Presentation is loading. Please wait.

Presentation is loading. Please wait.

Session Management Dan Boneh CS 142 Winter 2009. Sessions A sequence of requests and responses from one browser to one (or more) sites Session can be.

Published byJaiden Brabazon Modified over 9 years ago

Similar presentations

Presentation on theme: "Session Management Dan Boneh CS 142 Winter 2009. Sessions A sequence of requests and responses from one browser to one (or more) sites Session can be."— Presentation transcript:

1 Session Management Dan Boneh CS 142 Winter 2009

2 Sessions A sequence of requests and responses from one browser to one (or more) sites Session can be long (Gmail - two weeks) or short without session mgmt: users would have to constantly re-authenticate Session mgmt: Authorize user once; All subsequent requests are tied to user

3 Pre-history: HTTP auth HTTP request:GET /index.html HTTP response contains: WWW-Authenticate: Basic realm="Password Required“ Browsers sends hashed password on all subsequent HTTP requests: Authorization: Basic ZGFddfibzsdfgkjheczI1NXRleHQ=

4 HTTP auth problems Hardly used in commercial sites User cannot log out other than by closing browser  What if user has multiple accounts?  What if multiple users on same computer? Site cannot customize password dialog Confusing dialog to users Easily spoofed

5 Session tokens BrowserWeb Site GET /index.html set anonymous session token GET /books.html anonymous session token POST /do-login Username & password elevate to a logged-in session token POST /checkout logged-in session token check credentials (CS155) Validate token

6 Storing session tokens: Lots of options (but none are perfect) Browser cookie: Set-Cookie: SessionToken=fduhye63sfdb Embedd in all URL links: https://site.com/checkout ? SessionToken=kh7y3b In a hidden form field: Window.name DOM property

7 Storing session tokens: problems Browser cookie: browser sends cookie with every request, even when it should not (CSRF) Embed in all URL links: token leaks via HTTP Referer header In a hidden form field: short sessions only Best answer: a combination of all of the above. why? next lecture.

8 The HTTP referer header Referer leaks URL session token to 3 rd parties

9 SESSION HIJACKING Attacker waits for user to login; then attacker obtains user’s Session Token and “hijacks” session

10 1. Predictable tokens Example: counter (Verizon Wireless)  user logs in, gets counter value, can view sessions of other users Example: weak MAC (WSJ) token = {userid, MAC k (userid) } Weak MAC exposes k from few cookies. Apache Tomcat: generateSessionID() MD5(PRG) … but weak PRG [GM’05]. Predictable SessionID’s Session tokens must be unpredicatble to attacker: Use underlying framework. Rails: token = MD5( current time, random nonce )

11 2. Cookie theft Example 1: login over SSL, but subsequent HTTP What happens as wireless Café ? Other reasons why session token sent in the clear:  HTTPS/HTTP mixed content pages at site  Man-in-the-middle attacks on SSL Example 2: Cross Site Scripting (XSS) exploits Amplified by poor logout procedures: Logout must invalidate token on server

12 Session fixation attacks Suppose attacker can set the user’s session token: For URL tokens, trick user into clicking on URL For cookie tokens, set using XSS exploits Attack: (say, using URL tokens) 1. Attacker gets anonymous session token for site.com 2. Sends URL to user with attacker’s session token 3. User clicks on URL and logs into site.com  this elevates attacker’s token to logged-in token 4. Attacker uses elevated token to hijack user’s session.

13 Session fixation: lesson When elevating user from anonymous to logged-in, always issue a new session token Once user logs in, token changes to value unknown to attacker.  Attacker’s token is not elevated.

14 Generating session tokens Goal: prevent hijacking and avoid fixation

15 Option 1: minimal client-side state SessionToken = [random unpredictable string] (no data embedded in token) Server stores all data associated to SessionToken: userid, login-status, login-time, etc. Can result in server overhead: When multiple web servers at site, lots of database lookups to retrieve user state.

16 Option 2: lots of client-side state SessionToken: SID = [ userID, exp. time, data] where data = (capabilities, user data,...) SessionToken = Enc-then-MAC (k, SID) (as in CS255) k: key known to all web servers in site. Server must still maintain some user state: e.g. logout status (should be checked on every request) Note that nothing binds SID to client’s machine

17 Binding SessionToken to client’s computer; mitigating cookie theft Client IP Address: Will make it harder to use token at another machine But honest client may change IP addr during session  client will be logged out for no reason. Client user agent: A weak defense against theft, but doesn’t hurt. SSL session key: Same problem as IP address (and even worse) approach: embed machine specific data in SID

18 MORE ON CROSS SITE SCRIPTING (XSS)

19 Recall: reflected XSS search field on victim.com: http://victim.com/search.php ? term = apple Server-side implementation of search.php: Echo search term directly into HTML response To exploit, attacker crafts a URL containing a script http://victim.com/search.php ? term = do_something_bad (no filtering of user input)

20 Reflected XSS: the exploit browserattacker site.com user logs in send XSS URL http://site.com/search click on URL respond with attacker’s script Bad things happen: site.com session token sent to attacker rewrite site.com DOM rewrite links and persist boom

21 Persistent XSS XSS script is injected into blog, message board, etc. When user’s view the block, the malicious script runs in their browser  blogs must filter uploaded content The famous MySpace Samy worm: (2005) Bypassed MySpace script filters Script spread from user to user making everyone Samy’s friend http://namb.la/popular/tech.html

22 Persistent XSS using images Suppose pic.jpg on web server contains HTML !  request for http://site.com/pic.jpg results in: HTTP/1.1 200 OK … Content-Type: image/jpeg fooled ya  IE will render this as HTML (despite Content-Type) Consider photo sharing sites that support image uploads What if attacker uploads an “image” that is a script?

23 Universal XSS Adobe PDF viewer “feature” : (version <= 7.9) http://site.com/abc.pdf # whatever=javascript: --- code – viewer will execute the javascript in origin of current domain! Any site that hosts a single PDF is vulnerable to XSS ! (in fact, PDF files in Windows can also be used)

Download ppt "Session Management Dan Boneh CS 142 Winter 2009. Sessions A sequence of requests and responses from one browser to one (or more) sites Session can be."

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Cross-site Request Forgery (CSRF) Attacks

Cross-site Request Forgery (CSRF) Attacks
Past, Present and Future By Eoin Keary and Jim Manico

Past, Present and Future By Eoin Keary and Jim Manico
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.

ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Online Security Tuesday April 8, 2003 Maxence Crossley.

Online Security Tuesday April 8, 2003 Maxence Crossley.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Web Security: Session Management

Web Security: Session Management
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.

Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.

 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.

Similar presentations

Ads by Google