Session Management Tyler Moore CS7403 University of Tulsa Slides adapted in part or whole from Dan Boneh, Stanford CS155 1.

Slides:



Advertisements
Similar presentations
Nick Feamster CS 6262 Spring 2009
Advertisements

Cross-site Request Forgery (CSRF) Attacks
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
Session Management Dan Boneh CS 142 Winter Sessions A sequence of requests and responses from one browser to one (or more) sites Session can be.
Cookies, Sessions. Server Side Includes You can insert the content of one file into another file before the server executes it, with the require() function.
ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Attacking Session Management Juliette Lessing
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Online Security Tuesday April 8, 2003 Maxence Crossley.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
©2009 Justin C. Klein Keane PHP Code Auditing Session 7 Sessions and Cookies Justin C. Klein Keane
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Web Security: Session Management
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.
 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Open Source Server Side Scripting ECA 236 Open Source Server Side Scripting Cookies & Sessions.
Cookies Set a cookie – setcookie() Extract data from a cookie - $_COOKIE Augment user authentication script with a cookie.
CHAPTER 12 COOKIES AND SESSIONS. INTRO HTTP is a stateless technology Each page rendered by a browser is unrelated to other pages – even if they are from.
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Session Management and User Authentication Dan Boneh CS 155 Spring 2011.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Robust Defenses for Cross-Site Request Forgery CS6V Presented by Saravana M Subramanian.
© All rights reserved. Zend Technologies, Inc. PHP Security Kevin Schroeder Zend Technologies.
Feedback #2 (under assignments) Lecture Code:
1 Maryland ColdFusion User Group Session Management December 2001 Michael Schuler
Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.
Cookies & Session Web Technology
Prof Frankl, Spring 2008CS Polytechnic University 1 Overview of Web database applications with PHP.
SEC835 Runtime authentication Secure session management Secure use of cryptomaterials.
Ram Santhanam Application Level Attacks - Session Hijacking & Defences
Broken Authentication & Session Management. What is it ? Bad implementation of authentication and session management. If an attacker can get your session.
G CITRIXHACKIN. Citrix Presentation Server 4.5 New version is called XenApp/Server Common Deployments Nfuse classic CSG – Citrix Secure Gateway Citrix.
1 Robust Defenses for Cross-Site Request Forgery Adam Barth, Collin Jackson, John C. Mitchell Stanford University 15th ACM CCS.
Cookies and Sessions IDIA 618 Fall 2014 Bridget M. Blodgett.
Web Technologies Interactive Responsiveness Function Hypertext Web E-Publishing Simple Response Web Fill-in Forms Object Web « Full-Blown » Client/Server.
BeamAuth : Two-Factor Web Authentication with a Bookmark 14 th ACM Conference on Computer and Communications Security Ben Adida Presenter : SJ Park.
Ch. 7 -Attacking Session Management Latasha A. Gibbs CSCE 813 – Internet Security, Fall 2012 College of Engineering and Computing University of South Carolina.
Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP Headers Client IP Address HTTP User Login FAT URLs Cookies.
Sessions and Cookies State Management, Cookies, Sessions, Hidden Fields SoftUni Team Technical Trainers Software University
ECMM6018 Enterprise Networking for Electronic Commerce Tutorial 7
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
Cross-site request forgery Collin Jackson CS 142 Winter 2009.
CSRF Attacks Daniel Chen 11/18/15. What is CSRF?  Cross Site Request Forgery (Sea-Surf)  AKA XSRF/ One Click / Sidejacking / Session Riding  Exploits.
Lecture 16 Page 1 CS 236 Online Exploiting Statelessness HTTP is designed to be stateless But many useful web interactions are stateful Various tricks.
1 PHP HTTP After this lecture, you should be able to know: How to create and process web forms with HTML and PHP. How to create and process web forms with.
COEN 350: Network Security E-Commerce Issues. Table of Content HTTP Authentication Cookies.
Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.
PHP: Further Skills 02 By Trevor Adams. Topics covered Persistence What is it? Why do we need it? Basic Persistence Hidden form fields Query strings Cookies.
BIT 286: Web Applications Lecture 04 : Thursday, January 15, 2015 ASP.Net MVC -
SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.
Srinivas Balivada USC CSCE548 07/22/2016.  Cookies are generally set server-side using the ‘Set-Cookie’ HTTP header and sent to the client  In PHP to.
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
Avishai Wool Slides credit: Dan Boneh, John Mitchell
Cross-Site Forgery
Cross-Site Request Forgeries: Exploitation and Prevention
CSC 495/583 Topics of Software Security Intro to Web Security
Web Security Advanced Network Security Peter Reiher August, 2014
John Mitchell (based on Dan’s previous slides)
Cross Site Request Forgery New Attacks and Defenses
Cross-Site Scripting Attack (XSS)
Cross Site Request Forgery (CSRF)
Presentation transcript:

Session Management Tyler Moore CS7403 University of Tulsa Slides adapted in part or whole from Dan Boneh, Stanford CS155 1

Sessions A sequence of requests and responses from one browser to one (or more) sites – Session can be long (e.g. Gmail) or short – without session mgmt: users would have to constantly re-authenticate Session mgmt: authorize user once; – All subsequent requests are tied to user 2

Pre-history: HTTP auth HTTP request:GET /index.html HTTP response contains: WWW-Authenticate: Basic realm="Password Required“ Browsers sends hashed password on all subsequent HTTP requests: Authorization: Basic ZGFddfibzsdfgkjheczI1NXRleHQ= 3

HTTP auth problems Hardly used in commercial sites: User cannot log out other than by closing browser – What if user has multiple accounts? multiple users on same machine? Site cannot customize password dialog Confusing dialog to users Easily spoofed 4

Session tokens Browser GET /index.html set anonymous session token GET /books.html anonymous session token POST /do-login Username & password elevate to a logged-in session token POST /checkout logged-in session token check credentials (crypto) Validate token web site 5

Storing session tokens: Lots of options (but none are perfect) Browser cookie: Set-Cookie: SessionToken=fduhye63sfdb Embed in all URL links: ? SessionToken=kh7y3b In a hidden form field: 6

Storing session tokens: problems Browser cookie: browser sends cookie with every request, even when it should not (CSRF) Embed in all URL links: token leaks via HTTP Referer header (or if user posts URL in a public blog) In a hidden form field: does not work for long- lived session Best answer: a combination of all of the above 7

The HTTP referer header Referer leaks URL session token to 3 rd parties Referer supression: not sent when HTTPS site refers to an HTTP site in HTML5: 8

The Logout Process Web sites must provide a logout function: Functionality: let user to login as different user Security: prevent others from abusing account What happens during logout: 1. Delete SessionToken from client 2. Mark session token as expired on server Problem: many web sites do (1) but not (2) !! ⇒ Especially risky for sites who fall back to HTTP after login 9

Session hijacking

Attacker waits for user to login then attacker steals user’s Session Token and “hijacks” session ⇒ attacker can issue arbitrary requests on behalf of user Example: FireSheep [2010] Firefox extension that hijacks Facebook session tokens over WiFi. Solution: HTTPS after login 11

Beware: Predictable tokens Example 1: counter  user logs in, gets counter value, can view sessions of other users Example 2: weak MAC. token = { userid, MAC k (userid) } Weak MAC exposes k from few cookies. Apache Tomcat: generateSessionId() Returns random session ID [server retrieves client state based on sess-id] 12

Session tokens must be unpredictable to attacker To generate: use underlying framework (e.g. ASP, Tomcat, Rails) Rails: token = MD5( current time, random nonce ) 13

Beware: Session token theft Example 1: login over HTTPS, but subsequent HTTP Enables cookie theft at wireless Café (e.g. Firesheep) Other ways network attacker can steal token: – Site has mixed HTTPS/HTTP pages ⇒ token sent over HTTP – Man-in-the-middle attacks on SSL Example 2: Cross Site Scripting (XSS) exploits Amplified by poor logout procedures: – Logout must invalidate token on server 14

Mitigating SessionToken theft by binding SessionToken to client’s computer Client IP addr: makes it harder to use token at another machine – But honest client may change IP addr during session client will be logged out for no reason. Client user agent: weak defense against theft, but doesn’t hurt. SSL session id: same problem as IP address (and even worse) A common idea: embed machine specific data in SID 15

Session fixation attacks Suppose attacker can set the user’s session token: For URL tokens, trick user into clicking on URL For cookie tokens, set using XSS exploits Attack: (say, using URL tokens) 1.Attacker gets anonymous session token for site.com 2.Sends URL to user with attacker’s session token 3.User clicks on URL and logs into site.com – this elevates attacker’s token to logged-in token 4.Attacker uses elevated token to hijack user’s session. 16

Session fixation: lesson When elevating user from anonymous to logged-in: always issue a new session token After login, token changes to value unknown to attacker  Attacker’s token is not elevated. 17

Summary Always assume cookie data retrieved from client is adversarial Session tokens are split across multiple client state mechanisms: – Cookies, hidden form fields, URL parameters – Cookies by themselves are insecure (CSRF, cookie overwrite) – Session tokens must be unpredictable and resist theft by network attacker Ensure logout invalidates session on server 18

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.