Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ch. 7 -Attacking Session Management Latasha A. Gibbs CSCE 813 – Internet Security, Fall 2012 College of Engineering and Computing University of South Carolina.

Published byOsborn Morgan Modified over 8 years ago

Similar presentations

Presentation on theme: "Ch. 7 -Attacking Session Management Latasha A. Gibbs CSCE 813 – Internet Security, Fall 2012 College of Engineering and Computing University of South Carolina."— Presentation transcript:

1 Ch. 7 -Attacking Session Management Latasha A. Gibbs CSCE 813 – Internet Security, Fall 2012 College of Engineering and Computing University of South Carolina Adapted from The Web Application Hacker’s Handbook 2 nd Edition by Dafydd Stuttard and Marcus Pinto 1

2 OVERVIEW The Need Weaknesses of Token Generation Weaknesses of Session Token Handling Securing Session Management Summary 2

3 THE NEED Reminder: HTTP Protocol is stateless Majority of web “sites” are actually web applications The session management mechanism is a fundamental security component in most web applications 3

4 TRUE OR FALSE? If we use smartcards for authentication, a user’s session cannot be compromised without them? 4

5 SESSION MANAGEMENT VULNERABILITIES HTTPOnly Flag Not Set Secure Flag Not Set Session Porting Permitted Persistent Cookie Cookieless Sessions in Use Session Token Content Weaknesses Session Token Not Regenerated on Login Cookie Domain and Path not Restricted JUST A FEW VULNERABILITIES! 5

6 WHAT HAPPENS IF THE ATTACKER SUCCEEDS? 1.Attacker can bypass authentication 2.Attacker can masquerade as a legitimate user 3.Attacker can compromise an administrative user or own the entire application The list goes on… 6

7 OVERVIEW The Need Weaknesses of Token Generation Weaknesses of Session Token Handling Securing Session Management Summary 7

8 WEAKNESSES IN TOKEN GENERATION Meaningful Tokens Predictable Tokens Concealed Sequences Weak Random Number Generation 8

9 MEANINGFUL TOKENS Tokens containing account username, first or last names, date/time stamp, client IP, etc. Attackers can use a hexadecimal decoder to reveal the session token easily Examples of online decoders include: www.string-functions.com or www.converstring.com www.string-functions.com www.converstring.com 757365723d6461663b6170703d61646d696e3b646174653d30312f31322f3131 User=daf;app=admin;date=10/09/11 9

10 WEAK RANDOM NUMBER GENERATION Predictable pseudorandom generator used After a visual inspection, a more rigorous approach to test the quality of randomness is necessary Burp Sequencer is a tool that will test randomness of web application tokens Obtaining a sample size of 20,000 tokens, will achieve compliance with FIPS test for randomness 10

11 OVERVIEW The Need Weaknesses of Token Generation Weaknesses of Session Token Handling Securing Session Management Summary 11

12 WEAKNESSES IN TOKEN HANDLING Disclosure of tokens on network Occurs when tokens are transmitted in an unencrypted form For example, a site that uses HTTPS to protect login, but reverts to HTTP for the remainder of the user session Disclosure of Tokens in System Logs An application may use the URL query string as a mechanism for transmitting tokens For example, google search inurl:jsessionid will produce a list of applications that transmit the Java platform session token 12

13 DO’S & DON’TS Tokens should only be transmitted over HTTPS Tokens should never be transmitted in the URL Visibility of session token for administrative or diagnostic purposes should be limited Logout functionality should be implemented Session expiration should be implemented Concurrent logins should be prevented Restrict domain and path scope of application should be restricted as much as possible 13

14 COMMON MYTHS “Our token is secure from disclosure to 3 rd -parties because we use SSL.” “Our token is generated by the platform using cryptographically sound technologies.” 14

15 OVERVIEW The Need Weaknesses of Token Generation Weaknesses of Session Token Handling Securing Session Management Summary 15

16 HOW CAN WE ENSURE SECURE SESSIONS? 16

17 SECURING SESSION MANAGEMENT Appears simple...as generating strong tokens and providing token protection throughout life cycle But…requires developers to have an in- depth understanding of protocols, algorithms, and black-hat community attacks 17

18 OVERVIEW The Need Weaknesses of Token Generation Weaknesses of Session Token Handling Securing Session Management Summary 18

19 SUMMARY Web Applications with Broken Session Management = Keys to the Kingdom Possible avenues of attack are endless Secure session management is necessary to protect web applications 19

20 FURTHER READING OWASP-Session Management Cheat Sheet https://www.owasp.org/index.php/Session_Management_Cheat_Sheet Paper on Secure Session Management with Cookies http://www.isecpartners.com/files/web-session-management.pdf Paper on Web Session Management http://www.technicalinfo.net/papers/WebBasedSessionManagement.html Session Management for Clustered Applications http://www.oracle.com/technetwork/articles/entarch/session-management- 092739.html 20

21 Thanks and have a lovely evening… QUESTIONS? 21

Download ppt "Ch. 7 -Attacking Session Management Latasha A. Gibbs CSCE 813 – Internet Security, Fall 2012 College of Engineering and Computing University of South Carolina."

Similar presentations

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
SEC835 OWASP Top Ten Project.

SEC835 OWASP Top Ten Project.
CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug 2013 - scotthel.me.

Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug scotthel.me.
ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.

ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.
Attacking Session Management Juliette Lessing

Attacking Session Management Juliette Lessing
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
Online Security Tuesday April 8, 2003 Maxence Crossley.

Online Security Tuesday April 8, 2003 Maxence Crossley.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.

SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.
CMSC 414 Computer and Network Security Lecture 18 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 18 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Chapter 6 Security & Privacy Web servers continue to be attractive target for hacker for variety of reasons –Most easy target –Personal satisfaction –Political.

Chapter 6 Security & Privacy Web servers continue to be attractive target for hacker for variety of reasons –Most easy target –Personal satisfaction –Political.

Similar presentations

Ads by Google