1BO4r2U
1BO4r2U
1BO4r2U
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
87 88<br />
Web Application Penetration Testing<br />
Web Application Penetration Testing<br />
Session fixation vulnerabilities occur when:<br />
• A web application authenticates a user without first invalidating the<br />
existing session ID, thereby continuing to use the session ID already<br />
associated with the user.<br />
• An attacker is able to force a known session ID on a user so that,<br />
once the user authenticates, the attacker has access to the authenticated<br />
session.<br />
In the generic exploit of session fixation vulnerabilities, an attacker<br />
creates a new session on a web application and records the associated<br />
session identifier. The attacker then causes the victim to authenticate<br />
against the server using the same session identifier, giving the<br />
attacker access to the user’s account through the active session.<br />
Furthermore, the issue described above is problematic for sites that<br />
issue a session identifier over HTTP and then redirect the user to a<br />
HTTPS log in form. If the session identifier is not reissued upon authentication,<br />
the attacker can eavesdrop and steal the identifier and<br />
then use it to hijack the session.<br />
How to Test<br />
Black Box Testing<br />
Testing for Session Fixation vulnerabilities:<br />
The first step is to make a request to the site to be tested (example<br />
www.example.com). If the tester requests the following:<br />
They will obtain the following answer:<br />
GET www.example.com<br />
HTTP/1.1 200 OK<br />
Date: Wed, 14 Aug 2008 08:45:11 GMT<br />
Server: IBM_HTTP_Server<br />
Set-Cookie: JSESSIONID=0000d8eyYq3L0z2fgq10m4v-rt4:-1;<br />
Path=/; secure<br />
Cache-Control: no-cache=”set-cookie,set-cookie2”<br />
Expires: Thu, 01 Dec 1994 16:00:00 GMT<br />
Keep-Alive: timeout=5, max=100<br />
Connection: Keep-Alive<br />
Content-Type: text/html;charset=Cp1254<br />
Content-Language: en-US<br />
8eyYq3L0z2fgq10m4v-rt4:-1 for the client.<br />
Next, if the tester successfully authenticates to the application with<br />
the following POST HTTPS:<br />
POST https:/www.example.com/authentication.php HTTP/1.1<br />
Host: www.example.com<br />
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it;<br />
rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16<br />
Accept: text/xml,application/xml,application/xhtml+xml,text/<br />
html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5<br />
Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3<br />
Accept-Encoding: gzip,deflate<br />
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7<br />
Keep-Alive: 300<br />
Connection: keep-alive<br />
Referer: http:/www.example.com<br />
Cookie: JSESSIONID=0000d8eyYq3L0z2fgq10m4v-rt4:-1<br />
Content-Type: application/x-www-form-urlencoded<br />
Content-length: 57<br />
The application sets a new session identifier JSESSIONID=0000d-<br />
Name=Meucci&wpPassword=secret!&wpLoginattempt=Log+in<br />
The tester observes the following response from the server:<br />
HTTP/1.1 200 OK<br />
Date: Thu, 14 Aug 2008 14:52:58 GMT<br />
Server: Apache/2.2.2 (Fedora)<br />
X-Powered-By: PHP/5.1.6<br />
Content-language: en<br />
Cache-Control: private, must-revalidate, max-age=0<br />
X-Content-Encoding: gzip<br />
Content-length: 4090<br />
Connection: close<br />
Content-Type: text/html; charset=UTF-8<br />
...<br />
HTML data<br />
...<br />
As no new cookie has been issued upon a successful authentication<br />
the tester knows that it is possible to perform session hijacking.<br />
Result Expected: The tester can send a valid session identifier to a<br />
user (possibly using a social engineering trick), wait for them to authenticate,<br />
and subsequently verify that privileges have been assigned<br />
to this cookie.<br />
Gray Box Testing<br />
Talk with developers and understand if they have implemented a session<br />
token renew after a user successful authentication.<br />
Result Expected: The application should always first invalidate the existing<br />
session ID before authenticating a user, and if the authentication<br />
is successful, provide another sessionID.<br />
Tools<br />
• Hijack - a numeric session hijacking tool - http:/yehg.net/lab/pr0js/<br />
files.php/jhijackv0.2beta.zip<br />
• OWASP WebScarab: OWASP_WebScarab_Project<br />
References<br />
Whitepapers<br />
• Session Fixation<br />
• ACROS Security: http:/www.acrossecurity.com/papers/session_<br />
fixation.pdf<br />
• Chris Shiflett: http:/shiflett.org/articles/session-fixation<br />
Testing for Exposed Session Variables<br />
(OTG-SESS-004)<br />
Summary<br />
The Session Tokens (Cookie, SessionID, Hidden Field), if exposed, will<br />
usually enable an attacker to impersonate a victim and access the<br />
application illegitimately. It is important that they are protected from<br />
eavesdropping at all times, particularly whilst in transit between the<br />
client browser and the application servers.<br />
The information here relates to how transport security applies to the<br />
transfer of sensitive Session ID data rather than data in general, and<br />
may be stricter than the caching and transport policies applied to the<br />
data served by the site.<br />
Using a personal proxy, it is possible to ascertain the following about<br />
each request and response:<br />
• Protocol used (e.g., HTTP vs. HTTPS)<br />
• HTTP Headers<br />
• Message Body (e.g., POST or page content)<br />
Each time Session ID data is passed between the client and the server,<br />
the protocol, cache, and privacy directives and body should be examined.<br />
Transport security here refers to Session IDs passed in GET<br />
or POST requests, message bodies, or other means over valid HTTP<br />
requests.<br />
How to Test<br />
Testing for Encryption & Reuse of Session Tokens vulnerabilities:<br />
Protection from eavesdropping is often provided by SSL encryption,<br />
but may incorporate other tunneling or encryption. It should be noted<br />
that encryption or cryptographic hashing of the Session ID should be<br />
considered separately from transport encryption, as it is the Session<br />
ID itself being protected, not the data that may be represented by it.<br />
If the Session ID could be presented by an attacker to the application<br />
to gain access, then it must be protected in transit to mitigate that risk.<br />
It should therefore be ensured that encryption is both the default and<br />
enforced for any request or response where the Session ID is passed,<br />
regardless of the mechanism used (e.g., a hidden form field). Simple<br />
checks such as replacing https:/ with http:/ during interaction with<br />
the application should be performed, together with modification of<br />
form posts to determine if adequate segregation between the secure<br />
and non-secure sites is implemented.<br />
Note that if there is also an element to the site where the user is<br />
tracked with Session IDs but security is not present (e.g., noting which<br />
public documents a registered user downloads) it is essential that a<br />
different Session ID is used. The Session ID should therefore be monitored<br />
as the client switches from the secure to non-secure elements<br />
to ensure a different one is used.<br />
Result Expected:<br />
Every time the authentication is successful, the user should expect to<br />
receive:<br />
• A different session token<br />
• A token sent via encrypted channel every time they make an HTTP<br />
Request<br />
Testing for Proxies & Caching vulnerabilities:<br />
Proxies must also be considered when reviewing application security.<br />
In many cases, clients will access the application through corporate,<br />
ISP, or other proxies or protocol aware gateways (e.g., Firewalls). The<br />
HTTP protocol provides directives to control the behavior of downstream<br />
proxies, and the correct implementation of these directives<br />
should also be assessed.<br />
In general, the Session ID should never be sent over unencrypted<br />
transport and should never be cached. The application should be examined<br />
to ensure that encrypted communications are both the default<br />
and enforced for any transfer of Session IDs. Furthermore, whenever<br />
the Session ID is passed, directives should be in place to prevent its<br />
caching by intermediate and even local caches.<br />
The application should also be configured to secure data in caches<br />
over both HTTP/1.0 and HTTP/1.1 – RFC 2616 discusses the appropriate<br />
controls with reference to HTTP. HTTP/1.1 provides a number<br />
of cache control mechanisms. Cache-Control: no-cache indicates that<br />
a proxy must not re-use any data. Whilst Cache-Control: Private appears<br />
to be a suitable directive, this still allows a non-shared proxy<br />
to cache data. In the case of web-cafes or other shared systems, this<br />
presents a clear risk. Even with single-user workstations the cached<br />
Session ID may be exposed through a compromise of the file-system<br />
or where network stores are used. HTTP/1.0 caches do not recognise<br />
the Cache-Control: no-cache directive.<br />
Result Expected:<br />
The “Expires: 0” and Cache-Control: max-age=0 directives should be<br />
used to further ensure caches do not expose the data. Each request/<br />
response passing Session ID data should be examined to ensure appropriate<br />
cache directives are in use.<br />
Testing for GET & POST vulnerabilities:<br />
In general, GET requests should not be used, as the Session ID may be<br />
exposed in Proxy or Firewall logs. They are also far more easily manipulated<br />
than other types of transport, although it should be noted that<br />
almost any mechanism can be manipulated by the client with the right<br />
tools. Furthermore, Cross-site Scripting (XSS) attacks are most easily<br />
exploited by sending a specially constructed link to the victim. This is<br />
far less likely if data is sent from the client as POSTs.<br />
Result Expected:<br />
All server side code receiving data from POST requests should be tested<br />
to ensure it does not accept the data if sent as a GET. For example,<br />
consider the following POST request generated by a log in page.<br />
POST http:/owaspapp.com/login.asp HTTP/1.1<br />
Host: owaspapp.com<br />
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;<br />
rv:1.0.2) Gecko/20030208 Netscape/7.02 Paros/3.0.2b<br />
Accept: */*<br />
Accept-Language: en-us, en<br />
Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66<br />
Keep-Alive: 300<br />
Cookie: ASPSESSIONIDABCDEFG=ASKLJDLKJRELKHJG<br />
Cache-Control: max-age=0<br />
Content-Type: application/x-www-form-urlencoded