SAP: Session (Fixation) Attacks and Protections - Black Hat

More documents

Recommendations

Info

#2 Discovery and Exploitation (2)• Successful authentication (post-auth):Set-Cookie: _WL_AUTHCOOKIE_JSESSIONID=G4lD…vQ14; path=/; secure• Any previous value is renewed– _WL_AUTHCOOKIE_JSESSIONID• Very common scenario: two cookies– Pre-auth (unsecure): always (www, portal, etc)– Post-auth (secure): portal only (SSL) & renewedSession ID (authenticated users) = JSESSIONID +_WL_AUTHCOOKIE_JSESSIONIDCopyright © 2011 Taddong S.L. www.taddong.com36
#2 Discovery and Exploitation (3)• All links from “www” to “portal” are HTTPS– But HTTP is also allowed in “portal”• What is used for session ID verification whenaccessing “authenticated resources”?– Common sense: both cookies (! in reality)• HTTPS behavior:1. Both cookies: OKMissing orexpired2. JSESSIONID bad: redirect to login & renewed3. AUTH_JSESSIONID bad: 401 Basic?Copyright © 2011 Taddong S.L. www.taddong.com37
Page 1 and 2: UPDATEDwww.taddong.comSAP: Session
Page 3 and 4: Sessions in Web Applications• A w
Page 5 and 6: OWASP Top 10 2010• The Top 10 Mos
Page 7 and 8: WASC Threat Clasification v2.0• W
Page 9 and 10: What Session Fixation Should Be?Obs
Page 11 and 12: Session ID Exchange (1)• Multiple
Page 13 and 14: Session ID ExchangeUsed vs. Accepte
Page 15 and 16: The Attacker is After the…http://
Page 17 and 18: Session Fixation Attackshttp://www.
Page 19 and 20: Attack Vectors (2)• Web traffic i
Page 21 and 22: Attack Vectors (4)• Cross-Site Sc
Page 23 and 24: Session Fixation ExploitationSummar
Page 25 and 26: Three Case Studies• From real-wor
Page 27 and 28: Case Study #1Joomla! Open-Source CM
Page 29 and 30: #1 Discovery and Exploitation• Ta
Page 31 and 32: #1 Vulnerability Disclosure Timelin
Page 33 and 34: Case Study #2Commercial Web Applica
Page 35: #2 Discovery and Exploitation (1)
Page 39 and 40: #2 Impact• Three possible scenari
Page 41 and 42: WebLogic HTTPS Enforcement (2)• H
Page 45 and 46: #2 Protections (2)HTTPS Secure Cook
Page 47 and 48: #2 Protections (4)WebLogic Session
Page 49 and 50: #2 Protections (6)Summary• Too ma
Page 51 and 52: #2 Protections (8)Industry standard
Page 53 and 54: #3 Summary• Session fixation in t
Page 55 and 56: #3 Discovery and Exploitation (2)
Page 57 and 58: #3 Discovery and Exploitation (4)Co
Page 59 and 60: #3 Discovery and Exploitation (5)
Page 61 and 62: #3 Impact (1)• Hijack any SAP use
Page 63 and 64: #3 Impact (2)• Direct impact of s
Page 67 and 68: SAP Disclosure Guidelines (1)• SA
Page 69 and 70: #3 Protections (1)• Monthly Patch
Page 71 and 72: #3 Protections (3)• Use HTTPS-onl
Page 73 and 74: ConclusionsCopyright © 2011 Taddon
Page 75 and 76: Conclusions (1)• Session fixation
Page 77 and 78: Conclusions (3)• Impact on the we
Page 79 and 80: Questions? Copyright © 2011 Taddon

SAP: Session (Fixation) Attacks and Protections - Black Hat

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?