4.0
1NSchAb
1NSchAb
- No tags were found...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
87<br />
Web Application Penetration Testing<br />
16 bit chunk is incrementing at a regular rate, it may indicate a<br />
sequential or even time-based element to the token generation.<br />
See examples.<br />
If static elements to the Tokens are identified, further samples<br />
should be gathered, varying one potential input element at a time.<br />
For example, log in attempts through a different user account or<br />
from a different IP address may yield a variance in the previously<br />
static portion of the session token.<br />
The following areas should be addressed during the single and<br />
multiple Session ID structure testing:<br />
• What parts of the Session ID are static?<br />
• What clear-text confidential information is stored in the Session<br />
D? E.g. usernames/UID, IP addresses<br />
• What easily decoded confidential information is stored?<br />
• What information can be deduced from the structure of the<br />
Session ID?<br />
• What portions of the Session ID are static for the same log in<br />
conditions?<br />
• What obvious patterns are present in the Session ID as a whole,<br />
or individual portions?<br />
Session ID Predictability and Randomness<br />
Analysis of the variable areas (if any) of the Session ID should be<br />
undertaken to establish the existence of any recognizable or predictable<br />
patterns. These analyses may be performed manually and<br />
with bespoke or OTS statistical or cryptanalytic tools to deduce<br />
any patterns in the Session ID content. Manual checks should include<br />
comparisons of Session IDs issued for the same login conditions<br />
– e.g., the same username, password, and IP address.<br />
Time is an important factor which must also be controlled. High<br />
numbers of simultaneous connections should be made in order to<br />
gather samples in the same time window and keep that variable<br />
constant. Even a quantization of 50ms or less may be too coarse<br />
and a sample taken in this way may reveal time-based components<br />
that would otherwise be missed.<br />
Variable elements should be analyzed over time to determine<br />
whether they are incremental in nature. Where they are incremental,<br />
patterns relating to absolute or elapsed time should be investigated.<br />
Many systems use time as a seed for their pseudo-random<br />
elements. Where the patterns are seemingly random, one-way<br />
hashes of time or other environmental variations should be considered<br />
as a possibility. Typically, the result of a cryptographic<br />
hash is a decimal or hexadecimal number so should be identifiable.<br />
In analyzing Session ID sequences, patterns or cycles, static elements<br />
and client dependencies should all be considered as possible<br />
contributing elements to the structure and function of the<br />
application.<br />
• Are the Session IDs provably random in nature? Can the resulting<br />
values be reproduced?<br />
• Do the same input conditions produce the same ID on a<br />
subsequent run?<br />
• Are the Session IDs provably resistant to statistical or<br />
cryptanalysis?<br />
• What elements of the Session IDs are time-linked?<br />
• What portions of the Session IDs are predictable?<br />
• Can the next ID be deduced, given full knowledge of the<br />
generation algorithm and previous IDs?<br />
Cookie reverse engineering<br />
Now that the tester has enumerated the cookies and has a general<br />
idea of their use, it is time to have a deeper look at cookies<br />
that seem interesting. Which cookies is the tester interested in?<br />
A cookie, in order to provide a secure method of session management,<br />
must combine several characteristics, each of which is<br />
aimed at protecting the cookie from a different class of attacks.<br />
These characteristics are summarized below:<br />
[1] Unpredictability: a cookie must contain some amount of hardto-guess<br />
data. The harder it is to forge a valid cookie, the harder is<br />
to break into legitimate user’s session. If an attacker can guess the<br />
cookie used in an active session of a legitimate user, they will be<br />
able to fully impersonate that user (session hijacking). In order to<br />
make a cookie unpredictable, random values and/or cryptography<br />
can be used.<br />
[2] Tamper resistance: a cookie must resist malicious attempts<br />
of modification. If the tester receives a cookie like IsAdmin=No,<br />
it is trivial to modify it to get administrative rights, unless the application<br />
performs a double check (for instance, appending to the<br />
cookie an encrypted hash of its value)<br />
[3] Expiration: a critical cookie must be valid only for an appropriate<br />
period of time and must be deleted from the disk or memory<br />
afterwards to avoid the risk of being replayed. This does not apply<br />
to cookies that store non-critical data that needs to be remembered<br />
across sessions (e.g., site look-and-feel).<br />
[4] “Secure” flag: a cookie whose value is critical for the integrity<br />
of the session should have this flag enabled in order to allow its<br />
transmission only in an encrypted channel to deter eavesdropping.<br />
The approach here is to collect a sufficient number of instances<br />
of a cookie and start looking for patterns in their value. The exact<br />
meaning of “sufficient” can vary from a handful of samples,<br />
if the cookie generation method is very easy to break, to several<br />
thousands, if the tester needs to proceed with some mathematical<br />
analysis (e.g., chi-squares, attractors. See later for more information).<br />
It is important to pay particular attention to the workflow of the<br />
application, as the state of a session can have a heavy impact on<br />
collected cookies. A cookie collected before being authenticated<br />
can be very different from a cookie obtained after the authentication.<br />
Another aspect to keep into consideration is time. Always record<br />
the exact time when a cookie has been obtained, when there is<br />
the possibility that time plays a role in the value of the cookie (the<br />
server could use a time stamp as part of the cookie value). The<br />
time recorded could be the local time or the server’s time stamp<br />
included in the HTTP response (or both).<br />
When analyzing the collected values, the tester should try to figure<br />
out all variables that could have influenced the cookie value and<br />
try to vary them one at the time. Passing to the server modified<br />
versions of the same cookie can be very helpful in understanding<br />
how the application reads and processes the cookie.