4.0
1NSchAb
1NSchAb
- No tags were found...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
88<br />
Web Application Penetration Testing<br />
Examples of checks to be performed at this stage include:<br />
• What character set is used in the cookie? Has the cookie a<br />
numeric value? alphanumeric? hexadecimal? What happens if<br />
the tester inserts in a cookie characters that do not belong to the<br />
expected charset?<br />
• Is the cookie composed of different sub-parts carrying different<br />
pieces of information? How are the different parts separated?<br />
With which delimiters? Some parts of the cookie could have a<br />
higher variance, others might be constant, others could assume<br />
only a limited set of values. Breaking down the cookie to its base<br />
components is the first and fundamental step.<br />
An example of an easy-to-spot structured cookie is the following:<br />
ID=5a0acfc7ffeb919:CR=1:TM=1120514521:LM=11205145<br />
21:S=j3am5KzC4v01ba3q<br />
This example shows 5 different fields, carrying different types of data:<br />
ID – hexadecimal<br />
CR – small integer<br />
TM and LM – large integer. (And curiously they hold the<br />
same value. Worth to see what happens modifying one of<br />
them)<br />
S – alphanumeric<br />
Even when no delimiters are used, having enough samples can help.<br />
As an example, let’s look at the following series:<br />
0123456789abcdef<br />
Brute Force Attacks<br />
Brute force attacks inevitably lead on from questions relating to<br />
predictability and randomness. The variance within the Session<br />
IDs must be considered together with application session duration<br />
and timeouts. If the variation within the Session IDs is relatively<br />
small, and Session ID validity is long, the likelihood of a successful<br />
brute-force attack is much higher.<br />
A long Session ID (or rather one with a great deal of variance) and<br />
a shorter validity period would make it far harder to succeed in a<br />
brute force attack.<br />
• How long would a brute-force attack on all possible Session IDs<br />
take?<br />
• Is the Session ID space large enough to prevent brute forcing? For<br />
example, is the length of the key sufficient when compared to the<br />
valid life-span?<br />
• Do delays between connection attempts with different Session IDs<br />
mitigate the risk of this attack?<br />
Gray Box testing and example<br />
If the tester has access to the session management schema implementation,<br />
they can check for the following:<br />
• Random Session Token<br />
The Session ID or Cookie issued to the client should not be easily predictable<br />
(don’t use linear algorithms based on predictable variables<br />
such as the client IP address). The use of cryptographic algorithms<br />
with key length of 256 bits is encouraged (like AES).<br />
• Token length<br />
Session ID will be at least 50 characters length.<br />
• Session Time-out<br />
Session token should have a defined time-out (it depends on the criticality<br />
of the application managed data)<br />
• Cookie configuration:<br />
• non-persistent: only RAM memory<br />
• secure (set only on HTTPS channel):<br />
Set Cookie: cookie=data; path=/; domain=.aaa.it; secure<br />
• HTTPOnly (not readable by a script):<br />
Set Cookie: cookie=data; path=/; domain=.aaa.it; HTTPOnly<br />
More information here: Testing for cookies attributes<br />
Tools<br />
• OWASP Zed Attack Proxy Project (ZAP) -<br />
https://www.owasp.org/index.php/OWASP_Zed_Attack_<br />
Proxy_Project - features a session token analysis mechanism.<br />
• Burp Sequencer -<br />
http: /www.portswigger.net/suite/sequencer.html<br />
• Foundstone CookieDigger -<br />
http://www.mcafee.com/us/downloads/free-tools/<br />
cookiedigger.aspx<br />
• YEHG’s JHijack - https: /www.owasp.org/index.php/JHijack<br />
References<br />
Whitepapers<br />
• RFC 2965 “HTTP State Management Mechanism”<br />
• RFC 1750 “Randomness Recommendations for Security”<br />
• Michal Zalewski: “Strange Attractors and TCP/IP Sequence<br />
Number Analysis” (2001): http: /lcamtuf.coredump.cx/oldtcp/<br />
tcpseq.html<br />
• Michal Zalewski: “Strange Attractors and TCP/IP Sequence<br />
Number Analysis - One Year Later” (2002):<br />
http: /lcamtuf.coredump.cx/newtcp/<br />
• Correlation Coefficient:<br />
http: /mathworld.wolfram.com/CorrelationCoefficient.html<br />
• Darrin Barrall: “Automated Cookie Analysis” –<br />
http: /www.spidynamics.com/assets/documents/SPIcookies.<br />
pdf<br />
• ENT: http: /fourmilab.ch/random/<br />
• http: /seclists.org/lists/fulldisclosure/2005/Jun/0188.html<br />
• Gunter Ollmann: “Web Based Session Management” -<br />
http: /www.technicalinfo.net<br />
• Matteo Meucci:”MMS Spoofing” -<br />
http: /www.owasp.org/images/7/72/MMS_Spoofing.ppt<br />
Videos<br />
• Session Hijacking in Webgoat Lesson -<br />
http://yehg.net/lab/pr0js/training/view/owasp/webgoat/<br />
WebGoat_SessionMan_SessionHijackingWithJHijack/<br />
Related Security Activities<br />
Description of Session Management Vulnerabilities<br />
See the OWASP articles on Session Management Vulnerabilities.