4.0
1NSchAb
1NSchAb
- No tags were found...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
97<br />
Web Application Penetration Testing<br />
user should be required to gain access to the application after log<br />
out in the SSO system and connected application.<br />
Tools<br />
• “Burp Suite - Repeater” - http:/portswigger.net/burp/repeater.html<br />
References<br />
Whitepapers<br />
• “The FormsAuthentication.SignOut method does not prevent cookie<br />
reply attacks in ASP.NET applications” -<br />
http:/support.microsoft.com/default.aspx?scid=kb;en-us;900111<br />
• “Cookie replay attacks in ASP.NET when using forms authentication”<br />
- https:/www.vanstechelman.eu/content/cookie-replay-attacks-inaspnet-when-using-forms-authentication<br />
Test Session Timeout (OTG-SESS-007)<br />
Summary<br />
In this phase testers check that the application automatically logs<br />
out a user when that user has been idle for a certain amount of<br />
time, ensuring that it is not possible to “reuse” the same session<br />
and that no sensitive data remains stored in the browser cache.<br />
All applications should implement an idle or inactivity timeout for<br />
sessions. This timeout defines the amount of time a session will<br />
remain active in case there is no activity by the user, closing and<br />
invalidating the session upon the defined idle period since the last<br />
HTTP request received by the web application for a given session<br />
ID. The most appropriate timeout should be a balance between<br />
security (shorter timeout) and usability (longer timeout) and heavily<br />
depends on the sensitivity level of the data handled by the application.<br />
For example, a 60 minute log out time for a public forum<br />
can be acceptable, but such a long time would be too much in a<br />
home banking application (where a maximum timeout of 15 minutes<br />
is recommended). In any case, any application that does not<br />
enforce a timeout-based log out should be considered not secure,<br />
unless such behavior is required by a specific functional requirement.<br />
The idle timeout limits the chances that an attacker has to guess<br />
and use a valid session ID from another user, and under certain<br />
circumstances could protect public computers from session reuse.<br />
However, if the attacker is able to hijack a given session, the idle<br />
timeout does not limit the attacker’s actions, as he can generate<br />
activity on the session periodically to keep the session active for<br />
longer periods of time.<br />
Session timeout management and expiration must be enforced<br />
server-side. If some data under the control of the client is used<br />
to enforce the session timeout, for example using cookie values<br />
or other client parameters to track time references (e.g. number<br />
of minutes since log in time), an attacker could manipulate these<br />
to extend the session duration. So the application has to track the<br />
inactivity time on the server side and, after the timeout is expired,<br />
automatically invalidate the current user’s session and delete every<br />
data stored on the client.<br />
Both actions must be implemented carefully, in order to avoid introducing<br />
weaknesses that could be exploited by an attacker to<br />
gain unauthorized access if the user forgot to log out from the application.<br />
More specifically, as for the log out function, it is important<br />
to ensure that all session tokens (e.g. cookies) are properly destroyed<br />
or made unusable, and that proper controls are enforced<br />
at the server side to prevent the reuse of session tokens. If such<br />
actions are not properly carried out, an attacker could replay these<br />
session tokens in order to “resurrect” the session of a legitimate<br />
user and impersonate him/her (this attack is usually known as<br />
‘cookie replay’). Of course, a mitigating factor is that the attacker<br />
needs to be able to access those tokens (which are stored on the<br />
victim’s PC), but, in a variety of cases, this may not be impossible<br />
or particularly difficult.<br />
The most common scenario for this kind of attack is a public computer<br />
that is used to access some private information (e.g., web<br />
mail, online bank account). If the user moves away from the computer<br />
without explicitly logging out and the session timeout is not<br />
implemented on the application, then an attacker could access<br />
to the same account by simply pressing the “back” button of the<br />
browser.<br />
How to Test<br />
Black Box testing<br />
The same approach seen in the Testing for logout functionality<br />
(OTG-SESS-006) section can be applied when measuring the timeout<br />
log out.<br />
The testing methodology is very similar. First, testers have to<br />
check whether a timeout exists, for instance, by logging in and<br />
waiting for the timeout log out to be triggered. As in the log out<br />
function, after the timeout has passed, all session tokens should<br />
be destroyed or be unusable.<br />
Then, if the timeout is configured, testers need to understand<br />
whether the timeout is enforced by the client or by the server (or<br />
both). If the session cookie is non-persistent (or, more in general,<br />
the session cookie does not store any data about the time), testers<br />
can assume that the timeout is enforced by the server. If the<br />
session cookie contains some time related data (e.g., log in time,<br />
or last access time, or expiration date for a persistent cookie), then<br />
it’s possible that the client is involved in the timeout enforcing. In<br />
this case, testers could try to modify the cookie (if it’s not cryptographically<br />
protected) and see what happens to the session. For<br />
instance, testers can set the cookie expiration date far in the future<br />
and see whether the session can be prolonged.<br />
As a general rule, everything should be checked server-side and it<br />
should not be possible, by re-setting the session cookies to previous<br />
values, to access the application again.<br />
Gray Box Testing<br />
The tester needs to check that:<br />
• The log out function effectively destroys all session token, or at<br />
least renders them unusable,<br />
• The server performs proper checks on the session state,<br />
disallowing an attacker to replay previously destroyed session<br />
identifiers<br />
• A timeout is enforced and it is properly enforced by the server.<br />
If the server uses an expiration time that is read from a session<br />
token that is sent by the client (but this is not advisable), then<br />
the token must be cryptographically protected from tampering.<br />
Note that the most important thing is for the application to invalidate<br />
the session on the server side. Generally this means that