Session Management Security
Tips and Tricks

Lars Ewe
CTO / VP of Eng.
Cenzic
lars@cenzic.com

OWASP
September, 2010

Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.

The OWASP Foundation
http://www.owasp.org
Agenda

• What is HTTP Session Management?
• Session Management Security
• Assessment Techniques
• Related Attack Vectors
• Session Management Best Practices
• Q & A
What is HTTP Session Management?

• The process of keeping track of a user's activity across sessions of
  interaction with the computer system (Wikipedia)
• Used to make the stateless HTTP protocol support session state
• Seamlessly identifies the user to the server, on every request, once he or
  she has authenticated to the server
Source: Cenzic Q1-Q2, 2010 Application Trends Report
[Chart slides from the report; only the chart labels survive]

• Weak session randomness
• Ineffective session termination
• Session Fixation
• …

• Brute force login
• Unauthorized resource access
• Privilege escalation
• …
What Locked Door?
Session Management
How is it usually implemented?

• Session (and related) attacks are a key attack surface for HTTP web
  applications
• Most common session / state mechanism for HTTP:
  • Unique session tokens in the form of HTTP cookies or URL parameters
• HTTP authentication (Basic, Digest, NTLM) can be used for session
  management, but this is very rare
• Applications can also use sessionless state mechanisms (like ASP.NET's
  ViewState), essentially keeping all state on the client
  • Tip: If you use ViewState, make sure the MAC is enabled via
    EnableViewStateMac="true"
  • Caution: The ViewState MAC prevents state tampering, but attackers can
    still decode and read the state information (it is Base64-encoded, not
    encrypted, unless ViewState encryption is enabled separately)!
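The caution above is worth seeing in code. The following Python is an added example, not ASP.NET code and not from the deck: it builds a MAC-protected client-side state blob in the spirit of ViewState, shows that anyone can decode and read it without the key, and shows that any modification is rejected. The key value, the JSON-plus-HMAC-SHA256 layout and the function names are assumptions made for the example; real ViewState uses its own serialization format, but the integrity-versus-confidentiality point is the same.

```python
import base64
import hashlib
import hmac
import json

# Server-side secret; in a real deployment this comes from configuration.
# (Assumed value for this example only.)
SERVER_KEY = b"example-key-do-not-use-in-production"


def pack_state(state: dict, key: bytes = SERVER_KEY) -> str:
    """Serialize client-side state and append an HMAC-SHA256 over it.

    Mirrors a MAC-protected ViewState: the blob round-trips through the
    browser and the server rejects any modified copy.
    """
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode()


def unpack_state(blob: str, key: bytes = SERVER_KEY) -> dict:
    """Verify the MAC and return the state; raise ValueError on tampering."""
    raw = base64.b64decode(blob)
    payload, mac = raw[:-32], raw[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("state MAC mismatch: blob was modified or forged")
    return json.loads(payload)


def peek_state(blob: str) -> dict:
    """What an attacker sees WITHOUT the key: the MAC stops tampering, not reading."""
    raw = base64.b64decode(blob)
    return json.loads(raw[:-32])


def tamper(blob: str, field: str, new_value) -> str:
    """Build a modified blob the way an attacker would: re-encode without the key."""
    raw = base64.b64decode(blob)
    state = json.loads(raw[:-32])
    state[field] = new_value
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    return base64.b64encode(payload + raw[-32:]).decode()  # old MAC no longer matches


if __name__ == "__main__":
    blob = pack_state({"user": "alice", "role": "user", "cart_total": 42.5})
    print("readable without the key:", peek_state(blob))
    try:
        unpack_state(tamper(blob, "role", "admin"))
    except ValueError as e:
        print("tampering rejected:", e)
```

If the state carries anything the user must not see (internal IDs, prices before discount, other users' data), a MAC is not enough; encrypt the blob or keep that data on the server.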
Session Management Security
Session Tokens / Cookies

• Session tokens are often composed of: user info, account info,
  date/timestamp, email address, client IP address, etc.
• Session tokens can also be based on concealed sequences, time
  dependencies, random number generation, etc.
• Session tokens are often merely encoded, not encrypted: e.g. using Base64,
  XOR, or a hexadecimal (ASCII) representation
• Disclosure of tokens on the network: network traffic eavesdropping
  • Use HTTPS for all content, incl. static content, help pages, pre-login
    pages, images, etc.; otherwise a single plain-HTTP request for an image
    sends the cookie in the clear
Session Management Security
Session Tokens / Cookies – contd.

• Enable the HttpOnly & Secure cookie flags to disallow cookie access from
  JavaScript and to restrict cookie transmission to HTTPS, respectively
• URL-based session tokens get revealed via various HTTP logs (e.g. Google
  for inurl:jsessionid). Note that the Referer header can also carry the
  session token to any third-party site the page links to or embeds
  • Attackers will try to capture your token by making you visit a site on a
    server they control (and reading the token out of the Referer header)
• Ineffective or non-existent session termination/logout functionality (e.g.
  only deleting the client-side cookie, but no session expiration on the
  server) leaves session tokens open to exploitation
The Bottom Line…

There is a wide variety of HTTP session management mechanisms, due to the
lack of strong native support in the protocol.
Always remember:
• Not all of them are equally secure!
• The strongest authentication mechanism won't help if the session
  management mechanism is vulnerable!
Assessment Techniques
There is a wide variety of assessment techniques for session management
vulnerabilities.
Assessment techniques:
• Often use a combination of commercial scanners, basic tools (proxies,
  fuzzers, spiders, decoders, etc.) and manual testing and analysis
  • Comprehensive solutions / scanners: Cenzic Hailstorm
  • Basic tools: Burp Suite, Paros, WebScarab, Tamper Data
• Attempt to map and analyze the application and identify the authentication
  & session management mechanisms (e.g. session tokens, login/logout pages,
  etc.)
• Try to observe / analyze any encodings and obfuscations of session tokens in
  order to manipulate them
Assessment Techniques – Contd.
Assessment techniques:
• Often require one or more user accounts to compare the behavior of the
  application before and after login (public vs. private pages) and between
  users with different access privileges
• Test whether users can be fooled into using attacker-supplied session
  tokens (session fixation)
• Try to explore any related attack vectors, like XSS, CSRF, etc.
• Also examine various other attack vectors, like: token predictability,
  cookie scope (domain / path), insecure token transmission, log
  disclosures, insufficient session termination, etc.
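Two of the steps above, decoding a token's encoding layers (previous slide) and testing token predictability (this slide), can be scripted over a sample of tokens captured through a proxy. The following Python is an added example, not part of the deck and not code from any of the tools listed: it peels hex and Base64 layers off each token while the result stays printable, looks for embedded user fields, detects counters that increase from one token to the next, and estimates per-position entropy across the sample. The sample tokens are constructed inline (one weak scheme of the kind the earlier slide describes, one cryptographically random scheme); the field-name list and the 64-bit threshold are assumptions.

```python
import base64
import binascii
import math
import re
import secrets
import string
from collections import Counter

PRINTABLE = set(string.printable.encode())
# Field names that, found in a decoded token, show it carries user data rather
# than being an opaque random identifier (heuristic list, assumed here).
FIELD_RE = re.compile(r"\b(user|uid|id|name|email|role|ip|ts|time|date|exp)\s*[=:]", re.I)


def _decodings(s):
    """Yield (encoding, raw bytes) for every encoding layer s could plausibly be."""
    if re.fullmatch(r"[0-9a-fA-F]+", s) and len(s) % 2 == 0:
        yield "hex", bytes.fromhex(s)
    padded = s + "=" * (-len(s) % 4)
    if re.fullmatch(r"[A-Za-z0-9+/]+=*", s):
        try:
            yield "base64", base64.b64decode(padded, validate=True)
        except binascii.Error:
            pass
    if re.fullmatch(r"[A-Za-z0-9_-]+=*", s):
        try:
            yield "base64url", base64.urlsafe_b64decode(padded)
        except binascii.Error:
            pass


def peel(token, max_layers=3):
    """Strip encoding layers while the result is still printable text.

    Returns [(encoding, decoded_text), ...]; empty if the token is opaque.
    """
    layers, current = [], token
    for _ in range(max_layers):
        hit = next(((name, raw.decode()) for name, raw in _decodings(current)
                    if raw and all(b in PRINTABLE for b in raw)), None)
        if hit is None:
            break
        layers.append(hit)
        current = hit[1]
    return layers


def positional_entropy(tokens):
    """Empirical Shannon entropy (bits) summed over character positions, plus
    the number of positions that never change across the sample."""
    width, n = min(len(t) for t in tokens), len(tokens)
    total = fixed = 0
    for i in range(width):
        counts = Counter(t[i] for t in tokens)
        total += -sum(c / n * math.log2(c / n) for c in counts.values())
        fixed += len(counts) == 1
    return total, fixed


def sequential_fields(texts):
    """Indices of numeric runs that strictly increase from one sample to the next."""
    runs = [re.findall(r"\d+", t) for t in texts]
    k = min((len(r) for r in runs), default=0)
    return [i for i in range(k)
            if all(int(b[i]) > int(a[i]) for a, b in zip(runs, runs[1:]))]


def analyze(tokens):
    """Run every check over a sample of tokens captured from the same application."""
    layers = [peel(t) for t in tokens]
    inner = [l[-1][1] if l else t for l, t in zip(layers, tokens)]
    bits, fixed = positional_entropy(tokens)
    fields = sorted({m.group(1).lower() for m in FIELD_RE.finditer(inner[0])})
    seq = sequential_fields(inner)
    return {
        "encodings": [name for name, _ in layers[0]],
        "embedded_fields": fields,
        "sequential": bool(seq),
        "entropy_bits": round(bits, 1),
        "fixed_positions": fixed,
        # 64 bits is a common minimum for session IDs (assumed threshold)
        "weak": bool(fields) or bool(seq) or bits < 64,
    }


def weak_samples(n=20):
    """Constructed tokens of the kind the deck warns about: Base64 over user
    data with a sequential account ID and a timestamp."""
    return [base64.b64encode(
                f"user=alice;id={1000 + i};ts={1283900000 + 37 * i}".encode()).decode()
            for i in range(n)]


def strong_samples(n=20):
    """Tokens from a cryptographic RNG, 128 bits each, hex-encoded."""
    return [secrets.token_hex(16) for _ in range(n)]


if __name__ == "__main__":
    print("weak  :", analyze(weak_samples()))
    print("strong:", analyze(strong_samples()))
```

The entropy figure is empirical and capped by the sample size, so it understates a strong token; it is the low numbers, fixed positions and increasing counters that matter. Treat the output as a lead for manual analysis, not a verdict.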
Related Attack Vectors

There are various session management related attack vectors, as well as some
more loosely related ones, such as:
• Session Fixation & Hijacking
• Ineffective Session Termination
• Weak passwords, vulnerable “forgot password” functionality, etc.
• Authentication Bypass (SQL Injection), Authorization Boundary
  Vulnerabilities, Privilege Escalation
• HTTPS/SSL Bypass Vulnerabilities (access with HTTP)
• XSS / CSRF
• And more…
Related Attack Vectors
Cross-Site Request Forgery (CSRF)
• What is it?: Basic web application session management behavior is
  exploited to make legitimate-looking user requests without the user’s
  knowledge or consent.
• Root cause: The browser attaches the session credential (e.g. the session
  cookie) to every request to the site, no matter which page caused the
  request, so the cookie alone proves nothing about the user’s intent.
• Impact: Attackers can make legitimate web requests from the victim’s
  browser without the victim’s knowledge or consent, performing transactions
  in the user’s name. This can result in a broad variety of possible
  exploits.
• Solution: Enhance session management by using a non-predictable “nonce” or
  other unique one-time token in addition to the common session identifier
  (the forging page cannot read it), as well as validation of the HTTP Referer
  header.
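The solution above comes down to two server-side checks on every state-changing request. The Python below is an added example, not code from the deck or from any framework: it issues a per-session CSRF nonce from a CSPRNG, embeds it in the form, and on submission verifies both the nonce (constant-time comparison) and that the Origin or Referer header names the site's own origin. The origin https://bank.example, the form layout and the function names are assumptions; the forged request in the usage section is the one from the deck's hackerbank.com example.

```python
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import urlsplit

# The application's own origin (assumed for this example).
SITE_ORIGIN = "https://bank.example"


class Session:
    """Minimal server-side session record; only the CSRF token matters here."""

    def __init__(self) -> None:
        self.csrf_token: Optional[str] = None


def issue_csrf_token(session: Session) -> str:
    """Return the session's anti-CSRF nonce, creating it from a CSPRNG on first use.

    A hostile page can make the browser *send* a request to us, but it cannot
    *read* our pages, so it never learns this value to put it in its form.
    """
    if session.csrf_token is None:
        session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token


def render_sell_form(session: Session) -> str:
    """Server-rendered form that carries the nonce as a hidden field."""
    token = issue_csrf_token(session)
    return (
        f'<form method="post" action="{SITE_ORIGIN}/stock/sell">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="symbol"><input name="numbersell"><button>Sell</button></form>'
    )


def source_matches_site(headers: dict) -> bool:
    """Second line of defense: Origin (preferred) or Referer must name our origin.

    Missing headers are rejected for state-changing requests: browsers send at
    least one of them on a cross-site form post, and a page cannot forge them.
    """
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def validate_state_change(session: Session, form: dict, headers: dict) -> Tuple[bool, str]:
    """Gate every state-changing handler on both checks."""
    submitted = form.get("csrf_token", "")
    if not session.csrf_token or not hmac.compare_digest(
            submitted.encode(), session.csrf_token.encode()):
        return False, "missing or wrong CSRF token"
    if not source_matches_site(headers):
        return False, "request did not originate from our site"
    return True, "ok"


if __name__ == "__main__":
    victim = Session()
    render_sell_form(victim)  # victim visited the real form at some point
    # The hackerbank.com frame: the cookie rides along, but no nonce and a foreign Referer.
    forged = {"hUserId": "7", "symbol": "GLO", "values": "30", "numbersell": "10"}
    print(validate_state_change(victim, forged, {"Referer": "http://hackerbank.com/"}))
    print(validate_state_change(victim, {"csrf_token": victim.csrf_token, "symbol": "GLO"},
                                {"Origin": SITE_ORIGIN}))
```

The nonce check is the primary control; the Referer/Origin check is defense in depth, since some proxies strip Referer and an application that relies on it alone will either lock out those users or have to allow empty headers, which forged requests can also produce.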
SANS Las Vegas June 2008

Be careful what you browse while you’re still logged into a sensitive
application!
CSRF Example Code

Attacker's page on hackerbank.com: loads the forged request in an invisible frame

  <body>
  Welcome to hackerbank.com. It's been a pleasure doing business with you!
  <iframe id="hidden_iframe" width="0" height="0" scrolling="no"
     src="Sell_Stock.htm"></iframe>
  </body>

Framed page (Sell_Stock.htm): auto-submits a POST to the bank while the
victim's session is still valid

  <body>
  <form name="form" id="form" method="post"
     action="http://localhost:8081/kelev/php/stock.php">
  <input type="hidden" name="hUserId" value="7" />
  <input type="hidden" name="symbol" value="GLO" />
  <input type="hidden" name="values" value="30" />
  <input type="hidden" name="numbersell" value="10" />
  </form>
  <script>document.forms["form"].submit();</script>
  </body>

The browser sends the victim's session cookie along with the form data, so the
bank processes the sale as if the victim had submitted it.
Session Management Best Practices

• Use strong tokens with strong randomness (from a cryptographic random
  number generator, long enough that guessing is infeasible)
• Only ever transfer tokens to the server over HTTPS (don't forget about
  static content, help pages, images, pre-login pages, etc.)
• Never use URL-based session tokens, as they make session fixation (and
  leakage via logs and the Referer header) very easy. If you have to (cookies
  disabled), use POSTs with hidden fields
• Use the HttpOnly & Secure cookie flags
• Implement strong logout functionality (with invalidation of session tokens
  & deletion of session & state on the server)
• Implement session expiration with the same results as a strong logout
  (after e.g. 5 or 10 minutes of inactivity)
Session Management Best Practices – contd.
• Consider implementing “per-page” tokens (also helps with CSRF)
• Ideally do not allow concurrent logins
• Terminate sessions when attacks are detected
• (Temporarily) disable accounts after too many wrong session tokens /
  attacks (to slow down & frustrate attackers)
• Log session-related information on the server and audit the logs regularly
• Avoid weak passwords & weak change / forgot password mechanisms
• Also defend against related attacks, like XSS, CSRF, etc.
• Also see owasp.org and the OWASP Development Guide
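Most of the practices on these two slides fit into one small server-side session store. The Python below is an added example, not from the deck and not any framework's implementation: random 256-bit IDs, a fresh ID issued at login so an ID an attacker planted before authentication (session fixation) is worthless, logout and idle expiry that destroy the server-side record rather than just the cookie, one active session per user, termination on detected attack, a temporary lock after repeated unknown tokens, and the cookie attributes. The timeouts, the lock threshold, the cookie name and the choice of keying the lock on a client identifier such as the source IP are assumptions; SameSite on the cookie is a browser feature that postdates the deck.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 10 * 60   # seconds of inactivity before a session dies (deck: 5 or 10 minutes)
MAX_BAD_TOKENS = 5       # unknown session IDs from one client before a temporary lock (assumed)
LOCK_SECONDS = 15 * 60   # length of that lock (assumed)


@dataclass
class SessionRecord:
    user: Optional[str] = None          # None while the visitor is not logged in
    last_seen: float = 0.0
    data: dict = field(default_factory=dict)


class SessionStore:
    """Server-side session store: random IDs, ID rotation at login, real logout,
    idle expiry, one session per user, lock-out on repeated bad tokens."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock                      # injectable so expiry can be tested
        self.sessions: Dict[str, SessionRecord] = {}
        self.active_for_user: Dict[str, str] = {}
        self.bad_tokens: Dict[str, int] = {}    # keyed by client id, e.g. source IP
        self.locked_until: Dict[str, float] = {}

    @staticmethod
    def new_id() -> str:
        return secrets.token_urlsafe(32)        # 256 bits from the OS CSPRNG

    def create(self) -> str:
        """Anonymous session, e.g. for a shopping cart before login."""
        sid = self.new_id()
        self.sessions[sid] = SessionRecord(last_seen=self.clock())
        return sid

    def lookup(self, sid: str, client_id: str) -> Optional[SessionRecord]:
        """Resolve a presented cookie; unknown IDs count against the client, stale ones expire."""
        if self.is_locked(client_id):
            return None
        rec = self.sessions.get(sid)
        if rec is None:
            self._note_bad_token(client_id)
            return None
        now = self.clock()
        if now - rec.last_seen > IDLE_TIMEOUT:
            self.logout(sid)                     # same effect as an explicit logout
            return None
        rec.last_seen = now
        return rec

    def login(self, sid: Optional[str], user: str) -> str:
        """Authenticate: issue a fresh ID (defeats fixation), keep pre-login data,
        and terminate any other session this user already has."""
        old = self.sessions.pop(sid, None) if sid else None
        previous = self.active_for_user.pop(user, None)
        if previous:
            self.sessions.pop(previous, None)
        new_sid = self.new_id()
        self.sessions[new_sid] = SessionRecord(user=user, last_seen=self.clock(),
                                               data=dict(old.data) if old else {})
        self.active_for_user[user] = new_sid
        return new_sid

    def logout(self, sid: str) -> bool:
        """Destroy the server-side record; clearing the cookie alone would leave it valid."""
        rec = self.sessions.pop(sid, None)
        if rec and rec.user and self.active_for_user.get(rec.user) == sid:
            del self.active_for_user[rec.user]
        return rec is not None

    def terminate_user(self, user: str) -> None:
        """Kill a user's session when an attack against it is detected."""
        sid = self.active_for_user.get(user)
        if sid:
            self.logout(sid)

    def is_locked(self, client_id: str) -> bool:
        until = self.locked_until.get(client_id)
        if until is None:
            return False
        if self.clock() >= until:
            del self.locked_until[client_id]
            self.bad_tokens.pop(client_id, None)
            return False
        return True

    def _note_bad_token(self, client_id: str) -> None:
        n = self.bad_tokens[client_id] = self.bad_tokens.get(client_id, 0) + 1
        if n >= MAX_BAD_TOKENS:
            self.locked_until[client_id] = self.clock() + LOCK_SECONDS

    @staticmethod
    def set_cookie_header(sid: str) -> str:
        """Cookie attributes from the deck (HttpOnly, Secure) plus SameSite, which
        browsers added later and which also blunts CSRF."""
        return f"Set-Cookie: SESSIONID={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

The store is in-memory for clarity; behind a load balancer the same logic needs a shared backend, and every lookup that fails or expires is worth a log line, since those are the events the deck says to audit.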
Security In The Real World …

It’s true, you might not be able to outrun the bear, but let’s not forget,
all you have to do is outrun your competition!
Things to Remember
• Attackers can be extremely creative and overcome various defense
  mechanisms
• Never underestimate your opponent!
• Always remember: The strongest authentication won't help if session
  management vulnerabilities exist!
Sophistication of Hackers …

Meets Unprepared Users …
Session Management: OWASP- USA 2010
