Академический Документы
Профессиональный Документы
Культура Документы
Session Management
o Web Authentication, Session Management, and Access Control
o A web session is a sequence of network HTTP request and response transaction
associated to the same user
o Session ID Properties - To keep the authenticated state and track the users progress within
the web application, application provide users with session identifier that assign at session
creation.
o Session ID Name Fingerprinting – the name used by session ID should not be
extremely descriptive nor offer unnecessary details about the purpose and meaning
of the ID
o Session ID Length – session ID must long enough to prevent brute force attacks,
where an attacker can go trough the whole range of id values and verify the
existence of valid session
o Session ID entropy – session ID must be unpredictable (random enough) to prevent
guessing attacks.
o Session ID Content (or Value) – must be meaningless to prevent information
disclosure attacks. The session ID must simply be an identifier on client side and it
must never include sensitive information.
o Session Management Implementation
o Built-in Session Management Implementation –
o Used vs. Accepted Session ID Exchange Mechanisms
o Transport Layer Security
Cookies
The session ID exchange mechanism based on cookies provides multiple security features
in form of cookie attribute that can be used to protect the exchange of the Session ID
o Secure Attribute
o Secure cookie attribute instructs web browsers to only send the cookie trough an
encrypted HTTPS(SSL/TLS) connection.
o This session protection mechanism is mandatory to prevent the disclosure of
session ID trough MitM (Man-in-the Middle)
o Attacker can intercept and manipulate the victim user traffic and inject an HTTP
unencrypted reference to the web application
o HttpOnly Attribute
o Instruct web browsers not to allow script an ability to access the cookies via the
DOM document.cookie object. This session ID protection is mandatory to prevent
session ID stealing trough XSS attacks.
o SameSite Attribute
o Allows a server to define a cookie attribute making it impossible to the browser
send this cookie along with cross-site request.
o Main goal is to mitigate the risk of cross-origin information leakage and provides
some protection against cross-site request forgery attacks.
o Domain and Path Attribute
o (___________________)
o Expire and Max-Age Attribute – if cookie present the Max-Age or Expires attribute, it will
be considered a persistent cookie and will be stored on disk by the web browser based until
the expiration time.
Session ID Life Cycle
o Session ID Generation and Verification: Permissive and Strict Session Management
o Permissive mechanism – allow the web application to initially accept any session
ID value set by the user as valid, create a new session for it.
o Strict mechanism enforces that the web application will only accept session ID
values that have been previously generated by the web application
o Manage Session ID as Any Other User Input
o Session IDs must be considered as untrusted, as any other user input processed by
the web application and they must thoroughly validate and verified.
o If web application does not validate and filter out invalid session ID values before
processing them, they can potentially be used to exploit other web vulnerabilities.
o Renew the Session ID After Any Privilege Level Change
o Session ID must be renewed or regenerated by the web application after any
privilege level change within the associated user session.
o Session ID regeneration is mandatory to prevent session fixation attacks where an
attacker sets the session ID on the victims’ user web browser instead of gathering
the victim’s session ID
o Considerations When Using Multiple Cookies
o Web application should try to avoid same cookie name for different paths or domain
scopes within the same web application, as this increases the complexity of the
solution and potentially introduces scoping issues
Session Expiration
Mandatory to set expiration timeouts for every session to minimize the time period an
attacker can launch attacks over active sessions and hijack them.
The shorter the session interval is, the lesser the time an attacker has to use valid session
ID
Common idle timeouts ranges are 2-5 minutes for high-value application and 15-30
minutes for low risk application
If the session expires, the web application must take active actions to invalidate the session
on both sides, client and server.
Automatic Session Expiration
o Idle Timeout
All session should be implementing an idle or inactivity timeout
Timeout defines the amount of time a session will remain active in case
there is no activity in the session, closing and invalidating the session upon
the defined idle period since the last HTTP request received by the web
application for given session ID
Idle timeout limits the chances an attacker has to guess and use a valid
session ID from another user.
o Absolute Timeout
All session should implement an absolute timeout, regardless of session
activities
This timeout defines the maximum amount of time s session can be active,
closing and invalidation the session
After invalidating the session, user is forced to (re)authenticated again in
the web application
The absolute session limits the amount of time an attacker can use a hijacked
session and impersonate the victim user
o Renewal Timeout
The session ID is automatically renewed in the middle of the user session
and independently of the session activity and therefore of the idle timeout
After a specific amount of time since the session was initially created, the
web application can regenerate a new ID for the user session and try to set
it, or renew it, on the client.
The previous session would also valid for some time.
Manual Session Expiration
o Logout Button
Web application must provide a visible an easily accessible logout button
that is available on the web application header or menu and reachable from
every web application
Web Content Caching
o Even after the session has been closed, it might be possible to access the private or
sensitive data exchange within the session trough the web browser cache.
Therefore, web application must use restrictive cache direction for all the web
traffic exchange trough HTTP and HTTPS.
Input Validation
Goal of input validation
o To ensure only properly formed data is entering the work flow in an information
system, preventing malformed data from persisting in the database and triggering
malfunction of various downstream component.
o Data from all untrusty source should be subject to input validation
o Input validation should not be used as the primary method preventing XSS, SQL
Injection and other attack.
Input validation strategies
o Input validation should be applied on both syntactical and semantic level
o Syntactic validation should enforce correct syntax of structured fields
o Semantic validation should enforce correctness of their values in specific business
context
o Input validation can be used to detect unauthorized input before it is processed by
application
Implementing input validation
Data type validators available natively in web application framework
Validation against JSON Schema and XML Schema (XSD) for input in these
formats
Type conversion with strict exception handling
Minimum and maximum value range check for numerical parameters and dates,
minimum and maximum length check for strings
Array allowed values for small sets of string parameters
Regular expression for any other structured data covering the whole input string
and not using “any character” wildcard
o Whitelisting vs blacklisting
Common mistake black list validation in order to try detect possibly
dangerous character and patterns like the apostrophe ‘ character, the string
1=1, or the <script> tag
This filter frequent prevent authorized input (like O’Brian)
White list validation is appropriate for all input fields by the user. Also, it
involves defining exactly what IS authorized and everything else not
authorized
o Validating free-form Unicode text
Normalization: Ensure canonical encoding is used across all the text and no
invalid character are present
Character category whitelisting: Unicode allows whitelisting categories
such as decimal or letter which not only covers the Latin Alphabet, but also
various other script used globally
Individual character whitelisting: If you allow letters and ideographs in
names and also want to allow apostrophe ' for Irish names, but don't want
to allow the whole punctuation category
o Regular expressions
Be applied to all input data, minimum
Define the allowed set of characters to be accepted
Defines a minimum and maximum length for data
White List Regular Expression Example
o Validating an U.S. Zip Code (5 digits plus optional -4)
^\d{5}(-\d{4})?$
o Validating U.S. State Selection form Drop-Down menu
^(AA|AE|AP|AL|AK|AS|AZ|AR|CA|CO|CT|DE|DC|FM|FL|GA|GU|
HI|ID|IL|IN|IA|KS|KY|LA|ME|MH|MD|MA|MI|MN|MS|MO|MT|NE|
NV|NH|NJ|NM|NY|NC|ND|MP|OH|OK|OR|PW|PA|PR|RI|SC|SD|TN|
TX|UT|VT|VI|VA|WA|WV|WI|WY) $
Logging
Purpose
o Identifying security incidents
o Monitoring policy violations
o Establishing baselines
o Assisting non-repudiation controls
o Providing information about problems and unusual conditions
o Contributing additional application-specific data for incident investigation which is
lacking in other log sources
o Helping defend against vulnerability identification and exploitation through attack
detection
Application logging might also be used to record other types of events too such as:
o Security events
o Business process monitoring e.g. sales process abandonment, transactions,
connections
o Anti-automation monitoring
o Audit trails e.g. data addition, modification and deletion, data exports
o Performance monitoring e.g. data load time, page timeouts
o Compliance monitoring
o Data for subsequent requests for information e.g. data subject access, freedom of
information, litigation, police and other regulatory investigations
o Legally sanctioned interception of data e.g. application-layer wire-tapping
o Other business-specific requirements
Design, implementation and testing
o Event data sources
Primary event data source is the application code itself
The application has the most information about the user and the context of
event and often this data is not available to either infrastructure devices, or
even closely-related application
Other sources of information about application usage that could also be
considered are:
Client software e.g. actions on desktop software and mobile devices
in local logs or using messaging technologies, JavaScript exception
handler via Ajax, web browser such as using Content Security
Policy (CSP) reporting mechanism
Embedded instrumentation code
Network firewalls
Network and host intrusion detection systems (NIDS and HIDS)
Closely-related applications e.g. filters built into web server
software, web server URL redirects/rewrites to scripted custom
error pages and handlers
Application firewalls e.g. filters, guards, XML gateways, database
firewalls, web application firewalls (WAFs)
Database applications e.g. automatic audit trails, trigger-based
actions
Reputation monitoring services e.g. uptime or malware monitoring
Other applications e.g. fraud monitoring, CRM
Operating system e.g. mobile platform
o Where to record event data
Application commonly write event log data to the file system or a data base.
Application installed on desktops and on mobile devices may use local
storage and local databases. As well as sending data to remote storage
When using the file system, it is preferable to use a separate partition than
those used by the operating system, other application files and user
generated content
For file-based logs, apply strict permissions concerning which users
can access the directories, and the permissions of files within the
directories
In web applications, the logs should not be exposed in web-
accessible locations, and if done so, should have restricted access
and be configured with a plain text MIME type (not HTML)
When using a database, it is preferable to utilize a separate database account
that is only used for writing log data and which has very restrictive database,
table, function and command permissions
Use standard formats over secure protocols to record and send event data,
or log files, to other systems e.g. Common Log File System (CLFS) or
Common Event Format (CEF) over syslog; standard formats facilitate
integration with centralized logging services