Session Management
Presented By
Mike Andrews
mike.andrews@foundstone.com
mike@mikeandrews.com
► Two methods
● Pass the entire state back and forth between client and server
● Have an “identifier” that is then used to look up state on the server
► Attack patterns
● Session Fixation
● Weak tokens
● MITM hijacking
● Token reuse
● DOM hijacking
Session Fixation
► Attack Pattern
● Attacker “fixes” or “gives” victim session token
[Diagram: attacker plants Cookie = 1234 for bank.example.com; the victim logs in at bank.example.com/login.asp (u=joe&p=asdf) still sending Cookie = 1234; the Account Homepage / Account Info is then served against that same Cookie = 1234]
Session Fixation
► Mitigation
● Always reissue session token after the following
− Authentication
− Role changes / before sensitive operation
► If site is HTTP only (no HTTPS) consider other methods
MITM Hijacking
► ASP – Web.config
<system.web>
...
<httpCookies httpOnlyCookies="true" requireSSL="true" domain="" />
...
</system.web>
► PHP - php.ini
session.cookie_secure = "1"
DOM Hijacking
► ASP – Web.config
<system.web>
...
<httpCookies httpOnlyCookies="true" requireSSL="true" domain="" />
...
</system.web>
► PHP - php.ini
session.cookie_httponly = "1"
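The two config snippets above set the Secure flag (MITM hijacking slide) and the HttpOnly flag (DOM hijacking slide) on the session cookie. The following is an added example, not from the slides, that builds a hardened Set-Cookie header with Python's standard http.cookies module and audits an arbitrary Set-Cookie header for the two flags; the function names and the sample header values are assumptions constructed for this illustration.

```python
"""Build and audit Set-Cookie headers for the Secure and HttpOnly flags.

Added example, not part of the original slides. The sample header
strings passed in the demo are constructed, not captured from a real site.
"""
from http.cookies import SimpleCookie


def build_session_cookie(name, value, secure=True, httponly=True):
    """Return a Set-Cookie header value for a session cookie.

    Secure  -> browser only sends the cookie over HTTPS (counters MITM capture)
    HttpOnly-> document.cookie cannot read it (counters DOM/script hijacking)
    """
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = "/"
    if secure:
        cookie[name]["secure"] = True      # flag attribute, rendered as "Secure"
    if httponly:
        cookie[name]["httponly"] = True    # flag attribute, rendered as "HttpOnly"
    return cookie[name].OutputString()


def audit_set_cookie(header_value):
    """Return the list of hardening attributes missing from a Set-Cookie value.

    The first segment is name=value; every later segment is an attribute.
    Attribute names are case-insensitive per RFC 6265, so compare lowercased.
    """
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    return missing


if __name__ == "__main__":
    # Constructed sample: a PHP-style session cookie issued without either flag.
    weak = "PHPSESSID=abc123; path=/"
    print("weak header missing:", audit_set_cookie(weak))
    hardened = build_session_cookie("PHPSESSID", "abc123")
    print("hardened header:", hardened)
    print("hardened header missing:", audit_set_cookie(hardened))
```

audit_set_cookie is the check to run over every Set-Cookie a test proxy records: any session cookie reported as missing "Secure" can be captured on the wire, and any missing "HttpOnly" can be read by injected script.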
Weak Tokens
► Have to ensure that sessions are “expired” when they are not needed
● On logout
● If session is unused for a given interval
Token reuse / expiration
► To Test
● Navigate application -> Capture request
● Logout or allow session to expire
● Replay request
► To mitigate
● Most frameworks support this natively (20 min default)
− PHP - session.gc_maxlifetime
− ASP.NET - <sessionState timeout="40" />
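The Session Fixation mitigation slide (reissue the token after authentication) and the slide above (destroy the session on logout and after an idle interval, so a captured request cannot be replayed) describe the same server-side session store behaviour. The following is an added example, not from the slides or from any framework named on them: a minimal in-memory store in Python. The class name, its method names, the injectable clock and the 20-minute idle limit taken from the slide's "20 min default" are assumptions made for this illustration.

```python
"""In-memory session store that rotates the session id on login, destroys it
on logout and expires it after an idle interval.

Added example, not part of the original slides. SessionStore and its
methods are hypothetical names chosen for this illustration.
"""
import secrets
import time

IDLE_TIMEOUT = 20 * 60  # seconds; mirrors the 20-minute default the slide mentions


class SessionStore:
    def __init__(self, clock=time.time):
        # session id -> {"user": str | None, "last_seen": float}
        self._sessions = {}
        self._clock = clock  # injectable so the expiry path can be tested

    @staticmethod
    def _new_id():
        # 32 random bytes from the OS CSPRNG, URL-safe; never a counter or timestamp
        return secrets.token_urlsafe(32)

    def create(self):
        """Issue an anonymous (pre-authentication) session id."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def lookup(self, sid):
        """Return the session for sid, or None if it is unknown or idle-expired."""
        data = self._sessions.get(sid)
        if data is None:
            return None
        if self._clock() - data["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]  # expired: drop it so it can never be revived
            return None
        data["last_seen"] = self._clock()
        return data

    def authenticate(self, sid, user):
        """Bind user to a fresh id and invalidate the pre-login id.

        This is the fixation defence: whatever id the client arrived with
        (possibly one planted by an attacker) is discarded at login, so the
        only id that is ever authenticated is one the server just generated.
        """
        if self.lookup(sid) is None:
            return None
        del self._sessions[sid]
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "last_seen": self._clock()}
        return new_sid

    def logout(self, sid):
        """Destroy the session server-side; a replayed request with this id fails."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    planted = store.create()                  # id the client showed up with
    authed = store.authenticate(planted, "joe")
    print("pre-login id still valid:", store.lookup(planted) is not None)   # False
    print("post-login id valid:", store.lookup(authed) is not None)         # True
    store.logout(authed)
    print("replay after logout:", store.lookup(authed))                      # None
```

The "To Test" steps on the slide map directly onto lookup(): a request captured before logout carries an id that, after logout() or after IDLE_TIMEOUT seconds of inactivity, lookup() no longer resolves, which is exactly what the replay should observe on a correctly configured application.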
Conclusions