One of the OWASP Top 10 vulnerabilities is Weak Authentication and Session Management. This entry is not always clearly understood as it actually refers to two large categories of web-application vulnerabilities. In this article, we examine vulnerabilities related to Session Management.
What Is A Session?
Since Hypertext Transfer Protocol (HTTP) is stateless, special provisions must be made outside of the protocol for the server to remember previous interactions with a user. In web-applications, a “session” refers to a data-structure stored on the server that is associated with a specific user during a limited time-period. A session is typically initiated by user authentication and is terminated when the user logs out (or otherwise terminates the session). The session associated with the user is identified through a “session token” that is originally generated by the server and is delivered to the browser as a cookie. The browser then returns the session token with subsequent requests, allowing the server to retrieve the corresponding session object and thus maintain context with that user.
Protecting The Session Identifier Token
Since the session identifier is typically stored and transferred as a cookie, the cookie must be protected to avoid a potential attack called “session hijacking”. This is because anyone who knows the value of a session identifier that is currently in use has the potential to “steal” that conversation from the legitimate user and compromise their account.
So our first set of Session Management vulnerabilities relates to keeping the session identifier secret:
- Failure to use a cryptographically strong random value as the session identifier. If a session id value can be predicted, it need not be exposed for an attacker to hijack a session.
- Failure to protect the confidentiality of the session id cookie. The session id value must be considered sensitive information and any transfer of this information must be encrypted. Thus, Secure HTTP (HTTPS) must be used by applications employing sessions, and the “secure” flag must be set on the cookie to ensure it is never passed via HTTP.
- Failure to generate a new session identifier upon login. The conversation between the user and the application may begin before authentication occurs, but typically begins at the time of authentication. Using the same session id before and after authentication represents a vulnerability called “Session Fixation” that can also lead to Session Hijacking.
Proper Session Termination
The conversation between the user and the application ends upon user logout. Improper session termination can occur under the following scenarios:
- Failure to invalidate the session on the server when the user chooses to logout. The act of logging out should invalidate the session identifier cookie on the client browser as well as invalidate the session object on the server. Failure to do so will allow the session to be re-animated after logout.
- Failure to automatically terminate the session on the server after some predefined period of inactivity. Failure to do so means the application has no protection from an attacker resuming an abandoned user session.
- Failure to invalidate the session when the user closes the browser without logging out. Failure to do so will allow the session to be re-animated in a new browser session.
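The two lists above describe the server-side behaviour a session store needs; the following is an added example (not code from the original article) of a minimal in-memory store that applies those rules: an unpredictable identifier, a fresh identifier at login, server-side invalidation at logout, an idle timeout, and a cookie carrying the Secure flag with no expiry so the browser discards it on close. The `IDLE_TIMEOUT` value and the `session` cookie name are assumptions chosen for illustration.

```python
# Added example (not from the original article): a minimal in-memory session
# store applying the article's rules for protecting and terminating sessions.
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # assumed: seconds of inactivity before the server drops a session


class SessionStore:
    def __init__(self):
        self._sessions = {}  # session id -> {"user": ..., "last_seen": ...}

    def _new_id(self):
        # 32 bytes from the OS CSPRNG: not predictable, not enumerable.
        return secrets.token_urlsafe(32)

    def create(self, user=None, now=None):
        now = time.time() if now is None else now
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def lookup(self, sid, now=None):
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]  # abandoned session cannot be resumed
            return None
        entry["last_seen"] = now  # activity extends the idle window
        return entry

    def login(self, old_sid, user, now=None):
        # Session fixation defence: discard the pre-auth id and issue a new one.
        self._sessions.pop(old_sid, None)
        return self.create(user, now)

    def logout(self, sid):
        # Invalidate on the server; clearing the browser cookie alone is not enough.
        return self._sessions.pop(sid, None) is not None


def session_cookie_header(sid):
    # Secure: sent only over HTTPS. HttpOnly: not readable by page scripts.
    # No Max-Age/Expires, so the browser discards the cookie when it closes.
    return f"Set-Cookie: session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def clear_cookie_header():
    # Sent alongside the server-side logout so the client forgets the id too.
    return "Set-Cookie: session=; Max-Age=0; Secure; HttpOnly; SameSite=Lax; Path=/"
```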
For insights into how to detect Session Management vulnerabilities, please see the article entitled “How To Test For Session Management Vulnerabilities”.
For insight into how to avoid or fix Session Management vulnerabilities, please see the article entitled “How To Prevent Session Management Vulnerabilities”.
About Affinity IT Security
We hope you found this article to be useful. Affinity IT Security is available to help you with your security testing and train your developers and testers. In fact, we train developers and IT staff how to hack applications and networks.
Perhaps it was a network scan or website vulnerability test that brought you here. If so, you are likely researching how to find, fix, or avoid a particular vulnerability. We urge you to be proactive and ensure that key individuals in your organization understand not only this issue, but also are more broadly aware of application security.
Contact us to learn how to better protect your enterprise.
Although every effort has been made to provide the most useful and highest quality information, it is unfortunate but inevitable that some errors, omissions, and typographical mistakes will appear in these articles. Consequently, Affinity IT Security will not be responsible for any loss or damages resulting directly or indirectly from any error, misunderstanding, software defect, example, or misuse of any content herein.