Attacking Session Management Juliette Lessing Chapter 7 Attacking Session Management Juliette Lessing

Session management Enables the application to uniquely identify a given user across a number of different requests. Prime target for malicious attacks against application. Encountered defects. If an attacker can break an application’s session management, then she can effectively bypass its authentication controls ans masquerade as other application users without knowing their credentials. If an attacker compromises an administrative user in this way, then the attacker can own the entire application. There is a wide variety of defects that can commonly be found in session management functions and this chapter looks at all types of weakness that are encountered before.

Two types of weaknesses Weaknesses in Session Token Generation Weaknesses in the handling of session tokens throughout their lifecycle.

Weaknesses in Session Token Generation Meaningful tokens (1) Created using a transformation of the user’s user name or other info associated with them But actually: Session management mechanisms are often vulnerable to attack because tokens are generated in an unsafe manner that enables an attacker to identify the values of tokens that have been issued to other users. First: meaningful tokens: Some session tokens are created using a transformation of the user’s user- name or email address, or other information associated with them. This infor- mation may be encoded or obfuscated in some way, and may be combined with other data. For example, the following token may initially appear to be a long random string but when you run in through the right decoder it reveals the actual data.

Meaningful tokens (2) Exhibit some structure allowing an attacker to understand their function and means of generation. Components: User name E-mail address Client’s IP address Tokens that contain meaningful data often exhibit some structure which allows an attacker to understand their function and means of generation. Components that may be encountered within structured tokens include among others user name, e-mail address and client’s IP address

Meaningful tokens (3) Hack steps: Obtain single token from the application, modify it to determine validity. Change token’s value one byte at a time and check whether application is still accepted. Are some portions not required to be correct, exlude them. Log in as several different users at different times and record the tokens received from the server. Analyze the tokens for any correlations that appear to be related to the username and other user-controllable data. Analyze the tokens for any detectable encoding or obfuscation. If any meaning can be reverse engineered from the sample of session tokens, guess the tokens, find a page of the application that is session-dependent, and make large numbers of requests to this page using these guessed tokens. Monitor the results for any cases where the page is loaded correctly, indicating a valid session token. Obtain a single token from the application, and modify it in systematic ways to determine whether the entire token is validated, or whether some subcomponents of the token are ignored. Try changing the token’s value one byte at a time (or even one bit at a time) and submitting the modified token back to the application to determine whether it is still accepted. If you find that certain portions of the token are not actually required to be correct, you can exclude these from any further analysis, potentially reducing the amount of work that you need to perform. Log in as several different users at different times and record the tokens received from the server. If self-registration is available and you can choose your username, log in with a series of similar usernames contain- ing small variations between them, such as A, AA, AAA, AAAA, AAAB, AAAC, AABA, and so on. If other user-specific data is submitted at the login or stored in user profiles (such as an email address), perform a similar exercise to vary that data systematically and record the tokens received following login. Analyze the tokens for any detectable encoding or obfuscation. Where the username contains a sequence of the same character, look for a corre- sponding character sequence in the token, which may indicate the use of XOR obfuscation. Look for sequences in the token containing only hexa- decimal characters, which may indicate a hex-encoding of an ASCII string or other information. Look for sequences ending in an equals sign and/or only containing the other valid Base64 characters: a–z, A–Z, 0–9, +, and /. If any meaning can be reverse engineered from the sample of session tokens, consider whether you have sufficient information to attempt to guess the tokens recently issued to other application users. Find a page of the application that is session-dependent (e.g., one that returns an error message or a redirect elsewhere if accessed without a valid ses- sion), and use a tool such as Burp Intruder to make large numbers of requests to this page using guessed tokens. Monitor the results for any cases where the page is loaded correctly, indicating a valid session token.

Weaknesses in Session Token Generation Predictable tokens (1) Contain sequences or patterns Arise from 3 different sources: Concealed sequences Time dependency Weak random number generation Predictable tokens contain sequences or patterns that allow an attacker to extrapolate from a sample of tokens to find other valid tokens recently issued by the application. The authors’ experience in the field indicates that predictable session tokens commonly arise from three different sources which are Concealed sequences, Time dependency and Weak random number generation

Predictable tokens (2) Concealed sequences         Firstly, concealed sequences. It is common to encounter session tokens that cannot be trivially predicted when analyzed in their raw form but that contain sequences that reveal them- selves when the tokens are suitably decoded or unpacked. In the first serie of values, there is among others a + sign indicating we need a Base64 decoder. Next we encounter strange values, binary data. Rendering the decoded data as hexadecimal numbers we get the next serie of values. And in the end leading to the last values which reveals a concealed pattern. Transforming it then to using text-based protocol HTTP allows you to easily write a script to produce the series of tokens that the server will next produce, and the series that it produced prior to the captured sample.

Predictable tokens (2) 2. Time dependency  Attack: Start polling the server to obtain new session tokens in quick succession Monitor the increments in the first number. Increases more than one? Token has been issued by another user We know upper and lower bounds of second number which was issued to them brute-force attacks in order to successfully access a protected page Running this scripted attack continuously will enable us to capture the session token of every other application user. When an administrative user logs in, we will fully compromise the entire application. Some web servers and applications employ algorithms for generating session tokens that use the time of generation as an input to the token’s value. If insuf- ficient other entropy is incorporated into the algorithm, then you may be able to predict other users’ tokens. Although any given sequence of tokens on its own may appear to be completely random, the same sequence coupled with information about the time at which each token was generated may contain a discernible pattern. Start polling the server to obtain new session tokens in quick succession Monitor the increments in the first number. Increases more than one? Token has been issued by another user When a token has been issued to another user, we know the upper and lower bounds of the second number that was issued to them, because we possess the tokens that were issued immediately before and after theirs. Because we are obtaining new session tokens frequently, the range between these bounds will typically consist of only a few hun- dred values. Each time a token is issued to another user, we launch a brute-force attack to iterate through each number in the range, appending this to the missing incremental number that we know was issued to the other user. We attempt to access a protected page using each token we con- struct, until the attempt succeeds and we have compromised the user’s session.

Predictable tokens (3) 3. Weak random number generation This algorithm takes the last number generated, multiplies it by one constant, and adds another constant, to obtain the next number. The number is truncated to 48 bits, and the algorithm shifts the result to return the specific number of bits requested by the caller. Very little that occurs inside a computer is random. When a predictable pseudo-random number generator is used for produc- ing session tokens, the resulting tokens are vulnerable to sequencing by an attacker.

Weaknesses in Session Token Handling Disclosure of tokens on the network (1) Weaknesses occur when: Some applications elect to use HTTPS to protect the user’s credentials during login but then revert to HTTP for the remainder of the user’s session Some applications use HTTP for preauthenticated areas of the site, such as the site’s front page, but switch to HTTPS from the login page onwards. It doesnt matter whether sessions don’t contain any meaningful information if the tokens are not handled carefully after generation it is subject to attack anyway. There are a variety of ways in which an application’s unsafe handling of tokens can make it vulnerable to attack. Firstly via the disclosure of tokens on the network which arises when the session token is transmitted across the network in unencrypted form, enabling a suitably positioned eavesdrop- per to obtain the token and so masquerade as the legitimate user. Weaknesses occur when…..

Disclosure of tokens on the network (2) Hack steps: Walk through application in normal way and identify login functions and transitions between HTTP and HTTPS communications Are HTTP cookies used as transmission mechanism? Verify whether secure flag is set Determine whether session tokens are ever transmitted over an unencrypted connection. Yes? Regard them as vulnerable to interception Verify whether a new token is issued following login, or whether a token transmitted during the HTTP stage is still being used to track the user’s authenticed session Verify whether server is listening on port 80. If so, visit any HTTP URL directly from with an authenticated session and verify whether the session token is transmitted In cases where a token for an authenticated session is transmitted to the server over HTTP, verify whether that token continues to be valid or is immediately terminated by the server. Walk through application in normal way and identify login functions and transitions between HTTP and HTTPS communications Are HTTP cookies used as transmission mechanism? Verify whether secure flag is set, preventing them from ever being transmitted over unencrypted connections Determine whether, in the normal use of the application, session tokens are ever transmitted over an unencrypted connection. If so, they should be regarded as vulnerable to interception. Verify whether a new token is issued following login, or whether a token transmitted during the HTTP stage is still being used to track the user’s authenticed session Verify whether server is listening on port 80. If so, visit any HTTP URL directly from with an authenticated session and verify whether the session token is transmitted

Weaknesses in Session Token Handling Disclosure of tokens in logs causes of session tokens appearing in system logs An administrator, for example, may consult a log of recent sessions in the course of investigating a security breach. Often, this kind of monitoring and control functionality discloses the actual session token associated with each session. And often, the functionality is poorly protected, allowing unauthorized users to access the list of current session tokens, and thereby hijack the sessions of all application users. cause of session tokens appearing in system logs is where an application uses the URL query string as a mechanism for transmitting tokens, as opposed to using HTTP cookies or the body of POST requests

Weaknesses in Session Token Handling Vulnerable session termination (1) Some applications do not provide effective logout functionality: A log-out function is not implemented The logout function does not actually cause the server to invalidate the session When a user clicks Logout, this fact is not communi- cated to the server at all, and so the server performs no action whatsoever. Proper termination of sessions is important to reduce the window of opportunity within which an attacker may capture, guess, or misuse a valid session token. However, some applications do not provide effective logout functionality. This can be due to: No implementation of a logout funtion Logout funtions doesnt cause the server to terminate the session When a user clicks logout this is not communicated to the server at all

Vulnerable session termination (2) Hack steps: Investigate whether session expiration is implemented on the server side Determine whether a logout function exists and is prominently made available to users. If not, users are more vulnerable because they have no means of causing the application to invalidate their session. Where a logout function is provided, test its effectiveness. After logging out, attempt to reuse the old token and determine whether it is still valid. If so, users remain vulnerable to some session hijacking attacks even after they have “logged out.” investigate whether session expiration is implemented on the server side: (STEPS TO INVESTIGATE) Log in to the application to obtain a valid session token. Wait for a period without using this token, and then submit a request for a protected page (e.g., “my details”) using the token. If the page is displayed as normal, then the token is still active. Use trial and error to determine how long any session expiration time- out is, or whether a token can still be used days after the last request using it.

Weaknesses in Session Token Handling Client Exposure to Token Hijacking Hack steps (1): Identify any cross-site scripting vulnerabilities within the application and determine whether these can be exploited to capture the session tokens of other users If the application issues session tokens to unauthenticated, obtain a token and perform a login.

Hack steps (2): Check whether the application is willing to return to the login page eventhough you are already authenticated, sumbit another login as a different user using the same token. If it does not issue a fresh token, it is vulnerable to session fixation Identify the format of session tokens used by the application. Modify your token to an invented value that is validly formed, and attempt to login. If the application allows you to create an authenticated session using an invented token, then it is vulnerable to session fixation.

Securing Session Management In order to perform session management in a secure manner: Generate strong tokens Protect Tokens throughout Their Lifecycle should only ever be transmitted over HTTPS never be transmitted in the URL Logout functionality should be implemented Session expiration should be implemented after a suitable period of inactivity (e.g., 10 minutes). Etc. Firstly, generate strong tokens. The tokens used to re-identify a user between successive requests should be generated in a manner that does not provide any scope for an attacker who obtains a large sample of tokens from the application in the usual way to pre- dict or extrapolate the tokens issued to other users. The most effective token generation mechanisms are those that: - use an extremely large set of possible values, and contain a strong source of pseudo-randomness, ensuring an even and unpredictable spread of tokens across the range of possible values. Also, protect tokens throughout their lifecycle Having created a robust token whose value cannot be predicted, this token needs to be protected throughout its lifecycle from creation to disposal, to ensure that it is not disclosed to anyone other than the user to whom it is issued Should only ever be transmitted over HTTPS Never be transmitted in the URL Logout functionality should be implemented Session expiration should be implemented after a suitable period of inactivity (e.g., 10 minutes). And to defend session management mechanisms against attacks: -

Securing Session Management Per-page Tokens New page is created every time Prevents session fixation attacks a new page token is created every time a user requests an application page (as opposed to an image, for example) and is passed to the client in a cookie or a hidden field of an HTML form. Each time the user makes a request, the page token is validated against the last value issued, in addition to the normal validation of the main session token. In the case of a non-match, the entire session is terminated While the use of per-page tokens does impose some restrictions on navigation (for example, on use of the back and forward buttons and multi-window brows- ing), it effectively prevents session fixation attacks and ensures that the simulta- neous use of a hijacked session by a legitimate user and an attacker will quickly be blocked after both have made a single request