Ch. 7 -Attacking Session Management Latasha A. Gibbs CSCE 813 – Internet Security, Fall 2012 College of Engineering and Computing University of South Carolina.

Slides:



Advertisements
Similar presentations
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Advertisements

SEC835 OWASP Top Ten Project.
CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug scotthel.me.
ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.
Attacking Session Management Juliette Lessing
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
Security+ Guide to Network Security Fundamentals
Online Security Tuesday April 8, 2003 Maxence Crossley.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.
CMSC 414 Computer and Network Security Lecture 18 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Chapter 6 Security & Privacy Web servers continue to be attractive target for hacker for variety of reasons –Most easy target –Personal satisfaction –Political.
Domain Name System Security Extensions (DNSSEC) Hackers 2.
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Course 201 – Administration, Content Inspection and SSL VPN
OWASP Zed Attack Proxy Project Lead
HTTP and Server Security James Walden Northern Kentucky University.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
CSC 2720 Building Web Applications Cookies, URL-Rewriting, Hidden Fields and Session Management.
CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Penetration Testing James Walden Northern Kentucky University.
Csci5233 Computer Security1 Bishop: Chapter 27 System Security.
Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.
JavaScript, Fourth Edition
Web Programming Language Week 7 Dr. Ken Cosh Security, Sessions & Cookies.
COMP3121 E-Commerce Technologies Richard Henson University of Worcester November 2011.
Chapter 8 Cookies And Security JavaScript, Third Edition.
CSCE 715: Network Systems Security
Chapter 2. Core Defense Mechanisms. Fundamental security problem All user input is untrusted.
Kerberos Named after a mythological three-headed dog that guards the underworld of Hades, Kerberos is a network authentication protocol that was designed.
Chapter 1 Overview The NIST Computer Security Handbook defines the term Computer Security as:
SEC835 Runtime authentication Secure session management Secure use of cryptomaterials.
Ram Santhanam Application Level Attacks - Session Hijacking & Defences
Session and Cookie Management in.Net Sandeep Kiran Shiva UIN:
Broken Authentication & Session Management. What is it ? Bad implementation of authentication and session management. If an attacker can get your session.
Network Security, CS6262 Richard G. Personal Information Masquerading, Profiling, Snooping.
Denial-of-Service, Address Ownership,and,Early Authentication in IPv6 World (An Approach) Aditya Vutukuri From article by Pekka Nikander Ericsson Research.
Cookies and Sessions IDIA 618 Fall 2014 Bridget M. Blodgett.
CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP.
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 1 “Overview”. © 2016 Pearson.
Web2.0 Secure Development Practice Bruce Xia
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Web Security.
Web Application (In)security Note: Unless noted differently, all scanned figures were from the textbook, Stuttard & Pinto, 2011.
Firewalls A brief introduction to firewalls. What does a Firewall do? Firewalls are essential tools in managing and controlling network traffic Firewalls.
Session Management Tyler Moore CS7403 University of Tulsa Slides adapted in part or whole from Dan Boneh, Stanford CS155 1.
Dos and Don’ts of Client Authentication on the Web Kevin Fu, Emil Sit, Kendra Smith, Nick Feamster Presented: Jesus F. Morales.
Sessions and cookies (part 2) MIS 3501, Fall 2015 Brad N Greenwood, PhD Department of MIS Fox School of Business Temple University 11/19/2015.
ASP.NET 2.0 Security Alex Mackman CM Group Ltd
Spoofing The False Digital Identity. What is Spoofing?  Spoofing is the action of making something look like something that it is not in order to gain.
PHP: Further Skills 02 By Trevor Adams. Topics covered Persistence What is it? Why do we need it? Basic Persistence Hidden form fields Query strings Cookies.
ASHRAY PATEL Protection Mechanisms. Roadmap Access Control Four access control processes Managing access control Firewalls Scanning and Analysis tools.
Srinivas Balivada USC CSCE548 07/22/2016.  Cookies are generally set server-side using the ‘Set-Cookie’ HTTP header and sent to the client  In PHP to.
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
Security Testing Methods
100% Exam Passing Guarantee & Money Back Assurance
World Wide Web policy.
Securing the Network Perimeter with ISA 2004
CSC 495/583 Topics of Software Security Intro to Web Security
Presentation transcript:

Ch. 7 -Attacking Session Management Latasha A. Gibbs CSCE 813 – Internet Security, Fall 2012 College of Engineering and Computing University of South Carolina Adapted from The Web Application Hacker’s Handbook 2 nd Edition by Dafydd Stuttard and Marcus Pinto 1

OVERVIEW The Need Weaknesses of Token Generation Weaknesses of Session Token Handling Securing Session Management Summary 2

THE NEED Reminder: HTTP Protocol is stateless Majority of web “sites” are actually web applications The session management mechanism is a fundamental security component in most web applications 3

TRUE OR FALSE? If we use smartcards for authentication, a user’s session cannot be compromised without them? 4

SESSION MANAGEMENT VULNERABILITIES HTTPOnly Flag Not Set Secure Flag Not Set Session Porting Permitted Persistent Cookie Cookieless Sessions in Use Session Token Content Weaknesses Session Token Not Regenerated on Login Cookie Domain and Path not Restricted JUST A FEW VULNERABILITIES! 5

WHAT HAPPENS IF THE ATTACKER SUCCEEDS? 1.Attacker can bypass authentication 2.Attacker can masquerade as a legitimate user 3.Attacker can compromise an administrative user or own the entire application The list goes on… 6

OVERVIEW The Need Weaknesses of Token Generation Weaknesses of Session Token Handling Securing Session Management Summary 7

WEAKNESSES IN TOKEN GENERATION Meaningful Tokens Predictable Tokens Concealed Sequences Weak Random Number Generation 8

MEANINGFUL TOKENS Tokens containing account username, first or last names, date/time stamp, client IP, etc. Attackers can use a hexadecimal decoder to reveal the session token easily Examples of online decoders include: or d b d61646d696e3b d30312f31322f3131 User=daf;app=admin;date=10/09/11 9

WEAK RANDOM NUMBER GENERATION Predictable pseudorandom generator used After a visual inspection, a more rigorous approach to test the quality of randomness is necessary Burp Sequencer is a tool that will test randomness of web application tokens Obtaining a sample size of 20,000 tokens, will achieve compliance with FIPS test for randomness 10

OVERVIEW The Need Weaknesses of Token Generation Weaknesses of Session Token Handling Securing Session Management Summary 11

WEAKNESSES IN TOKEN HANDLING Disclosure of tokens on network Occurs when tokens are transmitted in an unencrypted form For example, a site that uses HTTPS to protect login, but reverts to HTTP for the remainder of the user session Disclosure of Tokens in System Logs An application may use the URL query string as a mechanism for transmitting tokens For example, google search inurl:jsessionid will produce a list of applications that transmit the Java platform session token 12

DO’S & DON’TS Tokens should only be transmitted over HTTPS Tokens should never be transmitted in the URL Visibility of session token for administrative or diagnostic purposes should be limited Logout functionality should be implemented Session expiration should be implemented Concurrent logins should be prevented Restrict domain and path scope of application should be restricted as much as possible 13

COMMON MYTHS “Our token is secure from disclosure to 3 rd -parties because we use SSL.” “Our token is generated by the platform using cryptographically sound technologies.” 14

OVERVIEW The Need Weaknesses of Token Generation Weaknesses of Session Token Handling Securing Session Management Summary 15

HOW CAN WE ENSURE SECURE SESSIONS? 16

SECURING SESSION MANAGEMENT Appears simple...as generating strong tokens and providing token protection throughout life cycle But…requires developers to have an in- depth understanding of protocols, algorithms, and black-hat community attacks 17

OVERVIEW The Need Weaknesses of Token Generation Weaknesses of Session Token Handling Securing Session Management Summary 18

SUMMARY Web Applications with Broken Session Management = Keys to the Kingdom Possible avenues of attack are endless Secure session management is necessary to protect web applications 19

FURTHER READING OWASP-Session Management Cheat Sheet Paper on Secure Session Management with Cookies Paper on Web Session Management Session Management for Clustered Applications html 20

Thanks and have a lovely evening… QUESTIONS? 21

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.