Session Management Security and Applied Reverse Benchmarking - Tom Stracener, Sr. Security Analyst, Cenzic Inc. November 2007
Cenzic Confidential
Agenda
- Security statistics
- Application layer basics
- Session management vulnerability types
- Session poisoning as a research area
- Reverse benchmarking as applied to session management testing methods
- Q&A
Web Vulnerabilities (chart; source: Cenzic Q3 Application Trends Report)
Web Vulnerabilities by Major Type (chart; source: Cenzic Q3 Application Trends Report)
Web Browser Vulnerabilities (chart; source: Cenzic Q3 Application Trends Report)
Percentage of Applications by Vulnerability (chart; source: Cenzic Q3 Application Trends Report, Cenzic ClickToSecure Managed Services)
Incidents by Category (chart; source: Cenzic Q3 Application Trends Report)
Incidents by Sector (chart; source: Cenzic Q3 Application Trends Report)
Vulnerability by Class (chart; source: Cenzic Q3 Application Trends Report)
Anatomy of a Web Application (single-factor session management)
UI Layer (browser logic): Web browser, JavaScript, Plug-ins/API, Java, DOM, HTML/DHTML, Cookies
Communication Layer (protocol layer): HTTP, SSL, HTTP-S, Authentication, Certificates, Digital signatures
Server and Middleware (session management): Web server SW/HW, J2EE, PHP, ASP, Java, .NET
Custom Applications: JavaScript, VB Script, C/C++, PHP/LAMP, CGI
Data Layer: Databases, SSI, Raw data, CSS/XSL, XML, File system
Session Mgmt Overview
HTTP is a stateless protocol. A session identifies a user with a persistent (but changing) state within the application. Web applications must therefore track and maintain state for a user across application boundaries over time. The speaker's estimate: 99% of all session management mechanisms offer only single-factor protection (possession of the token is the whole proof of identity) and were not designed with security in mind.
Session Mgmt Overview: Types of session management mechanisms
- Cookies (RFC 2109)
- HTML hidden field values
- URL tokens, e.g. http://eBiz/Cart/checkout.php?session_id=2006011617415164.60.123.42&pid=&cat_id=&attrib
3 Challenges of Session Mgmt Security
1. Web applications must maintain state securely. User session data must individuate one user from another so that state information does not overlap, in order to enforce proper user privileges and roles. Ex. users 2Pac (registered user), 50Cent (admin) and Master P (anonymous) have access to different pages and functions within the application.
2. Distributed components within web applications must share user session information securely. User session data must be shared with, and validated by, every application component that processes a user's requests and the information associated with that user. Ex. shopping cart (add/remove items), wish list (add/remove items), checkout and transaction (SSL), order confirmation (SSL), receipt (SSL).
3. State-maintaining mechanisms must handle state transitions securely as the user moves between functional hierarchies. As the user's privilege level changes within the application, state tracking must handle these transitions without data leaks or exposures. Ex. Spot (anonymous) authenticates and adds several items to his wish list (registered), then makes a purchase (SSL cart) by selecting an item and performing the transaction (SSL cart); the transaction details are stored in Spot's purchase history (SSL cart).
Misconceptions Regarding Session Security
- "Our sessions are secure."
- "There really aren't any exploits."
- "Our session IDs aren't predictable, so we are safe."
Cookie Security Flaws
Types of cookie security flaws:
- Cookie tampering
- Cookie persistence and expiration
- Cookie theft/hijacking (single-factor attack)
- Cross-site cooking (cookie-based session fixation)
Types of session ID flaws:
- Session replay attacks / expiration
- Session poisoning (new)
- Session hijacking (single-factor attack)
- Session tampering / prediction
Session Vulnerabilities and Examples: Insecure Session Teardown / Session Timeout
The session IDs used during a session are not invalidated server-side when the session is terminated or goes idle, so an attacker who has obtained a session ID can reuse it to access the previous user's session (a non-concurrent attack).
Timeline: T1 session S1 issued; T2 S1 in use; T3 user logs out (L1); T4 attacker reuses S1 after logout L1.
Session Vulnerabilities and Examples: Session Replay Attacks
Session information persistently stored by an intermediate server or application is reused to access a user's session. Places where it accumulates:
1. Caching proxies
2. Web proxies / reverse proxies
3. Internet gateways
4. Logging servers (Webtrends, etc.)
URL-based session IDs end up in web server logs and proxy server logs, and are leaked to third-party sites in the HTTP Referer header. A session replay attack uses these recorded credentials to gain access to the application and take over an existing session.
Session Vulnerabilities and Examples: Session ID Prediction
Generating sequential session IDs is dangerous: an attacker can predict the next value and take over a concurrent session. Building session IDs from static or observable information such as the date and the client's IP address lets an attacker break the ID down into its fields, leaving only a small part to guess and making it far easier to brute force valid tokens. In the example below the ID appears to be a 14-digit timestamp followed by an IP address, and consecutive IDs differ in a single digit:
/Cart/checkout.php?session_id=2006011617415164.60.123.42&pid=&cat_id=&attrib
/Cart/checkout.php?session_id=2006011617416164.60.123.42&pid=&cat_id=&attrib
/Cart/checkout.php?session_id=2006011617417164.60.123.42&pid=&cat_id=&attrib
/Cart/checkout.php?session_id=2006011617418164.60.123.42&pid=&cat_id=&attrib
Session Vulnerabilities and Examples: Session ID Prediction (example screenshot)
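To make the prediction concrete, here is an added Python example (not part of the slides or of any Cenzic tool) that parses the four URL-token session IDs shown above, splits each into a timestamp-like and an IP-like field, finds the only character position that varies between samples, and predicts the next ID a sequential generator would issue. The reading of the token as 14 timestamp digits plus a dotted-quad IPv4 is an inference from its shape, and the function names are the example's own.

```python
import re
from urllib.parse import parse_qs, urlparse

# The four URLs are the slide's own examples. Everything else (field names,
# the timestamp+IPv4 reading of the token, function names) is this example's
# own inference, not Cenzic's material.
SAMPLE_URLS = [
    "/Cart/checkout.php?session_id=2006011617415164.60.123.42&pid=&cat_id=&attrib",
    "/Cart/checkout.php?session_id=2006011617416164.60.123.42&pid=&cat_id=&attrib",
    "/Cart/checkout.php?session_id=2006011617417164.60.123.42&pid=&cat_id=&attrib",
    "/Cart/checkout.php?session_id=2006011617418164.60.123.42&pid=&cat_id=&attrib",
]

# 14 digits that look like YYYYMMDDHHMMSS, followed by a dotted-quad IPv4.
ID_SHAPE = re.compile(r"^(?P<stamp>\d{14})(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")


def extract_session_id(url):
    """Return the session_id query parameter of a request URL."""
    return parse_qs(urlparse(url).query)["session_id"][0]


def decompose(session_id):
    """Split a token into (timestamp_field, ip_field), or None if it does not
    have that shape. Recognisable fields are what lets an attacker remove the
    'static information' from the guessing problem."""
    m = ID_SHAPE.match(session_id)
    return (m.group("stamp"), m.group("ip")) if m else None


def varying_positions(ids):
    """Character positions that differ across the observed tokens: the only
    part an attacker has to guess once the static fields are known."""
    return [i for i in range(len(ids[0])) if len({s[i] for s in ids}) > 1]


def guess_space(ids):
    """Upper bound on guesses for the next token if only the varying positions
    are unknown and they hold decimal digits."""
    return 10 ** len(varying_positions(ids))


def predict_next(ids):
    """If the numeric field advances by a constant step across the samples,
    return the next token the server will issue; otherwise None."""
    parts = [decompose(s) for s in ids]
    if any(p is None for p in parts):
        return None
    stamps = [int(p[0]) for p in parts]
    steps = {b - a for a, b in zip(stamps, stamps[1:])}
    if len(steps) != 1:
        return None
    (step,) = steps
    return f"{stamps[-1] + step:014d}{parts[-1][1]}"


if __name__ == "__main__":
    ids = [extract_session_id(u) for u in SAMPLE_URLS]
    print("fields:", decompose(ids[0]))
    print("varying positions:", varying_positions(ids))
    print("guess space:", guess_space(ids))
    print("predicted next id:", predict_next(ids))
```

Run against the slide's four tokens, only position 12 varies, so the "brute force" is ten guesses, and the predicted next token is the current one plus the observed step. A token built from a CSPRNG (for instance 128 bits encoded as hex) has no decomposable fields and every position varies, which is the property the slide's sequential scheme lacks.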
Session Vulnerabilities and Examples: Session Hijacking
The attacker submits a concurrent request carrying a valid session ID of a current user and gains access to that user's web session. The attack can combine other attacks to capture a live session ID, or capture unencrypted session tokens from the LAN:
- Brute force attacks against session IDs
- Local sniffer-based attacks
- Cookie reuse
- URL session ID harvesting/logging via a proxy or XSS
Session Vulnerabilities and Examples: Session Fixation
The attacker fixes the user's session ID prior to authentication, so that the session ID supplied by the attacker is the one the application keeps using once the user logs in. Depends upon the application trusting a session ID supplied by the client instead of issuing a fresh one at authentication. The ability to generate or predict session IDs that are valid for the session token syntax makes the attack more likely to succeed.
Session Vulnerabilities and Examples: Session ID Poisoning (new research area)
The attacker appends arbitrary data to a user's session ID, so that potentially unsafe content is propagated via the session ID mechanism. Depends upon the application accepting the session ID without validating or sanitizing it: the appended data does no harm to the application itself, so the request is served normally. Ex. session_id=ghzdkfl11020003 followed by malicious content.
Session Poisoning Attack Example
http://www.internet.com/forums/viewtopic.php?p=36660&sid=15170326da8f83631f59d120a6dea3f8<script>alert(document.cookie)</script>
Characteristics of the attack:
1. Malicious content "piggybacks" on a session ID.
2. The content is innocuous to the attacked application.
3. The malicious content is logged by intermediaries.
4. The malicious content is executed (reflected) by an intermediary, e.g. a web proxy server.
Versions of PHP are vulnerable when used in conjunction with software that relies on PHP's session management mechanism. Verified on Apache/2.0.55 (Win32) with PHP/5.1.2.
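The attack has two places it can be stopped, and the following added Python example (not from the slides, and not Cenzic or PHP code) shows both: the application can refuse any session ID that does not match a strict allow-list before using, logging or echoing it, and an intermediary that renders its logs must output-encode them. The poisoned request is reconstructed from the slide's example as a constructed sample; the allow-list regex, log format and function names are assumptions made for the illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Hypothetical strict allow-list for a session id: alphanumerics plus ',' and
# '-', 22 to 128 characters. Assumption for this example, not PHP's own rule.
SID_ALLOWLIST = re.compile(r"^[A-Za-z0-9,-]{22,128}$")

# Constructed sample, modelled on the slide's poisoned request.
POISONED_URL = (
    "http://www.internet.com/forums/viewtopic.php?p=36660"
    "&sid=15170326da8f83631f59d120a6dea3f8<script>alert(document.cookie)</script>"
)


def sid_from_url(url):
    """Return the sid query parameter, or None when absent."""
    return parse_qs(urlparse(url).query).get("sid", [None])[0]


def lenient_lookup(sid, sessions):
    """Flawed application behaviour: any string is accepted as a session key.
    A poisoned sid simply misses the store and a fresh anonymous session is
    started, so nothing breaks and the payload is 'innocuous' to the app,
    while it is now present in every access log that records the URL."""
    if sid not in sessions:
        sessions[sid] = {"user": None}
    return 200


def strict_lookup(sid, sessions):
    """Hardened: reject a malformed sid before it is used as a key, logged or
    echoed anywhere. Nothing is ever appended to a valid id this way."""
    if sid is None or not SID_ALLOWLIST.match(sid):
        return 400
    if sid not in sessions:
        sessions[sid] = {"user": None}
    return 200


def access_log_line(client_ip, url, status):
    """Common-log-style line as a proxy or log server would record it
    (constructed format)."""
    return f'{client_ip} - - "GET {url} HTTP/1.1" {status}'


def render_log_row_unsafe(line):
    """Log viewer that pastes the raw line into HTML: this is the intermediary
    on which the piggybacked script finally executes."""
    return f"<tr><td>{line}</td></tr>"


def render_log_row_safe(line):
    """Same viewer with output encoding; the payload is displayed, not run."""
    return f"<tr><td>{html.escape(line, quote=True)}</td></tr>"


if __name__ == "__main__":
    sid = sid_from_url(POISONED_URL)
    print("lenient app:", lenient_lookup(sid, {}))
    print("strict app: ", strict_lookup(sid, {}))
    line = access_log_line("198.51.100.7", POISONED_URL, 200)
    print(render_log_row_unsafe(line))
    print(render_log_row_safe(line))
```

The lenient path returns 200 and leaves the payload in the log; the strict path returns 400 so it never reaches a log. Because the intermediary is usually operated by someone else, the application-side check is the one the application owner controls.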
Reverse Benchmarking and Session Management Security Testing Procedures (A Scanner Darkly)
Analyzing Application Security Scanners
Security assessment methods and quality-based criteria:
- Functionality (black box vs white box)
- Ergonomics and usability
- Performance
- Feature sets ("bling")
- Accuracy: false positive rates, i.e. signal to noise
Analyzing Application Security Scanners: Benchmarking Concepts
- Benchmarking black box scanners is ultimately a systematic comparison.
- The most common technique is "positive" or "comparative" benchmarking.
- The goal is to see which scanner does best against a selected application.
Positive and Negative Accuracy Concepts: Detection Metrics Matrix (chart)
What is Reverse Benchmarking?
- A type of passive reverse engineering of the scanner.
- A taxonomic understanding of the causes of false positives.
- Deliberately causes massive numbers of false positives.
- A way of understanding vulnerability detection methods; think of it as detection-logic fuzzing.
- Exposes poor coding and faulty detection logic.
- Reveals security testing design flaws.
- Confuses stateless testing mechanisms.
Rationale for Reverse Benchmarking
- Most of the common false positive types have been around since 1999-2000.
- Most testing mechanisms are entirely stateless and have evolved little.
- Very little is known about false positives as a science.
- There are no taxonomies or Top 10 lists of common false positive types.
Reverse Benchmark Target
A web application built to be scanned, which:
- enumerates and categorizes false positive types;
- reveals vacuous or meaningless results;
- reveals semantic flaws in vulnerability categorization;
- reveals systemic flaws in application spider technology.
Reverse Benchmarking Example: a 4-page test target generated over 57,000 false positives.
Session Hijacking SmartAttack (screenshot)
Reverse Benchmarking Methodology
Active false positive solicitation and reverse fault injection via a sample web application. The reverse benchmarking target can be built to model a production application, which narrows the semantic gap between the false positives it triggers and the false positives found in the production environment.
Reverse Benchmarking Goals
- The goal is not to malign vendors but to aid the security community and help developers avoid repeating the same mistakes with each new generation of technology.
- Performed systematically, reverse benchmarking helps security practitioners learn to quickly distinguish false positives from valid security issues, because they learn the conditions under which the technology they use fails.
- Based on the type of trigger that elicits the false positive, a taxonomy of false positive types can be developed, and a set of common causes or contributing factors outlined for each type.
Common Causes of False Positives: Out of Session Faults
Session management security issues are reported under the mistaken assumption that a session exists when in fact it does not, or after the scanner has lost state with the application. Sub-cases: in-session parameters; in-session progression; stateless progression.
Common Causes of False Positives: Partial Match Problems
Detection strings may be a subset of existing content, so a check is triggered by unrelated words or elements within the HTML or DOM. Ex. GET /search.pl~bak (July 2007) answered 200 OK: the probe for a backup file is satisfied by any page whose content merely contains the string the signature looks for.
Common Causes of False Positives: Parameter Echoing
Parameter values may be echoed back in places within a web application, and the echoed probe string then triggers false positives.

<?php
// Get the form data (empty string if the field was not posted)
$field1 = isset($_POST['comments']) ? $_POST['comments'] : '';
// Echo the value of the comments parameter straight back to the client
echo "Backacha Biatch: $field1";
?>
Common Causes of False Positives: Mistaken Identity
Some security tests look for vulnerability conditions so general that the reported vulnerability must be disambiguated before it can be verified. Many PHP forums, calendars and blogs reuse a common code base, so URIs and application responses overlap. Ex. a single GET /search.pl matches signatures for three different products: Alibaba search (overflow), Paul's Search (SQL injection) and YaBB search.pl (XSS).
Common Causes of False Positives: Semantic Ambiguity
Signature-based detection often relies on signatures that are generic, and therefore neither necessary nor sufficient for the vulnerability to be present. Ex. the string [Microsoft][ODBC SQL Server Driver] in a response shows that a database error was displayed, not by itself that the parameter is injectable. Many false positives arise because the vulnerability is more complex than the conditions the signatures check for.
Common Causes of False Positives: Response Timing
Slow, unresponsive or delayed server-side processing can trigger timing-dependent security checks. Ex. some blind SQL injection tests inject a WAITFOR DELAY expression and measure the response time; a server that is merely slow produces the same delay.
Common Causes of False Positives: Custom 404 Pages
Simple file-scanning routines and other security tests trigger erroneously in the presence of custom 404 pages, because the "not found" page is served with a 200 status. Some signatures instead key on 302 redirects, and a site that redirects every unknown path to an error page fools those. Ex. GET /search.pl~bak → 302 → 200.
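As an added example (not from the slides or from any scanner), the following Python models a target that answers unknown paths either with a custom 404 page at HTTP 200 or with a 302 redirect, and contrasts a naive backup-file check with one that baselines every probe against a random path that cannot exist. It also shows the partial-match pattern, a bare substring test on the response body. The site contents, paths and function names are constructed for the illustration.

```python
import difflib
import secrets


class FakeSite:
    """Constructed target, not a real server. Unknown paths get either a
    friendly 'not found' page at HTTP 200 (mode='custom404') or a 302 redirect
    to an error page (mode='redirect')."""

    NOT_FOUND_PAGE = (
        "<html><body>Sorry, that page does not exist. "
        "Last updated July 2007</body></html>"
    )

    def __init__(self, mode, extra_pages=None):
        self.mode = mode
        self.pages = {
            "/search.pl": "<html><body>Site search. Last updated July 2007</body></html>",
            "/error": self.NOT_FOUND_PAGE,
        }
        self.pages.update(extra_pages or {})

    def get(self, path):
        """Return (status, body) for a GET of path."""
        if path in self.pages:
            return 200, self.pages[path]
        if self.mode == "redirect":
            return 302, ""  # Location: /error, which then answers 200
        return 200, self.NOT_FOUND_PAGE


def naive_backup_check(site, path="/search.pl~bak"):
    """The file-scanning logic criticised above: anything other than a 404
    is taken as proof that the backup file exists."""
    status, _ = site.get(path)
    return status in (200, 302)


def baselined_backup_check(site, path="/search.pl~bak", threshold=0.9):
    """Hardened check: fetch a random path that cannot exist and report a
    finding only when the server treated the probe differently."""
    status, body = site.get(path)
    control = f"/{secrets.token_hex(8)}.none"
    c_status, c_body = site.get(control)
    if status != c_status:
        return status == 200  # probe 200 while the control was redirected
    if status != 200:
        return False  # both redirected: nothing is there
    # Same status for both: a near-identical body is the custom 404 page.
    return difflib.SequenceMatcher(None, body, c_body).ratio() < threshold


def signature_hit(body, signature):
    """The partial-match pattern: a bare substring test on the response,
    which a custom 404 page containing the string satisfies."""
    return signature in body


if __name__ == "__main__":
    real_backup = {"/search.pl~bak": "#!/usr/bin/perl\nuse CGI;\nmy $q = CGI->new;\n"}
    for mode in ("custom404", "redirect"):
        for label, site in (("empty", FakeSite(mode)), ("backup", FakeSite(mode, real_backup))):
            print(mode, label, "naive:", naive_backup_check(site),
                  "baselined:", baselined_backup_check(site))
```

The naive check fires on both empty sites (the slide's two cases), while the baselined check stays quiet there and still fires when the backup file is really present. The same baseline request is also the cheapest defence against the partial-match problem: a signature string that appears in the control response is worthless as evidence.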
Creating a Reverse Benchmark Target
The nature of the target depends on your goals as a researcher.
Reverse engineering:
1. Emphasis on exposing as much of the signature base and rule set as possible without inspecting data files or code; clear generic cases that will likely impact the largest portion of the rule base.
2. Focus on generic trigger signatures, including those of available open source scanners (e.g. placing Nikto detection strings in response data).
Bakeoffs/comparisons:
1. Emphasis on exposing false positives or signature flaws of all varieties, including the uncommon or esoteric; use of non-standard or overly difficult application configurations to stress-test the scanner.
2. Focus on unusual or non-standard trigger signatures, e.g. a JavaScript or Flash road test.
Open Reverse Benchmarking Project
1. Emphasis on exposing as much of the signature base and rule set as possible without inspecting data files or code.
2. Focus on generic trigger signatures.
Backatcha Road Test: Results Overview
- Took 4 popular black box web application security scanners.
- Ran their default policies against the target reverse benchmarking application.
- Put the results into high-level buckets.
- Generated a few graphs with the results.
Out of 4 scanners, 1 scanner generated 92% of the false positive volume, out of roughly 9,000 false positives in total. The other 3 scanners came in at 2%, 2% and 4%: in absolute terms, our 3-page application generated 180, 180 and 360 false positives in the remaining scanners.
Further Research
- Improve the reverse benchmarking target; add more tests.
- Improve the testing methodology; test with more scanners.
- Partner with OWASP.
- Help develop a Reverse Benchmarking module for SiteGenerator.
Hailstorm Overview
The SmartAttack library provides for robust testing and analysis of session security. Session management SmartAttacks target a wide range of session-based vulnerabilities: Session Hijacking, Privilege Escalation and Authorization Boundary.
Session Hijacking SmartAttack (screenshot)
Privilege Escalation SmartAttack
The SmartAttack gathers session credentials from a previous, less privileged user and replays them against the pages visited in a more privileged user's session. If sessions are maintained correctly, pages accessible only to the privileged user must not be reachable with the gathered credentials.
Privilege Escalation SmartAttack (screenshot)
Session Expiration SmartAttack
The SmartAttack gathers session credentials from a previous user and replays them in a different session after the first user has logged out. Any pages still accessible with those credentials are vulnerable to session ID/cookie reuse attacks.
Authorization Boundary SmartAttack
The SmartAttack takes an application traversal recorded from a previous user and attempts to reach the pages restricted to that user while suppressing the session credentials. It tests the authentication/authorization boundaries within an application and also detects fail-open bugs in session management, where a request carrying no valid session is granted access instead of being refused.
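The four checks above (replay after logout from the Session Expiration test, the idle-timeout case from the insecure teardown slide, the Session Fixation scenario, and the fail-open case from the Authorization Boundary test) can all be run against one toy server-side session store. The following is an added Python example, not Cenzic's or Hailstorm's code: SessionStore reproduces the flawed behaviour when hardened=False and closes each hole when hardened=True, and the probe functions return True when the store is vulnerable. The class, page paths, user names and FakeClock are constructed for the illustration.

```python
import secrets

PROTECTED_PREFIX = "/account/"   # constructed: pages that need a logged-in user


class FakeClock:
    """Deterministic clock so idle timeouts can be tested without sleeping."""
    def __init__(self):
        self.now = 1_000_000.0

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


class SessionStore:
    """Toy server-side session store (hypothetical, for this example only)."""
    def __init__(self, hardened, clock, idle_timeout=900):
        self.hardened = hardened
        self.clock = clock
        self.idle_timeout = idle_timeout
        self.sessions = {}  # sid -> {"user": str | None, "last": float}

    def start(self, client_sid=None):
        """Open an anonymous session. Flawed: adopt any id the client presents
        (session fixation). Hardened: always mint a fresh CSPRNG id."""
        if client_sid and not self.hardened:
            sid = client_sid
        else:
            sid = secrets.token_urlsafe(24)
        self.sessions[sid] = {"user": None, "last": self.clock()}
        return sid

    def login(self, sid, user):
        """Authenticate. Hardened: rotate the id on the privilege change so a
        pre-authentication id never becomes an authenticated one."""
        rec = self.sessions.get(sid)
        if rec is None:
            sid = self.start()
            rec = self.sessions[sid]
        if self.hardened:
            del self.sessions[sid]
            sid = secrets.token_urlsafe(24)
            self.sessions[sid] = rec
        rec["user"] = user
        rec["last"] = self.clock()
        return sid

    def logout(self, sid):
        """Flawed: only tells the browser to drop its cookie and leaves the
        server-side record alive (insecure teardown). Hardened: destroy it."""
        if self.hardened:
            self.sessions.pop(sid, None)
        return "Set-Cookie: session_id=; Max-Age=0"

    def request(self, sid, page):
        """Return an HTTP status for a request carrying session id sid."""
        rec = self.sessions.get(sid)
        if rec is not None:
            if self.hardened and self.clock() - rec["last"] > self.idle_timeout:
                del self.sessions[sid]   # idle expiry
                rec = None
            else:
                rec["last"] = self.clock()
        if not page.startswith(PROTECTED_PREFIX):
            return 200
        if self.hardened:
            # Positive check: grant only a known, authenticated session.
            return 200 if rec is not None and rec["user"] else 401
        # Flawed: deny only a session known to be anonymous; a missing or
        # unknown session falls through to 200 (fail open).
        if rec is not None and rec["user"] is None:
            return 401
        return 200


# Probes modelled on the test descriptions above; True means vulnerable.
def replay_after_logout(store):
    sid = store.login(store.start(), "2pac")
    store.logout(sid)
    return store.request(sid, "/account/orders") == 200


def idle_session_survives(store, clock, idle_seconds=3600):
    sid = store.login(store.start(), "2pac")
    clock.advance(idle_seconds)
    return store.request(sid, "/account/orders") == 200


def fixation_succeeds(store):
    fixed = "attacker-chosen-id-0001"
    sid = store.start(fixed)       # victim arrives carrying the attacker's id
    store.login(sid, "50cent")     # victim authenticates
    return store.request(fixed, "/account/orders") == 200  # attacker replays it


def fails_open(store):
    return store.request("no-such-session", "/account/orders") == 200


if __name__ == "__main__":
    for hardened in (False, True):
        clock = FakeClock()
        store = SessionStore(hardened, clock)
        print(f"hardened={hardened}: replay={replay_after_logout(store)} "
              f"idle={idle_session_survives(store, clock)} "
              f"fixation={fixation_succeeds(store)} fail_open={fails_open(store)}")
```

Each probe is written the way the SmartAttacks are described: capture credentials in one session, then present them (or suppress them) in another and look at what the application serves. The hardened store fixes the four findings with four small changes: destroy the record on logout, expire idle records, never adopt a client-chosen id and rotate the id at login, and write the authorization check as a positive test for an authenticated session rather than a negative test for an anonymous one.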
Thank You for Your Time!
Tom Stracener. For more info: tom@cenzic.com or 1-866-4-CENZIC (1-866-423-6942).
Questions & Answers