Session ID and its Predictability: Authentication Bypass

Session ID
The stateless nature of HTTP requires a solution for uniquely tracking a visitor to a web-based application. Various methods of managing a user's session have been proposed and used, but the most popular is the use of unique session IDs.
Unfortunately, we have often seen session ID management implemented poorly by sites, which leaves those sites prone to attack.


Managing a user's state information through session IDs is directly tied to the authentication process. It would be possible to force a user to provide authentication information (in the form of user name and password) for each "restricted" page or data submission, but that would obviously soon become cumbersome and tedious on both the server and the client side. Thus the focus should be on generating secure session IDs that uniquely identify an authenticated user, thereby indirectly regulating access to site content or information.
Designing  session management policy 
The following questions have to be raised while designing a session management policy:
  1. How are clients expected to use the application?
  2. At what stage is it really necessary to manage the state of a client's session?
  3. What level of damage can be done to a legitimate client if an attacker is able to impersonate them and hijack their account?
  4. How long should a valid session be allowed to live; in short, what is the session expiry time?
  5. How will the application identify real hijacking attempts?
  6. How is a secure session ID generated?

Maintaining State

Application developers have generally used three methods to allocate and receive session ID information:
  • Session ID information embedded in the URL
  • Session ID information stored in a hidden form field and submitted back with each subsequent HTTP POST
  • Through the use of cookies
Each method has certain advantages and disadvantages, and one may be more appropriate than another. The choice depends largely on the type of service the web application delivers and its intended audience. We discuss each of the methods below with its pros and cons.

1. Passing the session ID through the URL
Look at the URL below:
http://www.example.com/dashboard;sessionid=abc09876

Advantage:-
a) Can be used even if the client has disabled cookies.

Disadvantages:-
1. If the web application uses unencrypted communication, the URL carrying the session ID leaks over the network, making the user's account vulnerable to attack.
2. It leaks in the HTTP Referer header whenever the page links to or loads resources from a third-party site.
3. It is stored in browser history and bookmarks (and in proxy and web server logs); an attacker on the same machine can reuse it if the server side does not invalidate the session properly.
4. If the randomness of the session ID is low, an attacker can tamper with the session ID in the URL to guess other valid sessions (a video related to this issue is also shown in the post below).


2. Session ID stored in a hidden form field

<form method="post" action="/executeAction">

  <input type="hidden" name="sessionId" value="axzsdfghjkloiuyt" />
  <input type="hidden" name="action" value="navigateTodashboard" />
</form>

Advantages:-
a) The URL no longer contains the session ID, so it does not end up in browser history, bookmarks or server logs.
b) Less prone to CSRF, since the session identifier does not travel in a cookie that the browser attaches to every request automatically.
c) Can be used in environments where cookies are disabled.

Disadvantages:-
 1) If page caching is not disabled, the page containing the hidden field (and therefore the session ID) can be cached by the browser.
 2) The session ID is part of every response, which increases the size of each response.
 3) Again, the randomness of the session ID plays an important role here.

3. Session ID in a cookie:-
Set-Cookie: sessionID=axdfg60012219; Path=/; Domain=www.app.com; Expires=Sat, 01 Jun 2013 00:00:00 GMT


Advantages:

    a) Both persistent and session cookies can be used to regulate access to the web application.
    b) Session ID timeouts can be controlled, on the server side and through the cookie's Expires/Max-Age attributes.
Disadvantages:

  a) If the cookie is not marked HttpOnly and the application is vulnerable to XSS, an attacker can extract the session cookie with script. Likewise, without the Secure flag the cookie is also sent over plain HTTP, where it can be sniffed.

b) Again, the randomness of the session ID plays an important role here (a video related to the issue is also shown in the post below).
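The cookie disadvantages above come down to a handful of Set-Cookie attributes. The following is an added example (not code from the original post) that audits a Set-Cookie header for the HttpOnly, Secure and SameSite flags and builds a hardened header with the standard library. The weak header is a constructed sample adapted from the post's own Set-Cookie line; the function names are the example's own.

```python
"""Audit Set-Cookie headers for session-cookie hardening flags.

Added example, not code from the original post. WEAK_HEADER is a constructed
sample adapted from the post's Set-Cookie line.
"""
from http.cookies import SimpleCookie

# Constructed sample: the post's cookie, which carries no hardening flags.
WEAK_HEADER = ("sessionID=axdfg60012219; path=/; domain=www.app.com; "
               "expires=Sat, 01 Jun 2013 00:00:00 GMT")


def parse_set_cookie(header: str) -> tuple:
    """Return (name, value, {attribute_lowercase: value}) for one Set-Cookie header.

    Flag attributes without a value (HttpOnly, Secure) map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header: str) -> list:
    """List the problems a pentester would flag on a session cookie header."""
    _name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by script if the site has an XSS")
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plain HTTP")
    if "samesite" not in attrs:
        findings.append("missing SameSite: cookie is attached to cross-site requests (CSRF)")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent cookie: survives browser close; prefer a session cookie")
    return findings


def build_session_cookie(name: str, value: str) -> str:
    """Build a hardened Set-Cookie header value with http.cookies.SimpleCookie.

    No Expires/Max-Age is set, so the browser discards it when closed and the
    server-side timeout decides the real lifetime.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = "/"
    cookie[name]["httponly"] = True
    cookie[name]["secure"] = True
    cookie[name]["samesite"] = "Lax"   # needs Python 3.8+
    return cookie.output(header="").strip()


if __name__ == "__main__":
    for finding in audit_session_cookie(WEAK_HEADER):
        print("weak cookie:", finding)
    hardened = build_session_cookie("sessionID", "axdfg60012219")
    print("hardened:", hardened)
    print("hardened findings:", audit_session_cookie(hardened))
```

The audit deliberately treats Expires/Max-Age as a finding: a persistent session cookie lets a hijacked session outlive the user's browser, so the expiry should be enforced on the server rather than delegated to the cookie.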

Qualities of a session ID for strong session management
1. Session randomness
2. Session ID length


Session Randomness
It is important that the session ID is unpredictable and that the application uses a strong method of generating random IDs. Ideally the session ID should be a purely random value drawn from a cryptographically secure generator. Do not derive it from predictable variables such as the time, a counter, the user name or the client IP address.

To this end, the session ID should fulfil the following criteria:
  • It must look random
  • It must be unpredictable
  • It cannot be reliably reproduced
Session ID Length
It is important that the session ID be of sufficient length to make it infeasible for a brute-force attack to derive a valid ID within a usable time frame. Note that length alone is not enough: an ID that is long but built from a timestamp and a counter has far fewer bits of entropy than its length suggests. A common recommendation is at least 64 bits of entropy, with 128 bits from a CSPRNG being the usual choice.
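To make the randomness and length points concrete, here is an added example (not code from the original post, and unrelated to the challenge application's real generator). It contains a constructed weak generator of the kind warned about above (timestamp plus counter, hex encoded), a strong generator using the OS CSPRNG, a predictor that recovers the next ID from a few captured weak IDs, and a brute-force time estimate for a given ID size. All function names are the example's own.

```python
"""Predictable vs. unpredictable session IDs.

Added example, not code from the original post. weak_session_id() is a
constructed toy generator that "looks random" but is trivially predictable;
strong_session_id() uses the standard library CSPRNG.
"""
import secrets
import time
from typing import List, Optional

_counter = 0  # state of the constructed weak generator


def weak_session_id(now: Optional[float] = None) -> str:
    """Constructed weak generator: 32-bit timestamp + 16-bit counter, hex encoded.

    12 hex characters looks respectable, but an attacker who knows roughly
    when a session was issued only has to guess the counter.
    """
    global _counter
    _counter += 1
    t = int(now if now is not None else time.time())
    return f"{t:08x}{_counter:04x}"


def strong_session_id(nbytes: int = 16) -> str:
    """128 bits from the OS CSPRNG, URL-safe base64 (22 characters for 16 bytes)."""
    return secrets.token_urlsafe(nbytes)


def predict_next(ids: List[str]) -> Optional[str]:
    """Given captured IDs, guess the next one if they advance by a constant step.

    Returns None when the IDs are not hex or the step is not constant, which
    is what you should see for a CSPRNG-generated ID.
    """
    try:
        values = [int(s, 16) for s in ids]
    except ValueError:
        return None
    steps = {b - a for a, b in zip(values, values[1:])}
    if len(values) < 2 or len(steps) != 1:
        return None
    step = steps.pop()
    return f"{values[-1] + step:0{len(ids[-1])}x}"


def brute_force_years(id_bits: int, active_sessions: int, guesses_per_sec: float) -> float:
    """Expected years to hit any one of `active_sessions` valid IDs by guessing.

    On average half the space must be searched, divided by the number of
    valid IDs present at once (more logged-in users means easier guessing).
    """
    expected_guesses = 2 ** id_bits / (2 * active_sessions)
    return expected_guesses / guesses_per_sec / (365 * 24 * 3600)


if __name__ == "__main__":
    # Attacker captures three of their own weak IDs issued in the same second
    captured = [weak_session_id(now=1700000000.0) for _ in range(3)]
    print("captured:", captured)
    print("predicted next:", predict_next(captured))
    print("actual next:   ", weak_session_id(now=1700000000.0))
    print("strong:", strong_session_id(), "-> predictable?",
          predict_next([strong_session_id() for _ in range(3)]) is not None)
    print("years to guess a 32-bit ID:", brute_force_years(32, 10_000, 1e9))
    print("years to guess a 128-bit ID:", brute_force_years(128, 10_000, 1e9))
```

The practitioner's check is the middle function: collect a few dozen IDs from the target, and if a simple difference or modular analysis predicts the next one, the "random-looking" ID is not random. The brute-force estimate is the other half of the argument: even at a billion guesses per second, a 128-bit ID with ten thousand live sessions is out of reach, whereas a 32-bit ID falls in well under a second.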

So now let's move to our exercise.

Challenge: it is all about predicting the right session ID of other users and achieving an authentication bypass.



Consider an application that normally allows users to log in as 'GUEST'. As an attacker, our task is to bypass authentication by predicting the session ID issued to other authenticated users.



Challenge link:-
http://pentesteracademylab.appspot.com/lab/webapp/sid/2

Solution video