Web Application Security 101 - 07 Session Management


Published on July 24, 2014

Author: websecurify

Source: slideshare.net


In part 7 of Web Application Security 101 we explore the security aspects of modern session management systems. In particular we look at vulnerabilities such as weak session management, and at session brute-force attacks.

Session Management
Attacking the post-login state management system.

Background
HTTP is a stateless protocol. Cookies were introduced to keep state, but state can be tracked with other mechanisms too.

Session Management Machinery
Client -> Server: GET /resource
Server -> Client: Set-Cookie: cookie
Client -> Server: Cookie: cookie (sent again on every subsequent request)

Common Attacks
Session Guessing
Session Hijacking
Session Fixation
Cross-site Request Forgery (CSRF)

Session Guessing
Cryptographically weak. Improper use of cryptography. Not enough entropy.
Attacks: analyzing the session entropy; finding session collisions.

Which Is The Weakest?
Set-Cookie: SESID=1328802552...
Set-Cookie: SESID=31b0b3ff82776a18a081973be4f8dd76...
Set-Cookie: SESID=04ee313c76d3b90087bd333fe041b5c8f6dd19eb...
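The three tokens on the slide differ in shape, not just length: the first decodes to a Unix timestamp, which makes it predictable regardless of how many digits it has. The following Python is an added example (not part of the course material) that puts a number on that intuition: it computes the maximum entropy a token of a given length and alphabet could carry, flags all-digit tokens that look like timestamps, and generates a replacement id from the OS CSPRNG. It uses the visible portions of the slide's three tokens as input; the 2000..2100 timestamp window and the 64/128-bit thresholds are assumptions chosen for illustration.

```python
import math
import secrets
import string

# The visible portions of the three tokens shown on the "Which Is The Weakest?" slide.
SLIDE_TOKENS = {
    "numeric": "1328802552",
    "hex32":   "31b0b3ff82776a18a081973be4f8dd76",
    "hex40":   "04ee313c76d3b90087bd333fe041b5c8f6dd19eb",
}

# Assumed Unix-time window (2000-01-01 .. 2100-01-01) used to spot time-derived ids.
_TS_MIN, _TS_MAX = 946_684_800, 4_102_444_800


def alphabet_size(token: str) -> int:
    """Smallest standard alphabet that contains every character of the token."""
    chars = set(token)
    if chars <= set(string.digits):
        return 10
    if chars <= set("0123456789abcdef") or chars <= set("0123456789ABCDEF"):
        return 16
    if chars <= set(string.ascii_letters + string.digits):
        return 62
    return 64  # base64 / url-safe style


def max_entropy_bits(token: str) -> float:
    """Upper bound on entropy: what the token could carry if every symbol were random."""
    return len(token) * math.log2(alphabet_size(token))


def is_timestamp_like(token: str) -> bool:
    """All-digit tokens that decode to a plausible Unix time are predictable, not random."""
    return token.isdigit() and _TS_MIN <= int(token) <= _TS_MAX


def assess(token: str) -> dict:
    """Classify a token. The bound is only an upper bound: an MD5 or SHA-1 of a
    predictable seed has the length of a strong token but none of its entropy."""
    bits = max_entropy_bits(token)
    if is_timestamp_like(token) or bits < 64:
        verdict = "weak"
    elif bits >= 128:
        verdict = "strong"
    else:
        verdict = "marginal"
    return {"token": token, "max_bits": round(bits, 1), "verdict": verdict}


def generate_session_id(nbytes: int = 16) -> str:
    """128 bits (default) from the OS CSPRNG, hex-encoded: the fix for weak ids."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    for name, tok in SLIDE_TOKENS.items():
        print(name, assess(tok))
    print("fresh", assess(generate_session_id()))
```

The length-based bound answers the slide's question (the 10-digit timestamp tops out at about 33 bits and is predictable on top of that), but it cannot tell a random 128-bit value from an MD5 of a user name and the clock; for that you still have to read the generator.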

Session Hijacking
Sessions are sent over plain HTTP. Lack of the Secure flag. Lack of the HttpOnly flag.
Attacks: sniffing network traffic; hijacking the session via XSS.

Sniffing The Network
sudo tcpdump -i en1 -w session.pcap
tcpdump -r session.pcap -A | grep 'Set-Cookie:'
tcpflow -i en1

Session Fixation
The session is created before login. The session is never expired. The session is user controlled.
Attacks: obtain a valid session and send it to the victim to authenticate with.

Session Fixation In Action
Participants: Attacker, App, Victim.
1. Ask for a cookie.
2. Here is a cookie.
3. Set the cookie.
4. Use the cookie.

Cross-site Request Forgery
Cookies are sent automatically.
Attacks: forging of client-side requests.

CSRF In Action
Participants: Attacker, Victim, App.
1. Authenticate.
2. Visits site.
3. Sends payload.

Security Controls
Strong session token. Correct same-origin policy. Secure flag. HttpOnly flag. Reduced persistence.
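The controls on this slide answer the three attacks just described: a fresh, strong id issued at login defeats fixation, an idle timeout limits how long a stolen or planted id stays useful, the Secure and HttpOnly flags keep the cookie off the wire and away from scripts, and a per-session synchronizer token turns an automatically-sent cookie into an insufficient credential for a forged request. The Python below is an added example, not the course's or any framework's code; the `SessionStore` class, the `SESID` cookie name, the 900-second idle timeout and the injectable `now` clock are assumptions made for the example.

```python
import hmac
import secrets
import time

SESSION_TTL = 900  # seconds of inactivity before a session is dropped ("reduced persistence")


class SessionStore:
    """Minimal in-memory session store (added example, not the course's code).
    `now` is injectable so expiry can be exercised without waiting."""

    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}  # sid -> {"user": str|None, "csrf": str, "last_seen": float}

    def create(self) -> str:
        """Anonymous pre-login session with a 128-bit id and its own CSRF token."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": None, "csrf": secrets.token_hex(16),
                               "last_seen": self._now()}
        return sid

    def get(self, sid):
        """Return the session, or None if unknown or idle longer than SESSION_TTL."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._now() - s["last_seen"] > SESSION_TTL:
            del self._sessions[sid]  # expire instead of living forever
            return None
        s["last_seen"] = self._now()
        return s

    def login(self, presented_sid, user: str) -> str:
        """Authenticate and rotate the id: whatever id the browser presented
        (possibly one planted by a fixation attack) is discarded, never promoted."""
        self._sessions.pop(presented_sid, None)
        new_sid = self.create()
        self._sessions[new_sid]["user"] = user
        return new_sid

    def logout(self, sid) -> None:
        self._sessions.pop(sid, None)

    def check_csrf(self, sid, submitted) -> bool:
        """Synchronizer-token check for state-changing requests: the submitted form
        value must match the token stored server-side for this authenticated session."""
        s = self.get(sid)
        if s is None or s["user"] is None:
            return False
        return hmac.compare_digest(s["csrf"], submitted or "")


def session_cookie(sid: str, ttl: int = SESSION_TTL) -> str:
    """Set-Cookie value carrying the flags from the Security Controls slide."""
    return f"SESID={sid}; Path=/; Max-Age={ttl}; Secure; HttpOnly"


def missing_cookie_flags(set_cookie: str) -> list:
    """Which of the slide's flags a Set-Cookie header lacks (attribute names are
    case-insensitive, so 'HTTPOnly' and 'HttpOnly' are both accepted)."""
    attrs = {a.strip().split("=", 1)[0].lower() for a in set_cookie.split(";")[1:]}
    return [f for f in ("Secure", "HttpOnly") if f.lower() not in attrs]


if __name__ == "__main__":
    store = SessionStore()
    pre = store.create()                 # id handed out before login
    sid = store.login(pre, "alice")      # rotated at login; `pre` is now dead
    print(session_cookie(sid))
    print("old id still valid?", store.get(pre) is not None)
    print("csrf ok?", store.check_csrf(sid, store.get(sid)["csrf"]))
    print("missing flags:", missing_cookie_flags("SESID=x; Path=/"))
```

`missing_cookie_flags` is the check to run against your own application's responses: a `Set-Cookie` without `Secure` is exactly what the tcpdump line on the sniffing slide picks out of a capture. Modern browsers additionally honour a `SameSite` attribute that narrows cross-site cookie sending; it postdates these slides and is not shown here.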

Lab Let's do some session management attacks.
