Published on July 24, 2014
Session Management
Attacking the post-login state management system.
Background
HTTP is a stateless protocol. Cookies were introduced to keep state, but state can be tracked with other mechanisms too.
Session Management Machinery (client/server exchange)
Client -> Server: GET /resource
Server -> Client: Set-Cookie: cookie
Client -> Server: Cookie: cookie
Client -> Server: Cookie: cookie (repeated on every subsequent request)
Common Attacks
Session Guessing
Session Hijacking
Session Fixation
Cross-site Request Forgery (CSRF)
Session Guessing
Weaknesses: cryptographically weak tokens; improper use of cryptography; not enough entropy.
Attacks: analyzing the session entropy; finding session collisions.
Which Is The Weakest?
Set-Cookie: SESID=1328802552...
Set-Cookie: SESID=31b0b3ff82776a18a081973be4f8dd76...
Set-Cookie: SESID=04ee313c76d3b90087bd333fe041b5c8f6dd19eb...
Session Hijacking
Weaknesses: sessions are sent over plain HTTP; lack of the Secure flag; lack of the HttpOnly flag.
Attacks: sniffing network traffic; hijacking the session via XSS.
Sniffing The Network
sudo tcpdump -i en1 -w session.pcap
tcpdump -r session.pcap -A | grep 'Set-Cookie:'
tcpflow -i en1
Session Fixation
Weaknesses: the session is created before login; the session is never expired; the session is user controlled.
Attacks: obtain a valid session and send it to the victim to authenticate with.
Session Fixation In Action (Attacker, App, Victim)
1. Attacker asks the App for a cookie.
2. App: "Here is a cookie."
3. Attacker sets that cookie in the Victim's browser.
4. Victim authenticates and the attacker uses the now-authenticated cookie.
Cross-site Request Forgery
Weakness: cookies are sent automatically.
Attacks: forging client-side requests.
CSRF In Action (Attacker, Victim, App)
1. Victim authenticates to the App.
2. Victim visits the attacker's site.
3. Victim's browser sends the attacker's payload to the App.
Security Controls
Strong session token
Correct Same Origin Policy
Secure flag
HttpOnly flag
Reduced persistence
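As an added example (not part of the course slides), a minimal Python session layer that applies the controls above: a CSPRNG-generated token, Secure and HttpOnly flags with a short Max-Age, session rotation at login against fixation, and a per-session CSRF token checked on state-changing requests. The SameSite attribute, the cookie name SESID and the in-memory SESSIONS store are assumptions beyond the slides.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Hypothetical in-memory session store, used only for this example.
SESSIONS = {}


def new_session_id():
    # 32 bytes from the OS CSPRNG (256 bits of entropy); a timestamp or
    # counter, as in the first SESID above, is guessable.
    return secrets.token_urlsafe(32)


def session_cookie_header(session_id, max_age=900):
    """Build the Set-Cookie value: Secure (HTTPS only, defeats sniffing),
    HttpOnly (not readable by script, blunts hijacking via XSS), SameSite=Lax
    (withheld on cross-site POSTs) and a short Max-Age (reduced persistence)."""
    c = SimpleCookie()
    c["SESID"] = session_id
    c["SESID"]["secure"] = True
    c["SESID"]["httponly"] = True
    c["SESID"]["samesite"] = "Lax"
    c["SESID"]["max-age"] = max_age
    c["SESID"]["path"] = "/"
    return c.output(header="").strip()


def login(pre_auth_sid, username):
    """On successful authentication discard the pre-login session id and issue
    a fresh one, so an id planted by an attacker never becomes authenticated."""
    SESSIONS.pop(pre_auth_sid, None)
    sid = new_session_id()
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return sid


def verify_csrf(sid, submitted_token):
    """A state-changing request must carry the per-session token; a forged
    cross-site request gets the cookie sent automatically but cannot know the
    token. Constant-time compare avoids leaking it byte by byte."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return False
    return hmac.compare_digest(sess["csrf"], submitted_token)
```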
Lab Let's do some session management attacks.