Secure those cookies
OWASP lists “Broken Authentication and Session Management” as the second entry in its Top 10 of web application risks and recommends testing every application for weak session management. Session management is the mechanism by which the application tracks a user’s activity across requests, normally by issuing a session identifier and storing it in a cookie.
Session and Cookie Management
Building an application with secure session management depends heavily on cookie management. That requires understanding the cookie attributes (Secure flag, HttpOnly flag, connection type, session expiration time, etc.), the unique value the cookie carries (the session ID), and how attackers exploit weak session management. The most common attacks are:
- Session Hijacking: a malicious user obtains a valid session identifier after it has been issued to a legitimate user and inherits that user’s permissions.
- Session Fixation: the attacker sets (fixes) a session identifier in the victim’s browser before the victim logs in; if the application keeps the same identifier after authentication, the attacker already holds a valid authenticated session and can see and do everything the victim can.
- Session Prediction: the attacker guesses or calculates a valid session identifier (for example from sequential or low-entropy values) and uses it to take over a legitimate user’s session.
- Cookie Poisoning / Tampering: the attacker modifies the contents of a cookie to obtain unauthorized information about the user or to change what the application believes about the user (role, account ID, and so on).
- Session Sniffing: the attacker uses a packet sniffer to capture a valid session token from unencrypted traffic and then replays it to gain unauthorized access to the web server.
Checks to perform:
- Test for meaning: cookies and session IDs must not carry meaningful data such as the account username, first or last name, date/time stamp, client IP address, etc.
- Test for predictability: cookie values and session IDs must come from a cryptographically secure random source and must never be sequential.
- Check for insecure transmission: session IDs must be transmitted only over HTTPS, which in practice means the session cookie carries the Secure flag.
- Check for log information: the session ID must not be written to system or application logs; anyone who can read the logs could otherwise hijack the session (one reason never to put the ID in a URL, which web server access logs record).
- Check for session termination and expiration: the application must expire a session after a defined idle time and invalidate it on logout, so that an old identifier cannot be reused.
- Test for session fixation: the application must issue a new session ID when the user authenticates and must not accept a session ID supplied by the client (for example in a URL parameter) as a valid session; randomness of the ID alone does not prevent fixation.
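A small analyzer that applies the meaning, predictability and transmission checks above to captured Set-Cookie headers, as an added example that is not part of the original article. The headers and ID sequences it examines are constructed for illustration (the kind of thing an intercepting proxy would show), and the 16-character and 3.5-bits-per-character thresholds are assumptions chosen to catch obviously weak values, not standards:

```python
import math
import re
from collections import Counter

# Constructed Set-Cookie headers standing in for what Burp or ZAP would show
# in a response; they are not captures from a real application.
WEAK_HEADER = "SESSIONID=alice-2024-06-01-10.0.0.5; Path=/"
STRONG_HEADER = ("SESSIONID=3nq8Zb7kLw2pQ9rT5vX1cY4mH6sJ0dF8; Path=/; "
                 "Secure; HttpOnly; SameSite=Strict")
# Constructed sequences of IDs "issued" by two hypothetical servers.
SEQUENTIAL_IDS = ["1000", "1001", "1002", "1003"]
RANDOM_IDS = ["k2Xp9Qm4", "Z7wB1cRt", "q0Ln8VyH", "M3sJ6aUe"]


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def shannon_bits_per_char(value):
    """Crude randomness measure: entropy of the character distribution."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def audit_set_cookie(header, known_values=()):
    """Return a list of findings for one session cookie; an empty list means
    nothing was detected. known_values: strings such as the logged-in
    username that must never appear inside the cookie value."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure flag: cookie will be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly flag: readable by injected script")
    if str(attrs.get("samesite", "")).lower() not in ("strict", "lax"):
        findings.append("SameSite not Strict or Lax")
    lowered = value.lower()
    for kv in known_values:
        if kv.lower() in lowered:
            findings.append(f"value embeds known user data ({kv!r})")
    if re.search(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", value):
        findings.append("value embeds an IP address")
    if re.search(r"\b\d{4}-\d{2}-\d{2}\b", value):
        findings.append("value embeds a date")
    if len(value) < 16:                      # assumed minimum, not a standard
        findings.append("value shorter than 16 characters")
    if shannon_bits_per_char(value) < 3.5:   # assumed threshold, not a standard
        findings.append("low per-character entropy")
    return findings


def looks_sequential(ids):
    """True if every ID parses as an integer (decimal or hex) and consecutive
    IDs differ by a constant step: the simplest form of predictability."""
    for base in (10, 16):
        try:
            nums = [int(i, base) for i in ids]
        except ValueError:
            continue
        steps = {b - a for a, b in zip(nums, nums[1:])}
        if len(steps) == 1:
            return True
    return False
```

Run `audit_set_cookie` over every Set-Cookie header the proxy records during login, passing the account name you logged in with as `known_values`, and feed a few dozen IDs collected from repeated logins to `looks_sequential`; a pass here is necessary but not sufficient, since a value can look random and still be generated from a weak seed.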
Market / Business Impacts:
- Privilege escalation – Unauthorized access to Web site functionality
- Circumvent licensing and payments
- Confidentiality breach
Do’s and Don’ts:
- Don’t expose session data; validate the session on every request and invalidate it on expiration (log out, time out).
- Tokens should be transmitted only over HTTPS, so they are encrypted in transit, and never in the URL, where they end up in browser history, Referer headers and server logs.
- Re-authenticate the user before performing critical functions (password change, payment, etc.).
- Do not allow concurrent logins with the same user ID.
- Never display or store a password in clear text.
- Session IDs should be random, generated by a cryptographically secure random number generator.
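A server-side session store that follows these do’s and don’ts, as an added example that is not from the original article. It assumes a simple in-memory table, the hypothetical cookie name SESSIONID, and illustrative timeout values; a real application would back the table with a shared store and emit the returned header on the HTTPS response:

```python
import secrets
import time

# Illustrative policy values (assumptions, not from the article).
IDLE_TIMEOUT = 15 * 60          # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard cap on session lifetime
REAUTH_WINDOW = 5 * 60          # how fresh a password check must be for critical functions
COOKIE_NAME = "SESSIONID"       # hypothetical cookie name


def new_session_id():
    # 32 bytes from the OS CSPRNG as URL-safe base64 (43 chars): unpredictable,
    # non-sequential, and free of username, timestamp or client IP.
    return secrets.token_urlsafe(32)


class SessionStore:
    """Server-side table keyed by the random ID. The cookie holds only that ID,
    so there is nothing meaningful in it to read or tamper with."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so walkthrough() can advance time
        self._sessions = {}   # sid -> {"user", "created", "last_seen", "auth_at"}

    def _store(self, user):
        now = self._clock()
        sid = new_session_id()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now,
                               "auth_at": now if user else None}
        return sid

    def create(self):
        """Anonymous pre-login session."""
        return self._store(None)

    def login(self, old_sid, user):
        """Call only after the credential check succeeds. The pre-login ID is
        discarded and a fresh one issued, so a fixated ID is never promoted to
        an authenticated session; other sessions of the same user are killed
        (no concurrent logins)."""
        self._sessions.pop(old_sid, None)
        for sid in [s for s, rec in self._sessions.items() if rec["user"] == user]:
            del self._sessions[sid]
        return self._store(user)

    def lookup(self, sid):
        """Session record, or None if unknown, idle too long or past its
        absolute lifetime. Expired records are deleted, not just ignored."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["last_seen"] > IDLE_TIMEOUT or now - rec["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        rec["last_seen"] = now
        return rec

    def recently_authenticated(self, sid):
        """Gate for critical functions (password change, payment): True only if
        the password was verified within REAUTH_WINDOW, else re-prompt."""
        rec = self._sessions.get(sid)
        return bool(rec and rec["auth_at"] is not None
                    and self._clock() - rec["auth_at"] <= REAUTH_WINDOW)

    def logout(self, sid):
        """Server-side invalidation; clearing the browser cookie alone is not enough."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid, max_age=IDLE_TIMEOUT):
    # Secure: HTTPS only. HttpOnly: invisible to script. SameSite=Lax: not sent on
    # cross-site POSTs. Omitting Domain keeps the cookie host-only. Max-Age=0
    # (the value to send on logout) makes the browser drop the cookie at once.
    return f"{COOKIE_NAME}={sid}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


def walkthrough():
    """Constructed scenario on a fake clock: fixation defence, re-auth window,
    one login per user, idle expiry and logout."""
    now = [1_700_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    planted = store.create()                       # ID an attacker could have fixated
    sid = store.login(planted, "alice")
    out = {"rotated_on_login": sid != planted,
           "planted_id_dead": store.lookup(planted) is None,
           "user": store.lookup(sid)["user"],
           "fresh_auth": store.recently_authenticated(sid)}
    now[0] += REAUTH_WINDOW + 1
    out["auth_stale"] = store.recently_authenticated(sid)
    second = store.login(store.create(), "alice")  # same user logs in elsewhere
    out["first_killed_by_second"] = store.lookup(sid) is None
    now[0] += IDLE_TIMEOUT + 1
    out["idle_expired"] = store.lookup(second) is None
    third = store.login(store.create(), "alice")
    store.logout(third)
    out["logout_invalidates"] = store.lookup(third) is None
    return out
```

The design choice worth noting is that every decision (timeouts, single login, re-authentication) is made against the server-side record; the browser only ever holds the opaque ID, so none of these controls can be bypassed by editing the cookie.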
Tools to Test:
Open Source Software: Burp Suite, OWASP ZAP.
Browser Add-Ons: Cookie Editor, Tamper Data.