AppScan -- Security Risk: Session identifier not updated.
I have recently been doing security testing with AppScan, and it reported the following bug:
AppScan -- Security Risk: Session identifier not updated.
Possible Causes
Insecure web application programming or configuration
Technical Description
According to WASC:
"Session Fixation is an attack technique that forces a user's session ID to an explicit value. Depending on the functionality of the target web site, a number of techniques can be utilized to "fix" the session ID value. These techniques range from Cross-site Scripting exploits to peppering the web site with previously made HTTP requests. After a user's session ID has been fixed, the attacker waits for the user to login, and then uses the predefined session ID value to assume the user's online identity.
In general, there are two types of session management systems for ID values. The first type is "permissive" systems, that allow web browsers to specify any ID. The second type is "strict" systems, that only accept server-side generated values. With permissive systems, arbitrary session IDs are maintained without contact with the web site. Strict systems require that the attacker maintain the "trap-session", with periodic web site contact, preventing inactivity timeouts.
Without active protection against session fixation, the attack can be mounted against any web site using sessions to identify authenticated users. Web sites using session IDs are normally cookie-based, but URLs and hidden form-fields are used as well. Unfortunately, cookie-based sessions are the easiest to attack. Most of the currently identified attack methods are aimed toward the fixation of cookies.
In contrast to stealing a user's session ID after they have logged into a web site, session fixation provides a much wider window of opportunity. The active part of the attack takes place before the user logs in.
The session fixation attack is normally a three step process:
1) Session Set-Up
The attacker sets up a "trap-session" for the target web site and obtains that session's ID, or the attacker may select an arbitrary session ID used in the attack. In some cases, the established trap session value must be maintained with repeated web site contact.
2) Session Fixation
The attacker introduces the trap session value into the user's browser and fixes the user's session ID.
3) Session Entrance
The attacker waits until the user logs into the target web site, and then, when the fixed session ID value is used, the attacker may take over."
----------------------------------------------
If a session management system accepts session IDs in the form of a URL parameter, the following request may force the session ID to the value of the URL parameter.
Code Snippet:
http://example/login.php?PHPSESSID=1234
According to WASC:
"Issuing a new session ID cookie value using a client-side script
-------------------------------------------------------------------------------------------
A Cross-Site Scripting vulnerability on any web site in the domain can be used to modify the current cookie value.
Code Snippet:
http://example/<script>document.cookie="sessionid=1234; domain=.example.dom";</script>
Another similar example (using META tag injection):
http://example/<meta http-equiv=Set-Cookie content="sessionid=1234; domain=.example.dom">
Issuing a cookie using an HTTP response header
-----------------------------------------------------------------------
The attacker forces the target web site, or any other site in the domain, to issue a session ID cookie. This can be achieved in many ways:
- Breaking into a web server in the domain (e.g., a poorly maintained WAP server)
- Poisoning a user's DNS server, effectively adding the attacker's web server to the domain
- Setting up a malicious web server in the domain (e.g., on a workstation in Windows 2000 domain, all workstations are also in the DNS domain)
- Exploiting an HTTP response splitting attack"
----------------------------------------------
Comparison of the session identifiers before and after the login process revealed they were not updated, which means that user impersonation may be possible. Preliminary knowledge of the session identifier value may enable a remote attacker to pose as a logged-in legitimate user.
The session identifier value can be obtained by utilizing a Cross-Site Scripting vulnerability, causing the victim's browser to use a predefined session identifier when contacting the vulnerable site, or by launching a Session Fixation attack that will cause the site to present a predefined session identifier to the victim's browser.
Affected Products
This issue may affect different types of products.
References and Relevant Links
"Session Fixation Vulnerability in Web-based Applications", By Mitja Kolsek - Acros Security
PHP Manual, Session Handling Functions, Sessions and security
© Copyright IBM Corp. 2000, 2007. All Rights Reserved.
Here is the fix recommendation from AppScan:
--------------------------------------------------------------------------------
General
Always generate a new session to which the user will log in if successfully authenticated.
Prevent user ability to manipulate session ID.
Do not accept session IDs provided by the user's browser at login
AppScan gives a recommended fix. My questions are:
1. Always generate a new session to which the user will log in if successfully authenticated.
How do I always generate a new session when login succeeds?
2. Prevent user ability to manipulate session ID.
How do I prevent the user from using the session ID?
3. Do not accept session IDs provided by the user's browser at login
How do I refuse session IDs provided by the user's browser?
200 points for each question; if you answer correctly I will open a new thread to award the points.
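As an added illustration (not part of the original post or of AppScan's text), the following Python session store implements all three recommendations at once: IDs are only ever generated server-side, an ID presented by the browser is honoured only if the server issued it, and a successful login moves the session to a brand-new ID and destroys the old one. The user table and credentials are constructed for the demo; in PHP the equivalent controls are session.use_strict_mode=1 and session_regenerate_id(true) called right after authentication succeeds.

```python
import secrets
import hmac

# Constructed credential table for the demo; a real system stores password hashes.
USERS = {"alice": "correct horse battery staple"}


def check_credentials(username, password):
    expected = USERS.get(username, "")
    return hmac.compare_digest(expected, password) and username in USERS


class SessionStore:
    """Minimal server-side session store implementing AppScan's three recommendations."""

    def __init__(self):
        self._sessions = {}  # session id -> session data

    def _issue(self, data):
        sid = secrets.token_urlsafe(32)  # server-generated, unguessable
        self._sessions[sid] = data
        return sid

    def resolve(self, client_id):
        """Strict mode: honour a client-presented ID only if this server issued it.
        An unknown or missing ID is never adopted; a fresh anonymous session is issued."""
        if client_id in self._sessions:
            return client_id
        return self._issue({"user": None})

    def login(self, client_id, username, password):
        """Authenticate, then move the session to a new ID and destroy the old one,
        so an ID planted in the browser before login never becomes authenticated."""
        sid = self.resolve(client_id)
        if not check_credentials(username, password):
            return sid, False
        data = self._sessions.pop(sid)
        data["user"] = username
        return self._issue(data), True

    def user_for(self, client_id):
        session = self._sessions.get(client_id)
        return session["user"] if session else None


def fixation_check():
    """Replay the finding's scenario: an ID is fixed before login; confirm it stays worthless."""
    store = SessionStore()
    planted = "1234"            # arbitrary value, as in the finding's URL example
    trap = store.resolve(None)  # a valid server-issued "trap session"
    results = {}
    for fixed in (planted, trap):
        new_sid, ok = store.login(fixed, "alice", "correct horse battery staple")
        results[fixed] = (ok, new_sid != fixed, store.user_for(fixed), store.user_for(new_sid))
    return results
```

The `fixation_check` results show that whichever ID was fixed before login, it never maps to the authenticated user afterwards; only the freshly issued ID does.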