Asanka Fernandopulle and I conducted a corporate-level workshop on Application Security. This workshop covered areas such as application security threats, secure coding practices, application penetration testing and web application exploitation. The workshop mainly consisted of practical sessions and demonstrations. You can find all the presentations here.
Session Hijacking
1. SESSION Hijacking
HOW VULNERABLE IS MY WEB APPLICATION
FROM A DEVELOPER’S ANGLE…
Dilan Warnakulasooriya, Information Security Engineer, 99X Technology
Asanka Fernandopulle, Senior Software Engineer, 99X Technology
2. Overview
Details about the session, including:
Session.Id lifecycle
Session.Abandon
The session cookie
Attacking the session
Fixes
January 1, 2013 99X Technology(c) 2
3. ASP.NET Session Background
When is Session.Id established?
If ASP.NET receives any session Id, it will USE IT.
Does Session.Abandon remove this cookie?
NO – Why?
○ This session could be shared across sites. Why?
Session.IsNewSession is true when
ASP.NET has no record of the current session
The first request to a web server generally means IsNewSession = true
If a session Id is provided by the client, IsNewSession = true for the first request, false for subsequent requests.
Session cookies are HttpOnly
Which means JavaScript cannot read the session cookie, but it can still SET the cookie
5. The client wants a NEW Session Id of 12345678?
No Problem
Cookie sent to server:
SessionId = 12345678
6. How can sessions be attacked?
Session Ids can be attacked
Network traffic can be sniffed
Man-in-the-middle attack (easy to test via a proxy configuration)
Session Fixation Demo
7. Preventing session attacks
Force SSL for the entire site
Ensure authentication and session timeouts are in sync!
The session could time out before the forms auth timeout, allowing takeover of the session
Remove the session cookie and kill the session upon logout AND page load
Session.Abandon(); // Expires the server-side session but leaves the cookie in the browser
Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddYears(-30); // Tells the browser to drop the session cookie
Avoid cookieless sessions (where the Id is on the URL)
EXTRA EXTRA secure… (kind of an advanced topic)
Create your own Session Id Provider to generate and validate ids.
Note these are called for EVERY request (images, etc.) in Integrated Pipeline Mode
Store the Session Id in the Auth cookie
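The slides show that ASP.NET adopts whatever session Id the client presents (the 12345678 cookie on slide 5) and name a custom Session Id Provider as the advanced fix. The following is an added example, not code from the workshop or from 99X Technology: a SessionIDManager subclass whose Ids carry an HMAC tag, so that Validate rejects any Id the server did not issue and ASP.NET mints a fresh one instead of using the client's value. The namespace, class and assembly names, the HMAC key and the web.config registration line are assumptions of the example.

```csharp
// Added example (not from the workshop slides): session Ids of the form
// <random>.<hmac-tag>. Validate() recomputes the tag, so a client-chosen Id
// such as "12345678" fails and ASP.NET calls CreateSessionID() instead.
// Register in web.config (names are assumptions):
//   <sessionState sessionIDManagerType="Workshop.Examples.HmacSessionIdManager, MyWebApp" />
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.SessionState;

namespace Workshop.Examples
{
    public class HmacSessionIdManager : SessionIDManager
    {
        // Constructed example key. In a real deployment load it from protected
        // configuration and use the same key on every node of a web farm.
        private static readonly byte[] HmacKey = Encoding.UTF8.GetBytes(
            "replace-with-a-32-byte-random-secret-from-config");

        private const int RandomBytes = 16; // 128 bits of entropy per Id
        private const int TagBytes = 16;    // truncated HMAC-SHA256 tag

        // Called by ASP.NET when no valid session Id arrived with the request.
        public override string CreateSessionID(HttpContext context)
        {
            var random = new byte[RandomBytes];
            using (var rng = new RNGCryptoServiceProvider())
            {
                rng.GetBytes(random);
            }
            string body = Base64Url(random);
            return body + "." + Base64Url(Tag(body));   // 45 chars, under SessionIDMaxLength (80)
        }

        // Called by ASP.NET for every Id presented in the ASP.NET_SessionId cookie
        // (on every request in Integrated Pipeline Mode, so keep it cheap: one HMAC).
        // Returning false makes ASP.NET discard the presented Id.
        public override bool Validate(string id)
        {
            if (string.IsNullOrEmpty(id) || id.Length > SessionIDMaxLength) return false;
            int dot = id.IndexOf('.');
            if (dot <= 0 || dot == id.Length - 1) return false;
            string body = id.Substring(0, dot);
            string presentedTag = id.Substring(dot + 1);
            return FixedTimeEquals(presentedTag, Base64Url(Tag(body)));
        }

        private static byte[] Tag(string body)
        {
            using (var hmac = new HMACSHA256(HmacKey))
            {
                byte[] full = hmac.ComputeHash(Encoding.ASCII.GetBytes(body));
                var tag = new byte[TagBytes];
                Array.Copy(full, tag, TagBytes);
                return tag;
            }
        }

        // URL- and cookie-safe alphabet, no padding.
        private static string Base64Url(byte[] data)
        {
            return Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        }

        // Compare every character so the timing does not reveal how many
        // leading characters of a guessed tag were correct.
        private static bool FixedTimeEquals(string a, string b)
        {
            if (a.Length != b.Length) return false;
            int diff = 0;
            for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }
    }
}
```

This stops an attacker from planting an arbitrary Id of their own choosing, but an Id the server legitimately issued to the attacker still validates and can be handed to a victim; the login handler must therefore still issue a new Id, and logout must still abandon the session and expire the cookie as slide 7 shows.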
8. Session timeouts / Forms Auth timeouts
Scenario
Session timeout 20 minutes, forms auth timeout 20 minutes
The session can also expire when the app pool resets; the forms auth token is still valid
(With sliding expiration, the forms auth ticket is only renewed once more than half of its timeout has elapsed, which is why the token expiry stays at 12:20 for the early requests.)

Time     Session timeout                                   Forms Auth Token Expires
12:02    12:22                                             Still 12:20
12:04    12:24                                             Still 12:20
12:06    12:26                                             Still 12:20
12:15    12:35                                             12:35
12:30    App pool shuts down, reset, etc.: NO SESSION      12:35
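The table above ends in the state the slides warn about: the session is gone (timed out or app pool recycled) while the forms auth ticket is still valid, so the next request would get a fresh, empty session that the old ticket now owns. The following is an added example, not code from the workshop or from 99X Technology: a Global.asax handler that treats "authenticated but no session on record" as a logout, reusing the abandon-and-expire-cookie steps from slide 7. It assumes a Web Forms project with the default ASP.NET_SessionId cookie name, forms authentication, and login code that stores at least one value in Session so that the session cookie is actually issued.

```csharp
// Added example (not from the workshop slides), placed in Global.asax.cs.
// PostAcquireRequestState runs once session state is attached to the request.
using System;
using System.Web;
using System.Web.Security;

namespace Workshop.Examples
{
    public class Global : HttpApplication
    {
        private const string SessionCookieName = "ASP.NET_SessionId"; // default cookie name

        protected void Application_PostAcquireRequestState(object sender, EventArgs e)
        {
            HttpContext context = HttpContext.Current;
            // Static files and handlers without session state have no Session object.
            if (context == null || context.Session == null) return;

            // IsNewSession is true when ASP.NET has no record of the presented Id
            // (slide 3). An authenticated user should always have a known session;
            // if not, the ticket outlived the session and must not adopt a new one.
            // Assumption: the login code touches Session (e.g. Session["LoginTime"]),
            // otherwise ASP.NET never issues the cookie and every request looks new.
            if (context.Request.IsAuthenticated && context.Session.IsNewSession)
            {
                TerminateSession(context);
                context.Response.Redirect(FormsAuthentication.LoginUrl, false);
                context.ApplicationInstance.CompleteRequest();
            }
        }

        // Also call this from the logout handler: Session.Abandon() alone leaves
        // the cookie in the browser (slide 3), so the cookie is expired explicitly.
        public static void TerminateSession(HttpContext context)
        {
            context.Session.Abandon();
            ExpireCookie(context, SessionCookieName);
            FormsAuthentication.SignOut();
            ExpireCookie(context, FormsAuthentication.FormsCookieName);
        }

        private static void ExpireCookie(HttpContext context, string name)
        {
            var cookie = new HttpCookie(name, string.Empty)
            {
                Expires = DateTime.Now.AddYears(-30),   // same expiry trick as slide 7
                HttpOnly = true,
                Secure = FormsAuthentication.RequireSSL
            };
            context.Response.Cookies.Add(cookie);
        }
    }
}
```

This handler is the backstop; the primary fix from slide 7 still applies, keeping the two timeouts equal in web.config (`<sessionState timeout="20" cookieless="UseCookies" />` alongside `<forms timeout="20" slidingExpiration="true" requireSSL="true" />`, with `<httpCookies httpOnlyCookies="true" requireSSL="true" />`), so that the ticket normally cannot outlive the session in the first place.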