What is a Session?
A session is the period of time, after login, during which the application communicates with a user without requiring the user to re-authenticate. The typical mechanism used for this is to assign an HTTP cookie unique to the session, hence attacks on sessions are also known as Cookie Hijacking or TCP Session Hijacking.
What is Session Hijacking?
Session hijacking occurs when an attacker exploits an application's web session control mechanism to gain unauthorized access to an active user's session. By using the already authorized session, the attacker bypasses authentication and authorization and can perform functions as the hijacked user.
What Sort of Bugs can be Present?
Exploitable flaws can occur in either token generation or handling and can include:
- Insufficient session time out when there is no user activity
- Lack of hard time out even after a day or more
- Insufficient session randomness so the cookie is predictable
- Insufficient integrity checking so the cookie can be modified by an attacker
- Insufficient session encryption so any information within the cookie can be accessed by an attacker
- Insufficient security flags so the cookie can be accessed by an attacker
What Exploit Methods Are Used?
A variety of techniques can be used to exploit these flaws. The main ones include:
- Session Sniffing
Uses packet sniffing to read network traffic between two parties to capture a valid Session ID.
- Cross-site Scripting (XSS)
Malicious payloads trick the victim’s browser into executing dangerous commands that then harvest the session cookie and send it to the attacker.
- Predictable Session Tokens
This involves predicting session ID values that permit an attacker to bypass the authentication schema of an application.
- Session Collision
When, due to logic flaws or race conditions in the web application or database code, one user can access the data of another user. Attackers can make many requests very quickly and access data from currently active users, sometimes including those users' actual session tokens.
RedShield Secure Session Management
The RedShield Secure Session Shield Pack provides state-of-the-art defences against session hijacking attacks.
RedShield can secure session management passing through the RedShield cloud platform with no code changes required in the application.
- Substitute the session cookie to ensure it is unpredictable
Session cookies generated by the application are extracted from the application response and stored. This allows for transformation back to an application compatible cookie in future application requests from the client.
Cryptographically random RedShield tokens are generated and associated with each application session token. The RedShield tokens are not predictable and any information that is sent within the original session cookie is separated from the session token.
- Secure the session cookie to forbid reuse through session sniffing or XSS
The RedShield tokens are sent to the client to identify their session with the correct security flags set (HttpOnly and Secure) to prevent cross-site scripting attacks gaining access to the session token.
The RedShield tokens have an inactivity timeout and a maximum lifetime, both of which are configurable to meet customer use cases.
- Resolving session collisions when applicable
This requires application-specific logic transformation. RedShield has successfully resolved this for a number of customers through a combination of: unpredictable cookies, implementing session timeouts, throttling of initial login and enforcing correct application workflow.
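The cookie substitution, security-flag and timeout behaviour described above, as an added illustrative example written for this page (not RedShield's code; the class name, the rs_session cookie name and the default timeouts are assumptions):

```python
import secrets
import time


class SessionShield:
    """Substitute an application's session cookie with a random opaque token at a
    proxy layer (added example; class and cookie names are assumptions, not RedShield's)."""

    def __init__(self, cookie_name, idle_timeout=900, max_lifetime=28800):
        self.cookie_name = cookie_name       # the application's cookie, e.g. JSESSIONID
        self.idle_timeout = idle_timeout     # seconds of inactivity before expiry
        self.max_lifetime = max_lifetime     # hard limit in seconds, regardless of activity
        self._sessions = {}                  # token -> (app_value, created, last_seen)

    def on_response(self, set_cookie_header, now=None):
        """Rewrite the application's Set-Cookie header: keep the app value server-side
        and hand the client only a CSPRNG token with Secure and HttpOnly set."""
        now = time.time() if now is None else now
        name, _, app_value = set_cookie_header.split(";", 1)[0].partition("=")
        if name.strip() != self.cookie_name:
            return set_cookie_header         # not the session cookie: pass through unchanged
        token = secrets.token_urlsafe(32)    # 256 bits of OS randomness, not predictable
        self._sessions[token] = (app_value.strip(), now, now)
        return f"rs_session={token}; Path=/; Secure; HttpOnly; SameSite=Lax"

    def on_request(self, token, now=None):
        """Translate the client's token back to the application cookie, or return
        None (and forget the session) when the token is unknown, idle too long, or
        past its maximum lifetime."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        app_value, created, last_seen = entry
        if now - last_seen > self.idle_timeout or now - created > self.max_lifetime:
            del self._sessions[token]        # expired: a captured token is now useless
            return None
        self._sessions[token] = (app_value, created, now)   # refresh the inactivity clock
        return f"{self.cookie_name}={app_value}"
```

The application's own cookie value never reaches the browser, so a sniffed or script-harvested rs_session token carries no application data and stops working once either timeout passes.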
RedShield Session Management
If you have more questions, please contact: Sales@RedShield.co