[REVS] Session Fixation Vulnerability in Web-based Applications

From: support@securiteam.com
Date: 12/27/02

From: support@securiteam.com
To: list@securiteam.com
Date: 27 Dec 2002 20:58:03 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Session Fixation Vulnerability in Web-based Applications
    ------------------------------------------------------------------------

    SUMMARY

    Web-based application security vulnerabilities are very common in most web
    sites found on the Internet. They range from product-specific to
    application-specific. The following article illustrates one such
    vulnerability that can be found both in products and in applications
    written for the web.

    The vulnerability allows an attacker to cause a user to use a known
    session identifier. An attacker who knows the session ID can then use it
    to impersonate the legitimate user.

    DETAILS

    Abstract:
    Many web-based applications employ some kind of session management to
    create a user-friendly environment. Sessions are stored on the server and
    associated with their respective users by session identifiers (IDs).
    Naturally, session IDs present an attractive target for attackers, who, by
    obtaining them, effectively hijack users' identities. Knowing that, web
    servers employ techniques for protecting session IDs from three classes of
    attacks: interception, prediction and brute-force attacks. This paper
    reveals a fourth class of attacks against session IDs: session fixation
    attacks. In a session fixation attack, the attacker fixes the user's
    session ID before the user even logs into the target server, thereby
    eliminating the need to obtain the user's session ID afterwards. There are
    many ways for the attacker to perform a session fixation attack, depending
    on the session ID transport mechanism (URL arguments, hidden form fields,
    cookies) and the vulnerabilities available in the target system or its
    immediate environment. The paper provides detailed information about
    exploiting vulnerable systems as well as recommendations for protecting
    them against session fixation attacks.
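The core defence the abstract alludes to is that a session ID which existed before authentication must never become an authenticated one. The following is an added illustration, not code from the advisory or the cited paper: a constructed in-memory session store with two switchable behaviours (adopting client-presented IDs vs. honouring only server-issued ones, and regenerating the ID at login vs. keeping it), plus a check that a defender can run as a regression test to see which combinations remain open to fixation. All names are hypothetical.

```python
import secrets


class SessionStore:
    """Constructed stand-in for a server-side session store (hypothetical)."""

    def __init__(self, accept_client_ids: bool, regenerate_on_login: bool):
        self.sessions = {}  # session id -> {"user": str | None}
        self.accept_client_ids = accept_client_ids
        self.regenerate_on_login = regenerate_on_login

    def _new_id(self) -> str:
        sid = secrets.token_urlsafe(32)  # unpredictable, server-chosen id
        self.sessions[sid] = {"user": None}
        return sid

    def resolve(self, cookie_sid):
        """Map the id presented by the client to a live session id."""
        if cookie_sid in self.sessions:
            return cookie_sid
        if cookie_sid is not None and self.accept_client_ids:
            # Permissive pattern: adopt whatever id the client presents.
            self.sessions[cookie_sid] = {"user": None}
            return cookie_sid
        # Strict pattern: unknown ids are ignored and a fresh one is issued.
        return self._new_id()

    def login(self, cookie_sid, user) -> str:
        sid = self.resolve(cookie_sid)
        if self.regenerate_on_login:
            # Mitigation: drop the pre-login id and issue a new one, so an id
            # known before authentication never identifies the logged-in user.
            del self.sessions[sid]
            sid = self._new_id()
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, cookie_sid):
        return self.sessions.get(cookie_sid, {}).get("user")


def fixation_possible(store: SessionStore, fixed_id=None) -> bool:
    """True if an id known before login still maps to the logged-in user.

    With fixed_id=None the pre-login id is one the server itself issued to
    an unauthenticated visitor; otherwise an arbitrary constructed id is used.
    """
    fixed = fixed_id if fixed_id is not None else store.resolve(None)
    store.login(fixed, "alice")  # the victim authenticates carrying that id
    return store.whoami(fixed) == "alice"
```

Note that refusing client-chosen IDs (the strict pattern) only blocks arbitrary fixed values; a server-issued pre-login ID still carries over unless the ID is regenerated at login, which is the check the last two assertions below exercise.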

    ADDITIONAL INFORMATION

    The entire article can be found at:
    http://www.acros.si/papers/session_fixation.pdf

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.