https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=Simon+WatersOWASP - User contributions [en]2026-04-23T23:35:59ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Session_Management_Cheat_Sheet&diff=231494Session Management Cheat Sheet2017-07-10T09:27:34Z<p>Simon Waters: s/weak/permissive/ for clarity</p>
<hr />
<div> __NOTOC__<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' <br />
= Introduction =<br />
__TOC__{{TOC hidden}}<br />
<br />
'''Web Authentication, Session Management, and Access Control''' <br />
<br />
A web session is a sequence of network HTTP request and response transactions associated to the same user. Modern and complex web applications require the retaining of information or status about each user for the duration of multiple requests. Therefore, sessions provide the ability to establish variables – such as access rights and localization settings – which will apply to each and every interaction a user has with the web application for the duration of the session. <br />
<br />
Web applications can create sessions to keep track of anonymous users after the very first user request. An example would be maintaining the user language preference. Additionally, web applications will make use of sessions once the user has authenticated. This ensures the ability to identify the user on any subsequent requests as well as being able to apply security access controls, authorized access to the user private data, and to increase the usability of the application. Therefore, current web applications can provide session capabilities both pre and post authentication. <br />
<br />
Once an authenticated session has been established, the session ID (or token) is temporarily equivalent to the strongest authentication method used by the application, such as username and password, passphrases, one-time passwords (OTP), client-based digital certificates, smartcards, or biometrics (such as fingerprint or eye retina). See the OWASP Authentication Cheat Sheet: https://www.owasp.org/index.php/Authentication_Cheat_Sheet. <br />
<br />
HTTP is a stateless protocol (RFC2616 [5]), where each request and response pair is independent of other web interactions. Therefore, in order to introduce the concept of a session, it is required to implement session management capabilities that link both the authentication and access control (or authorization) modules commonly available in web applications: <br />
<br />
[[Image:Session-Management-Diagram Cheat-Sheet.png|center|Session-Management-Diagram Cheat-Sheet.png]] <br> The session ID or token binds the user authentication credentials (in the form of a user session) to the user HTTP traffic and the appropriate access controls enforced by the web application. The complexity of these three components (authentication, session management, and access control) in modern web applications, plus the fact that its implementation and binding resides on the web developer’s hands (as web development framework do not provide strict relationships between these modules), makes the implementation of a secure session management module very challenging. <br />
<br />
The disclosure, capture, prediction, brute force, or fixation of the session ID will lead to session hijacking (or sidejacking) attacks, where an attacker is able to fully impersonate a victim user in the web application. Attackers can perform two types of session hijacking attacks, targeted or generic. In a targeted attack, the attacker’s goal is to impersonate a specific (or privileged) web application victim user. For generic attacks, the attacker’s goal is to impersonate (or get access as) any valid or legitimate user in the web application. <br />
<br />
<br> <br />
<br />
= Session ID Properties =<br />
<br />
In order to keep the authenticated state and track the users progress within the web application, applications provide users with a session identifier (session ID or token) that is assigned at session creation time, and is shared and exchanged by the user and the web application for the duration of the session (it is sent on every HTTP request). The session ID is a “name=value” pair. <br />
<br />
With the goal of implementing secure session IDs, the generation of identifiers (IDs or tokens) must meet the following properties: <br />
<br />
== Session ID Name Fingerprinting ==<br />
<br />
The name used by the session ID should not be extremely descriptive nor offer unnecessary details about the purpose and meaning of the ID. <br />
<br />
The session ID names used by the most common web application development frameworks can be easily fingerprinted [0], such as PHPSESSID (PHP), JSESSIONID (J2EE), CFID &amp; CFTOKEN (ColdFusion), ASP.NET_SessionId (ASP .NET), etc. Therefore, the session ID name can disclose the technologies and programming languages used by the web application. <br />
<br />
It is recommended to change the default session ID name of the web development framework to a generic name, such as “id”. <br />
<br />
== Session ID Length ==<br />
<br />
The session ID must be long enough to prevent brute force attacks, where an attacker can go through the whole range of ID values and verify the existence of valid sessions. <br />
<br />
The session ID length must be at least 128 bits (16 bytes).<br />
<br />
'''''NOTE''''': The session ID length of 128 bits is provided as a reference based on the assumptions made on the next section "Session ID Entropy". However, this number should not be considered as an absolute minimum value, as other implementation factors might influence its strength. For example, there are well-known implementations, such as Microsoft ASP.NET, making use of 120-bit random numbers for its session IDs (represented by 20-character strings [10]) that can provide a very good effective entropy, and as a result, can be considered long enough to avoid guessing or brute force attacks.<br />
<br />
== Session ID Entropy ==<br />
<br />
The session ID must be unpredictable (random enough) to prevent guessing attacks, where an attacker is able to guess or predict the ID of a valid session through statistical analysis techniques. For this purpose, a good PRNG (Pseudo Random Number Generator) must be used. <br />
<br />
The session ID value must provide at least 64 bits of entropy (if a good PRNG is used, this value is estimated to be half the length of the session ID).<br> <br />
<br />
'''''NOTE''''': The session ID entropy is really affected by other external and difficult to measure factors, such as the number of concurrent active sessions the web application commonly has, the absolute session expiration timeout, the amount of session ID guesses per second the attacker can make and the target web application can support, etc [2]. If a session ID with an entropy of 64 bits is used, it will take an attacker at least 292 years to successfully guess a valid session ID, assuming the attacker can try 10,000 guesses per second with 100,000 valid simultaneous sessions available in the web application [2]. <br />
<br />
== Session ID Content (or Value) ==<br />
<br />
The session ID content (or value) must be meaningless to prevent information disclosure attacks, where an attacker is able to decode the contents of the ID and extract details of the user, the session, or the inner workings of the web application. <br />
<br />
The session ID must simply be an identifier on the client side, and its value must never include sensitive information (or PII). The meaning and business or application logic associated to the session ID must be stored on the server side, and specifically, in session objects or in a session management database or repository. The stored information can include the client IP address, User-Agent, e-mail, username, user ID, role, privilege level, access rights, language preferences, account ID, current state, last login, session timeouts, and other internal session details. If the session objects and properties contain sensitive information, such as credit card numbers, it is required to duly encrypt and protect the session management repository. <br />
<br />
It is recommended to create cryptographically strong session IDs through the usage of cryptographic hash functions such as SHA1 (160 bits). <br />
<br />
<br> <br />
<br />
= Session Management Implementation =<br />
<br />
The session management implementation defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID. There are multiple mechanisms available in HTTP to maintain session state within web applications, such as cookies (standard HTTP header), URL parameters (URL rewriting – RFC 2396), URL arguments on GET requests, body arguments on POST requests, such as hidden form fields (HTML forms), or proprietary HTTP headers. <br />
<br />
The preferred session ID exchange mechanism should allow defining advanced token properties, such as the token expiration date and time, or granular usage constraints. This is one of the reasons why cookies (RFCs 2109 &amp; 2965 &amp; 6265 [1]) are one of the most extensively used session ID exchange mechanisms, offering advanced capabilities not available in other methods. <br />
<br />
The usage of specific session ID exchange mechanisms, such as those where the ID is included in the URL, might disclose the session ID (in web links and logs, web browser history and bookmarks, the Referer header or search engines), as well as facilitate other attacks, such as the manipulation of the ID or session fixation attacks [3]. <br />
<br />
== Built-in Session Management Implementations ==<br />
<br />
Web development frameworks, such as J2EE, ASP .NET, PHP, and others, provide their own session management features and associated implementation. It is recommended to use these built-in frameworks versus building a home made one from scratch, as they are used worldwide on multiple web environments and have been tested by the web application security and development communities over time. <br />
<br />
However, be advised that these frameworks have also presented vulnerabilities and weaknesses in the past, so it is always recommended to use the latest version available, that potentially fixes all the well-known vulnerabilities, as well as review and change the default configuration to enhance its security by following the recommendations described along this document. <br />
<br />
The storage capabilities or repository used by the session management mechanism to temporarily save the session IDs must be secure, protecting the session IDs against local or remote accidental disclosure or unauthorized access. <br />
<br />
== Used vs. Accepted Session ID Exchange Mechanisms ==<br />
<br />
A web application should make use of cookies for session ID exchange management. If a user submits a session ID through a different exchange mechanism, such as a URL parameter, the web application should avoid accepting it as part of a defensive strategy to stop session fixation.<br />
<br />
'''''NOTE''''': Even if a web application makes use of cookies as its default session ID exchange mechanism, it might accept other exchange mechanisms too. It is therefore required to confirm via thorough testing all the different mechanisms currently accepted by the web application when processing and managing session IDs, and limit the accepted session ID tracking mechanisms to just cookies. In the past, some web applications used URL parameters, or even switched from cookies to URL parameters (via automatic URL rewriting), if certain conditions are met (for example, the identification of web clients without support for cookies or not accepting cookies due to user privacy concerns).<br />
<br />
== Transport Layer Security ==<br />
<br />
In order to protect the session ID exchange from active eavesdropping and passive disclosure in the network traffic, it is mandatory to use an encrypted HTTPS (SSL/TLS) connection for the entire web session, not only for the authentication process where the user credentials are exchanged. <br />
<br />
Additionally, the “Secure” cookie attribute (see below) must be used to ensure the session ID is only exchanged through an encrypted channel. The usage of an encrypted communication channel also protects the session against some session fixation attacks where the attacker is able to intercept and manipulate the web traffic to inject (or fix) the session ID on the victims web browser [4]. <br />
<br />
The following set of HTTPS (SSL/TLS) best practices are focused on protecting the session ID (specifically when cookies are used) and helping with the integration of HTTPS within the web application: <br />
<br />
*Web applications should never switch a given session from HTTP to HTTPS, or viceversa, as this will disclose the session ID in the clear through the network. <br />
*Web applications should not mix encrypted and unencrypted contents (HTML pages, images, CSS, Javascript files, etc) on the same host (or even domain - see the “domain” cookie attribute), as the request of any web object over an unencrypted channel might disclose the session ID. <br />
*Web applications, in general, should not offer public unencrypted contents and private encrypted contents from the same host. It is recommended to instead use two different hosts, such as www.example.com over HTTP (unencrypted) for the public contents, and secure.example.com over HTTPS (encrypted) for the private and sensitive contents (where sessions exist). The former host only has port TCP/80 open, while the later only has port TCP/443 open. <br />
*Web applications should avoid the extremely common HTTP to HTTPS redirection on the home page (using a 30x HTTP response), as this single unprotected HTTP request/response exchange can be used by an attacker to gather (or fix) a valid session ID.<br />
* Web applications should make use of “HTTP Strict Transport Security (HSTS)” (previously called STS) to enforce HTTPS connections.<br />
<br />
See the OWASP Transport Layer Protection Cheat Sheet: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet. <br />
<br />
It is important to emphasize that SSL/TLS (HTTPS) does not protect against session ID prediction, brute force, client-side tampering or fixation. Yet, session ID disclosure and capture from the network traffic is one of the most prevalent attack vectors even today. <br />
<br />
<br> <br />
<br />
= Cookies =<br />
<br />
The session ID exchange mechanism based on cookies provides multiple security features in the form of cookie attributes that can be used to protect the exchange of the session ID: <br />
<br />
== Secure Attribute ==<br />
<br />
The “Secure” cookie attribute instructs web browsers to only send the cookie through an encrypted HTTPS (SSL/TLS) connection. This session protection mechanism is mandatory to prevent the disclosure of the session ID through MitM (Man-in-the-Middle) attacks. It ensures that an attacker cannot simply capture the session ID from web browser traffic. <br />
<br />
Forcing the web application to only use HTTPS for its communication (even when port TCP/80, HTTP, is closed in the web application host) does not protect against session ID disclosure if the “Secure” cookie has not been set - the web browser can be deceived to disclose the session ID over an unencrypted HTTP connection. The attacker can intercept and manipulate the victim user traffic and inject an HTTP unencrypted reference to the web application that will force the web browser to submit the session ID in the clear.<br />
<br />
See also: [https://www.owasp.org/index.php/SecureFlag SecureFlag]<br />
<br />
== HttpOnly Attribute ==<br />
<br />
The “HttpOnly” cookie attribute instructs web browsers not to allow scripts (e.g. JavaScript or VBscript) an ability to access the cookies via the DOM document.cookie object. This session ID protection is mandatory to prevent session ID stealing through XSS attacks. <br />
<br />
See the OWASP XSS Prevention Cheat Sheet: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet.<br />
<br />
See also: [https://www.owasp.org/index.php/HttpOnly HttpOnly]<br />
<br />
== SameSite Attribute ==<br />
SameSite allows a server define a cookie attribute making it impossible to the browser send this cookie along with cross-site requests. The main goal is mitigate the risk of cross-origin information leakage, and provides some protection against cross-site request forgery attacks.<br />
<br />
See also: [https://www.owasp.org/index.php/SameSite SameSite]<br />
<br />
== Domain and Path Attributes ==<br />
<br />
The “Domain” cookie attribute instructs web browsers to only send the cookie to the specified domain and all subdomains. If the attribute is not set, by default the cookie will only be sent to the origin server. The “Path” cookie attribute instructs web browsers to only send the cookie to the specified directory or subdirectories (or paths or resources) within the web application. If the attribute is not set, by default the cookie will only be sent for the directory (or path) of the resource requested and setting the cookie. <br />
<br />
It is recommended to use a narrow or restricted scope for these two attributes. In this way, the “Domain” attribute should not be set (restricting the cookie just to the origin server) and the “Path” attribute should be set as restrictive as possible to the web application path that makes use of the session ID. <br />
<br />
Setting the “Domain” attribute to a too permissive value, such as “example.com” allows an attacker to launch attacks on the session IDs between different hosts and web applications belonging to the same domain, known as cross-subdomain cookies. For example, vulnerabilities in www.example.com might allow an attacker to get access to the session IDs from secure.example.com. <br />
<br />
Additionally, it is recommended not to mix web applications of different security levels on the same domain. Vulnerabilities in one of the web applications would allow an attacker to set the session ID for a different web application on the same domain by using a permissive “Domain” attribute (such as “example.com”) which is a technique that can be used in session fixation attacks [4]. <br />
<br />
Although the “Path” attribute allows the isolation of session IDs between different web applications using different paths on the same host, it is highly recommended not to run different web applications (especially from different security levels or scopes) on the same host. Other methods can be used by these applications to access the session IDs, such as the “document.cookie” object. Also, any web application can set cookies for any path on that host. <br />
<br />
Cookies are vulnerable to DNS spoofing/hijacking/poisoning attacks, where an attacker can manipulate the DNS resolution to force the web browser to disclose the session ID for a given host or domain. <br />
<br />
== Expire and Max-Age Attributes ==<br />
<br />
Session management mechanisms based on cookies can make use of two types of cookies, non-persistent (or session) cookies, and persistent cookies. If a cookie presents the “Max-Age” (that has preference over “Expires”) or “Expires” attributes, it will be considered a persistent cookie and will be stored on disk by the web browser based until the expiration time. Typically, session management capabilities to track users after authentication make use of non-persistent cookies. This forces the session to disappear from the client if the current web browser instance is closed. Therefore, it is highly recommended to use non-persistent cookies for session management purposes, so that the session ID does not remain on the web client cache for long periods of time, from where an attacker can obtain it. <br />
<br />
* Ensure that sensitive information is not comprised, by ensuring that sensitive information is not persistent / encrypting / stored on a need basis for the duration of the need<br />
<br />
* Ensure that unauthorized activities cannot take place via cookie manipulation<br />
<br />
* Ensure secure flag is set to prevent accidental transmission over “the wire” in a non-secure manner<br />
<br />
* Determine if all state transitions in the application code properly check for the cookies and enforce their use<br />
<br />
* Ensure entire cookie should be encrypted if sensitive data is persisted in the cookie<br />
<br />
* Define all cookies being used by the application, their name and why they are needed<br />
<br />
<br />
<br><br />
<br />
= Session ID Life Cycle =<br />
<br />
== Session ID Generation and Verification: Permissive and Strict Session Management ==<br />
<br />
There are two types of session management mechanisms for web applications, permissive and strict, related to session fixation vulnerabilities. The permissive mechanism allow the web application to initially accept any session ID value set by the user as valid, creating a new session for it, while the strict mechanism enforces that the web application will only accept session ID values that have been previously generated by the web application. <br />
<br />
The session tokens should be handled by the web server if possible or generated via a cryptographically secure random number generator.<br />
<br />
Although the most common mechanism in use today is the strict one (more secure, [https://wiki.php.net/rfc/session-use-strict-mode PHP defaults to permissive]). Developers must ensure that the web application does not use a permissive mechanism under certain circumstances. Web applications should never accept a session ID they have never generated, and in case of receiving one, they should generate and offer the user a new valid session ID. Additionally, this scenario should be detected as a suspicious activity and an alert should be generated. <br />
<br />
== Manage Session ID as Any Other User Input ==<br />
<br />
Session IDs must be considered untrusted, as any other user input processed by the web application, and they must be thoroughly validated and verified. Depending on the session management mechanism used, the session ID will be received in a GET or POST parameter, in the URL or in an HTTP header (e.g. cookies). If web applications do not validate and filter out invalid session ID values before processing them, they can potentially be used to exploit other web vulnerabilities, such as SQL injection if the session IDs are stored on a relational database, or persistent XSS if the session IDs are stored and reflected back afterwards by the web application. <br />
<br />
== Renew the Session ID After Any Privilege Level Change ==<br />
<br />
The session ID must be renewed or regenerated by the web application after any privilege level change within the associated user session. The most common scenario where the session ID regeneration is mandatory is during the authentication process, as the privilege level of the user changes from the unauthenticated (or anonymous) state to the authenticated state. Other common scenarios must also be considered, such as password changes, permission changes or switching from a regular user role to an administrator role within the web application. For all these web application critical pages, previous session IDs have to be ignored, a new session ID must be assigned to every new request received for the critical resource, and the old or previous session ID must be destroyed. <br />
<br />
The most common web development frameworks provide session functions and methods to renew the session ID, such as “request.getSession(true) &amp; HttpSession.invalidate()” (J2EE), “Session.Abandon() &amp; Response.Cookies.Add(new…)“ (ASP .NET), or “session_start() &amp; session_regenerate_id(true)” (PHP). <br />
<br />
The session ID regeneration is mandatory to prevent session fixation attacks [3], where an attacker sets the session ID on the victims user web browser instead of gathering the victims session ID, as in most of the other session-based attacks, and independently of using HTTP or HTTPS. This protection mitigates the impact of other web-based vulnerabilities that can also be used to launch session fixation attacks, such as HTTP response splitting or XSS [4]. <br />
<br />
A complementary recommendation is to use a different session ID or token name (or set of session IDs) pre and post authentication, so that the web application can keep track of anonymous users and authenticated users without the risk of exposing or binding the user session between both states. <br />
<br />
== Considerations When Using Multiple Cookies ==<br />
<br />
If the web application uses cookies as the session ID exchange mechanism, and multiple cookies are set for a given session, the web application must verify all cookies (and enforce relationships between them) before allowing access to the user session. <br />
<br />
It is very common for web applications to set a user cookie pre-authentication over HTTP to keep track of unauthenticated (or anonymous) users. Once the user authenticates in the web application, a new post-authentication secure cookie is set over HTTPS, and a binding between both cookies and the user session is established. If the web application does not verify both cookies for authenticated sessions, an attacker can make use of the pre-authentication unprotected cookie to get access to the authenticated user session [4]. <br />
<br />
Web applications should try to avoid the same cookie name for different paths or domain scopes within the same web application, as this increases the complexity of the solution and potentially introduces scoping issues.<br />
<br />
<br><br />
<br />
= Session Expiration =<br />
<br />
In order to minimize the time period an attacker can launch attacks over active sessions and hijack them, it is mandatory to set expiration timeouts for every session, establishing the amount of time a session will remain active. Insufficient session expiration by the web application increases the exposure of other session-based attacks, as for the attacker to be able to reuse a valid session ID and hijack the associated session, it must still be active. <br />
<br />
The shorter the session interval is, the lesser the time an attacker has to use the valid session ID. The session expiration timeout values must be set accordingly with the purpose and nature of the web application, and balance security and usability, so that the user can comfortably complete the operations within the web application without his session frequently expiring. Both the idle and absolute timeout values are highly dependent on how critical the web application and its data are. Common idle timeouts ranges are 2-5 minutes for high-value applications and 15- 30 minutes for low risk applications. <br />
<br />
When a session expires, the web application must take active actions to invalidate the session on both sides, client and server. The latter is the most relevant and mandatory from a security perspective. <br />
<br />
For most session exchange mechanisms, client side actions to invalidate the session ID are based on clearing out the token value. For example, to invalidate a cookie it is recommended to provide an empty (or invalid) value for the session ID, and set the “Expires” (or “Max-Age”) attribute to a date from the past (in case a persistent cookie is being used): <br />
<pre>Set-Cookie: id=; Expires=Friday, 17-May-03 18:45:00 GMT </pre> <br />
In order to close and invalidate the session on the server side, it is mandatory for the web application to take active actions when the session expires, or the user actively logs out, by using the functions and methods offered by the session management mechanisms, such as “HttpSession.invalidate()” (J2EE), “Session.Abandon()“ (ASP .NET) or “session_destroy()/unset()“ (PHP). <br />
<br />
== Automatic Session Expiration ==<br />
<br />
=== Idle Timeout ===<br />
<br />
All sessions should implement an idle or inactivity timeout. This timeout defines the amount of time a session will remain active in case there is no activity in the session, closing and invalidating the session upon the defined idle period since the last HTTP request received by the web application for a given session ID. <br />
<br />
The idle timeout limits the chances an attacker has to guess and use a valid session ID from another user. However, if the attacker is able to hijack a given session, the idle timeout does not limit the attacker’s actions, as he can generate activity on the session periodically to keep the session active for longer periods of time. <br />
<br />
Session timeout management and expiration must be enforced server-side. If the client is used to enforce the session timeout, for example using the session token or other client parameters to track time references (e.g. number of minutes since login time), an attacker could manipulate these to extend the session duration. <br />
<br />
=== Absolute Timeout ===<br />
<br />
All sessions should implement an absolute timeout, regardless of session activity. This timeout defines the maximum amount of time a session can be active, closing and invalidating the session upon the defined absolute period since the given session was initially created by the web application. After invalidating the session, the user is forced to (re)authenticate again in the web application and establish a new session. <br />
<br />
The absolute session limits the amount of time an attacker can use a hijacked session and impersonate the victim user. <br />
<br />
=== Renewal Timeout ===<br />
<br />
Alternatively, the web application can implement an additional renewal timeout after which the session ID is automatically renewed, in the middle of the user session, and independently of the session activity and, therefore, of the idle timeout. <br />
<br />
After a specific amount of time since the session was initially created, the web application can regenerate a new ID for the user session and try to set it, or renew it, on the client. The previous session ID value would still be valid for some time, accommodating a safety interval, before the client is aware of the new ID and starts using it. At that time, when the client switches to the new ID inside the current session, the application invalidates the previous ID.<br />
<br />
This scenario minimizes the amount of time a given session ID value, potentially obtained by an attacker, can be reused to hijack the user session, even when the victim user session is still active. The user session remains alive and open on the legitimate client, although its associated session ID value is transparently renewed periodically during the session duration, every time the renewal timeout expires. Therefore, the renewal timeout complements the idle and absolute timeouts, specially when the absolute timeout value extends significantly over time (e.g. it is an application requirement to keep the user sessions opened for long periods of time).<br />
<br />
Depending of the implementation, potentially there could be a race condition where the attacker with a still valid previous session ID sends a request before the victim user, right after the renewal timeout has just expired, and obtains first the value for the renewed session ID. At least in this scenario, the victim user might be aware of the attack as her session will be suddenly terminated because her associated session ID is not valid anymore.<br />
<br />
<br />
== Manual Session Expiration ==<br />
<br />
Web applications should provide mechanisms that allow security aware users to actively close their session once they have finished using the web application. <br />
<br />
=== Logout Button ===<br />
<br />
Web applications must provide a visible an easily accessible logout (logoff, exit, or close session) button that is available on the web application header or menu and reachable from every web application resource and page, so that the user can manually close the session at any time. As described [[Session_Management_Cheat_Sheet#Session_Expiration|above]], the web application must invalidate the session at least on server side.<br />
<br />
'''NOTE''': Unfortunately, not all web applications facilitate users to close their current session. Thus, client-side enhancements such as the PopUp LogOut Firefox add-on [9] allow conscientious users to protect their sessions by helping to close them diligently.<br />
<br />
== Web Content Caching ==<br />
<br />
Even after the session has been closed, it might be possible to access the private or sensitive data exchanged within the session through the web browser cache. Therefore, web applications must use restrictive cache directives for all the web traffic exchanged through HTTP and HTTPS, such as the “Cache-Control: no-cache,no-store” and “Pragma: no-cache” HTTP headers [5], and/or equivalent META tags on all or (at least) sensitive web pages. <br />
<br />
Independently of the cache policy defined by the web application, if caching web application contents is allowed, the session IDs must never be cached, so it is highly recommended to use the “Cache-Control: no-cache="Set-Cookie, Set-Cookie2"” directive, to allow web clients to cache everything except the session ID. <br />
<br />
<br> <br />
<br />
= Additional Client-Side Defenses for Session Management =<br />
<br />
Web applications can complement the previously described session management defenses with additional countermeasures on the client side. Client-side protections, typically in the form of JavaScript checks and verifications, are not bullet proof and can easily be defeated by a skilled attacker, but can introduce another layer of defense that has to be bypassed by intruders. <br />
<br />
== Initial Login Timeout ==<br />
<br />
Web applications can use JavaScript code in the login page to evaluate and measure the amount of time since the page was loaded and a session ID was granted. If a login attempt is tried after a specific amount of time, the client code can notify the user that the maximum amount of time to log in has passed and reload the login page, hence retrieving a new session ID. <br />
<br />
This extra protection mechanism tries to force the renewal of the session ID pre-authentication, avoiding scenarios where a previously used (or manually set) session ID is reused by the next victim using the same computer, for example, in session fixation attacks. <br />
<br />
== Force Session Logout On Web Browser Window Close Events ==<br />
<br />
Web applications can use JavaScript code to capture all the web browser tab or window close (or even back) events and take the appropriate actions to close the current session before closing the web browser, emulating that the user has manually closed the session via the logout button. <br />
<br />
== Disable Web Browser Cross-Tab Sessions ==<br />
<br />
Web applications can use JavaScript code once the user has logged in and a session has been established to force the user to re-authenticate if a new web browser tab or window is opened against the same web application. The web application does not want to allow multiple web browser tabs or windows to share the same session. Therefore, the application tries to force the web browser to not share the same session ID simultaneously between them. <br />
<br />
'''''NOTE''''': This mechanism cannot be implemented if the session ID is exchanged through cookies, as cookies are shared by all web browser tabs/windows.&nbsp; <br />
<br />
== Automatic Client Logout ==<br />
<br />
JavaScript code can be used by the web application in all (or critical) pages to automatically logout client sessions after the idle timeout expires, for example, by redirecting the user to the logout page (the same resource used by the logout button mentioned previously). <br />
<br />
The benefit of enhancing the server-side idle timeout functionality with client-side code is that the user can see that the session has finished due to inactivity, or even can be notified in advance that the session is about to expire through a count down timer and warning messages. This user-friendly approach helps to avoid loss of work in web pages that require extensive input data due to server-side silently expired sessions.<br />
<br />
<br> <br />
<br />
= Session Attacks Detection =<br />
<br />
== Session ID Guessing and Brute Force Detection ==<br />
<br />
If an attacker tries to guess or brute force a valid session ID, he needs to launch multiple sequential requests against the target web application using different session IDs from a single (or set of) IP address(es). Additionally, if an attacker tries to analyze the predictability of the session ID (e.g. using statistical analysis), he needs to launch multiple sequential requests from a single (or set of) IP address(es) against the target web application to gather new valid session IDs. <br />
<br />
Web applications must be able to detect both scenarios based on the number of attempts to gather (or use) different session IDs and alert and/or block the offending IP address(es). <br />
<br />
== Detecting Session ID Anomalies ==<br />
<br />
Web applications should focus on detecting anomalies associated to the session ID, such as its manipulation. The OWASP AppSensor Project [7] provides a framework and methodology to implement built-in intrusion detection capabilities within web applications focused on the detection of anomalies and unexpected behaviors, in the form of detection points and response actions. Instead of using external protection layers, sometimes the business logic details and advanced intelligence are only available from inside the web application, where it is possible to establish multiple session related detection points, such as when an existing cookie is modified or deleted, a new cookie is added, the session ID from another user is reused, or when the user location or User-Agent changes in the middle of a session. <br />
<br />
== Binding the Session ID to Other User Properties ==<br />
<br />
With the goal of detecting (and, in some scenarios, protecting against) user misbehaviors and session hijacking, it is highly recommended to bind the session ID to other user or client properties, such as the client IP address, User-Agent, or client-based digital certificate. If the web application detects any change or anomaly between these different properties in the middle of an established session, this is a very good indicator of session manipulation and hijacking attempts, and this simple fact can be used to alert and/or terminate the suspicious session. <br />
<br />
Although these properties cannot be used by web applications to trustingly defend against session attacks, they significantly increase the web application detection (and protection) capabilities. However, a skilled attacker can bypass these controls by reusing the same IP address assigned to the victim user by sharing the same network (very common in NAT environments, like Wi-Fi hotspots) or by using the same outbound web proxy (very common in corporate environments), or by manually modifying his User-Agent to look exactly as the victim users does. <br />
<br />
== Logging Sessions Life Cycle: Monitoring Creation, Usage, and Destruction of Session IDs ==<br />
<br />
Web applications should increase their logging capabilities by including information regarding the full life cycle of sessions. In particular, it is recommended to record session related events, such as the creation, renewal, and destruction of session IDs, as well as details about its usage within login and logout operations, privilege level changes within the session, timeout expiration, invalid session activities (when detected), and critical business operations during the session. <br />
<br />
The log details might include a timestamp, source IP address, web target resource requested (and involved in a session operation), HTTP headers (including the User-Agent and Referer), GET and POST parameters, error codes and messages, username (or user ID), plus the session ID (cookies, URL, GET, POST…). Sensitive data like the session ID should not be included in the logs in order to protect the session logs against session ID local or remote disclosure or unauthorized access. However, some kind of session-specific information must be logged into order to correlate log entries to specific sessions. It is recommended to log a salted-hash of the session ID instead of the session ID itself in order to allow for session-specific log correlation without exposing the session ID.<br />
<br />
In particular, web applications must thoroughly protect administrative interfaces that allow to manage all the current active sessions. Frequently these are used by support personnel to solve session related issues, or even general issues, by impersonating the user and looking at the web application as the user does.<br />
<br />
The session logs become one of the main web application intrusion detection data sources, and can also be used by intrusion protection systems to automatically terminate sessions and/or disable user accounts when (one or many) attacks are detected. If active protections are implemented, these defensive actions must be logged too.<br />
<br />
== Simultaneous Session Logons ==<br />
<br />
It is the web application design decision to determine if multiple simultaneous logons from the same user are allowed from the same or from different client IP addresses. If the web application does not want to allow simultaneous session logons, it must take effective actions after each new authentication event, implicitly terminating the previously available session, or asking the user (through the old, new or both sessions) about the session that must remain active. <br />
<br />
It is recommended for web applications to add user capabilities that allow checking the details of active sessions at any time, monitor and alert the user about concurrent logons, provide user features to remotely terminate sessions manually, and track account activity history (logbook) by recording multiple client details such as IP address, User-Agent, login date and time, idle time, etc. <br />
<br />
<br> <br />
<br />
= Session Management WAF Protections =<br />
<br />
There are situations where the web application source code is not available or cannot be modified, or when the changes required to implement the multiple security recommendations and best practices detailed above imply a full redesign of the web application architecture, and therefore, cannot be easily implemented in the short term. In these scenarios, or to complement the web application defenses, and with the goal of keeping the web application as secure as possible, it is recommended to use external protections such as Web Application Firewalls (WAFs) that can mitigate the session management threats already described. <br />
<br />
Web Application Firewalls offer detection and protection capabilities against session based attacks. On the one hand, it is trivial for WAFs to enforce the usage of security attributes on cookies, such as the “Secure” and “HttpOnly” flags, applying basic rewriting rules on the “Set-Cookie” header for all the web application responses that set a new cookie. On the other hand, more advanced capabilities can be implemented to allow the WAF to keep track of sessions, and the corresponding session IDs, and apply all kind of protections against session fixation (by renewing the session ID on the client-side when privilege changes are detected), enforcing sticky sessions (by verifying the relationship between the session ID and other client properties, like the IP address or User-Agent), or managing session expiration (by forcing both the client and the web application to finalize the session). <br />
<br />
The open-source ModSecurity WAF, plus the OWASP Core Rule Set [6], provide capabilities to detect and apply security cookie attributes, countermeasures against session fixation attacks, and session tracking features to enforce sticky sessions. <br />
<br />
<br> <br />
<br />
= Related Articles =<br />
<br />
[0] '''OWASP Cookies Database. OWASP.''' https://www.owasp.org/index.php/Category:OWASP_Cookies_Database <br />
<br />
[1] '''"HTTP State Management Mechanism". RFC 6265. IETF.''' http://tools.ietf.org/html/rfc6265 <br />
<br />
[2] '''Insufficient Session-ID Length. OWASP.''' https://www.owasp.org/index.php/Insufficient_Session-ID_Length <br />
<br />
[3] '''Session Fixation. Mitja Kolšek. 2002.''' http://www.acrossecurity.com/papers/session_fixation.pdf <br />
<br />
[4] '''"SAP: Session (Fixation) Attacks and Protections (in Web Applications)". Raul Siles. BlackHat EU 2011.''' <br />
<br />
https://media.blackhat.com/bh-eu-11/Raul_Siles/BlackHat_EU_2011_Siles_SAP_Session-Slides.pdf <br />
<br />
https://media.blackhat.com/bh-eu-11/Raul_Siles/BlackHat_EU_2011_Siles_SAP_Session-WP.pdf <br />
<br />
[5] '''"Hypertext Transfer Protocol -- HTTP/1.1". RFC2616. IETF.''' http://tools.ietf.org/html/rfc2616 <br />
<br />
[6] '''OWASP ModSecurity Core Rule Set (CSR) Project. OWASP.''' https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project <br />
<br />
[7] '''OWASP AppSensor Project. OWASP.''' https://www.owasp.org/index.php/Category:OWASP_AppSensor_Project <br />
<br />
[8] '''HttpOnly Session ID in URL and Page Body | Cross Site Scripting''' http://seckb.yehg.net/2012/06/httponly-session-id-in-url-and-page.html<br />
<br />
[9] '''PopUp LogOut Firefox add-on''' https://addons.mozilla.org/en-US/firefox/addon/popup-logout/ & http://popuplogout.iniqua.com<br />
<br />
[10] '''How and why session IDs are reused in ASP.NET''' https://support.microsoft.com/en-us/kb/899918<br />
<br />
= Authors and Primary Editors =<br />
<br />
Raul Siles (DinoSec) - raul[at]dinosec.com <br />
<br />
== Other Cheatsheets ==<br />
<br />
{{Cheatsheet_Navigation_Body}}<br />
<br />
|}<br />
<br />
[[Category:Cheatsheets]]</div>Simon Watershttps://wiki.owasp.org/index.php?title=Session_Management_Cheat_Sheet&diff=231493Session Management Cheat Sheet2017-07-10T09:26:25Z<p>Simon Waters: Add link to PHP vote against defaulting to strict session management, to make it clear that whilst "strict" is more common in terms of systems, many many permissive systems exist.</p>
<hr />
<div> __NOTOC__<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' <br />
= Introduction =<br />
__TOC__{{TOC hidden}}<br />
<br />
'''Web Authentication, Session Management, and Access Control''' <br />
<br />
A web session is a sequence of network HTTP request and response transactions associated to the same user. Modern and complex web applications require the retaining of information or status about each user for the duration of multiple requests. Therefore, sessions provide the ability to establish variables – such as access rights and localization settings – which will apply to each and every interaction a user has with the web application for the duration of the session. <br />
<br />
Web applications can create sessions to keep track of anonymous users after the very first user request. An example would be maintaining the user language preference. Additionally, web applications will make use of sessions once the user has authenticated. This ensures the ability to identify the user on any subsequent requests as well as being able to apply security access controls, authorized access to the user private data, and to increase the usability of the application. Therefore, current web applications can provide session capabilities both pre and post authentication. <br />
<br />
Once an authenticated session has been established, the session ID (or token) is temporarily equivalent to the strongest authentication method used by the application, such as username and password, passphrases, one-time passwords (OTP), client-based digital certificates, smartcards, or biometrics (such as fingerprint or eye retina). See the OWASP Authentication Cheat Sheet: https://www.owasp.org/index.php/Authentication_Cheat_Sheet. <br />
<br />
HTTP is a stateless protocol (RFC2616 [5]), where each request and response pair is independent of other web interactions. Therefore, in order to introduce the concept of a session, it is required to implement session management capabilities that link both the authentication and access control (or authorization) modules commonly available in web applications: <br />
<br />
[[Image:Session-Management-Diagram Cheat-Sheet.png|center|Session-Management-Diagram Cheat-Sheet.png]] <br> The session ID or token binds the user authentication credentials (in the form of a user session) to the user HTTP traffic and the appropriate access controls enforced by the web application. The complexity of these three components (authentication, session management, and access control) in modern web applications, plus the fact that its implementation and binding resides on the web developer’s hands (as web development framework do not provide strict relationships between these modules), makes the implementation of a secure session management module very challenging. <br />
<br />
The disclosure, capture, prediction, brute force, or fixation of the session ID will lead to session hijacking (or sidejacking) attacks, where an attacker is able to fully impersonate a victim user in the web application. Attackers can perform two types of session hijacking attacks, targeted or generic. In a targeted attack, the attacker’s goal is to impersonate a specific (or privileged) web application victim user. For generic attacks, the attacker’s goal is to impersonate (or get access as) any valid or legitimate user in the web application. <br />
<br />
<br> <br />
<br />
= Session ID Properties =<br />
<br />
In order to keep the authenticated state and track the users progress within the web application, applications provide users with a session identifier (session ID or token) that is assigned at session creation time, and is shared and exchanged by the user and the web application for the duration of the session (it is sent on every HTTP request). The session ID is a “name=value” pair. <br />
<br />
With the goal of implementing secure session IDs, the generation of identifiers (IDs or tokens) must meet the following properties: <br />
<br />
== Session ID Name Fingerprinting ==<br />
<br />
The name used by the session ID should not be extremely descriptive nor offer unnecessary details about the purpose and meaning of the ID. <br />
<br />
The session ID names used by the most common web application development frameworks can be easily fingerprinted [0], such as PHPSESSID (PHP), JSESSIONID (J2EE), CFID &amp; CFTOKEN (ColdFusion), ASP.NET_SessionId (ASP .NET), etc. Therefore, the session ID name can disclose the technologies and programming languages used by the web application. <br />
<br />
It is recommended to change the default session ID name of the web development framework to a generic name, such as “id”. <br />
<br />
== Session ID Length ==<br />
<br />
The session ID must be long enough to prevent brute force attacks, where an attacker can go through the whole range of ID values and verify the existence of valid sessions. <br />
<br />
The session ID length must be at least 128 bits (16 bytes).<br />
<br />
'''''NOTE''''': The session ID length of 128 bits is provided as a reference based on the assumptions made on the next section "Session ID Entropy". However, this number should not be considered as an absolute minimum value, as other implementation factors might influence its strength. For example, there are well-known implementations, such as Microsoft ASP.NET, making use of 120-bit random numbers for its session IDs (represented by 20-character strings [10]) that can provide a very good effective entropy, and as a result, can be considered long enough to avoid guessing or brute force attacks.<br />
<br />
== Session ID Entropy ==<br />
<br />
The session ID must be unpredictable (random enough) to prevent guessing attacks, where an attacker is able to guess or predict the ID of a valid session through statistical analysis techniques. For this purpose, a good PRNG (Pseudo Random Number Generator) must be used. <br />
<br />
The session ID value must provide at least 64 bits of entropy (if a good PRNG is used, this value is estimated to be half the length of the session ID).<br> <br />
<br />
'''''NOTE''''': The session ID entropy is really affected by other external and difficult to measure factors, such as the number of concurrent active sessions the web application commonly has, the absolute session expiration timeout, the amount of session ID guesses per second the attacker can make and the target web application can support, etc [2]. If a session ID with an entropy of 64 bits is used, it will take an attacker at least 292 years to successfully guess a valid session ID, assuming the attacker can try 10,000 guesses per second with 100,000 valid simultaneous sessions available in the web application [2]. <br />
<br />
== Session ID Content (or Value) ==<br />
<br />
The session ID content (or value) must be meaningless to prevent information disclosure attacks, where an attacker is able to decode the contents of the ID and extract details of the user, the session, or the inner workings of the web application. <br />
<br />
The session ID must simply be an identifier on the client side, and its value must never include sensitive information (or PII). The meaning and business or application logic associated to the session ID must be stored on the server side, and specifically, in session objects or in a session management database or repository. The stored information can include the client IP address, User-Agent, e-mail, username, user ID, role, privilege level, access rights, language preferences, account ID, current state, last login, session timeouts, and other internal session details. If the session objects and properties contain sensitive information, such as credit card numbers, it is required to duly encrypt and protect the session management repository. <br />
<br />
It is recommended to create cryptographically strong session IDs through the usage of cryptographic hash functions such as SHA1 (160 bits). <br />
<br />
<br> <br />
<br />
= Session Management Implementation =<br />
<br />
The session management implementation defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID. There are multiple mechanisms available in HTTP to maintain session state within web applications, such as cookies (standard HTTP header), URL parameters (URL rewriting – RFC 2396), URL arguments on GET requests, body arguments on POST requests, such as hidden form fields (HTML forms), or proprietary HTTP headers. <br />
<br />
The preferred session ID exchange mechanism should allow defining advanced token properties, such as the token expiration date and time, or granular usage constraints. This is one of the reasons why cookies (RFCs 2109 &amp; 2965 &amp; 6265 [1]) are one of the most extensively used session ID exchange mechanisms, offering advanced capabilities not available in other methods. <br />
<br />
The usage of specific session ID exchange mechanisms, such as those where the ID is included in the URL, might disclose the session ID (in web links and logs, web browser history and bookmarks, the Referer header or search engines), as well as facilitate other attacks, such as the manipulation of the ID or session fixation attacks [3]. <br />
<br />
== Built-in Session Management Implementations ==<br />
<br />
Web development frameworks, such as J2EE, ASP .NET, PHP, and others, provide their own session management features and associated implementation. It is recommended to use these built-in frameworks versus building a home made one from scratch, as they are used worldwide on multiple web environments and have been tested by the web application security and development communities over time. <br />
<br />
However, be advised that these frameworks have also presented vulnerabilities and weaknesses in the past, so it is always recommended to use the latest version available, that potentially fixes all the well-known vulnerabilities, as well as review and change the default configuration to enhance its security by following the recommendations described along this document. <br />
<br />
The storage capabilities or repository used by the session management mechanism to temporarily save the session IDs must be secure, protecting the session IDs against local or remote accidental disclosure or unauthorized access. <br />
<br />
== Used vs. Accepted Session ID Exchange Mechanisms ==<br />
<br />
A web application should make use of cookies for session ID exchange management. If a user submits a session ID through a different exchange mechanism, such as a URL parameter, the web application should avoid accepting it as part of a defensive strategy to stop session fixation.<br />
<br />
'''''NOTE''''': Even if a web application makes use of cookies as its default session ID exchange mechanism, it might accept other exchange mechanisms too. It is therefore required to confirm via thorough testing all the different mechanisms currently accepted by the web application when processing and managing session IDs, and limit the accepted session ID tracking mechanisms to just cookies. In the past, some web applications used URL parameters, or even switched from cookies to URL parameters (via automatic URL rewriting), if certain conditions are met (for example, the identification of web clients without support for cookies or not accepting cookies due to user privacy concerns).<br />
<br />
== Transport Layer Security ==<br />
<br />
In order to protect the session ID exchange from active eavesdropping and passive disclosure in the network traffic, it is mandatory to use an encrypted HTTPS (SSL/TLS) connection for the entire web session, not only for the authentication process where the user credentials are exchanged. <br />
<br />
Additionally, the “Secure” cookie attribute (see below) must be used to ensure the session ID is only exchanged through an encrypted channel. The usage of an encrypted communication channel also protects the session against some session fixation attacks where the attacker is able to intercept and manipulate the web traffic to inject (or fix) the session ID on the victims web browser [4]. <br />
<br />
The following set of HTTPS (SSL/TLS) best practices are focused on protecting the session ID (specifically when cookies are used) and helping with the integration of HTTPS within the web application: <br />
<br />
*Web applications should never switch a given session from HTTP to HTTPS, or viceversa, as this will disclose the session ID in the clear through the network. <br />
*Web applications should not mix encrypted and unencrypted contents (HTML pages, images, CSS, Javascript files, etc) on the same host (or even domain - see the “domain” cookie attribute), as the request of any web object over an unencrypted channel might disclose the session ID. <br />
*Web applications, in general, should not offer public unencrypted contents and private encrypted contents from the same host. It is recommended to instead use two different hosts, such as www.example.com over HTTP (unencrypted) for the public contents, and secure.example.com over HTTPS (encrypted) for the private and sensitive contents (where sessions exist). The former host only has port TCP/80 open, while the later only has port TCP/443 open. <br />
*Web applications should avoid the extremely common HTTP to HTTPS redirection on the home page (using a 30x HTTP response), as this single unprotected HTTP request/response exchange can be used by an attacker to gather (or fix) a valid session ID.<br />
* Web applications should make use of “HTTP Strict Transport Security (HSTS)” (previously called STS) to enforce HTTPS connections.<br />
<br />
See the OWASP Transport Layer Protection Cheat Sheet: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet. <br />
<br />
It is important to emphasize that SSL/TLS (HTTPS) does not protect against session ID prediction, brute force, client-side tampering or fixation. Yet, session ID disclosure and capture from the network traffic is one of the most prevalent attack vectors even today. <br />
<br />
<br> <br />
<br />
= Cookies =<br />
<br />
The session ID exchange mechanism based on cookies provides multiple security features in the form of cookie attributes that can be used to protect the exchange of the session ID: <br />
<br />
== Secure Attribute ==<br />
<br />
The “Secure” cookie attribute instructs web browsers to only send the cookie through an encrypted HTTPS (SSL/TLS) connection. This session protection mechanism is mandatory to prevent the disclosure of the session ID through MitM (Man-in-the-Middle) attacks. It ensures that an attacker cannot simply capture the session ID from web browser traffic. <br />
<br />
Forcing the web application to only use HTTPS for its communication (even when port TCP/80, HTTP, is closed in the web application host) does not protect against session ID disclosure if the “Secure” cookie has not been set - the web browser can be deceived to disclose the session ID over an unencrypted HTTP connection. The attacker can intercept and manipulate the victim user traffic and inject an HTTP unencrypted reference to the web application that will force the web browser to submit the session ID in the clear.<br />
<br />
See also: [https://www.owasp.org/index.php/SecureFlag SecureFlag]<br />
<br />
== HttpOnly Attribute ==<br />
<br />
The “HttpOnly” cookie attribute instructs web browsers not to allow scripts (e.g. JavaScript or VBscript) an ability to access the cookies via the DOM document.cookie object. This session ID protection is mandatory to prevent session ID stealing through XSS attacks. <br />
<br />
See the OWASP XSS Prevention Cheat Sheet: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet.<br />
<br />
See also: [https://www.owasp.org/index.php/HttpOnly HttpOnly]<br />
<br />
== SameSite Attribute ==<br />
SameSite allows a server define a cookie attribute making it impossible to the browser send this cookie along with cross-site requests. The main goal is mitigate the risk of cross-origin information leakage, and provides some protection against cross-site request forgery attacks.<br />
<br />
See also: [https://www.owasp.org/index.php/SameSite SameSite]<br />
<br />
== Domain and Path Attributes ==<br />
<br />
The “Domain” cookie attribute instructs web browsers to only send the cookie to the specified domain and all subdomains. If the attribute is not set, by default the cookie will only be sent to the origin server. The “Path” cookie attribute instructs web browsers to only send the cookie to the specified directory or subdirectories (or paths or resources) within the web application. If the attribute is not set, by default the cookie will only be sent for the directory (or path) of the resource requested and setting the cookie. <br />
<br />
It is recommended to use a narrow or restricted scope for these two attributes. In this way, the “Domain” attribute should not be set (restricting the cookie just to the origin server) and the “Path” attribute should be set as restrictive as possible to the web application path that makes use of the session ID. <br />
<br />
Setting the “Domain” attribute to a too permissive value, such as “example.com” allows an attacker to launch attacks on the session IDs between different hosts and web applications belonging to the same domain, known as cross-subdomain cookies. For example, vulnerabilities in www.example.com might allow an attacker to get access to the session IDs from secure.example.com. <br />
<br />
Additionally, it is recommended not to mix web applications of different security levels on the same domain. Vulnerabilities in one of the web applications would allow an attacker to set the session ID for a different web application on the same domain by using a permissive “Domain” attribute (such as “example.com”) which is a technique that can be used in session fixation attacks [4]. <br />
<br />
Although the “Path” attribute allows the isolation of session IDs between different web applications using different paths on the same host, it is highly recommended not to run different web applications (especially from different security levels or scopes) on the same host. Other methods can be used by these applications to access the session IDs, such as the “document.cookie” object. Also, any web application can set cookies for any path on that host. <br />
<br />
Cookies are vulnerable to DNS spoofing/hijacking/poisoning attacks, where an attacker can manipulate the DNS resolution to force the web browser to disclose the session ID for a given host or domain. <br />
<br />
== Expire and Max-Age Attributes ==<br />
<br />
Session management mechanisms based on cookies can make use of two types of cookies, non-persistent (or session) cookies, and persistent cookies. If a cookie presents the “Max-Age” (that has preference over “Expires”) or “Expires” attributes, it will be considered a persistent cookie and will be stored on disk by the web browser based until the expiration time. Typically, session management capabilities to track users after authentication make use of non-persistent cookies. This forces the session to disappear from the client if the current web browser instance is closed. Therefore, it is highly recommended to use non-persistent cookies for session management purposes, so that the session ID does not remain on the web client cache for long periods of time, from where an attacker can obtain it. <br />
<br />
* Ensure that sensitive information is not comprised, by ensuring that sensitive information is not persistent / encrypting / stored on a need basis for the duration of the need<br />
<br />
* Ensure that unauthorized activities cannot take place via cookie manipulation<br />
<br />
* Ensure secure flag is set to prevent accidental transmission over “the wire” in a non-secure manner<br />
<br />
* Determine if all state transitions in the application code properly check for the cookies and enforce their use<br />
<br />
* Ensure entire cookie should be encrypted if sensitive data is persisted in the cookie<br />
<br />
* Define all cookies being used by the application, their name and why they are needed<br />
<br />
<br />
<br><br />
<br />
= Session ID Life Cycle =<br />
<br />
== Session ID Generation and Verification: Permissive and Strict Session Management ==<br />
<br />
There are two types of session management mechanisms for web applications, permissive and strict, related to session fixation vulnerabilities. The permissive mechanism allow the web application to initially accept any session ID value set by the user as valid, creating a new session for it, while the strict mechanism enforces that the web application will only accept session ID values that have been previously generated by the web application. <br />
<br />
The session tokens should be handled by the web server if possible or generated via a cryptographically secure random number generator.<br />
<br />
Although the most common mechanism in use today is the strict one (more secure, [https://wiki.php.net/rfc/session-use-strict-mode PHP defaults to weak]). Developers must ensure that the web application does not use a permissive mechanism under certain circumstances. Web applications should never accept a session ID they have never generated, and in case of receiving one, they should generate and offer the user a new valid session ID. Additionally, this scenario should be detected as a suspicious activity and an alert should be generated. <br />
<br />
== Manage Session ID as Any Other User Input ==<br />
<br />
Session IDs must be considered untrusted, as any other user input processed by the web application, and they must be thoroughly validated and verified. Depending on the session management mechanism used, the session ID will be received in a GET or POST parameter, in the URL or in an HTTP header (e.g. cookies). If web applications do not validate and filter out invalid session ID values before processing them, they can potentially be used to exploit other web vulnerabilities, such as SQL injection if the session IDs are stored on a relational database, or persistent XSS if the session IDs are stored and reflected back afterwards by the web application. <br />
<br />
== Renew the Session ID After Any Privilege Level Change ==<br />
<br />
The session ID must be renewed or regenerated by the web application after any privilege level change within the associated user session. The most common scenario where the session ID regeneration is mandatory is during the authentication process, as the privilege level of the user changes from the unauthenticated (or anonymous) state to the authenticated state. Other common scenarios must also be considered, such as password changes, permission changes or switching from a regular user role to an administrator role within the web application. For all these web application critical pages, previous session IDs have to be ignored, a new session ID must be assigned to every new request received for the critical resource, and the old or previous session ID must be destroyed. <br />
<br />
The most common web development frameworks provide session functions and methods to renew the session ID, such as “request.getSession(true) &amp; HttpSession.invalidate()” (J2EE), “Session.Abandon() &amp; Response.Cookies.Add(new…)“ (ASP .NET), or “session_start() &amp; session_regenerate_id(true)” (PHP). <br />
<br />
The session ID regeneration is mandatory to prevent session fixation attacks [3], where an attacker sets the session ID on the victims user web browser instead of gathering the victims session ID, as in most of the other session-based attacks, and independently of using HTTP or HTTPS. This protection mitigates the impact of other web-based vulnerabilities that can also be used to launch session fixation attacks, such as HTTP response splitting or XSS [4]. <br />
<br />
A complementary recommendation is to use a different session ID or token name (or set of session IDs) pre and post authentication, so that the web application can keep track of anonymous users and authenticated users without the risk of exposing or binding the user session between both states. <br />
<br />
== Considerations When Using Multiple Cookies ==<br />
<br />
If the web application uses cookies as the session ID exchange mechanism, and multiple cookies are set for a given session, the web application must verify all cookies (and enforce relationships between them) before allowing access to the user session. <br />
<br />
It is very common for web applications to set a user cookie pre-authentication over HTTP to keep track of unauthenticated (or anonymous) users. Once the user authenticates in the web application, a new post-authentication secure cookie is set over HTTPS, and a binding between both cookies and the user session is established. If the web application does not verify both cookies for authenticated sessions, an attacker can make use of the pre-authentication unprotected cookie to get access to the authenticated user session [4]. <br />
<br />
Web applications should try to avoid the same cookie name for different paths or domain scopes within the same web application, as this increases the complexity of the solution and potentially introduces scoping issues.<br />
<br />
<br><br />
<br />
= Session Expiration =<br />
<br />
In order to minimize the time period an attacker can launch attacks over active sessions and hijack them, it is mandatory to set expiration timeouts for every session, establishing the amount of time a session will remain active. Insufficient session expiration by the web application increases the exposure of other session-based attacks, as for the attacker to be able to reuse a valid session ID and hijack the associated session, it must still be active. <br />
<br />
The shorter the session interval is, the lesser the time an attacker has to use the valid session ID. The session expiration timeout values must be set accordingly with the purpose and nature of the web application, and balance security and usability, so that the user can comfortably complete the operations within the web application without his session frequently expiring. Both the idle and absolute timeout values are highly dependent on how critical the web application and its data are. Common idle timeouts ranges are 2-5 minutes for high-value applications and 15- 30 minutes for low risk applications. <br />
<br />
When a session expires, the web application must take active actions to invalidate the session on both sides, client and server. The latter is the most relevant and mandatory from a security perspective. <br />
<br />
For most session exchange mechanisms, client side actions to invalidate the session ID are based on clearing out the token value. For example, to invalidate a cookie it is recommended to provide an empty (or invalid) value for the session ID, and set the “Expires” (or “Max-Age”) attribute to a date from the past (in case a persistent cookie is being used): <br />
<pre>Set-Cookie: id=; Expires=Friday, 17-May-03 18:45:00 GMT </pre> <br />
In order to close and invalidate the session on the server side, it is mandatory for the web application to take active actions when the session expires, or the user actively logs out, by using the functions and methods offered by the session management mechanisms, such as “HttpSession.invalidate()” (J2EE), “Session.Abandon()“ (ASP .NET) or “session_destroy()/unset()“ (PHP). <br />
<br />
== Automatic Session Expiration ==<br />
<br />
=== Idle Timeout ===<br />
<br />
All sessions should implement an idle or inactivity timeout. This timeout defines the amount of time a session will remain active in case there is no activity in the session, closing and invalidating the session upon the defined idle period since the last HTTP request received by the web application for a given session ID. <br />
<br />
The idle timeout limits the chances an attacker has to guess and use a valid session ID from another user. However, if the attacker is able to hijack a given session, the idle timeout does not limit the attacker’s actions, as he can generate activity on the session periodically to keep the session active for longer periods of time. <br />
<br />
Session timeout management and expiration must be enforced server-side. If the client is used to enforce the session timeout, for example using the session token or other client parameters to track time references (e.g. number of minutes since login time), an attacker could manipulate these to extend the session duration. <br />
<br />
=== Absolute Timeout ===<br />
<br />
All sessions should implement an absolute timeout, regardless of session activity. This timeout defines the maximum amount of time a session can be active, closing and invalidating the session upon the defined absolute period since the given session was initially created by the web application. After invalidating the session, the user is forced to (re)authenticate again in the web application and establish a new session. <br />
<br />
The absolute session limits the amount of time an attacker can use a hijacked session and impersonate the victim user. <br />
<br />
=== Renewal Timeout ===<br />
<br />
Alternatively, the web application can implement an additional renewal timeout after which the session ID is automatically renewed, in the middle of the user session, and independently of the session activity and, therefore, of the idle timeout. <br />
<br />
After a specific amount of time since the session was initially created, the web application can regenerate a new ID for the user session and try to set it, or renew it, on the client. The previous session ID value would still be valid for some time, accommodating a safety interval, before the client is aware of the new ID and starts using it. At that time, when the client switches to the new ID inside the current session, the application invalidates the previous ID.<br />
<br />
This scenario minimizes the amount of time a given session ID value, potentially obtained by an attacker, can be reused to hijack the user session, even when the victim user session is still active. The user session remains alive and open on the legitimate client, although its associated session ID value is transparently renewed periodically during the session duration, every time the renewal timeout expires. Therefore, the renewal timeout complements the idle and absolute timeouts, specially when the absolute timeout value extends significantly over time (e.g. it is an application requirement to keep the user sessions opened for long periods of time).<br />
<br />
Depending of the implementation, potentially there could be a race condition where the attacker with a still valid previous session ID sends a request before the victim user, right after the renewal timeout has just expired, and obtains first the value for the renewed session ID. At least in this scenario, the victim user might be aware of the attack as her session will be suddenly terminated because her associated session ID is not valid anymore.<br />
<br />
<br />
== Manual Session Expiration ==<br />
<br />
Web applications should provide mechanisms that allow security aware users to actively close their session once they have finished using the web application. <br />
<br />
=== Logout Button ===<br />
<br />
Web applications must provide a visible an easily accessible logout (logoff, exit, or close session) button that is available on the web application header or menu and reachable from every web application resource and page, so that the user can manually close the session at any time. As described [[Session_Management_Cheat_Sheet#Session_Expiration|above]], the web application must invalidate the session at least on server side.<br />
<br />
'''NOTE''': Unfortunately, not all web applications facilitate users to close their current session. Thus, client-side enhancements such as the PopUp LogOut Firefox add-on [9] allow conscientious users to protect their sessions by helping to close them diligently.<br />
<br />
== Web Content Caching ==<br />
<br />
Even after the session has been closed, it might be possible to access the private or sensitive data exchanged within the session through the web browser cache. Therefore, web applications must use restrictive cache directives for all the web traffic exchanged through HTTP and HTTPS, such as the “Cache-Control: no-cache,no-store” and “Pragma: no-cache” HTTP headers [5], and/or equivalent META tags on all or (at least) sensitive web pages. <br />
<br />
Independently of the cache policy defined by the web application, if caching web application contents is allowed, the session IDs must never be cached, so it is highly recommended to use the “Cache-Control: no-cache="Set-Cookie, Set-Cookie2"” directive, to allow web clients to cache everything except the session ID. <br />
<br />
<br> <br />
<br />
= Additional Client-Side Defenses for Session Management =<br />
<br />
Web applications can complement the previously described session management defenses with additional countermeasures on the client side. Client-side protections, typically in the form of JavaScript checks and verifications, are not bullet proof and can easily be defeated by a skilled attacker, but can introduce another layer of defense that has to be bypassed by intruders. <br />
<br />
== Initial Login Timeout ==<br />
<br />
Web applications can use JavaScript code in the login page to evaluate and measure the amount of time since the page was loaded and a session ID was granted. If a login attempt is tried after a specific amount of time, the client code can notify the user that the maximum amount of time to log in has passed and reload the login page, hence retrieving a new session ID. <br />
<br />
This extra protection mechanism tries to force the renewal of the session ID pre-authentication, avoiding scenarios where a previously used (or manually set) session ID is reused by the next victim using the same computer, for example, in session fixation attacks. <br />
<br />
== Force Session Logout On Web Browser Window Close Events ==<br />
<br />
Web applications can use JavaScript code to capture all the web browser tab or window close (or even back) events and take the appropriate actions to close the current session before closing the web browser, emulating that the user has manually closed the session via the logout button. <br />
<br />
== Disable Web Browser Cross-Tab Sessions ==<br />
<br />
Web applications can use JavaScript code once the user has logged in and a session has been established to force the user to re-authenticate if a new web browser tab or window is opened against the same web application. The web application does not want to allow multiple web browser tabs or windows to share the same session. Therefore, the application tries to force the web browser to not share the same session ID simultaneously between them. <br />
<br />
'''''NOTE''''': This mechanism cannot be implemented if the session ID is exchanged through cookies, as cookies are shared by all web browser tabs/windows.&nbsp; <br />
<br />
== Automatic Client Logout ==<br />
<br />
JavaScript code can be used by the web application in all (or critical) pages to automatically logout client sessions after the idle timeout expires, for example, by redirecting the user to the logout page (the same resource used by the logout button mentioned previously). <br />
<br />
The benefit of enhancing the server-side idle timeout functionality with client-side code is that the user can see that the session has finished due to inactivity, or even can be notified in advance that the session is about to expire through a count down timer and warning messages. This user-friendly approach helps to avoid loss of work in web pages that require extensive input data due to server-side silently expired sessions.<br />
<br />
<br> <br />
<br />
= Session Attacks Detection =<br />
<br />
== Session ID Guessing and Brute Force Detection ==<br />
<br />
If an attacker tries to guess or brute force a valid session ID, he needs to launch multiple sequential requests against the target web application using different session IDs from a single (or set of) IP address(es). Additionally, if an attacker tries to analyze the predictability of the session ID (e.g. using statistical analysis), he needs to launch multiple sequential requests from a single (or set of) IP address(es) against the target web application to gather new valid session IDs. <br />
<br />
Web applications must be able to detect both scenarios based on the number of attempts to gather (or use) different session IDs and alert and/or block the offending IP address(es). <br />
<br />
== Detecting Session ID Anomalies ==<br />
<br />
Web applications should focus on detecting anomalies associated to the session ID, such as its manipulation. The OWASP AppSensor Project [7] provides a framework and methodology to implement built-in intrusion detection capabilities within web applications focused on the detection of anomalies and unexpected behaviors, in the form of detection points and response actions. Instead of using external protection layers, sometimes the business logic details and advanced intelligence are only available from inside the web application, where it is possible to establish multiple session related detection points, such as when an existing cookie is modified or deleted, a new cookie is added, the session ID from another user is reused, or when the user location or User-Agent changes in the middle of a session. <br />
<br />
== Binding the Session ID to Other User Properties ==<br />
<br />
With the goal of detecting (and, in some scenarios, protecting against) user misbehaviors and session hijacking, it is highly recommended to bind the session ID to other user or client properties, such as the client IP address, User-Agent, or client-based digital certificate. If the web application detects any change or anomaly between these different properties in the middle of an established session, this is a very good indicator of session manipulation and hijacking attempts, and this simple fact can be used to alert and/or terminate the suspicious session. <br />
<br />
Although these properties cannot be used by web applications to trustingly defend against session attacks, they significantly increase the web application detection (and protection) capabilities. However, a skilled attacker can bypass these controls by reusing the same IP address assigned to the victim user by sharing the same network (very common in NAT environments, like Wi-Fi hotspots) or by using the same outbound web proxy (very common in corporate environments), or by manually modifying his User-Agent to look exactly as the victim users does. <br />
<br />
== Logging Sessions Life Cycle: Monitoring Creation, Usage, and Destruction of Session IDs ==<br />
<br />
Web applications should increase their logging capabilities by including information regarding the full life cycle of sessions. In particular, it is recommended to record session related events, such as the creation, renewal, and destruction of session IDs, as well as details about its usage within login and logout operations, privilege level changes within the session, timeout expiration, invalid session activities (when detected), and critical business operations during the session. <br />
<br />
The log details might include a timestamp, source IP address, web target resource requested (and involved in a session operation), HTTP headers (including the User-Agent and Referer), GET and POST parameters, error codes and messages, username (or user ID), plus the session ID (cookies, URL, GET, POST…). Sensitive data like the session ID should not be included in the logs in order to protect the session logs against session ID local or remote disclosure or unauthorized access. However, some kind of session-specific information must be logged into order to correlate log entries to specific sessions. It is recommended to log a salted-hash of the session ID instead of the session ID itself in order to allow for session-specific log correlation without exposing the session ID.<br />
<br />
In particular, web applications must thoroughly protect administrative interfaces that allow to manage all the current active sessions. Frequently these are used by support personnel to solve session related issues, or even general issues, by impersonating the user and looking at the web application as the user does.<br />
<br />
The session logs become one of the main web application intrusion detection data sources, and can also be used by intrusion protection systems to automatically terminate sessions and/or disable user accounts when (one or many) attacks are detected. If active protections are implemented, these defensive actions must be logged too.<br />
<br />
== Simultaneous Session Logons ==<br />
<br />
It is the web application design decision to determine if multiple simultaneous logons from the same user are allowed from the same or from different client IP addresses. If the web application does not want to allow simultaneous session logons, it must take effective actions after each new authentication event, implicitly terminating the previously available session, or asking the user (through the old, new or both sessions) about the session that must remain active. <br />
<br />
It is recommended for web applications to add user capabilities that allow checking the details of active sessions at any time, monitor and alert the user about concurrent logons, provide user features to remotely terminate sessions manually, and track account activity history (logbook) by recording multiple client details such as IP address, User-Agent, login date and time, idle time, etc. <br />
<br />
<br> <br />
<br />
= Session Management WAF Protections =<br />
<br />
There are situations where the web application source code is not available or cannot be modified, or when the changes required to implement the multiple security recommendations and best practices detailed above imply a full redesign of the web application architecture, and therefore, cannot be easily implemented in the short term. In these scenarios, or to complement the web application defenses, and with the goal of keeping the web application as secure as possible, it is recommended to use external protections such as Web Application Firewalls (WAFs) that can mitigate the session management threats already described. <br />
<br />
Web Application Firewalls offer detection and protection capabilities against session based attacks. On the one hand, it is trivial for WAFs to enforce the usage of security attributes on cookies, such as the “Secure” and “HttpOnly” flags, applying basic rewriting rules on the “Set-Cookie” header for all the web application responses that set a new cookie. On the other hand, more advanced capabilities can be implemented to allow the WAF to keep track of sessions, and the corresponding session IDs, and apply all kind of protections against session fixation (by renewing the session ID on the client-side when privilege changes are detected), enforcing sticky sessions (by verifying the relationship between the session ID and other client properties, like the IP address or User-Agent), or managing session expiration (by forcing both the client and the web application to finalize the session). <br />
<br />
The open-source ModSecurity WAF, plus the OWASP Core Rule Set [6], provide capabilities to detect and apply security cookie attributes, countermeasures against session fixation attacks, and session tracking features to enforce sticky sessions. <br />
<br />
<br> <br />
<br />
= Related Articles =<br />
<br />
[0] '''OWASP Cookies Database. OWASP.''' https://www.owasp.org/index.php/Category:OWASP_Cookies_Database <br />
<br />
[1] '''"HTTP State Management Mechanism". RFC 6265. IETF.''' http://tools.ietf.org/html/rfc6265 <br />
<br />
[2] '''Insufficient Session-ID Length. OWASP.''' https://www.owasp.org/index.php/Insufficient_Session-ID_Length <br />
<br />
[3] '''Session Fixation. Mitja Kolšek. 2002.''' http://www.acrossecurity.com/papers/session_fixation.pdf <br />
<br />
[4] '''"SAP: Session (Fixation) Attacks and Protections (in Web Applications)". Raul Siles. BlackHat EU 2011.''' <br />
<br />
https://media.blackhat.com/bh-eu-11/Raul_Siles/BlackHat_EU_2011_Siles_SAP_Session-Slides.pdf <br />
<br />
https://media.blackhat.com/bh-eu-11/Raul_Siles/BlackHat_EU_2011_Siles_SAP_Session-WP.pdf <br />
<br />
[5] '''"Hypertext Transfer Protocol -- HTTP/1.1". RFC2616. IETF.''' http://tools.ietf.org/html/rfc2616 <br />
<br />
[6] '''OWASP ModSecurity Core Rule Set (CSR) Project. OWASP.''' https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project <br />
<br />
[7] '''OWASP AppSensor Project. OWASP.''' https://www.owasp.org/index.php/Category:OWASP_AppSensor_Project <br />
<br />
[8] '''HttpOnly Session ID in URL and Page Body | Cross Site Scripting''' http://seckb.yehg.net/2012/06/httponly-session-id-in-url-and-page.html<br />
<br />
[9] '''PopUp LogOut Firefox add-on''' https://addons.mozilla.org/en-US/firefox/addon/popup-logout/ & http://popuplogout.iniqua.com<br />
<br />
[10] '''How and why session IDs are reused in ASP.NET''' https://support.microsoft.com/en-us/kb/899918<br />
<br />
= Authors and Primary Editors =<br />
<br />
Raul Siles (DinoSec) - raul[at]dinosec.com <br />
<br />
== Other Cheatsheets ==<br />
<br />
{{Cheatsheet_Navigation_Body}}<br />
<br />
|}<br />
<br />
[[Category:Cheatsheets]]</div>Simon Watershttps://wiki.owasp.org/index.php?title=HTTP_Strict_Transport_Security&diff=200170HTTP Strict Transport Security2015-09-07T16:14:02Z<p>Simon Waters: /* Problems */</p>
<hr />
<div><br><br />
== Description ==<br />
<br />
HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. It also prevents HTTPS click through prompts on browsers.<br />
<br />
The specification has been released and published end of 2012 as RFC 6797 (HTTP Strict Transport Security (HSTS)) by the IETF. (Reference see in the links at the bottom.)<br />
<br />
== Threats ==<br />
<br />
HSTS addresses the following threats:<br />
* User bookmarks or manually types http://example.com and is subject to a man-in-the-middle attacker<br />
** HSTS automatically redirects HTTP requests to HTTPS for the target domain<br />
* Web application that is intended to be purely HTTPS inadvertently contains HTTP links or serves content over HTTP<br />
** HSTS automatically redirects HTTP requests to HTTPS for the target domain<br />
* A man-in-the-middle attacker attempts to intercept traffic from a victim user using an invalid certificate and hopes the user will accept the bad certificate<br />
** HSTS does not allow a user to override the invalid certificate message<br />
<br />
== Examples ==<br />
<br />
Simple example, using a long (1 year) max-age:<br />
<br />
Strict-Transport-Security: max-age=31536000<br />
<br />
If all present and future subdomains will be HTTPS:<br />
<br />
Strict-Transport-Security: max-age=31536000; includeSubDomains<br />
<br />
'''Recommended:''' If the site owner would like their domain to be included in the [https://hstspreload.appspot.com/ HSTS preload list] maintained by Chrome (and used by Firefox and Safari), then use:<br />
<br />
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload<br />
<br />
The `preload` flag indicates the site owner's consent to have their domain preloaded. The site owner still needs to then go and submit the domain to the list.<br />
<br />
== Problems ==<br />
<br />
Site owners can use HSTS to identify users without cookies. This can lead to a significant privacy leak[http://www.leviathansecurity.com/blog/the-double-edged-sword-of-hsts-persistence-and-privacy].<br />
<br />
Cookies can be manipulated from sub-domains, so omitting the include "includeSubDomains" option permits a broad range of cookie-related attacks that HSTS would otherwise prevent by requiring a valid certificate for a subdomain. Ensuring the "Secure Flag" is set on all cookies will also prevent, some, but not all, of the same attacks.<br />
<br />
== Browser Support ==<br />
<br />
{| width="400" cellspacing="1" cellpadding="1" border="1"<br />
|-<br />
| '''Browser'''<br><br />
| '''Support Introduced'''<br><br />
|-<br />
| Internet Explorer <br><br />
| Internet Explorer 11 on Windows 8.1 and Windows 7[http://blogs.windows.com/msedgedev/2015/06/09/http-strict-transport-security-comes-to-internet-explorer-11-on-windows-8-1-and-windows-7/]<br><br />
|-<br />
| Firefox<br><br />
| 4<br><br />
|-<br />
| Opera<br><br />
| 12<br><br />
|-<br />
| Safari<br><br />
| Mavericks (Mac OS X 10.9)<br><br />
|-<br />
| Chrome<br><br />
| 4.0.211.0<br><br />
|}<br />
<br />
<br><br />
A detailed overview of supporting browsers can be found at [http://caniuse.com/#feat=stricttransportsecurity caniuse.com]. There is also a [https://badssl.com/ TLS Browser Test Page] to check whether your current browser supports HSTS.<br />
<br />
== Links ==<br />
* [http://www.youtube.com/watch?v=zEV3HOuM_Vw&feature=youtube_gdata AppSecTutorial Series - Episode 4]<br />
* [http://dev.chromium.org/sts Chromium Projects/HSTS]<br />
* [http://tools.ietf.org/html/rfc6797 HSTS Spec]<br />
* [http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security Wikipedia]<br />
* [https://developer.mozilla.org/en/Security/HTTP_Strict_Transport_Security Mozilla Developer Network]<br />
* [https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet OWASP TLS Protection Cheat Sheet]<br />
* [https://developer.mozilla.org/en/Security/HTTP_Strict_Transport_Security Firefox STS Support]<br />
* [http://lists.w3.org/Archives/Public/public-webapps/2009JulSep/1148.html Google Chrome STS Support]<br />
* [http://www.thoughtcrime.org/software/sslstrip/ Moxie Marlinspike's Black Hat 2009 talk on sslstrip, that demonstrates why you need HSTS]<br />
<br />
[[Category:Control|Control]]</div>Simon Watershttps://wiki.owasp.org/index.php?title=HTTP_Strict_Transport_Security&diff=200169HTTP Strict Transport Security2015-09-07T16:12:42Z<p>Simon Waters: /* Problems */ Added reference that the non-overlap of HSTS and Cookie scope re-enables a number of cookie attacks which would otherwise be presented.</p>
<hr />
<div><br><br />
== Description ==<br />
<br />
HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. It also prevents HTTPS click through prompts on browsers.<br />
<br />
The specification has been released and published end of 2012 as RFC 6797 (HTTP Strict Transport Security (HSTS)) by the IETF. (Reference see in the links at the bottom.)<br />
<br />
== Threats ==<br />
<br />
HSTS addresses the following threats:<br />
* User bookmarks or manually types http://example.com and is subject to a man-in-the-middle attacker<br />
** HSTS automatically redirects HTTP requests to HTTPS for the target domain<br />
* Web application that is intended to be purely HTTPS inadvertently contains HTTP links or serves content over HTTP<br />
** HSTS automatically redirects HTTP requests to HTTPS for the target domain<br />
* A man-in-the-middle attacker attempts to intercept traffic from a victim user using an invalid certificate and hopes the user will accept the bad certificate<br />
** HSTS does not allow a user to override the invalid certificate message<br />
<br />
== Examples ==<br />
<br />
Simple example, using a long (1 year) max-age:<br />
<br />
Strict-Transport-Security: max-age=31536000<br />
<br />
If all present and future subdomains will be HTTPS:<br />
<br />
Strict-Transport-Security: max-age=31536000; includeSubDomains<br />
<br />
'''Recommended:''' If the site owner would like their domain to be included in the [https://hstspreload.appspot.com/ HSTS preload list] maintained by Chrome (and used by Firefox and Safari), then use:<br />
<br />
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload<br />
<br />
The `preload` flag indicates the site owner's consent to have their domain preloaded. The site owner still needs to then go and submit the domain to the list.<br />
<br />
== Problems ==<br />
<br />
Site owners can use HSTS to identify users without cookies. This can lead to a significant privacy leak[http://www.leviathansecurity.com/blog/the-double-edged-sword-of-hsts-persistence-and-privacy].<br />
<br />
Cookies can be manipulated from sub-domains, so omitting the include "includeSubDomains" option permits a broad range of cookie-related attacks that HSTS would otherwise prevents by requiring a valid certificate for a subdomain. Ensuring the "Secure Flag" is set on all cookies will also prevent, some, but not all, of the same attacks.<br />
<br />
== Browser Support ==<br />
<br />
{| width="400" cellspacing="1" cellpadding="1" border="1"<br />
|-<br />
| '''Browser'''<br><br />
| '''Support Introduced'''<br><br />
|-<br />
| Internet Explorer <br><br />
| Internet Explorer 11 on Windows 8.1 and Windows 7[http://blogs.windows.com/msedgedev/2015/06/09/http-strict-transport-security-comes-to-internet-explorer-11-on-windows-8-1-and-windows-7/]<br><br />
|-<br />
| Firefox<br><br />
| 4<br><br />
|-<br />
| Opera<br><br />
| 12<br><br />
|-<br />
| Safari<br><br />
| Mavericks (Mac OS X 10.9)<br><br />
|-<br />
| Chrome<br><br />
| 4.0.211.0<br><br />
|}<br />
<br />
<br><br />
A detailed overview of supporting browsers can be found at [http://caniuse.com/#feat=stricttransportsecurity caniuse.com]. There is also a [https://badssl.com/ TLS Browser Test Page] to check whether your current browser supports HSTS.<br />
<br />
== Links ==<br />
* [http://www.youtube.com/watch?v=zEV3HOuM_Vw&feature=youtube_gdata AppSecTutorial Series - Episode 4]<br />
* [http://dev.chromium.org/sts Chromium Projects/HSTS]<br />
* [http://tools.ietf.org/html/rfc6797 HSTS Spec]<br />
* [http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security Wikipedia]<br />
* [https://developer.mozilla.org/en/Security/HTTP_Strict_Transport_Security Mozilla Developer Network]<br />
* [https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet OWASP TLS Protection Cheat Sheet]<br />
* [https://developer.mozilla.org/en/Security/HTTP_Strict_Transport_Security Firefox STS Support]<br />
* [http://lists.w3.org/Archives/Public/public-webapps/2009JulSep/1148.html Google Chrome STS Support]<br />
* [http://www.thoughtcrime.org/software/sslstrip/ Moxie Marlinspike's Black Hat 2009 talk on sslstrip, that demonstrates why you need HSTS]<br />
<br />
[[Category:Control|Control]]</div>Simon Watershttps://wiki.owasp.org/index.php?title=HTTP_Strict_Transport_Security&diff=166977HTTP Strict Transport Security2014-01-30T15:33:03Z<p>Simon Waters: HSTS enabled in Mavericks, it is free upgrade so do it.</p>
<hr />
<div><br><br />
== Description ==<br />
<br />
HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. It also prevents HTTPS click through prompts on browsers.<br />
<br />
<br><br />
<br />
The specification has been released and published end of 2012 as RFC 6797 (HTTP Strict Transport Security (HSTS)) by the IETF. (Reference see in the links at the bottom.)<br />
<br />
== Examples ==<br />
<br />
Example of the HTTP strict transport security header <br />
<br />
Strict-Transport-Security: max-age=60000<br />
<br />
If all subdomains are HTTPS too then the following header is applicable:<br />
<br />
Strict-Transport-Security: max-age=60000; includeSubDomains<br />
<br />
== Browser Support ==<br />
<br />
{| width="400" cellspacing="1" cellpadding="1" border="1"<br />
|-<br />
| '''Browser'''<br><br />
| '''Support Introduced'''<br><br />
|-<br />
| Internet Explorer <br><br />
| no support as of IE 10 (tested on 2013-01-01)<br><br />
|-<br />
| Firefox<br><br />
| 4<br><br />
|-<br />
| Opera<br><br />
| 12<br><br />
|-<br />
| Safari<br><br />
| Mavericks (Mac OS X 10.9)<br><br />
|-<br />
| Chrome<br><br />
| 4.0.211.0<br><br />
|}<br />
<br />
<br><br />
<br />
== Server Side ==<br />
<br />
The web server side needs to inject the HSTS header. <br />
<br />
For HTTP sites on the same domain it is [http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec#section-6.1 not recommended] to add a HSTS header but to do a permanent redirect (301 status code) to the HTTPS site.<br />
<br />
An Apache HTTPd example that will permanently redirect a URL to the identical URL with a HTTPS scheme, is as follows:<br />
<br />
<VirtualHost *:80><br />
ServerAlias *<br />
RewriteEngine On<br />
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301]<br />
</VirtualHost><br />
<br />
On the HTTPS site configuration the following is needed to add the header as [http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec#section-6.1 recommended by the standard]:<br />
Header set Strict-Transport-Security "max-age=16070400; includeSubDomains"<br />
<br />
The following links show how to set response headers in other web servers:<br />
* [http://wiki.nginx.org/HttpHeadersModule NGINX]<br />
* [http://redmine.lighttpd.net/wiki/lighttpd/Docs:ModSetEnv#Options Lighttpd]<br />
* [http://httpd.apache.org/docs/2.2/mod/mod_headers.html HTTPd]<br />
<br />
==== IIS ====<br />
Whilst [http://technet.microsoft.com/en-us/library/cc753133(WS.10).aspx custom headers] can be configured in IIS without any extensions, it is not possible to restrict these headers to secure transport channels [http://tools.ietf.org/html/rfc6797#section-7.2 as per the HSTS specification]. HSTS has been implemented as per the specification as an [http://hstsiis.codeplex.com/ open source IIS module].<br />
<br />
== Threats ==<br />
<br />
HSTS addresses the following threats:<br />
* User bookmarks or manually types http://example.com and is subject to a man-in-the-middle attacker<br />
** HSTS automatically upgrades HTTP requests to HTTPS for the target domain<br />
* Web application that is intended to be purely HTTPS inadvertently contains HTTP links or serves content over HTTP<br />
** HSTS automatically upgrades HTTP requests to HTTPS for the target domain<br />
* A man-in-the-middle attacker attempts to intercept traffic from a victim user using an invalid certificate and hopes the user will accept the bad certificate<br />
** HSTS does not allow a user to override the invalid certificate message<br />
<br />
<br />
== Links ==<br />
<br />
[http://dev.chromium.org/sts Chromium Projects/HSTS]<br />
<br />
[http://tools.ietf.org/html/rfc6797 HSTS Spec]<br />
<br />
[http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security Wikipedia]<br />
<br />
[https://developer.mozilla.org/en/Security/HTTP_Strict_Transport_Security Mozilla Developer Network]<br />
<br />
[https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet OWASP TLS Protection Cheat Sheet]<br />
<br />
[https://developer.mozilla.org/en/Security/HTTP_Strict_Transport_Security Firefox STS Support]<br />
<br />
[http://lists.w3.org/Archives/Public/public-webapps/2009JulSep/1148.html Google Chrome STS Support]<br />
<br />
[http://www.thoughtcrime.org/software/sslstrip/ Moxie Marlinspike's Black Hat 2009 talk on sslstrip, that demonstrates why you need HSTS]<br />
<br />
[[Category:Control|Control]]</div>Simon Watershttps://wiki.owasp.org/index.php?title=PHP_Security_Cheat_Sheet&diff=149462PHP Security Cheat Sheet2013-04-09T00:32:26Z<p>Simon Waters: Changes to grammar, link to doctrine, explanation of acronym ORM</p>
<hr />
<div>= DRAFT CHEAT SHEET - WORK IN PROGRESS =<br />
= Introduction =<br />
This page intends to provide basic PHP security tips for developers and administrators. Keep in mind that tips mentioned in this page may not be sufficient for securing your web application.<br />
<br />
==PHP status on the web==<br />
PHP is the most commonly used server-side programming language and 72% of web servers deploy PHP. PHP is open source. The core of PHP is reasonably secure, but its plugins, libraries and third party tools are often insecure. Also no default security mechanism is included in PHP (there were some in the old days, but they usually broke things). <br />
<br />
PHP developers are usually better informed than ASPX or JSP developers on how the web and HTTP works, and that makes for better coding practices, but they both lack basic security knowledge. Other languages have built-in security mechanisms, which is why PHP websites often have more flawed. <br />
<br />
==Update PHP Now==<br />
'''Important Note: ''' PHP 5.2.x is officially unsupported now. This means that in the near future, when a common security flaw on PHP 5.2.x is discovered, PHP 5.2.x powered website may become vulnerable. ''It is of utmost important that you upgrade your PHP to 5.3.x or 5.4.x right now.''<br />
<br />
Also keep in mind that you should regularly upgrade your PHP distribution on an operational server. Every day new flaws are discovered and announced in PHP and attackers use these new flaws on random servers frequently.<br />
<br />
=Untrusted data=<br />
All data that is a product, or subproduct, of user input is to NOT be trusted. They have to either be validated, using the correct methodology, or filtered, before considering them untainted.<br />
<br />
Super globals which are not to be trusted are $_SERVER, $_GET, $_POST, $_REQUEST, $_FILES and $_COOKIE. Not all data in $_SERVER can be faked by the user, but a considerable amount in it can, particularly and specially everything that deals with HTTP headers (they start with HTTP_).<br />
<br />
==Common mistakes on the processing of $_FILES array==<br />
It is common to find code snippets online doing something similar to the following code:<br />
<br />
if ($_FILES['some_name']['type'] == 'image/jpeg') { <br />
//Proceed to accept the file as a valid image<br />
}<br />
<br />
However, the type is not determined by using heuristics that validate it, but by simply reading the data sent by the HTTP request, which is created by a client. A better, yet not perfect, way of validating file types is to use finfo class.<br />
<br />
$finfo = new finfo(FILEINFO_MIME_TYPE);<br />
$fileContents = file_get_contents($_FILES['some_name']['tmp_name']);<br />
$mimeType = $finfo->buffer($fileContents);<br />
<br />
Where $mimeType is a better checked file type. This uses more resources on the server, but can prevent the user from sending a dangerous file and fooling the code into trusting it as an image, which would normally be regarded as a safe file type.<br />
<br />
==Use of $_REQUEST==<br />
Using $_REQUEST is strongly discouraged. This super global is not recommended since it includes not only POST and GET data, but also the cookies sent by the request. This can lead to confusion and makes your code prone to mistakes, which could lead to security problems.<br />
<br />
=Database Cheat Sheet=<br />
Since a single SQL Injection vulnerability permits the hacking of your website, and every hacker first tries SQL injection flaws, fixing SQL injections are the first step to securing your PHP powered application. Abide to the following rules:<br />
<br />
==Encoding Issues==<br />
===Everything is a string for a database===<br />
There are ways to send different data types to a database, ints, floats, etc. Never rely on them, instead always send an string to the database. Database engines type cast automatically if they need to. This makes for much safer queries. Make this a habit of yours, and see how many time it saves you. Still, do not concatenate without escaping the values. Check the [[#Use Prepared Statements|Use Prepared Statements]].<br />
<br />
====Wrong====<br />
$x=1; <br />
SELECT * FROM users WHERE ID > $x<br />
====Right====<br />
$x=1; // or $x='1';<br />
SELECT * FROM users WHERE ID >'$x';<br />
<br />
===Use UTF-8 unless necessary===<br />
Many new attack vectors rely on encoding bypassing. Use UTF-8 as your database and application charset unless you have a mandatory requirement to use another encoding.<br />
<br />
$DB = new mysqli($Host, $Username, $Password, $DatabaseName);<br />
if (mysqli_connect_errno())<br />
trigger_error("Unable to connect to MySQLi database.");<br />
$DB->set_charset('UTF-8');<br />
<br />
==Escaping is not safe== <br />
'''mysql_real_escape_string''' is not safe. Don't rely on it for your SQL injection prevention.<br />
<br />
'''Why:'''<br />
When you use mysql_real_escape_string on every variable and then concat it to your query, ''you are bound to forget that at least once'', and once is all it takes. You can't force yourself in any way to never forget. Number fields might also be vulnerable if not used as strings. Instead use prepared statements or equivalent.<br />
<br />
==Use Prepared Statements==<br />
Prepared statements are very secure. In a prepared statement, data is separated from the SQL command, so that everything user inputs is considered data and put into the table the way it was. <br />
<br />
<br />
====MySQLi Prepared Statements Wrapper====<br />
The following function, performs a SQL query, returns its results as a 2D array (if query was SELECT) and does all that with prepared statements using MySQLi fast MySQL interface:<br />
<br />
$DB = new mysqli($Host, $Username, $Password, $DatabaseName);<br />
if (mysqli_connect_errno())<br />
trigger_error("Unable to connect to MySQLi database.");<br />
$DB->set_charset('UTF-8');<br />
<br />
function SQL($Query) {<br />
global $DB;<br />
$args = func_get_args();<br />
if (count($args) == 1) {<br />
$result = $DB->query($Query);<br />
if ($result->num_rows) {<br />
$out = array();<br />
while (null != ($r = $result->fetch_array(MYSQLI_ASSOC)))<br />
$out [] = $r;<br />
return $out;<br />
}<br />
return null;<br />
} else {<br />
if (!$stmt = $DB->prepare($Query))<br />
trigger_error("Unable to prepare statement: {$Query}, reason: " . $DB->error . "");<br />
array_shift($args); //remove $Query from args<br />
//the following three lines are the only way to copy an array values in PHP<br />
$a = array();<br />
foreach ($args as $k => &$v)<br />
$a[$k] = &$v;<br />
$types = str_repeat("s", count($args)); //all params are strings, works well on MySQL and SQLite<br />
array_unshift($a, $types);<br />
call_user_func_array(array($stmt, 'bind_param'), $a);<br />
$stmt->execute();<br />
//fetching all results in a 2D array<br />
$metadata = $stmt->result_metadata();<br />
$out = array();<br />
$fields = array();<br />
if (!$metadata)<br />
return null;<br />
$length = 0;<br />
while (null != ($field = mysqli_fetch_field($metadata))) {<br />
$fields [] = &$out [$field->name];<br />
$length+=$field->length;<br />
}<br />
call_user_func_array(array(<br />
$stmt, "bind_result"<br />
), $fields);<br />
$output = array();<br />
$count = 0;<br />
while ($stmt->fetch()) {<br />
foreach ($out as $k => $v)<br />
$output [$count] [$k] = $v;<br />
$count++;<br />
}<br />
$stmt->free_result();<br />
return ($count == 0) ? null : $output;<br />
}<br />
}<br />
<br />
Now you could do your every query like the example below:<br />
<br />
$res=SQL("SELECT * FROM users WHERE ID>? ORDER BY ? ASC LIMIT ?" , 5 , "Username" , 2);<br />
<br />
Every instance of ? is bound with an argument of the list, not ''replaced'' with it. MySQL 5.5+ supports ? as ORDER BY and LIMIT clause specifiers. If you're using a database that doesn't support them, see next section.<br />
<br />
'''REMEMBER:''' When you use this approach, you should ''NEVER'' concat strings for a SQL query.<br />
<br />
====PDO Prepared Statement Wrapper====<br />
The following function, does the same thing as the above function but using PDO. You can use it with every PDO supported driver.<br />
<br />
try {<br />
$DB = new PDO("{$Driver}:dbname={$DatabaseName};host={$Host};", $Username, $Password);<br />
} catch (Exception $e) {<br />
trigger_error("PDO connection error: " . $e->getMessage());<br />
}<br />
<br />
function SQL($Query) {<br />
global $DB;<br />
$args = func_get_args();<br />
if (count($args) == 1) {<br />
$result = $DB->query($Query);<br />
if ($result->rowCount()) {<br />
return $result->fetchAll(PDO::FETCH_ASSOC);<br />
}<br />
return null;<br />
} else {<br />
if (!$stmt = $DB->prepare($Query)) {<br />
$Error = $DB->errorInfo();<br />
trigger_error("Unable to prepare statement: {$Query}, reason: {$Error[2]}");<br />
}<br />
array_shift($args); //remove $Query from args<br />
$i = 0;<br />
foreach ($args as &$v)<br />
$stmt->bindValue(++$i, $v);<br />
$stmt->execute();<br />
return $stmt->fetchAll(PDO::FETCH_ASSOC);<br />
}<br />
}<br />
<br />
$res=SQL("SELECT * FROM users WHERE ID>? ORDER BY ? ASC LIMIT 5" , 5 , "Username" );<br />
<br />
===Where prepared statements do not work===<br />
The problem is, when you need to build dynamic queries, or need to set variables not supported as a prepared variable, or your database engine does not support prepared statements. For example, PDO MySQL does not support ? as LIMIT specifier. In these cases, you need to do two things:<br />
<br />
====Not Supported Fields====<br />
When some field does not support binding (like LIMIT clause in PDO), you need to '''whitelist''' the data you're about to use. LIMIT always requires an integer, so cast the variable to an integer. ORDER BY needs a field name, so whitelist it with field names:<br />
<br />
function whitelist($Needle,$Haystack)<br />
{<br />
if (!in_array($Needle,$Haystack))<br />
return reset($Haystack); //first element<br />
return $Needle;<br />
}<br />
<br />
$Limit = $_GET['lim'];<br />
$Limit = $Limit * 1; //type cast, integers are safe<br />
<br />
$Order = $_GET['sort'];<br />
$Order=whitelist($Order,Array("ID","Username","Password"));<br />
<br />
This is very important. If you think you're tired and you rather blacklist than whitelist, you're bound to fail.<br />
<br />
====Dynamic Queries====<br />
Now this is a highly delicate situation. Whenever hackers fail to injection SQL in your common application scenarios, they go for Advanced Search features or similars, because those features rely on dynamic queries and dynamic queries are almost always insecurely implemented.<br />
<br />
When you're building a dynamic query, the only way is whitelisting. Whitelist every field name, every boolean operator (it should be OR or AND, nothing else) and after building your query, use prepared statements:<br />
<br />
$Query="SELECT * FROM table WHERE ";<br />
foreach ($_GET['fields'] as $g)<br />
$Query.=whitelist($g,Array("list","of","possible","fields","here"))."=?";<br />
$Values=$_GET['values'];<br />
array_unshift($Query); //add to the beginning<br />
$res=call_user_func_array(SQL, $Values);<br />
<br />
<br />
==ORM==<br />
ORMs (Object Relational Mappers) are good security practice. If you're using an ORM (like [http://www.doctrine-project.org/ Doctrine]) in your PHP project, you're still prone to SQL attacks. Although injecting queries in ORM's is much harder, keep in mind that concatenating ORM queries makes for the same flaws that concatenating SQL queries, so '''NEVER''' concatenate strings sent to a database. ORM's support prepared statements as well.<br />
<br />
<br />
<br />
<br />
<br />
=Other Injection Cheat Sheet=<br />
SQL aside, there are a few more injections possible ''and common'' in PHP:<br />
<br />
==Shell Injection==<br />
A few PHP functions namely<br />
<br />
* shell_exec<br />
* exec<br />
* passthru<br />
* system<br />
* [http://no2.php.net/manual/en/language.operators.execution.php backtick operator] ( ` )<br />
<br />
run a string as shell scripts and commands. Input provided to these functions (specially backtick operator that is not like a function). Depending on your configuration, shell script injection can cause your application settings and configuration to leak, or your whole server to be hijacked. This is a very dangerous injection and is somehow considered the haven of an attacker.<br />
<br />
Never pass tainted input to these functions - that is input somehow manipulated by the user - unless you're absolutely sure there's no way for it to be dangerous (which you never are without whitelisting). Escaping and any other countermeasures are ineffective, there are plenty of vectors for bypassing each and every one of them; don't believe what novice developers tell you. <br />
<br />
<br />
==Code Injection==<br />
All interpreted languages such as PHP, have some function that accepts a string and runs that in that language. It is usually named Eval. PHP also has Eval.<br />
Using Eval is a very bad practice, not just for security. If you're absolutely sure you have no other way but eval, use it without any tainted input.<br />
<br />
Reflection also could have code injection flaws. Refer to the appropriate reflection documentations, since it is an advanced topic.<br />
<br />
==Other Injections==<br />
LDAP, XPath and any other third party application that runs a string, is vulnerable to injection. Always keep in mind that some strings are not data, but commands and thus should be secure before passing to third party libraries.<br />
<br />
<br />
=XSS Cheat Sheet=<br />
<br />
There are two scenarios when it comes to XSS, each one to be mitigated accordingly:<br />
<br />
==No Tags==<br />
Most of the time, output needs no HTML tags. For example when you're about to dump a textbox value, or output user data in a cell. In this scenarios, you can mitigate XSS by simply using the function below. '''Keep in mind that this scenario won't mitigate XSS when you use user input in dangerous elements (style, script, image's src, a, etc.)''', but mostly you don't. Also keep in mind that every output that is not intended to contain HTML tags should be sent to the browser filtered with the following function.<br />
<br />
//xss mitigation functions<br />
function xssafe($data,$encoding='UTF-8')<br />
{<br />
return htmlspecialchars($data,ENT_QUOTES | ENT_HTML401,$encoding);<br />
}<br />
function xecho($data)<br />
{<br />
echo xssafe($data);<br />
}<br />
<br />
//usage example<br />
<input type='text' name='test' value='<?php <br />
xecho ("' onclick='alert(1)");<br />
?>' /><br />
<br />
==Yes Tags==<br />
When you need tags in your output, such as rich blog comments, forum posts, blog posts and etc., you have to use a '''Secure Encoding''' library. This is usually hard and slow, and that's why most applications have XSS vulnerabilities in them. OWASP ESAPI has a bunch of codecs for encoding different sections of data. There's also OWASP AntiSammy and HTMLPurifier for PHP. Each of these require lots of configuration and learning to perform well, but you need them when you want that good of an application.<br />
<br />
==Templating engines==<br />
<br />
There are several templating engines that can help the programmer (and designer) to output data without exposing it too much against XSS vulnerabilities. While their primary goal isn't security, but improving the designing experience, most important templating engines automatically escape the variables on output and force the developer to explicitly indicate if there is a variable that shouldn't be escaped. This makes output of variables have a white-list behavior. There exist several of these engines. A good example is twig[http://twig.sensiolabs.org/]. Other popular template engines are Smarty, Haanga and Rain TPL.<br />
<br />
The advantage of following a white-list approach is that the programmer should be less prone to forget about using a function call to clean the output of a variable.<br />
<br />
<br />
==Other Tips==<br />
<br />
* We don't have a '''trusted section''' in any web application. Many developers tend to leave admin areas out of XSS mitigation, but most intruders are interested in admin cookies and XSS. Every output should be cleared by the functions provided above, if it has a variable in it. Remove every instance of echo, print, and printf from your application and replace them with the above statement when you see a variable is included, no harm comes with that.<br />
<br />
* HTTP-Only cookies are a very good practice, for a near future when every browser is compatible. Start using them now. (See PHP.ini configuration for best practice)<br />
<br />
* The function declared above, only works for valid HTML syntax. If you put your Element Attributes without quotation, you're doomed. Go for valid HTML.<br />
<br />
* [[Reflected XSS]] is as dangerous as normal XSS, and usually comes at the most dusty corners of an application. Seek it and mitigate it.<br />
<br />
<br />
=CSRF Cheat Sheet=<br />
CSRF mitigation is easy in theory, but hard to implement correctly. First, a few tips about CSRF:<br />
<br />
* Every request that does something noteworthy, should be CSRF mitigated. Noteworthy things are changes to the system, and reads that take a long time.<br />
* CSRF mostly happens on GET, but is easy to happen on POST. Don't ever think that post is secure.<br />
<br />
The [[PHP_CSRF_Guard|OWASP PHP CSRFGuard]] is a code snippet that shows how to mitigate CSRF. Only copy pasting it is not enough. In the near future, a copy-pasteable version would be available (hopefully). For now, mix that with the following tips:<br />
<br />
* Use re-authentication for critical operations (change password, recovery email, etc.)<br />
* If you're not sure whether your operation is CSRF proof, consider adding CAPTCHAs (however CAPTCHAs are inconvenience for users)<br />
* If you're performing operations based on other parts of a request (neither GET nor POST) e.g Cookies or HTTP Headers, you might need to add CSRF tokens there as well.<br />
* AJAX powered forms need to re-create their CSRF tokens. Use the function provided above (in code snippet) for that and never rely on Javascript.<br />
* CSRF on GET or Cookies will lead to inconvenience, consider your design and architecture for best practices.<br />
<br />
=Authentication and Session Management Cheat Sheet=<br />
PHP doesn't ship with a readily available authentication module, you need to implement your own or use a PHP framework, unfortunately most PHP frameworks are far from perfect in this manner, due to the fact that they are developed by open source developer community rather than security experts. A few instructive and useful tips are listed below:<br />
<br />
==Session Management==<br />
PHP's default session facilites are considered safe, the generated PHPSessionID is random enough, but the storage is not necessarily safe:<br />
<br />
* Session files are stored in temp (/tmp) folder and are world writable unless suPHP installed, so any LFI or other leak might end-up manipulating them.<br />
* Sessions are stored in files in default configuration, which is terribly slow for highly visited websites. You can store them on a memory folder (if UNIX).<br />
* You can implement your own session mechanism, without ever relying on PHP for it. If you did that, store session data in a database. You could use all, some or none of the PHP functionality for session handling if you go with that.<br />
<br />
===Session Hijacking Prevention===<br />
It is good practice to bind sessions to IP addresses, that would prevent most session hijacking scenarios (but not all), however some users might use anonymity tools (such as TOR) and they would have problems with your service.<br />
<br />
To implement this, simply store the client IP in the session first time it is created, and enforce it to be the same afterwards. The code snippet below returns client IP address:<br />
<br />
$IP = (getenv ( "HTTP_X_FORWARDED_FOR" )) ? getenv ( "HTTP_X_FORWARDED_FOR" ) : getenv ( "REMOTE_ADDR" );<br />
<br />
Keep in mind that in local environments, a valid IP is not returned, and usually the string ''':::1''' or ''':::127''' might pop up, thus adapt your IP checking logic.<br />
<br />
===Invalidate Session ID===<br />
You should invalidate (unset cookie, unset session storage, remove traces) of a session whenever a violation occurs (e.g 2 IP addresses are observed). A log event would prove useful. Many applications also notify the logged in user (e.g GMail).<br />
<br />
===Rolling of Session ID===<br />
You should roll session ID whenever elevation occurs, e.g when a user logs in, the session ID of the session should be changed, since it's importance is changed.<br />
<br />
===Exposed Session ID===<br />
Session IDs are considered confidential, your application should not expose them anywhere (specially when bound to a logged in user). Try not to use URLs as session ID medium.<br />
<br />
Transfer session ID over TLS whenever session holds confidential information, otherwise a passive attacker would be able to perform session hijacking.<br />
<br />
===Session Fixation===<br />
Session IDs are to be generated by your application only. Never create a session only because you receive the session ID from the client, the only source of creating a session should be a secure random generator.<br />
<br />
===Session Expiration===<br />
A session should expire after a certain amount of inactivity, and after a certain time of activity as well. The expiration process means invalidating and removing a session, and creating a new one when another request is met.<br />
<br />
Also keep the '''log out''' button close, and unset all traces of the session on log out.<br />
<br />
====Inactivity Timeout====<br />
Expire a session if current request is X seconds later than the last request. For this you should update session data with time of the request each time a request is made. The common practice time is 30 minutes, but highly depends on application criteria. <br />
<br />
This expiration helps when a user is logged in on a publicly accessible machine, but forgets to log out. It also helps with session hijacking.<br />
<br />
====General Timeout====<br />
Expire a session if current session has been active for a certain amount of time, even if active. This helps keeping track of things. The amount differs but something between a day and a week is usually good. To implement this you need to store start time of a session.<br />
<br />
<br />
===Cookies===<br />
Handling cookies in a PHP script has some tricks to it:<br />
<br />
====Never Serialize====<br />
Never serialize data stored in a cookie. It can easily be manipulated, resulting in adding variables to your scope.<br />
<br />
====Proper Deletion====<br />
To delete a cookie safely, use the following snippet:<br />
<br />
setcookie ($name, "", 1);<br />
setcookie ($name, false);<br />
unset($_COOKIE[$name]);<br />
The first line ensures that cookie expires in browser, the second line is the standard way of removing a cookie (thus you can't store false in a cookie). The third line removes the cookie from your script. Many guides tell developers to use time() - 3600 for expiry, but it might not work if browser time is not correct.<br />
<br />
You can also use '''session_name()''' to retrieve the name default PHP session cookie.<br />
<br />
====HTTP Only====<br />
Most modern browsers support HTTP-only cookies. These cookies are only accessible via HTTP(s) requests and not Javascript, so XSS snippets can not access them. They are very good practice, but are not satisfactory since there are many flaws discovered in major browsers that lead to exposure of HTTP only cookies to javascript.<br />
<br />
To use HTTP-only cookies in PHP (5.2+), you should perform session cookie setting [http://php.net/manual/en/function.setcookie.php manually] (not using '''session_start'''):<br />
<br />
#prototype<br />
bool setcookie ( string $name [, string $value [, int $expire = 0 [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false ]]]]]] )<br />
<br />
#usage<br />
if (!setcookie("MySessionID", $secureRandomSessionID, $generalTimeout, $applicationRootURLwithoutHost, NULL, NULL,true))<br />
echo ("could not set HTTP-only cookie");<br />
<br />
The '''path''' parameter sets the path which cookie is valid for, e.g if you have your website at example.com/some/folder the path should be /some/folder or other applications residing at example.com could also see your cookie. If you're on a whole domain, don't mind it. '''Domain''' parameter enforces the domain, if you're accessible on multiple domains or IPs ignore this, otherwise set it accordingly. If '''secure''' parameter is set, cookie can only be transmitted over HTTPS. See the example below:<br />
<br />
$r=setcookie("SECSESSID","1203j01j0s1209jw0s21jxd01h029y779g724jahsa9opk123973",time()+60*60*24*7 /*a week*/,"/","owasp.org",true,true);<br />
if (!$r) die("Could not set session cookie.");<br />
<br />
====Internet Explorer issues====<br />
Many version of Internet Explorer tend to have problems with cookies. Mostly setting Expire time to 0 fixes their issues.<br />
<br />
==Authentication==<br />
<br />
<br />
===Remember Me===<br />
Many websites are vulnerable on remember me features. The correct practice is to generate a one-time token for a user and store it in the cookie. The token should also reside in data store of the application to be validated and assigned to user. This token should have '''no relevance''' to username and/or password of the user, a secure long-enough random number is a good practice.<br />
<br />
It is better if you imply locking and prevent brute-force on remember me tokens, and make them long enough, otherwise an attacker could brute-force remember me tokens until he gets access to a logged in user without credentials.<br />
<br />
* '''Never store username/password or any relevant information in the cookie.'''<br />
<br />
=Access Control Cheat Sheet=<br />
This section aims to mitigate access control issues, as well as '''Insecure Direct Object Reference''' issues. <br />
<br />
=Cryptography Cheat Sheet=<br />
<br />
=File Inclusion Cheat Sheet=<br />
<br />
<br />
<br />
=Configuration and Deployment Cheat Sheet=<br />
Please see [[PHP Configuration Cheat Sheet]].<br />
<br />
=Sources of Taint=<br />
<br />
<br />
<br />
<br />
= OLD. PHP General Guidelines for Secure Web Applications =<br />
<br />
== PHP Version ==<br />
Use '''PHP 5.3.8'''. Stable versions are always safer then the beta ones. <br />
<br />
== Framework==<br />
Use a framework like '''Zend''' or '''Symfony'''. Try not to re-write the code again and again. Also avoid dead codes. <br />
<br />
== Directory==<br />
Code with most of your code outside of the webroot. This is automatic for Symfony and Zend. Stick to these frameworks. <br />
<br />
== Hashing Extension ==<br />
Not every PHP installation has a working '''mhash''' extension, so if you need to do hashing, check it before using it. Otherwise you can't do SHA-256<br />
<br />
== Cryptographic Extension ==<br />
Not every PHP installation has a working '''mcrypt''' extension, and without it you can't do AES. Do check if you need it.<br />
<br />
== Authentication and Authorization ==<br />
There is no authentication or authorization classes in native PHP. Use '''ZF''' or '''Symfony''' instead.<br />
<br />
== Input nput validation ==<br />
Use $_dirty['foo'] = $_GET['foo'] and then $foo = validate_foo($dirty['foo']); <br />
<br />
== Use PDO or ORM ==<br />
Use PDO with prepared statements or an ORM like Doctrine<br />
<br />
== Use PHP Unit and Jenkins ==<br />
When developing PHP code, make sure you develop with PHP Unit and Jenkins - see http://qualityassuranceinphpprojects.com/pages/tools.html for more details.<br />
<br />
== Use Stefan Esser's Hardened PHP Patch ==<br />
Consider using Stefan Esser's Hardened PHP patch - http://www.hardened-php.net/suhosin/index.html <br />
(not maintained now, but the concepts are very powerful)<br />
<br />
== Avoid Global Variables==<br />
In terms of secure coding with PHP, do not use globals unless absolutely necessary <br />
Check your php.ini to ensure register_globals is off Do not run at all with this setting enabled It's extremely dangerous (register_globals has been disabled since 5.0 / 2006, but .... most PHP 4 code needs it, so many hosters have it turned on)<br />
<br />
== Avoid Eval() ==<br />
It basically allows arbitrary PHP code execution, so do not evaluate user supplied input. and if you're not doing that, you can just use PHP directly. eval() is at least 10-100 times slower than native PHP<br />
<br />
== Protection against RFI==<br />
Ensure allow_url_fopen and allow_url_include are both disabled to protect against RFI But don't cause issues by using the pattern include $user_supplied_data or require "base" + $user_supplied_data - it's just unsafe as you can input /etc/passwd and PHP will try to include it<br />
<br />
== Regexes (!)==<br />
Watch for executable regexes (!) <br />
<br />
== Session Rotation ==<br />
Session rotation is very easy - just after authentication, plonk in session_regenerate_id() and you're done.<br />
<br />
== Be aware of PHP filters ==<br />
PHP filters can be tricky and complex. Be extra-conscious when using them. <br />
<br />
== Logging ==<br />
Set display_errors to 0, and set up logging to go to a file you control, or at least syslog. This is the most commonly neglected area of PHP configuration<br />
<br />
== Output encoding ==<br />
Output encoding is entirely up to you. Just do it, ESAPI for PHP is ready for this job.<br />
<br />
These are transparent to you and you need to know about them. php://input: takes input from the console gzip: takes compressed input and might bypass input validation http://au2.php.net/manual/en/filters.php <br />
<br />
= Authors and Primary Editors =<br />
<br />
[[User:Abbas Naderi|Abbas Naderi Afooshteh]] ([mailto:abbas.naderi@owasp.org abbas.naderi@owasp.org])<br />
<br />
[[User:Achim|Achim]] - [mailto:achim_at_owasp.org Achim at owasp.org]<br />
<br />
[mailto:vanderaj@owasp.org Andrew van der Stock]<br />
<br />
= Other Cheatsheets =<br />
{{Cheatsheet_Navigation}}<br />
<br />
[[Category:Cheatsheets]]</div>Simon Waters