This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Session Variable Overloading"
| Line 19: | Line 19: | ||
of applications that enforce authentication by validating the existence of session | of applications that enforce authentication by validating the existence of session | ||
variables that contain identity–related values, which are usually stored in the session after a successful authentication process. | variables that contain identity–related values, which are usually stored in the session after a successful authentication process. | ||
| − | The authentication bypass attack vector could be executed by accessing a | + | The authentication bypass attack vector could be executed by accessing a publicly |
accessible entry point (e.g. a password recovery page) that populates the session with | accessible entry point (e.g. a password recovery page) that populates the session with | ||
an identical session variable, based on fixed values or on user originating input. | an identical session variable, based on fixed values or on user originating input. | ||
| − | |||
| − | |||
===Environments Affected=== | ===Environments Affected=== | ||
| Line 31: | Line 29: | ||
The most effective way to detect these vulnerabilities is to enumerate all of the session variables used and in which context they are valid. | The most effective way to detect these vulnerabilities is to enumerate all of the session variables used and in which context they are valid. | ||
In practice this can only be effectively done via a source code review. | In practice this can only be effectively done via a source code review. | ||
| − | |||
==Prevention== | ==Prevention== | ||
| − | Session variables should only be used for a single | + | Session variables should only be used for a single consistent purpose. |
<!-- | <!-- | ||
| Line 63: | Line 60: | ||
* Session Puzzles: http://puzzlemall.googlecode.com/files/Session%20Puzzles%20-%20Indirect%20Application%20Attack%20Vectors%20-%20May%202011%20-%20Whitepaper.pdf | * Session Puzzles: http://puzzlemall.googlecode.com/files/Session%20Puzzles%20-%20Indirect%20Application%20Attack%20Vectors%20-%20May%202011%20-%20Whitepaper.pdf | ||
* Session Puzzling and Session Race Conditions: http://sectooladdict.blogspot.com/2011/09/session-puzzling-and-session-race.html | * Session Puzzling and Session Race Conditions: http://sectooladdict.blogspot.com/2011/09/session-puzzling-and-session-race.html | ||
| − | |||
__NOTOC__ | __NOTOC__ | ||
Latest revision as of 14:15, 26 September 2011
This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.
Last revision (mm/dd/yy): 09/26/2011
Vulnerabilities Table of Contents
Description
Session Variable Overloading (also known as Session Puzzling) is an application level vulnerability which can enable an attacker to perform a variety of malicious actions not limited to:
- Bypass efficient authentication enforcement mechanisms, and impersonate legitimate users.
- Elevate the privileges of a malicious user account, in an environment that would otherwise be considered foolproof.
- Skip over qualifying phases in multiphase processes, even if the process includes all the commonly recommended code level restrictions.
- Manipulate server-side values in indirect methods that cannot be predicted or detected.
- Execute traditional attacks in locations that were previously unreachable, or even considered secure.
This vulnerability occurs when an application uses the same session variable for more than one purpose. An attacker can potentially access pages in an order unanticipated by the developers so that the session variable is set one one context and then used in another.
For example an attacker could use session variable overloading to bypass authentication enforcement mechanisms of applications that enforce authentication by validating the existence of session variables that contain identity–related values, which are usually stored in the session after a successful authentication process. The authentication bypass attack vector could be executed by accessing a publicly accessible entry point (e.g. a password recovery page) that populates the session with an identical session variable, based on fixed values or on user originating input.
Environments Affected
All web servers, application servers, and web application environments are susceptible to session variable overloading.
How to Determine If You Are Vulnerable
The most effective way to detect these vulnerabilities is to enumerate all of the session variables used and in which context they are valid. In practice this can only be effectively done via a source code review.
Prevention
Session variables should only be used for a single consistent purpose.
Examples
Related Attacks
References
- Session Puzzles: http://puzzlemall.googlecode.com/files/Session%20Puzzles%20-%20Indirect%20Application%20Attack%20Vectors%20-%20May%202011%20-%20Whitepaper.pdf
- Session Puzzling and Session Race Conditions: http://sectooladdict.blogspot.com/2011/09/session-puzzling-and-session-race.html
