This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Reviewing Code for Session Integrity issues"

From OWASP
Jump to: navigation, search
(Introduction)
Line 1: Line 1:
 
[[OWASP Code Review Guide Table of Contents]]__TOC__
 
[[OWASP Code Review Guide Table of Contents]]__TOC__
 
==Introduction==
 
==Introduction==
 
+
Cookies can be used to maintain a session state. This identifies a user whilst in the middle of using the application. Session Id's are a popular method of idenfitying an ser. A "secure" session Id should be at least 12b bits in length and sufficiently random.
 +
Cookies can also be used to identify a user but care must be taken in using cookies. Generally it is not recommended to implement a SSO (Single Sign on) solution usign cookies, they were never intended for such use. Persistent cookes are stored on a user hard disk and are valid depending on the expiry date defined in the cookie. The following are pointers when reviewing cookie related code.
  
 
==How to locate the potentially vulnerable code==
 
==How to locate the potentially vulnerable code==

Revision as of 11:56, 23 October 2007

OWASP Code Review Guide Table of Contents

Introduction

Cookies can be used to maintain a session state. This identifies a user whilst in the middle of using the application. Session Id's are a popular method of idenfitying an ser. A "secure" session Id should be at least 12b bits in length and sufficiently random. Cookies can also be used to identify a user but care must be taken in using cookies. Generally it is not recommended to implement a SSO (Single Sign on) solution usign cookies, they were never intended for such use. Persistent cookes are stored on a user hard disk and are valid depending on the expiry date defined in the cookie. The following are pointers when reviewing cookie related code.

How to locate the potentially vulnerable code

If the cookie object is being set with various attributes apatrt from the session ID check the the cookie is set only to transmitt over HTTPS/SSL. In java this is perfromed by the method

cookie.setSecure() (Java)
cookie.secure = secure; .NET 

HTTP Only Cookie

This is adhered to in IE6 and above... HTTP Only cookie is meant to provide protection agains XSS by not letting client side script accessing the cookie. Its a step in the right direction but not a silver bullet.

cookie.HttpOnly = true (C#)

Here cookie should only be accessable via ASP.NET


Limiting Cookie Domain

Ensure cookies are limitead to a domain such as example.com. Therefore the cookie is associated to example.com. If the cookie is associated iwth other domains the following code performs this:

Response.Cookies("domain").Domain = "support.example.com (VB)
Response.Cookies["domain"].Domain = "support.example.com"; (C#)

During the review if the cookie is assigned to more than one domain make note of it and query why this is the case.

Displaying Data to user from Cookie

Make sure that data being displayed to a user from a cookie is HTML encoded. This mitigates some forms of Cross Site Scripting.

LabelX.Text = Server.HtmlEncode(Request.Cookies["userName"].Value); (C#)

Session Tracking/Management Techniques

HTML Hidden Field

The HTML Hidden field could be used to perform session tracking. Upon each HTTP POST request the hidden field is passed to the server identifying the user. It would be in the form of

<INPUT TYPE="hidden" NAME="user"VALUE="User001928394857738000094857hfduekjkksowie039848jej393"> 


Server-side code is used to perfrom validation on the VALUE in order to ensure the used is valid. This approach can only be used for POST/Form requests.

URL Rewriting

URL rewriting approaches session tracking by appending a unique id pertaining to the user at the end of the URL.

<A HREF="/smackmenow.htm?user=User001928394857738000094857hfduekjkksowie039848jej393">Click Here</A> 

Leading Practice Patterns for Session Management/Integrity

HTTPOnly Cookie: Prevents cookie access via client side script. Not all browsers support such a directive.

Valid Session checking:

Upon any HTTP request the framework should check if the user pertaining to the HTTP request (vis session ID) is valid.

Successful Authentication:

Upon a successful login the user should be issued a new session identifier. The old session Id should be invalidated. This prevents session fixation attacks and the same browser also sharing the same session ID in a multi user environment. SOme times the session Id is per browser and the session remains valid while the browser is alive.

Logout: This also leads to the idea of why a logout button is so important. The logout button should invalidate the users session Id when it is selected.

Related Articles

http://www.owasp.org/index.php/Category:OWASP_Cookies_Database http://msdn2.microsoft.com/en-us/library/ms533046.aspx http://java.sun.com/j2ee/sdk_1.3/techdocs/api/javax/servlet/http/Cookie.html