Difference between revisions of "OWASP Periodic Table of Vulnerabilities - Cookie Theft/Session Hijacking"

From OWASP
m (minor edit)

Line 4: Line 4:

=== Root Cause Summary ===
Previous revision: It's possible for an attacker to steal and abuse session identifiers when these are stored in cookies.
This revision: It's possible for an attacker to steal and reuse session identifiers when they are stored or transmitted insecurely.

=== Browser / Standards Solution ===
Previous revision: None
This revision: Define a new standard for transmitting session identifiers and managing them within the browser, such as a new request/response header to be used instead of cookies.

=== Perimeter Solution ===
Unchanged:
* Make sure that all session identifiers are transmitted over an encrypted protocol.

Previous revision:
* Terminate/regenerate session if the session token is transmitted insecurely.
* Enforce the Secure and HttpOnly flags on cookies using a Web Application Firewall.

Complexity: Low<br>
Impact: High

This revision:
* Terminate/regenerate session if the session token is transmitted insecurely, or signal to the application to do so.
* Enforce the Secure and HttpOnly flags on sensitive cookies using a Web Application Firewall.

=== Generic Framework Solution ===
Previous revision:
* force Secure and HttpOnly flags for all cookies.
* Make sure that the Domain and Path are set correctly
* Alert user and deauthorize oldest session when multiple simultaneous logins are detected.
* Terminate session if User-Agent string or other client fingerprinting changes.

Complexity: Medium<br>
Impact: High

This revision:
The framework should provide a centralized cookie management API which prevents direct access to cookies. By default, cookies should be handled according to the following rules, which must be explicitly overridden if a developer has a specific need for a cookie with unsafe properties.
* Apply Secure and HttpOnly flags.
* Set the Domain and Path parameters for the cookie correctly.

The framework should provide a configurable session management scheme, which includes the following features:

* Alert user and deauthorize oldest session when multiple simultaneous logins are detected. Multiple simultaneous logins are prohibited by default, but may be enabled by changing a configuration setting.
* Terminate session and send security SNMP trap or other configurable message if User-Agent string or other client fingerprinting changes.
* Provide the option to the user when logging in to pin the session to the originating IP.

=== Custom Framework Solution ===

Revision as of 14:33, 15 May 2013


Cookie Theft/Session Hijacking

Root Cause Summary

It's possible for an attacker to steal and reuse session identifiers when they are stored or transmitted insecurely.

Browser / Standards Solution

Define a new standard for transmitting session identifiers and managing them within the browser, such as a new request/response header to be used instead of cookies.

Perimeter Solution

  • Make sure that all session identifiers are transmitted over an encrypted protocol.
  • Terminate/regenerate session if the session token is transmitted insecurely, or signal to the application to do so.
  • Enforce the Secure and HttpOnly flags on sensitive cookies using a Web Application Firewall.
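The following is an added example, not code from the OWASP page or from any WAF product, showing how the three perimeter rules above can be applied to traffic passing through a filter. All names (SENSITIVE_COOKIES, harden_set_cookie, plaintext_session_cookies) and the sample headers are hypothetical constructions: the filter forces Secure and HttpOnly onto Set-Cookie headers for cookies in a configured sensitive list, and reports session cookies that were presented over plaintext HTTP so the session can be terminated or regenerated, or the application signalled to do so.

```python
"""Added example (not part of the OWASP page): a perimeter filter that
applies the Perimeter Solution rules to HTTP traffic passing through it.

Hypothetical illustration code, not a real WAF API:
- harden_set_cookie() forces Secure and HttpOnly onto Set-Cookie headers
  for cookies in a configured "sensitive" list;
- plaintext_session_cookies() finds session cookies that arrived over
  unencrypted HTTP, so the caller can terminate/regenerate the session or
  signal the application to do so.
"""

# Cookie names the perimeter treats as session identifiers. Constructed
# placeholder list; a deployment would configure it.
SENSITIVE_COOKIES = {"sessionid", "JSESSIONID", "PHPSESSID"}

# Canonical spelling for attributes we may emit; others pass through as-is.
_CANONICAL = {"secure": "Secure", "httponly": "HttpOnly", "path": "Path",
              "domain": "Domain", "expires": "Expires", "max-age": "Max-Age",
              "samesite": "SameSite"}


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attr_lower: value|True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        # Flag attributes (Secure, HttpOnly) have no "=" and are stored as True.
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def harden_set_cookie(header_value, sensitive=SENSITIVE_COOKIES):
    """Return the Set-Cookie value with Secure and HttpOnly guaranteed on
    sensitive cookies. Non-sensitive cookies are returned untouched."""
    name, value, attrs = parse_set_cookie(header_value)
    if name not in sensitive:
        return header_value
    attrs["secure"] = True      # never send the token over plaintext
    attrs["httponly"] = True    # keep the token away from script access
    out = ["%s=%s" % (name, value)]
    for key, val in attrs.items():
        label = _CANONICAL.get(key, key)
        out.append(label if val is True else "%s=%s" % (label, val))
    return "; ".join(out)


def harden_response_headers(headers, sensitive=SENSITIVE_COOKIES):
    """Apply harden_set_cookie() to every Set-Cookie header of a response.
    `headers` is a list of (name, value) pairs, as WSGI uses."""
    return [(n, harden_set_cookie(v, sensitive) if n.lower() == "set-cookie" else v)
            for n, v in headers]


def plaintext_session_cookies(scheme, cookie_header, sensitive=SENSITIVE_COOKIES):
    """Names of sensitive cookies presented on a non-HTTPS request. A
    non-empty result means the token has already been exposed: terminate
    or regenerate the session, or signal the application to do so."""
    if scheme.lower() == "https" or not cookie_header:
        return []
    names = [c.strip().partition("=")[0] for c in cookie_header.split(";")]
    return [n for n in names if n in sensitive]


if __name__ == "__main__":
    # Constructed sample response and request, not captured traffic.
    response = [("Content-Type", "text/html"),
                ("Set-Cookie", "sessionid=abc123; Path=/"),
                ("Set-Cookie", "theme=dark; Path=/")]
    for name, value in harden_response_headers(response):
        print(name + ":", value)
    print("exposed over HTTP:",
          plaintext_session_cookies("http", "sessionid=abc123; theme=dark"))
```

The parser is deliberately minimal (one cookie per Set-Cookie header, attributes split on `;`), which is all a header-rewriting filter needs; the point is that the Secure and HttpOnly attributes are added idempotently, and that a cookie already carrying one of them is not duplicated.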

Generic Framework Solution

The framework should provide a centralized cookie management API which prevents direct access to cookies. By default, cookies should be handled according to the following rules, which must be explicitly overridden if a developer has a specific need for a cookie with unsafe properties.

  • Apply Secure and HttpOnly flags.
  • Set the Domain and Path parameters for the cookie correctly.

The framework should provide a configurable session management scheme, which includes the following features:

  • Alert user and deauthorize oldest session when multiple simultaneous logins are detected. Multiple simultaneous logins are prohibited by default, but may be enabled by changing a configuration setting.
  • Terminate session and send security SNMP trap or other configurable message if User-Agent string or other client fingerprinting changes.
  • Provide the option to the user when logging in to pin the session to the originating IP.
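As an added example, not the page's or any framework's code, here is an in-memory session manager that implements the configurable scheme just listed. The class name SessionManager, its methods, the event tuples and the sample users and addresses are all hypothetical: concurrent logins are prohibited by default and a second login deauthorizes the oldest session while recording an alert for the user; a changed User-Agent fingerprint terminates the session and posts a security event to a configurable sink (a plain list here, standing in for an SNMP trap or other message); and the user may opt at login to pin the session to the originating IP.

```python
"""Added example (not part of the OWASP page): a session manager that
implements the Generic Framework Solution's session management scheme.
Illustrative code with hypothetical names, not any framework's real API.
"""
import hashlib
import secrets
import time


def fingerprint(user_agent):
    """Client fingerprint; only the User-Agent is hashed here, extend as needed."""
    return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()


class SessionManager:
    def __init__(self, allow_concurrent=False, event_sink=None):
        # Multiple simultaneous logins are prohibited unless configured on.
        self.allow_concurrent = allow_concurrent
        # Configurable message target; default collects events in a list
        # (stand-in for an SNMP trap or other alerting channel).
        self.events = [] if event_sink is None else event_sink
        self._sessions = {}   # token -> session record
        self._by_user = {}    # user -> [tokens, oldest first]

    def login(self, user, user_agent, ip, pin_ip=False):
        """Create a session; pin_ip is the user's opt-in at login time."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user,
            "fp": fingerprint(user_agent),
            "ip": ip if pin_ip else None,   # None means not pinned
            "created": time.time(),
        }
        tokens = self._by_user.setdefault(user, [])
        tokens.append(token)
        if not self.allow_concurrent and len(tokens) > 1:
            oldest = tokens.pop(0)
            self._sessions.pop(oldest, None)
            self.events.append(("concurrent_login", user,
                                "oldest session deauthorized; user alerted"))
        return token

    def validate(self, token, user_agent, ip):
        """Return the user for a live, consistent session, else None."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if session["fp"] != fingerprint(user_agent):
            self._terminate(token, "user_agent_changed")
            return None
        if session["ip"] is not None and session["ip"] != ip:
            self._terminate(token, "ip_changed")
            return None
        return session["user"]

    def _terminate(self, token, reason):
        session = self._sessions.pop(token, None)
        if session is None:
            return
        user = session["user"]
        self._by_user[user] = [t for t in self._by_user.get(user, []) if t != token]
        # Security message to the configurable sink.
        self.events.append((reason, user, "session terminated"))

    def active_sessions(self, user):
        return len(self._by_user.get(user, []))


if __name__ == "__main__":
    # Constructed sample logins, not real users or addresses.
    mgr = SessionManager()
    t1 = mgr.login("alice", "Mozilla/5.0 (constructed)", "192.0.2.10")
    t2 = mgr.login("alice", "Mozilla/5.0 (constructed)", "192.0.2.11")
    print("first session still valid:", mgr.validate(t1, "Mozilla/5.0 (constructed)", "192.0.2.10"))
    print("second session with changed UA:", mgr.validate(t2, "curl/8.0 (constructed)", "192.0.2.11"))
    for event in mgr.events:
        print("event:", event)
```

Note the ordering in validate(): the fingerprint check runs before the IP check, and either failure removes the session before returning, so a token that has tripped one check cannot be retried against the other.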

Custom Framework Solution

None

Custom Code Solution

None

Discussion / Controversy

References

Session Management Cheat Sheet (OWASP)