Difference between revisions of "OWASP Periodic Table of Vulnerabilities - Cookie Theft/Session Hijacking"

From OWASP

Revision as of 15:14, 15 May 2013

Cookie Theft/Session Hijacking

Root Cause Summary

It's possible for an attacker to steal and reuse session identifiers or other sensitive cookie values when they are stored or transmitted insecurely.

Browser / Standards Solution

Define a new standard for transmitting session identifiers and managing them within the browser, such as a new request/response header to be used instead of cookies. The standard should include a mechanism to tie the session identifier to the SSL session on both the browser and the server.

Perimeter Solution

  • Make sure that all session identifiers are transmitted over an encrypted protocol.
  • Terminate/regenerate the session if the session token is transmitted insecurely (either in clear text or as part of the URL), or signal to the application to do so.
  • Enforce the Secure and HttpOnly flags on sensitive cookies using a Web Application Firewall.
  • Ensure that session identifiers are transmitted only using the SSL session where they originated. Track sessions across SSL renegotiations and integrate with framework solutions to support common SSL termination/reencryption architectures.
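The four perimeter rules above, written out as an added example (this is not code from the OWASP page): a filter placed in front of the application that refuses session tokens sent in clear text or in the URL, tells the application to terminate those sessions, asks for regeneration when a token turns up on a different TLS session than the one it was first seen on, and adds Secure/HttpOnly to the session cookie on the way out. The Request and Verdict types, the SESSIONID cookie name and the tls_session_id value are assumptions; in a real deployment the TLS terminator would supply that identifier.

```python
# Added example, not from the OWASP page. Names (Request, Verdict, SESSIONID,
# tls_session_id) are assumptions; a real deployment would obtain the TLS
# session identifier from the terminating proxy.
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import parse_qs, urlsplit

SESSION_COOKIE = "SESSIONID"   # assumed name of the sensitive cookie


@dataclass
class Request:
    scheme: str                      # "http" or "https"
    url: str
    headers: dict
    tls_session_id: Optional[str]    # opaque id of the TLS session carrying this request


@dataclass
class Verdict:
    action: str                      # "allow", "terminate" or "regenerate"
    reasons: list = field(default_factory=list)


def extract_session_token(req):
    """Return (token, where) with where in {"cookie", "url"}, or (None, None)."""
    jar = SimpleCookie()
    jar.load(req.headers.get("Cookie", ""))
    if SESSION_COOKIE in jar:
        return jar[SESSION_COOKIE].value, "cookie"
    query = parse_qs(urlsplit(req.url).query)
    if SESSION_COOKIE in query:
        return query[SESSION_COOKIE][0], "url"
    return None, None


class PerimeterFilter:
    """Encrypted transport only, no tokens in URLs, and a token stays bound
    to the TLS session on which it was first seen."""

    def __init__(self):
        self._origin_tls = {}        # token -> TLS session id at first sighting

    def inspect(self, req):
        token, where = extract_session_token(req)
        if token is None:
            return Verdict("allow")
        reasons = []
        if req.scheme != "https":
            reasons.append("session token sent in clear text")
        if where == "url":
            reasons.append("session token carried in the URL")
        if reasons:
            # Insecurely transmitted: drop our binding and tell the app to terminate.
            self._origin_tls.pop(token, None)
            return Verdict("terminate", reasons)
        origin = self._origin_tls.setdefault(token, req.tls_session_id)
        if origin != req.tls_session_id:
            # Same token, different TLS session: ask the app to issue a new one.
            return Verdict("regenerate", ["session token presented over a different TLS session"])
        return Verdict("allow")


def harden_set_cookie(header_value):
    """Add Secure and HttpOnly to a Set-Cookie for the session cookie if absent
    (the WAF-side enforcement from the third rule); other cookies pass unchanged."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    if name != SESSION_COOKIE:
        return header_value
    present = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    for flag in ("Secure", "HttpOnly"):
        if flag.lower() not in present:
            parts.append(flag)
    return "; ".join(parts)
```

The filter only signals; the application (or framework) decides how to terminate or regenerate, which matches the "or signal to the application to do so" wording above.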

Generic Framework Solution

The framework should provide a centralized cookie management API which prevents direct access to cookies. By default, cookies should be handled according to the following rules, which must be explicitly overridden if a developer has a specific need for a cookie with unsafe properties.

  • Apply Secure and HttpOnly flags.
  • Set the Domain and Path parameters for the cookie correctly.
  • Automatically check for cookie support and either instruct the user to enable cookies/upgrade the browser, or switch to a "cookieless" session scheme based on a configuration choice. Default to requiring cookie support.
  • Expose a simple administrative interface for setting P3P rules.
  • Automatically validate and signal when the number of cookies in use or the size of cookie data exceeds that which is commonly supported by browsers.
  • Prevent application code from overwriting or otherwise manipulating the session cookie. Possibly prohibit the application from accessing the session token at all.
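A centralized cookie API of the kind described above, as an added example rather than code from the OWASP page or any particular framework: every Set-Cookie goes through one object that applies Secure and HttpOnly and an explicit Domain and Path by default, requires an explicit override to weaken them, refuses to let application code touch the session cookie, and signals when cookie size or count exceeds what browsers commonly support. The CookieManager API, the SESSIONID name, the unsafe_override flag and the negotiate_transport helper are assumptions; the size and count limits are the RFC 6265 minima that user agents must accept.

```python
# Added example, not from the OWASP page. The CookieManager API, the SESSIONID
# name and the "unsafe_override" escape hatch are assumptions.
from http.cookies import SimpleCookie

# RFC 6265 requires user agents to accept at least 4096 bytes per cookie and at
# least 50 cookies per domain; those minima serve as the "commonly supported" limits.
MAX_COOKIE_BYTES = 4096
MAX_COOKIES_PER_DOMAIN = 50
SESSION_COOKIE = "SESSIONID"   # assumed; owned by the framework, never by application code


class CookiePolicyError(Exception):
    """Raised when application code asks for a cookie the policy forbids."""


class CookieManager:
    """Single choke point for Set-Cookie: safe flags by default, explicit override required."""

    def __init__(self, domain, path="/", signal=print):
        self.domain = domain
        self.path = path
        self.signal = signal             # where limit violations are reported
        self._jar = SimpleCookie()

    def set(self, name, value, *, secure=True, httponly=True,
            domain=None, path=None, unsafe_override=False):
        if name == SESSION_COOKIE:
            raise CookiePolicyError("application code may not write the session cookie")
        if not (secure and httponly) and not unsafe_override:
            raise CookiePolicyError("dropping Secure/HttpOnly requires unsafe_override=True")
        return self._emit(name, value, secure, httponly, domain, path)

    def issue_session_cookie(self, token):
        """Framework-internal path for the session cookie: flags cannot be relaxed."""
        return self._emit(SESSION_COOKIE, token, True, True, None, None)

    def _emit(self, name, value, secure, httponly, domain, path):
        self._jar[name] = value
        morsel = self._jar[name]
        morsel["secure"] = secure
        morsel["httponly"] = httponly
        morsel["domain"] = domain or self.domain      # scope the cookie explicitly
        morsel["path"] = path or self.path
        header = morsel.OutputString()
        self._check_limits(name, header)
        return header

    def _check_limits(self, name, header):
        if len(header.encode()) > MAX_COOKIE_BYTES:
            self.signal(f"cookie {name} exceeds {MAX_COOKIE_BYTES} bytes; browsers may drop it")
        if len(self._jar) > MAX_COOKIES_PER_DOMAIN:
            self.signal(f"{len(self._jar)} cookies set for {self.domain}; browsers may evict some")

    def headers(self):
        """All Set-Cookie header values to send with the response."""
        return [m.OutputString() for m in self._jar.values()]


def negotiate_transport(cookies_supported, require_cookies=True):
    """Decide how to carry the session once the framework has checked whether the
    client returned its test cookie: require cookies by default, or fall back to
    a cookieless scheme when configuration allows it."""
    if cookies_supported:
        return "cookie"
    return "instruct-user" if require_cookies else "cookieless"
```

Application code calls set() only; the session cookie is issued through issue_session_cookie(), which the framework's session layer calls and which never exposes a way to relax its flags.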

The framework should provide a configurable session management scheme, which includes the following features:

  • Alert user and deauthorize oldest session when multiple simultaneous logins are detected. Multiple simultaneous logins are prohibited by default, but may be enabled by changing a configuration setting.
  • Terminate the session and send a security SNMP trap or other configurable message if the User-Agent string or other client fingerprint changes.
  • Tie the session ID to the SSL session and provide configurable options for actions to take if the session ID is transmitted over a new SSL session. Expose integration points with perimeter technologies to facilitate SSL termination, renegotiation, and other transitions.
  • Provide the option to the user when logging in to pin the session to the originating IP.
  • Never include session information as part of a URL in order to support "cookieless" sessions. Rewrite URLs as form POSTs including the session identifier as a hidden field, instead.
  • Provide a configurable option for automatically changing the session identifier transparently during a session: never, after a set time period, or a set number of requests.
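The session management features listed above, combined into one added example (not code from the OWASP page or from any framework): a session store that deauthorizes the oldest session on a concurrent login unless multiple logins are enabled, terminates and signals when the client fingerprint changes, honours an optional pin to the originating IP, takes a configurable action when the session ID arrives over a new TLS session, rotates the identifier after a set number of requests or seconds, and, for cookieless mode, rewrites a link as a POST form with the identifier in a hidden field. SessionConfig, SessionManager, the signal hook and the "session" form field name are assumptions; the TLS session id and fingerprint are treated as opaque strings supplied by the front end.

```python
# Added example, not from the OWASP page. SessionConfig/SessionManager, the
# signal hook and the "session" form field name are assumptions; the TLS
# session id and client fingerprint are opaque strings supplied by the front end.
import secrets
import time
from dataclasses import dataclass
from html import escape
from typing import Optional


@dataclass
class SessionConfig:
    allow_multiple_logins: bool = False           # prohibited by default
    rotate_after_seconds: Optional[float] = None  # None = never
    rotate_after_requests: Optional[int] = None   # None = never
    on_new_tls_session: str = "regenerate"        # "allow", "regenerate" or "terminate"


@dataclass
class Session:
    user: str
    fingerprint: str          # e.g. User-Agent or a richer client fingerprint
    tls_session_id: str
    pinned_ip: Optional[str]
    created: float
    requests: int = 0


class SessionManager:
    def __init__(self, config, signal=print, clock=time.time):
        self.config = config
        self.signal = signal      # SNMP trap, SIEM message, log line, ...
        self.clock = clock
        self._sessions = {}       # token -> Session

    def login(self, user, fingerprint, tls_session_id, client_ip, pin_ip=False):
        existing = [(s.created, t) for t, s in self._sessions.items() if s.user == user]
        if existing and not self.config.allow_multiple_logins:
            _, oldest = min(existing)
            del self._sessions[oldest]
            self.signal(f"{user}: concurrent login detected, oldest session deauthorized")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, fingerprint, tls_session_id,
                                        client_ip if pin_ip else None, self.clock())
        return token

    def validate(self, token, fingerprint, tls_session_id, client_ip):
        """Return (status, token): ("ok", same), ("rotated", new) or ("terminated", None)."""
        s = self._sessions.get(token)
        if s is None:
            return "terminated", None
        if fingerprint != s.fingerprint:
            return self._terminate(token, "client fingerprint changed")
        if s.pinned_ip is not None and client_ip != s.pinned_ip:
            return self._terminate(token, "request from an address other than the pinned one")
        if tls_session_id != s.tls_session_id:
            if self.config.on_new_tls_session == "terminate":
                return self._terminate(token, "session ID presented over a new TLS session")
            s.tls_session_id = tls_session_id
            if self.config.on_new_tls_session == "regenerate":
                return "rotated", self._rotate(token)
        s.requests += 1
        cfg = self.config
        if cfg.rotate_after_requests is not None and s.requests >= cfg.rotate_after_requests:
            return "rotated", self._rotate(token)
        if cfg.rotate_after_seconds is not None and self.clock() - s.created >= cfg.rotate_after_seconds:
            return "rotated", self._rotate(token)
        return "ok", token

    def _rotate(self, token):
        # Transparent identifier change: same session state, fresh token.
        s = self._sessions.pop(token)
        s.created, s.requests = self.clock(), 0
        new = secrets.token_urlsafe(32)
        self._sessions[new] = s
        return new

    def _terminate(self, token, reason):
        self._sessions.pop(token, None)
        self.signal(f"session terminated: {reason}")
        return "terminated", None


def cookieless_form(url, token, label="Continue"):
    """Cookieless mode: instead of putting the identifier in the URL, wrap the
    link in a POST form that carries it as a hidden field."""
    return (f'<form method="post" action="{escape(url, quote=True)}">'
            f'<input type="hidden" name="session" value="{escape(token, quote=True)}">'
            f'<button type="submit">{escape(label)}</button></form>')
```

The caller replaces its stored token whenever validate() returns "rotated", so rotation stays transparent to the user; the signal hook is where the SNMP trap or other configurable message from the list above would be sent.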

Custom Framework Solution

None

Custom Code Solution

None

Discussion / Controversy

References

Session Management Cheat Sheet (OWASP)