Difference between revisions of "Session Variable Overloading"

From OWASP
Latest revision as of 09:15, 26 September 2011

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.


Last revision (mm/dd/yy): 09/26/2011


Description

Session Variable Overloading (also known as Session Puzzling) is an application-level vulnerability which can enable an attacker to perform a variety of malicious actions, including but not limited to:

  • Bypass otherwise effective authentication enforcement mechanisms and impersonate legitimate users.
  • Elevate the privileges of a malicious user account in an environment that would otherwise be considered foolproof.
  • Skip over qualifying phases in multiphase processes, even if the process includes all the commonly recommended code-level restrictions.
  • Manipulate server-side values through indirect methods that cannot be predicted or detected.
  • Execute traditional attacks in locations that were previously unreachable, or even considered secure.

This vulnerability occurs when an application uses the same session variable for more than one purpose. An attacker can potentially access pages in an order unanticipated by the developers, so that the session variable is set in one context and then used in another.

For example, an attacker could use session variable overloading to bypass the authentication enforcement mechanisms of applications that enforce authentication by validating the existence of session variables that contain identity-related values, which are usually stored in the session after a successful authentication process. The authentication bypass attack vector could be executed by accessing a publicly accessible entry point (e.g. a password recovery page) that populates the session with an identical session variable, based on fixed values or on user-originated input.
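The password-recovery scenario above, as an added in-process model (this is example code written for this page, not code from OWASP or from any real application): the "session" is a plain dict, the user store is constructed sample data, and the handlers stand in for the login, recovery and protected pages of a web application. The vulnerable recovery handler reuses the login handler's identity variable; the fixed one gives recovery state its own single-purpose key, so the unchanged existence check stays meaningful.

```python
# Added example, not code from the OWASP page. No web framework: the session
# is a dict and the user store is constructed sample data.
USERS = {"alice": "correct horse battery staple"}   # constructed for the example


def login(session, username, password):
    """Real authentication: sets the identity marker only after a password check."""
    if USERS.get(username) == password:
        session["user"] = username
        return True
    return False


def is_authenticated(session):
    """Authorization check of the kind the page describes: it only tests that the
    identity variable exists, trusting that login() is the sole writer of it."""
    return "user" in session


def recovery_vulnerable(session, username):
    """Publicly reachable 'forgot password' step. Defect: it stores the name of the
    account being recovered in the *same* variable login() uses as proof of identity,
    from untrusted input, so the variable now serves two purposes (session puzzle)."""
    session["user"] = username
    return "recovery question sent"


def recovery_fixed(session, username):
    """Single-purpose variable: recovery state lives under its own key, which nothing
    on the authentication path ever reads. is_authenticated() is unchanged."""
    session["recovery_user"] = username
    return "recovery question sent"


def unauthenticated_visit(recovery, check):
    """A visitor who never logged in hits the recovery page with a victim's
    username, then requests a protected page. Returns whether access is granted."""
    session = {}
    recovery(session, "alice")
    return check(session)
```

With `recovery_vulnerable` the unauthenticated visit is accepted as alice; with `recovery_fixed` it is refused, while a genuine `login` still succeeds.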

Environments Affected

All web servers, application servers, and web application environments are susceptible to session variable overloading.

How to Determine If You Are Vulnerable

The most effective way to detect these vulnerabilities is to enumerate all of the session variables used and in which context they are valid. In practice this can only be effectively done via a source code review.
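The enumeration the paragraph above recommends can be partly mechanised during a source code review. The following is an added example (not an OWASP tool): a small scanner that walks a Python source file, records which function writes and which function reads each `session["key"]`, and flags keys written from more than one context as overloading candidates. The scanned source is a constructed sample; the regexes assume the `session[...]` idiom and a human still has to judge whether the two contexts really mean the same thing.

```python
import re

# Constructed sample application source for the scan (not real code).
SAMPLE_SOURCE = '''
def login(request):
    if check_password(request.form["u"], request.form["p"]):
        session["user"] = request.form["u"]

def password_recovery(request):
    session["user"] = request.form["u"]
    session["recovery_step"] = 1

def profile(request):
    if "user" in session:
        return render_profile(session["user"])
'''

DEF_RE = re.compile(r"^\s*def\s+(\w+)\s*\(")
# session["key"] = ...   (but not ==)
WRITE_RE = re.compile(r"""session\[\s*['"](\w+)['"]\s*\]\s*=(?!=)""")
# session["key"] not followed by a single '=', or   "key" in session
READ_RE = re.compile(
    r"""(?:session\[\s*['"](\w+)['"]\s*\](?!\s*=[^=])|['"](\w+)['"]\s+in\s+session)""")


def enumerate_session_vars(source):
    """Return (writes, reads): session key -> set of function names touching it."""
    writes, reads = {}, {}
    context = "<module>"
    for line in source.splitlines():
        m = DEF_RE.match(line)
        if m:
            context = m.group(1)       # every later line belongs to this handler
            continue
        for key in WRITE_RE.findall(line):
            writes.setdefault(key, set()).add(context)
        for key_a, key_b in READ_RE.findall(line):
            reads.setdefault(key_a or key_b, set()).add(context)
    return writes, reads


def overloaded_keys(source):
    """Keys written from more than one handler: review each writer's purpose."""
    writes, _ = enumerate_session_vars(source)
    return sorted(k for k, ctxs in writes.items() if len(ctxs) > 1)
```

On the sample, `user` is written by both `login` and `password_recovery` but read only by `profile`, which is exactly the pattern to look for: one reader that cannot tell which writer populated the value.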

Prevention

Session variables should only be used for a single consistent purpose.


Examples

Related Attacks

References

  • Session Puzzles: http://puzzlemall.googlecode.com/files/Session%20Puzzles%20-%20Indirect%20Application%20Attack%20Vectors%20-%20May%202011%20-%20Whitepaper.pdf
  • Session Puzzling and Session Race Conditions: http://sectooladdict.blogspot.com/2011/09/session-puzzling-and-session-race.html