Testing for Session puzzling (OTG-SESS-008)

From OWASP
Revision as of 08:29, 14 November 2013

This article is part of the new OWASP Testing Guide v4.


Brief Summary

Session Variable Overloading (also known as Session Puzzling) is an application-level vulnerability which can enable an attacker to perform a variety of malicious actions, including but not limited to:

  • Bypass otherwise effective authentication enforcement mechanisms and impersonate legitimate users.
  • Elevate the privileges of a malicious user account in an environment that would otherwise be considered robust.
  • Skip over qualifying phases in multi-phase processes, even if the process includes all the commonly recommended code-level restrictions.
  • Manipulate server-side values through indirect routes that are hard to predict or detect.
  • Execute traditional attacks in locations that were previously unreachable, or even considered secure.

Description of the Issue

This vulnerability occurs when an application uses the same session variable for more than one purpose. An attacker can potentially access pages in an order unanticipated by the developers, so that the session variable is set in one context and then consumed in another.

For example, an attacker could use session variable overloading to bypass the authentication enforcement of applications that check only for the existence of identity-related session variables, which are normally stored in the session after a successful authentication. The authentication bypass could be executed by accessing a publicly accessible entry point (e.g. a password recovery page) that populates the session with an identically named variable, based on fixed values or on user-originated input.

How to Determine If You Are Vulnerable

The most effective way to detect these vulnerabilities is to enumerate all of the session variables the application uses and the contexts in which each one is set and read. In practice this can only be done thoroughly via source code review, since a black-box test observes the session only through its effects on responses.


Examples
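The following is an added example, not code from the OWASP page: a stdlib-only Python simulation of the authentication bypass described above. A vulnerable application reuses the `username` session variable both as proof of login and as bookkeeping for a public password-recovery step, so an attacker who only visits the recovery page is treated as authenticated. The hardened version beside it keeps one key per purpose and checks an explicit `authenticated` flag. It also includes a small enumeration aid of the kind the detection section calls for, which reports session keys written by more than one handler. All names (`USERS`, `vuln_login`, `safe_login`, the account `alice`, and so on) are constructed for illustration.

```python
"""Session puzzling (session variable overloading) demo.

Constructed example: an in-memory session store and two applications built on
it, one vulnerable and one hardened.  No network or framework is involved.
"""
from dataclasses import dataclass, field

# Constructed user database for the demo.
USERS = {
    "alice": {"password": "correct horse", "recovery_answer": "fluffy"},
}


@dataclass
class Session:
    """Server-side session bound to one client's cookie."""
    data: dict = field(default_factory=dict)


# --- Vulnerable application -------------------------------------------------

def vuln_login(session, username, password):
    """Login sets the identity variable after a successful password check."""
    if USERS.get(username, {}).get("password") == password:
        session.data["username"] = username
        return True
    return False


def vuln_recover_step1(session, username):
    """Public password-recovery page: remembers which account is being recovered.

    It reuses the same 'username' key the login handler uses; this is the
    overloaded variable that makes the puzzle possible.
    """
    if username in USERS:
        session.data["username"] = username
        return True
    return False


def vuln_is_authenticated(session):
    # Authentication is enforced by the mere existence of an identity variable.
    return "username" in session.data


def vuln_account_page(session):
    if not vuln_is_authenticated(session):
        return (401, "login required")
    return (200, f"account of {session.data['username']}")


# --- Hardened application ---------------------------------------------------

def safe_login(session, username, password):
    if USERS.get(username, {}).get("password") == password:
        session.data.pop("recovery_user", None)  # drop state from other workflows
        session.data["auth_user"] = username      # key used only for identity
        session.data["authenticated"] = True      # explicit flag, set only here
        return True
    return False


def safe_recover_step1(session, username):
    if username in USERS:
        session.data["recovery_user"] = username  # distinct key, distinct purpose
        return True
    return False


def safe_is_authenticated(session):
    return session.data.get("authenticated") is True and "auth_user" in session.data


def safe_account_page(session):
    if not safe_is_authenticated(session):
        return (401, "login required")
    return (200, f"account of {session.data['auth_user']}")


# --- Attacker and detection aid ---------------------------------------------

def attack(account_page, recover_step1):
    """Attacker flow: visit the public recovery page for a known account, then
    request a protected page without ever logging in.  Returns the status code."""
    s = Session()
    recover_step1(s, "alice")
    return account_page(s)[0]


def shared_session_keys(handlers):
    """Enumeration aid: run each handler on a fresh session and report keys
    written by more than one handler (candidates for overloading)."""
    writers = {}
    for name, fn in handlers.items():
        s = Session()
        fn(s)
        for key in s.data:
            writers.setdefault(key, set()).add(name)
    return {k: sorted(v) for k, v in writers.items() if len(v) > 1}


if __name__ == "__main__":
    print("vulnerable app:", attack(vuln_account_page, vuln_recover_step1))  # 200
    print("hardened app:  ", attack(safe_account_page, safe_recover_step1))   # 401
```

The enumeration helper is deliberately crude: it only sees keys written by the handlers it is given with the inputs it is given, which is why the page recommends a source code review for completeness. In a real review, the equivalent step is to grep for every write to the session object and record the handler and condition under which each key is set.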

Prevention

Session variables should only be used for a single, consistent purpose. Each workflow (login, password recovery, a multi-step form) should write to its own distinctly named variables, authentication should be decided by an explicit flag set only by the login handler rather than by the presence of an identity value, and state belonging to one workflow should be cleared when another begins.

References

Whitepapers

  • Session Puzzles - Indirect Application Attack Vectors (May 2011): http://puzzlemall.googlecode.com/files/Session%20Puzzles%20-%20Indirect%20Application%20Attack%20Vectors%20-%20May%202011%20-%20Whitepaper.pdf
  • Session Puzzling and Session Race Conditions: http://sectooladdict.blogspot.com/2011/09/session-puzzling-and-session-race.html