Security Testing - Broken Authentication and Session Management Flaws

When the authentication and session management functions of an application are not implemented correctly, attackers can compromise passwords or session IDs, or exploit other implementation flaws to act with other users' credentials.

Let us understand the Threat Agents, Attack Vectors, Security Weakness, Technical Impact and Business Impact of this flaw with the help of a simple diagram.
[Diagram: Broken Auth and Session Mgmt Flaws]

Example

An e-commerce application supports URL rewriting, putting session IDs in the URL:


http://example.com/sale/saleitems/jsessionid=2P0OC2JSNDLPSKHCJUN2JV/?item=laptop
An authenticated user of the site forwards the URL to his friends so they can learn about the discounted sale. He e-mails the link without realizing that he is also giving away his session ID. When his friends use the link, they will use his session and his credit card.
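As an added example (not from the original page), here is a small Python detector a defender could run over web server access logs to spot session identifiers travelling in URLs, as in the scenario above. It recognises the ';jsessionid=...' path-parameter form that Java URL rewriting produces, the 'jsessionid=...' path-segment form shown in the URL on the page, and query-string parameters. The parameter-name list, the host name, the log format and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names under which common frameworks carry a session identifier.
# Assumption: extend this set with your own application's session parameter name.
SESSION_PARAM_NAMES = {"jsessionid", "phpsessid", "asp.net_sessionid", "sessionid", "sid"}

# Assumption: the host whose logs we are scanning; Referers from other hosts are "external".
OWN_HOST = "example.com"


def find_session_id_in_url(url: str):
    """Return (param_name, value) when the URL carries a session identifier,
    either as a ';name=value' path parameter (Java URL rewriting), as a
    'name=value' path segment like the URL on the page, or as a query-string
    parameter. Return None when the URL is clean."""
    parts = urlsplit(url)  # urlsplit keeps ';params' inside .path, which is what we want
    for segment in parts.path.split("/"):
        for piece in segment.split(";"):
            if "=" not in piece:
                continue
            name, value = piece.split("=", 1)
            if name.lower() in SESSION_PARAM_NAMES and value:
                return name.lower(), value
    for name, values in parse_qs(parts.query).items():
        if name.lower() in SESSION_PARAM_NAMES and values and values[0]:
            return name.lower(), values[0]
    return None


# Matches the request URL, status, size and Referer of a combined-log-format entry.
LOG_RE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/[\d.]+" \d+ \S+ "([^"]*)"')


def scan_access_log(log_text: str):
    """Return one finding per request whose URL exposes a session ID. A Referer from
    another host (for example a webmail site) is the tell-tale of a link that was
    forwarded with the session ID still inside it."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue
        url, referer = match.group(1), match.group(2)
        hit = find_session_id_in_url(url)
        if hit is None:
            continue
        external = referer not in ("-", "") and urlsplit(referer).hostname != OWN_HOST
        findings.append({
            "url": url,
            "param": hit[0],
            "session_id": hit[1],
            "referer": referer,
            "external_referer": external,
        })
    return findings


# Constructed sample log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /sale/saleitems/jsessionid=2P0OC2JSNDLPSKHCJUN2JV/?item=laptop HTTP/1.1" 200 5123 "http://webmail.example.net/inbox" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /sale/saleitems?item=laptop HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:57:12 +0000] "GET /account;jsessionid=7A1B2C3D4E5F HTTP/1.1" 200 812 "http://example.com/sale/saleitems" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Detection is the fallback; the durable fix is to stop the container from rewriting URLs in the first place. On Servlet 3.0 and later containers, declaring `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in web.xml restricts session tracking to cookies, and the application should additionally issue a fresh session ID at login.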

Hands ON

1. Log in to WebGoat and navigate to the 'Session Management Flaws' section. Let us bypass authentication by spoofing the cookie. Below is a snapshot of the scenario.
2. When we log in with the credentials webgoat/webgoat, we see in Burp Suite that the JSESSIONID is C8F3177CCAFF380441ABF71090748F2E and the AuthCookie is 65432ubphcfx after successful authentication.

3. When we log in with the credentials aspect/aspect, we see in Burp Suite that the JSESSIONID is C8F3177CCAFF380441ABF71090748F2E and the AuthCookie is 65432udfqtb after successful authentication.
4. Now we need to analyze the AuthCookie patterns. The first half, 65432, is common to both logins, so we are interested in the last part of the AuthCookie values: ubphcfx for the webgoat user and udfqtb for the aspect user.

5. Looking closely at the AuthCookie values, the last part has the same length as the user name, so the user name is evidently being transformed with some encoding scheme. By trial and error we find that reversing the user name webgoat gives taogbew, and shifting each letter one position along the alphabet (t becomes u, a becomes b, and so on) gives ubphcfx, the value used in the AuthCookie.
6. Now let us pass this cookie value and see what happens. After authenticating as user webgoat, change the AuthCookie value to impersonate the user Alice, deriving her AuthCookie by repeating steps 4 and 5.

[Screenshots: Broken Auth and Session Mgmt Flaws]

Preventing Mechanisms

Develop strong authentication and session management controls that meet all the authentication and session management requirements defined in OWASP's Application Security Verification Standard (ASVS).
Developers should ensure that they avoid XSS flaws that can be used to steal session IDs.
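The following Python, added here and not part of the page or of WebGoat, puts the cookie analysis from steps 4 and 5 of the hands-on section next to the kind of session handling the prevention advice above calls for. weak_auth_cookie reproduces the AuthCookie scheme inferred on the page (constant prefix 65432, user name reversed, each letter moved one place forward in the alphabet, so t becomes u) and can be checked against the two values recorded from Burp; SessionStore and set_cookie_header are a hypothetical replacement in which the token is 256 random bits from the operating system, looked up server-side, expired after an idle timeout, and sent with HttpOnly so that an XSS flaw cannot read it from document.cookie. The class name, function names, cookie name and timeout are assumptions.

```python
import secrets
import string
import time

COOKIE_PREFIX = "65432"  # constant first half observed on the page for both users


def weak_auth_cookie(username: str) -> str:
    """Reproduce the lesson's AuthCookie scheme as inferred in steps 4 and 5:
    prefix + reversed user name with every letter shifted one place forward
    (t -> u, a -> b, ..., z -> a). Because the value is a pure function of the
    user name, knowing a user name is enough to forge the cookie."""
    shifted = []
    for ch in reversed(username.lower()):
        if ch in string.ascii_lowercase:
            shifted.append(chr((ord(ch) - ord("a") + 1) % 26 + ord("a")))
        else:
            shifted.append(ch)  # assumption: non-letters are passed through unchanged
    return COOKIE_PREFIX + "".join(shifted)


class SessionStore:
    """Server-side session table keyed by an unguessable random token
    (hypothetical replacement for the deterministic AuthCookie)."""

    def __init__(self, idle_timeout_seconds: float = 30 * 60):
        self._sessions = {}  # token -> {"user": ..., "expires": unix time}
        self._idle_timeout = idle_timeout_seconds

    def create(self, username: str, now=None) -> str:
        """Issue a fresh token on every login; never carry over a pre-login token."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 32 bytes = 256 bits from the OS CSPRNG
        self._sessions[token] = {"user": username, "expires": now + self._idle_timeout}
        return token

    def lookup(self, token: str, now=None):
        """Return the user bound to a live token, or None; expired tokens are purged."""
        now = time.time() if now is None else now
        record = self._sessions.get(token)
        if record is None:
            return None
        if record["expires"] <= now:
            del self._sessions[token]
            return None
        record["expires"] = now + self._idle_timeout  # sliding expiry on each use
        return record["user"]

    def destroy(self, token: str) -> None:
        """Logout: invalidate the token server-side so a stolen copy stops working."""
        self._sessions.pop(token, None)


def set_cookie_header(token: str) -> str:
    """Set-Cookie line for the hardened token: HttpOnly keeps page scripts (and thus
    an XSS payload) from reading it, Secure confines it to HTTPS, and SameSite=Lax
    stops most cross-site requests from carrying it."""
    return f"AuthToken={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    # The inferred scheme reproduces both values recorded from Burp on the page.
    print(weak_auth_cookie("webgoat"), weak_auth_cookie("aspect"))
    store = SessionStore()
    token = store.create("webgoat")
    print(set_cookie_header(token))
    print(store.lookup(token))
```

The contrast to draw is that weak_auth_cookie yields the same value for a user on every login and can be recomputed by anyone, while two calls to SessionStore.create for the same user yield two unrelated tokens that mean nothing outside the server's own table, and destroy or the idle timeout ends their validity regardless of who holds a copy.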
