The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws





Chapter 7 



Attacking Session Management




from accessing subsequent pages. Except where strictly necessary, personal data should not be displayed back to the user at all. Even where this is required (e.g., a “confirm order” page showing addresses), sensitive items such as credit card numbers and passwords should never be displayed back to the user and should always be masked within the source of the application’s response.



Per-Page Tokens

Finer-grained control over sessions can be achieved, and many kinds of session attacks made more difficult or impossible, by using per-page tokens in addition to session tokens. Here, a new page token is created every time a user requests an application page (as opposed to an image, for example) and is passed to the client in a cookie or a hidden field of an HTML form. Each time the user makes a request, the page token is validated against the last value issued, in addition to the normal validation of the main session token. In the case of a non-match, the entire session is terminated. Many of the most security-critical web applications on the Internet, such as online banks, employ per-page tokens to provide increased protection for their session management mechanism, as shown in Figure 7-5.

Figure 7-5:  Per-page tokens used in a banking application

While the use of per-page tokens does impose some restrictions on navigation (for example, on use of the back and forward buttons and multi-window browsing), it effectively prevents session fixation attacks and ensures that the simultaneous use of a hijacked session by a legitimate user and an attacker will quickly be blocked after both have made a single request. Per-page tokens can also be leveraged to track the user’s location and movement through the application, and used to detect attempts to access functions out of a defined sequence, helping to protect against certain access control defects (see Chapter 8).
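The per-page token check described above, as an added illustration that is not from the book: a minimal server-side session store that rotates the page token on every page request, terminates the whole session on a mismatch, and a constructed scenario showing that once a hijacked session is used by two parties, both are blocked after a single request each. The `SessionStore` class and the `simulate_*` helpers are assumptions for the example, not any real framework's API.

```python
import secrets

class SessionStore:
    """Server-side sessions with a per-page token alongside the session id."""

    def __init__(self):
        # session_id -> {"user": ..., "page_token": last value issued}
        self.sessions = {}

    def create_session(self, user):
        sid = secrets.token_urlsafe(32)
        page_token = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "page_token": page_token}
        return sid, page_token

    def request_page(self, sid, page_token):
        """Validate the session id and the last-issued page token.
        Returns (ok, new_page_token). Any mismatch ends the entire session."""
        sess = self.sessions.get(sid)
        if sess is None:
            return False, None
        # Constant-time comparison so the check itself leaks nothing
        if not secrets.compare_digest(sess["page_token"], page_token):
            del self.sessions[sid]          # terminate, do not just reject
            return False, None
        new_token = secrets.token_urlsafe(32)
        sess["page_token"] = new_token      # rotate for the next page
        return True, new_token

    def is_active(self, sid):
        return sid in self.sessions

def simulate_normal_navigation(pages=3):
    """A single browser presenting each fresh token in turn succeeds every time."""
    store = SessionStore()
    sid, token = store.create_session("alice")
    results = []
    for _ in range(pages):
        ok, token = store.request_page(sid, token)
        results.append(ok)
    return results, store.is_active(sid)

def simulate_hijacked_session():
    """Constructed scenario: a second party holds a copy of (sid, token)."""
    store = SessionStore()
    sid, t0 = store.create_session("alice")
    second_ok, t1 = store.request_page(sid, t0)   # first use of t0 succeeds, issues t1
    owner_ok, _ = store.request_page(sid, t0)     # stale t0 -> whole session terminated
    second_again, _ = store.request_page(sid, t1) # t1 is useless once the session is gone
    return second_ok, owner_ok, second_again, store.is_active(sid)
```

The trade-off the book mentions (back/forward buttons, multiple windows) is visible in `simulate_hijacked_session`: any client that re-sends an older token, legitimate or not, ends the session.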

