The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

security compromise has occurred: either the user has disclosed their creden-

tials to another party or an attacker has obtained their credentials through

some other means. In both cases, permitting concurrent sessions is undesirable

because it allows users to persist in undesirable practices without inconve-

nience and because it allows an attacker to use captured credentials without

risk of detection. 

A related but distinct weakness is for applications to use “static” tokens.

These look like session tokens and may initially appear to function like them,

but in fact they are no such thing. In these applications, each user is assigned a

token, and this same token is reissued to the user every time he logs in. The

application always accepts the token as valid regardless of whether the user

has recently logged in and been issued with it. Applications like this really

involve a misunderstanding of the whole concept of what a session is, and the

benefits that it provides for managing and controlling access to the applica-

tion. Sometimes, applications operate like this as a means of implementing

poorly designed “remember me” functionality, and the static token is accord-

ingly stored in a persistent cookie (see Chapter 6). Sometimes the tokens them-

selves are vulnerable to prediction attacks, making the vulnerability far more

serious because rather than compromising the sessions of currently logged-in

users, a successful attack will compromise, for all time, the accounts of all reg-

istered users.

Other kinds of strange application behavior are also occasionally observed

that demonstrate a fundamental defect in the relationship between tokens and

sessions. One example is where a meaningful token is constructed based upon

a username and a random component. For example, consider the token:

dXNlcj1kYWY7cjE9MTMwOTQxODEyMTM0NTkwMTI=

which Base64-decodes to:

user=daf;r1=13094181213459012

After extensive analysis of the 

r1

component, we may conclude that this

cannot be predicted based on a sample of values. However, if the application’s

session processing logic is awry, it may be that an attacker simply needs to

submit any valid value as 

r1

and any valid value as 

user

, in order to access a

session under the security context of the specified user. This is essentially an

access control vulnerability, because decisions about access are being made on

the basis of user-supplied data outside of the session (see Chapter 8). It arises

because the application effectively uses session tokens to signify that the

requester has established some kind of valid session with the application; how-

ever, the user context in which that session is processed is not an integral prop-

erty of the session itself but is determined per-request through some other

means. In this case, that means can be directly controlled by the requester.

Download 5,76 Mb.

Do'stlaringiz bilan baham: