The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws


Chapter 12  ■ Attacking Other Users



Page 451




browser. In the case of cookies, this attack will succeed in hijacking the user's session even against applications that issue HttpOnly cookies, and so where cookies cannot be straightforwardly captured via an XSS attack.

In both of these cases, the same mechanisms for delivering the attack are available as were described previously for reflected XSS.

Session fixation vulnerabilities can also exist in applications that do not contain login functionality. For example, an application may allow anonymous users to browse a catalog of products, place items into a shopping cart, check out by submitting personal data and payment details, and then review all of this information on a Confirm Order page. In this situation, an attacker may fix an anonymous session token in the browser of a victim, wait for that user to place an order and submit sensitive information, and then access the Confirm Order page using the token, to capture the user's details.

Some web applications and web servers accept arbitrary tokens submitted by users, even if these were not previously issued by the server itself. When an unrecognized token is received, the server simply creates a new session for the token, and handles it exactly as if it were a new token generated by the server. Microsoft IIS and Allaire ColdFusion servers have been vulnerable to this weakness in the past.

When an application or server behaves in this way, attacks based on session fixation are made considerably easier because the attacker does not need to take any steps to ensure that the tokens fixed in target users' browsers are currently valid. The attacker can simply choose an arbitrary token, distribute this as widely as possible (for example, by emailing a URL containing the token to individual users, mailing lists, etc.), and then periodically poll a protected page within the application (for example, My Details) to detect when a victim has used the token to log in. Even if a targeted user does not follow the URL for several months, a determined attacker may still be able to hijack their session.
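The two server behaviours discussed above, the weak one that adopts any unrecognized token and the hardened one that honours only server-issued tokens and rotates the token when the session's trust level changes (login, or moving from an anonymous cart to checkout), can be contrasted in a few dozen lines. The following is an added example written for this page; it is not code from the book or from any of the products named above. The token store, the session layout, the attacker-chosen token value and the card number are all constructed for the illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

TOKEN_BYTES = 16  # 128 bits of entropy per server-issued token


@dataclass
class Session:
    token: str
    user: Optional[str] = None            # None means an anonymous session
    data: dict = field(default_factory=dict)


class PermissiveSessionStore:
    """Mirrors the weak behaviour described in the text: an unrecognized
    token presented by the client is adopted as-is and a fresh session is
    created for it, so an attacker-chosen token becomes valid the moment a
    victim's browser presents it. The token is never rotated."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def resolve(self, presented: Optional[str]) -> Session:
        if presented and presented in self._sessions:
            return self._sessions[presented]
        token = presented or secrets.token_hex(TOKEN_BYTES)
        session = Session(token)
        self._sessions[token] = session
        return session

    def elevate(self, session: Session, user: Optional[str] = None) -> Session:
        # Login happens, but the fixed token stays in force.
        session.user = user if user is not None else session.user
        return session


class StrictSessionStore:
    """Hardened behaviour: only tokens this server issued are honoured, an
    unknown token is ignored (and counted, as a detection signal) rather
    than adopted, and the token is regenerated on any change of trust level."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self.unknown_presented = 0   # how often a never-issued token arrived

    def _issue(self, user: Optional[str] = None, data: Optional[dict] = None) -> Session:
        token = secrets.token_hex(TOKEN_BYTES)
        session = Session(token, user, dict(data or {}))
        self._sessions[token] = session
        return session

    def resolve(self, presented: Optional[str]) -> Session:
        session = self._sessions.get(presented) if presented else None
        if session is not None:
            return session
        if presented:
            self.unknown_presented += 1   # worth logging: possible fixation attempt
        return self._issue()              # client gets a server-chosen token instead

    def elevate(self, old: Session, user: Optional[str] = None) -> Session:
        """Rotate the token on login or before a sensitive step such as
        checkout; the previously presented token is invalidated, so anything
        fixed in the browser earlier no longer reaches the sensitive data."""
        self._sessions.pop(old.token, None)
        return self._issue(user if user is not None else old.user, old.data)

    def is_valid(self, token: str) -> bool:
        return token in self._sessions


# Constructed: the value an attacker placed in the victim's browser beforehand.
ATTACKER_TOKEN = "attacker-chosen-token-0000"


def fixation_scenario(store) -> Optional[str]:
    """Replays the attack flow from the text against a store and returns what
    the attacker can read back with the fixed token (None means nothing)."""
    victim = store.resolve(ATTACKER_TOKEN)          # victim follows the URL
    victim = store.elevate(victim, user="alice")    # victim logs in / checks out
    victim.data["card"] = "4111-0000-0000-0000"     # constructed payment detail
    attacker_view = store.resolve(ATTACKER_TOKEN)   # attacker polls later
    return attacker_view.data.get("card")


if __name__ == "__main__":
    print("permissive:", fixation_scenario(PermissiveSessionStore()))
    print("strict:    ", fixation_scenario(StrictSessionStore()))
```

Against the permissive store the attacker reads the card details back with the token they distributed; against the strict store the same token is never activated, the victim's data lives under a server-issued token that was rotated again at login, and the `unknown_presented` counter gives the operator something to alert on when never-issued tokens arrive repeatedly.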

