The objective of this article is to evaluate the security posture of web session management: to distinguish the common attack patterns and vulnerable conditions, and to provide countermeasures that can be acted on.
Applicable Laws, Regulations, Standards & Guidance
The following cybersecurity laws, regulations, industry standards, and guidance apply to this assessment.
✅[NIST SP 800-115] Technical Guide to Information Security Testing and Assessment.
✅[RFC-6265] HTTP State Management Mechanism.
✅[RFC-4086] Randomness Requirements for Security.
✅[ISO/IEC 24792:2010] Multicast Session Management Protocol (MSMP).
✅[OWASP ASVS] Application Security Verification Standard 4.0.3.
The standard OSI model is divided into seven layers, as shown in Figure 1, and these layers can be grouped into two top-level groups: host layers and media layers. Each layer hosts a vast and multifarious set of protocols, the predominant one being the TCP/IP suite. A set of protocols is used to form end-to-end communication on the internet using the underlying principles of the OSI model.
2.1 A cross-layer triad:
Cross-layer functions work across multiple layers and use the services of each to deliver their own.
2.1.1 Transport Layer:
TCP transports data reliably from a source to a destination point via an end-to-end, connection-oriented service that maintains QoS, whereas UDP transports data via a connectionless service.
2.1.2 Session Layer:
In the client-server model, distributing an application service to the client is the common principle. The protocols X.225 (ISO 8327) and X.235 (ISO 9548-1) are responsible for controlling ports and for establishing, maintaining, transferring data over, streaming over, and terminating sessions between the client and server nodes. Session expiration is handled in two ways: manual termination through logout, and automatic termination through the idle timeout, the session timeout, and the renewal timeout. This layer offers data streaming in three modes: simplex, half-duplex, and full-duplex.
2.1.3 Presentation Layer and Application Layer:
The presentation layer defines the format and the encryption of the data it is given. The application layer acts as the interactive layer between external devices and the human user.
3. A WEB Application Session Management:
3.1 Session management:
The data flow between the two endpoints is synchronized in time, which maintains the session entities. A popular facility provided by the session layer is the application programming interface (API), which is used by NetBIOS, TCP/IP, and RPC. The following services are offered by the session layer. The hierarchy of session management is depicted in Figure 2.
3.1.1 Session Authentication, Authorization, Access policies (AAA):
Authentication and Authorization:
In the client-server model, when a client sends an HTTP request (header and message) via URL parameters, the application server acknowledges it and provides a response to the client. When multiple requests are received from the same client, session management maintains the session information associated with that user once they are authenticated. This covers both the pre-authentication and the post-authentication scenarios. The objective of such requests is to obtain the required resources. In modern application frameworks, an authenticated session generates a session identifier, called a session ID or token, which is used to identify the user. Each application interlinks the pre-authentication, post-authentication, and session functions with appropriate authorization controls enforced by the owner. Less stringent measures on these three functions make any application vulnerable to attack.
Types of Cookies
Sessions are stored in cookies. Cookies are classified into two groups: session cookies and persistent cookies. A session cookie has no expiration date field and is stored in memory, not on disk, whereas a persistent cookie has an expiration date and is stored on disk.
3.1.2 Session Restoration:
Most distributed applications stay up for long durations, and application session failure is inevitable during operation. When it occurs, the session layer uses the session restoration function, which captures snapshots of the live events as a time series and restores the session from the snapshot taken at the timestamp of the failure.
4. Session Analysis and Threat Identification:
The session analysis identifies and analyses the received “A.pcapng” file from the Hexagon corporation and shows how the session is exposed on the web.
4.1 Assessment Tools:
The following commercial and open-source tools have been utilized.
1. Windows 10, 64-bit Microsoft Operating system (OS).
2. Wireshark Packet analyser.
4.2 Wireshark case study:
This globally renowned open-source tool offers extensive functionality such as traffic analysis, packet capturing, sniffing, decrypting traffic, statistics, and more.
4.2.1 IPV4 and TCP Conversation Filter:
Apply the filter using the given command. In total, there are 18 packets.
4.2.2 TCP and HTTP Stream packets:
Apply the stream packet filter.
4.2.3 Checksum and HTTP sequence info:
Use “Expert Information” to extract the notable issues and justify the root cause.
Checksum Error:
Packets with an invalid checksum were reported and deemed invalid.
The packet was corrupted during transfer.
Sequence Error:
We identified suspicious activity: a set of packet sequence numbers was not in continuous order, and it is highly likely that packet retransmission was performed.
A URL passing the username and password was found in cleartext.
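The three findings above (invalid checksum, out-of-order sequence numbers, credentials in a URL) can each be reproduced with a few lines of code. The following Python is an added example, not part of the original article and not derived from the Hexagon capture: it recomputes an IPv4 header checksum the way Wireshark's expert information does, walks one direction of a TCP stream to flag retransmitted and skipped byte ranges, and scans a request URL for credential-bearing query parameters. The addresses, sequence numbers and the URL are constructed sample values, and the list of sensitive parameter names is an assumption.

```python
import struct
from urllib.parse import parse_qs, urlsplit


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words,
    with the stored checksum field (word 5, bytes 10-11) taken as zero."""
    words = struct.unpack("!%dH" % (len(header) // 2), header)
    total = sum(words) - words[5]
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, total_length: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (protocol 6 = TCP) with a correct checksum.
    Used only to construct sample input for this example."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    fmt = "!BBHHHBBH4s4s"   # ver/IHL, DSCP, len, id, flags/frag, TTL, proto, csum, src, dst
    hdr = struct.pack(fmt, 0x45, 0, total_length, 1, 0, ttl, 6, 0, src_b, dst_b)
    return struct.pack(fmt, 0x45, 0, total_length, 1, 0, ttl, 6,
                       ipv4_checksum(hdr), src_b, dst_b)


def ipv4_checksum_ok(header: bytes) -> bool:
    """True when the stored checksum matches the recomputed one; Wireshark's
    'bad checksum' expert note corresponds to this returning False."""
    stored = struct.unpack("!H", header[10:12])[0]
    return stored == ipv4_checksum(header)


def check_tcp_sequence(segments):
    """segments: list of (seq, payload_len) in capture order for ONE direction
    of a TCP stream. Returns (index, kind) findings: 'retransmission' when a
    segment starts before the next expected byte (data already seen), 'gap'
    when it starts after it (bytes skipped). 32-bit wraparound is ignored."""
    findings = []
    expected = None
    for i, (seq, length) in enumerate(segments):
        if expected is not None:
            if seq < expected:
                findings.append((i, "retransmission"))
            elif seq > expected:
                findings.append((i, "gap"))
        nxt = seq + length
        expected = nxt if expected is None else max(expected, nxt)
    return findings


# Assumed list of parameter names that should never travel in a URL.
SENSITIVE_PARAMS = {"username", "user", "password", "pass", "pwd"}


def credentials_in_url(url: str):
    """Names of credential parameters present in the query string, sorted."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(k for k in query if k.lower() in SENSITIVE_PARAMS)


# Constructed sample data (not from the captured file).
SAMPLE_HEADER = build_ipv4_header("10.0.0.1", "10.0.0.2", 60)
SAMPLE_SEGMENTS = [(1000, 100), (1100, 100), (1100, 100), (1300, 50)]
SAMPLE_URL = "http://example.test/login?username=alice&password=hunter2"

if __name__ == "__main__":
    corrupted = bytearray(SAMPLE_HEADER)
    corrupted[8] = 63                        # TTL changed in transit
    print("checksum ok:", ipv4_checksum_ok(SAMPLE_HEADER),
          "corrupted ok:", ipv4_checksum_ok(bytes(corrupted)))
    print("sequence findings:", check_tcp_sequence(SAMPLE_SEGMENTS))
    print("credentials in URL:", credentials_in_url(SAMPLE_URL))
```

The sequence walker only tracks the highest byte seen, so a segment that starts below the expected offset is reported as a retransmission even when it carries new trailing data; that is the same conservative reading Wireshark gives such segments.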
Packet analysis:
4.2.4 HTTP Analysis:
4.3 Summary of Session investigation and attack methodologies:
✓ Microsoft IIS server V.10 was used.
✓ ASP.NET V.4.0.30319 was used.
✓ HTTP response splitting, XSS, DoS, privilege escalation, HTTP request hijacking, and RCE-based CVEs are present for Microsoft IIS V10.
✓ Cache-Control: max-age=0 was used to revalidate each cache entry, and the return code was 302. The server should never copy the same cache. Refer to Figure 6, cache control data.
✓ Cache-Control: private defines that the response can be cached locally on the device.
✓ Open TCP port (80); entropy in/out.
✓ Session open date: 2021-12-22 11:14:42 UTC; session end: 2021-12-22 11:14:53 UTC.
✓ Total number of detected files: 4.
✓ Incorrect timestamp in the HTTP GET/POST headers.
✓ Inadequate session ID length.
✓ The Secure attribute (HTTPS only) was not implemented.
✓ Lack of encryption standards (no encryption, no password masking, no hashing, no salting).
✓ Predictable dictionary words were used as the username and password.
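Several of the findings above (server and framework version disclosure, cache-control on a response that sets a cookie, a short session ID, no Secure attribute) can be checked mechanically from the response headers, and the same parser serves the session/persistent distinction from section 3.1.1 (a cookie is persistent exactly when it carries Expires or Max-Age). The following Python is an added example, not part of the original article: it audits a constructed HTTP response against those findings and shows a hardened response that passes. The raw responses are made-up samples, the cookie name `sid` is an assumption, and the 16-character minimum applies the article's 16-byte figure to the encoded cookie value.

```python
# Constructed weak response modelled on the article's findings (not the real capture).
WEAK_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Cache-Control: private\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "Set-Cookie: sid=abc123; Path=/\r\n"
    "Set-Cookie: remember=1; Expires=Wed, 22 Dec 2021 11:14:42 GMT; Path=/\r\n"
    "\r\n"
)

# Constructed hardened response: no version banners, no-store, flagged 16-byte cookie.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: no-store\r\n"
    "Server: Microsoft-IIS\r\n"
    "Set-Cookie: sid=0123456789abcdef0123456789abcdef; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n"
)

MIN_SESSION_ID_CHARS = 16   # the article's 16-byte minimum, applied to the encoded value


def parse_response(raw: str):
    """Split a raw HTTP response into (status_code, [(lower_name, value), ...]).
    Repeated headers such as Set-Cookie are kept as separate entries."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def classify_cookie(set_cookie: str) -> dict:
    """Parse one Set-Cookie value (RFC 6265 syntax) into name, value and the
    attributes relevant to session security."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return {
        "name": name,
        "value": value,
        "persistent": "expires" in attrs or "max-age" in attrs,   # else a session cookie
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        "samesite": attrs.get("samesite"),
    }


def audit_response(raw: str, session_cookie_name: str = "sid"):
    """Return a list of human-readable findings; an empty list means clean."""
    status, headers = parse_response(raw)
    plain = {n: v for n, v in headers if n != "set-cookie"}
    cookies = [classify_cookie(v) for n, v in headers if n == "set-cookie"]
    findings = []
    if "/" in plain.get("server", ""):
        findings.append("server version disclosed: " + plain["server"])
    if "x-aspnet-version" in plain:
        findings.append("framework version disclosed: " + plain["x-aspnet-version"])
    if cookies and "no-store" not in plain.get("cache-control", "").lower():
        findings.append("response sets cookies but Cache-Control lacks no-store")
    for c in cookies:
        kind = "persistent" if c["persistent"] else "session"
        if not c["secure"]:
            findings.append(f"{kind} cookie {c['name']} lacks Secure")
        if not c["httponly"]:
            findings.append(f"{kind} cookie {c['name']} lacks HttpOnly")
        if c["samesite"] is None:
            findings.append(f"{kind} cookie {c['name']} lacks SameSite")
        if c["name"] == session_cookie_name and len(c["value"]) < MIN_SESSION_ID_CHARS:
            findings.append(f"session ID {c['name']} is only {len(c['value'])} chars")
    return findings


if __name__ == "__main__":
    for line in audit_response(WEAK_RESPONSE):
        print("-", line)
    print("hardened findings:", audit_response(HARDENED_RESPONSE))
```

The audit deliberately treats the absence of `no-store` as a finding whenever a response sets a cookie, which is stricter than the `max-age=0` plus `private` combination seen in the capture: revalidation still leaves the session-bearing response on disk.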
Different Attack techniques:
The following attack techniques can be applied to web session files.
Session ID and Attacks:
The stored session ID is prone to numerous attacks. An attacker can perform brute force, session hijacking, session replay, and privilege escalation to harm the victim. The objective is to obtain privileges and impersonate a legitimate user. The majority of attacks happen post-authentication, such as hijacking an authenticated user's session to steal IDs and passwords; taking advantage of weak integrity checks and of executable commands; session fixation, which assists attackers in stealing valid IDs; and improperly defined access policies and less stringent verification, which lead to cross-site request forgery (CSRF) attacks.
4.4 Recommendations/Mitigations:
The following TTPs can be applied to web session management.
✓ Implement a secure session ID for each individual session.
✓ Configure a minimum session ID length of 16 bytes.
✓ Configure a CSPRNG with at least 8 bytes of entropy to prevent statistical guessing attacks.
✓ Session content should never hold personally identifiable information beyond what is necessary.
✓ Use the latest framework and IIS server versions to avoid exposure to known CVEs.
✓ To protect integrity, use secure cryptographic protocols (HTTPS with TLS 1.2/TLS 1.3) on the web.
✓ Prevent scripts from accessing cookies.
✓ To prevent XSS attacks from intruders, configure a web worker for storage in the web browser.
✓ Perform verification and validation of the session ID.
✓ Configure manual and automatic session expiration, such as the idle, absolute, and renewal timeout values.
✓ To enforce enhanced countermeasures, use JavaScript to set the initial timeout, force expiration of valid sessions, and disable cross-tab cookie sharing.
✓ Increase the scrutiny of session attempt principles.
✓ Restrict users from web directory traversal, object queries, and session tokens; parameterize queries to block SQL injection attacks.
✓ Integrate SAST/DAST testing throughout the CI/CD pipeline activities. Always use the latest application security frameworks.
✓ Develop, monitor, and use encoding techniques on web pages. Refer to the XSS, SQL injection, and CSRF cheat sheets.
✓ Enforce input validation on the server side, because incoming data should be treated as untrusted.
✓ Enforce automated controls, centralized management, analytics, strong authentication, authorization, MFA, and SSO policies.
✓ Enable SIEM controls on the server for security events and compliance.
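The session-ID recommendations above (16-byte CSPRNG identifier, ID format validation, idle/absolute/renewal expiration, cookie attributes that keep scripts away from the token) and the pre-/post-authentication handling from section 3.1.1 fit together in one small server-side session store. The following Python is an added example written for this article, not code from the article or from any framework it names: it issues identifiers with `secrets`, rejects malformed IDs before any lookup, enforces the three timeouts, rotates the ID on login so a pre-authentication ID cannot be fixed onto the authenticated session, and emits the Set-Cookie line with Secure, HttpOnly and SameSite. The timeout values, the cookie name `sid` and the injectable clock are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass

SESSION_ID_BYTES = 16        # the article's 16-byte minimum; every byte comes from the CSPRNG
IDLE_TIMEOUT = 15 * 60       # assumed policy values for this example, not from the article
ABSOLUTE_TIMEOUT = 8 * 3600
RENEWAL_INTERVAL = 10 * 60
_HEX = set("0123456789abcdef")


@dataclass
class Session:
    user: str
    created: float        # for the absolute timeout
    last_seen: float      # for the idle timeout
    last_renewed: float   # for the renewal timeout (ID rotation)


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now           # injectable clock so expiry can be exercised in tests
        self._sessions = {}

    @staticmethod
    def new_id() -> str:
        # secrets.token_hex draws from the OS CSPRNG; 16 bytes -> 32 hex characters
        return secrets.token_hex(SESSION_ID_BYTES)

    @staticmethod
    def valid_id_format(sid) -> bool:
        """Syntactic validation before any lookup: exact length and hex alphabet."""
        return (isinstance(sid, str) and len(sid) == 2 * SESSION_ID_BYTES
                and set(sid) <= _HEX)

    def create(self, user: str) -> str:
        sid = self.new_id()
        t = self._now()
        self._sessions[sid] = Session(user, t, t, t)
        return sid

    def login(self, pre_auth_sid, user: str) -> str:
        """Authentication boundary: discard the pre-auth session and issue a
        fresh ID, so an ID planted before login (session fixation) is useless."""
        self._sessions.pop(pre_auth_sid, None)
        return self.create(user)

    def rotate(self, sid: str) -> str:
        """Move the session under a new ID; the old ID stops working at once."""
        s = self._sessions.pop(sid)
        s.last_renewed = self._now()
        new_sid = self.new_id()
        self._sessions[new_sid] = s
        return new_sid

    def lookup(self, sid):
        """Returns (status, id_to_use). status is one of
        'invalid', 'expired', 'valid', 'renewed' (ID rotated, use the new one)."""
        if not self.valid_id_format(sid) or sid not in self._sessions:
            return "invalid", None
        s = self._sessions[sid]
        t = self._now()
        if t - s.created > ABSOLUTE_TIMEOUT or t - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]
            return "expired", None
        s.last_seen = t
        if t - s.last_renewed > RENEWAL_INTERVAL:
            return "renewed", self.rotate(sid)
        return "valid", sid

    def logout(self, sid) -> None:
        """Manual termination: the server-side record is removed, not just the cookie."""
        self._sessions.pop(sid, None)


def session_cookie(sid: str) -> str:
    """Set-Cookie value: no Expires/Max-Age (session cookie), HTTPS only,
    unreadable from script, and not sent on cross-site requests."""
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create("anonymous")
    sid = store.login(anon, "alice")
    print("Set-Cookie:", session_cookie(sid))
    print("old pre-auth id:", store.lookup(anon), " new id:", store.lookup(sid)[0])
```

The store validates the ID's shape before touching the dictionary, so malformed or oversized values never reach storage, and every expiry path deletes the server-side record rather than relying on the browser to drop the cookie.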
5 Conclusion:
In this assessment, we analysed and explored the different types of attacks and techniques, and provided the required countermeasures to enhance session security.