| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 11 Jul 2012 22:20:12 +0000
From: Gökhan Muharremoğlu
<gokhan.muharremoglu@...ec.org>
To: <gokhan.muharremoglu@...ec.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Predefined Post Authentication Session
ID Vulnerability
This article explains how this vulnerability works with Session Fixation attack.
https://www.owasp.org/index.php/Testing_for_Session_Fixation_(OWASP-SM-003)
> From: gokhan.muharremoglu@...ec.org
> To: full-disclosure@...ts.grok.org.uk
> Date: Wed, 11 Jul 2012 11:34:11 +0300
> Subject: [Full-disclosure] Predefined Post Authentication Session ID Vulnerability
>
> Vulnerability Name: Predefined Post Authentication Session ID Vulnerability
> Type: Improper Session Handling
> Impact: Session Hijacking
> Level: Medium
> Date: 10.07.2012
> Vendor: Vendor-neutral
> Issuer: Gokhan Muharremoglu
> E-mail: gokhan.muharremoglu@...ec.org
>
>
> VULNERABILITY
> If a web application starts a session and defines a session id before a user
> authenticated, this session id must be changed after a successful
> authentication. If web application uses the same session id before and after
> authentication, any legitimate user who has gained the "before
> authentication" session id can hijack future "after authentication" sessions
> too.
>
>
> Vulnerable Login Page & Session ID before Authentication
> (Status-Line) HTTP/1.1 200 OK
> Server Apache/2.2.3 (CentOS)
> Set-Cookie PHPSESSID=8usd2oeo11a8cod9q3lnev9je2; path=/
> Expires Thu, 19 Nov 1981 08:52:00 GMT
> Cache-Control no-store, no-cache, must-revalidate, post-check=0,
> pre-check=0
> Pragma no-cache
> Content-Type text/html
> Content-Length 308
> Date Tue, 10 Jul 2012 06:16:57 GMT
> X-Varnish 1922993981
> Age 0
> Via 1.1 varnish
> Connection keep-alive
>
>
> Vulnerable Login Page & Authentication Request
> (Request-Line) POST /iosec_login_vulnerable.php HTTP/1.1
> Host www.iosec.org
> User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.0; tr; rv:1.9.2.25)
> Gecko/20111212 Firefox/3.6.25 ( .NET CLR 3.5.30729; .NET4.0E)
> Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language tr-tr,tr;q=0.8,en-us;q=0.5,en;q=0.3
> Accept-Encoding gzip,deflate
> Accept-Charset ISO-8859-9,utf-8;q=0.7,*;q=0.7
> Keep-Alive 115
> Connection keep-alive
> Referer http://www.iosec.org/iosec_login_vulnerable.php
> Cookie PHPSESSID=8usd2oeo11a8cod9q3lnev9je2
> Content-Type application/x-www-form-urlencoded
> Content-Length 42
> POST DATA
> user gokhan
> pass muharremoglu
> submit Login
>
>
> Vulnerable Login Page & Session ID after Authentication
> (Status-Line) HTTP/1.1 200 OK
> Server Apache/2.2.3 (CentOS)
> Set-Cookie PHPSESSID=8usd2oeo11a8cod9q3lnev9je2; path=/
> Expires Thu, 19 Nov 1981 08:52:00 GMT
> Cache-Control no-store, no-cache, must-revalidate, post-check=0,
> pre-check=0
> Pragma no-cache
> Content-Type text/html
> Content-Length 308
> Date Tue, 10 Jul 2012 06:16:57 GMT
> X-Varnish 1922993981
> Age 0
> Via 1.1 varnish
> Connection keep-alive
>
>
> MITIGATION
> To avoid this vulnerability, sessions must be regenerated after a successful
> login. In a session fixation attack, attacker fixates (sets) another
> person's (victim's) session identifier because of "never regenerated and
> validated" session id and this vulnerability can also lead to the Session
> Fixation attack.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists