
Session Management Security and Applied Reverse Benchmarking - Tom Stracener, Sr. Security Analyst, Cenzic Inc.


Presentation Transcript


  1. November 2007. Session Management Security and Applied Reverse Benchmarking - Tom Stracener, Sr. Security Analyst, Cenzic Inc.

  2. Agenda
      • Security Statistics
      • Application Layer Basics
      • Session Management Vulnerability Types
      • Session Poisoning as a research area
      • Reverse Benchmarking as applied to session management testing methods
      • Q&A
      Cenzic Confidential

  3. Web Vulnerabilities (Source: Cenzic Q3 Application Trends Report)

  4. Web Vulnerabilities by Major Type (Source: Cenzic Q3 Application Trends Report)

  5. Web Browser Vulnerabilities (Source: Cenzic Q3 Application Trends Report)

  6. Percentage of Applications by Vulnerability (Source: Cenzic Q3 Application Trends Report – Cenzic ClickToSecure Managed Services)

  7. Incidents by Category (Source: Cenzic Q3 Application Trends Report)

  8. Incidents by Sector (Source: Cenzic Q3 Application Trends Report)

  9. Vulnerability by Class (Source: Cenzic Q3 Application Trends Report)

  10. Anatomy of a web application (Single Factor Session Management)
      • UI Layer (Browser Logic): Web Browser, JavaScript, Java, DOM, HTML/DHTML, Cookies, Plug-Ins/API
      • Communication Layer (Protocol Layer): HTTP, SSL, HTTP-S, Digital Signatures, Authentication, Certificates
      • Server and Middleware (Session Management): Web Server SW/HW, Java, .NET, ASP, J2EE, PHP
      • Data Layer: File System, Databases, XML, SSI, Raw Data, CSS/XSL
      • Custom Applications: CGI, JavaScript, VB Script, C/C++, PHP/LAMP

  11. Session Mgmt Overview
      • HTTP is a stateless protocol.
      • A Session identifies a user with a persistent (but changing) state within the application.
      • Web Applications must track and maintain state for a user across application boundaries over time.
      • 99% of all session management mechanisms offer single-factor protection and were not designed for security.

  12. Session Mgmt Overview
      • Types of session management mechanisms
        • Cookies (RFC 2109)
        • HTML Hidden Field Values
        • URL Tokens
          Ex. http://eBiz/Cart/checkout.php?session_id=2006011617415164.60.123.42&pid=&cat_id=&attrib

  13. 3 Challenges of Session Mgmt Security
      1. Web Applications must maintain state securely
         User session data must individuate one user from another so that state information does not overlap, for the purpose of enforcing proper user privileges and roles.
         Ex. User 2Pac (registered user), 50Cent (Admin), Master P (anonymous) have access to different pages and functions within the application.

  14. 3 Challenges of Session Mgmt Security
      2. Distributed Components within Web Applications must share user session information securely
         User session data must be shared and validated by application components that process user requests and information associated with a user.
         Ex. Shopping Cart (Add/remove items), Wish List (Add/Remove items), Checkout & Transaction (SSL), Confirmation of Order (SSL), Receipt (SSL)

  15. 3 Challenges of Session Mgmt Security
      3. State maintaining mechanisms must handle state transitions securely as the user moves between functional hierarchies.
         As the user’s privilege level changes within the application, state tracking must securely handle these transitions without data leaks or exposures.
         Ex. Spot (anonymous) authenticates and adds several items to his wishlist (registered) and then makes a purchase (SSL-cart) by selecting an item and performing the transaction (SSL-cart). The transaction details are stored in Spot’s purchase history (SSL-cart).

  16. Misconceptions Regarding Session Security
      • “Our Sessions are Secure”
      • “There really aren’t any exploits”
      • “Our Session IDs aren’t predictable so we are safe.”

  17. Cookie Security Flaws
      Types of Cookie Security Flaws
      • Cookie Theft/Hijacking (single factor attack)
      • Cookie Tampering
      • Cross-Site Cooking (Cookie Based Session Fixation)
      • Cookie Persistence and Expiration

  18. Cookie Security Flaws
      Types of Session ID Flaws
      • Session Hijacking (single factor attack)
      • Session Replay Attacks\Expiration
      • Session Tampering\Prediction
      • Session Poisoning (New)

  19. Session Vulnerabilities and Examples
      • Insecure Session Teardown/Session Timeout
        The Session IDs used during a session are not removed following termination or inactivity of a session, allowing the Session IDs to be reused by an attacker to access the previous user’s session. (non-concurrent attack)

        S1 ........... S1 ........... L1 ........... S1
        T1 ........... T2 ........... T3 ........... T4
        Reuse of S1 following Logout L1

  20. Session Vulnerabilities and Examples
      • Session Replay Attacks
        Session information persistently stored by an intermediate server or application is reused to access a user’s session.
        • Caching Proxies
        • Web Proxies\Reverse Proxies
        • Internet Gateways
        • Logging Servers/Webtrends, etc.
        URL-based Session IDs can be cached in web logs and Proxy Servers, and logged in HTTP Referrer Fields. A Session replay attack involves using these credentials to gain access to the application and take over an existing session.

  21. Session Vulnerabilities and Examples
      • Session ID Prediction
        Generating Sequential Session IDs is dangerous, as an attacker can predict the next value and take over a concurrent session. Using static information like the date and IP addresses in Session IDs can allow an attacker to analyze and break down the session ID, making it easier to brute force valid session tokens.
        /Cart/checkout.php?session_id=2006011617415164.60.123.42&pid=&cat_id=&attrib
        /Cart/checkout.php?session_id=2006011617416164.60.123.42&pid=&cat_id=&attrib
        /Cart/checkout.php?session_id=2006011617417164.60.123.42&pid=&cat_id=&attrib
        /Cart/checkout.php?session_id=2006011617418164.60.123.42&pid=&cat_id=&attrib
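The structure the slide points at (a date stamp, then the client's IP address, advancing in a constant step) is something a session-mechanism audit can test for mechanically. The Python below is an added example, not part of the presentation: it takes the four checkout.php session IDs from the slide as its input, reports which of the three weaknesses they exhibit, and contrasts them with tokens drawn from the OS CSPRNG. The 12-digit YYYYMMDDHHMM prefix and the plausible year range are assumptions of this example.

```python
import re
import secrets
from datetime import datetime

# The four session IDs from the slide's checkout.php URLs (the only input this example needs).
WEAK_IDS = [
    "2006011617415164.60.123.42",
    "2006011617416164.60.123.42",
    "2006011617417164.60.123.42",
    "2006011617418164.60.123.42",
]

IPV4_SUFFIX = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}$")   # trailing client address, e.g. 64.60.123.42
LEADING_DIGITS = re.compile(r"\d+")

def looks_like_timestamp(token):
    """True if the token opens with a plausible YYYYMMDDHHMM stamp (the slide's 200601161741 prefix)."""
    try:
        stamp = datetime.strptime(token[:12], "%Y%m%d%H%M")
    except ValueError:
        return False
    return 1995 <= stamp.year <= 2100            # assumed plausible range for a live application

def sequential_deltas(tokens):
    """Differences between the leading numeric runs of consecutive tokens; [] if any token has none."""
    runs = []
    for token in tokens:
        match = LEADING_DIGITS.match(token)
        if match is None:
            return []
        runs.append(int(match.group()))
    return [b - a for a, b in zip(runs, runs[1:])]

def analyze(tokens):
    """Report the three weaknesses the slide describes: date prefix, IP suffix, constant step between IDs."""
    deltas = sequential_deltas(tokens)
    constant = len(deltas) > 0 and len(set(deltas)) == 1
    return {
        "timestamp_prefix": all(looks_like_timestamp(t) for t in tokens),
        "ip_suffix": all(IPV4_SUFFIX.search(t) is not None for t in tokens),
        "constant_step": constant,
        "step": deltas[0] if constant else None,
    }

def strong_ids(count):
    """Tokens from the OS CSPRNG (what a session mechanism should issue); analyze() flags none of them."""
    return [secrets.token_hex(16) for _ in range(count)]
```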

  22. Session Vulnerabilities and Examples
      • Session ID Prediction (Example)

  23. Session Vulnerabilities and Examples
      • Session Hijacking
        Attacker submits a concurrent request with a valid session ID for a current user and gains access to their web session. The attack can involve combinations of other attacks to capture a live Session ID, or could capture unencrypted Session Tokens from the LAN.
        • Brute Force attacks against Session IDs.
        • Local Sniffer-based attacks
        • Cookie Reuse.
        • URL Session ID Harvesting/logging via proxy or XSS.

  24. Session Vulnerabilities and Examples
      • Session Fixation
        Attacker fixes the user’s session ID prior to authentication, so that the Session ID supplied by the attacker is used by the application. Depends upon the application trusting the session ID supplied by the client. The ability to generate or predict Session IDs that are valid for the Session Token syntax makes the attack more likely to succeed.
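The server-side rules that close both the teardown flaw of slide 19 and the fixation flaw of slide 24 are the same small set: accept only IDs the server itself issued, rotate the ID when the privilege level changes, and forget it on logout or idle timeout. The session store below is an added example, not Cenzic's code; the 15-minute idle limit and the injectable clock are assumptions made for the example.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60   # seconds of inactivity before a session is torn down (assumed policy value)

class SessionStore:
    """Server-side session table. The browser only ever holds an opaque ID the server generated."""

    def __init__(self, clock=time.time):
        self._clock = clock              # injectable so tests can move time forward
        self._sessions = {}              # session_id -> {"user": name or None, "last_seen": epoch seconds}

    def start(self):
        """Issue a fresh anonymous session, e.g. on the first visit to the cart (slide 15's 'Spot')."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def lookup(self, sid):
        """Return the record for a server-issued, non-expired ID. Anything else, including a value the
        client made up and the server never issued, gets None, which stops fixation at the first request."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if self._clock() - rec["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]      # teardown on inactivity, not only on explicit logout
            return None
        rec["last_seen"] = self._clock()
        return rec

    def login(self, sid, user):
        """Called after credentials were verified. The pre-auth ID is retired and a new one issued, so an
        ID anyone could have known before authentication never becomes an authenticated one."""
        new_sid = self.start()
        self._sessions[new_sid]["user"] = user
        self._sessions.pop(sid, None)
        return new_sid

    def logout(self, sid):
        """Teardown: S1 is forgotten at L1, so the T4 reuse on slide 19 is rejected."""
        self._sessions.pop(sid, None)

    def user_for(self, sid):
        """Convenience: the authenticated user behind an ID, or None for anonymous/unknown/expired."""
        rec = self.lookup(sid)
        return rec["user"] if rec else None
```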

  25. Session Vulnerabilities and Examples
      • Session ID Poisoning (New Research Area)
        Attacker appends arbitrary data to a user’s session ID, resulting in potentially unsafe content being propagated via the Session ID mechanism. Depends upon whether the application sanitizes the session ID.
        • Session_id=ghzdkfl11020003<script>maliciouscontent<script>

  26. Hailstorm Overview
      • Session Poisoning Attack Example
        http://www.internet.com/forums/viewtopic.php?p=36660&sid=15170326da8f83631f59d120a6dea3f8<script>alert(document.cookie)</script>
      Characteristics of the attack
      • Malicious Content “Piggybacks” on a session ID
      • Content is innocuous to the attacked application
      • Malicious Content logged by intermediaries
      • Malicious Content executed (reflected) by an intermediary (e.g. a web proxy server).

  27. Hailstorm Overview
      • Session Poisoning Attack Example
      Characteristics of the attack
      • Malicious Content “Piggybacks” on a session ID
      • Content is innocuous to the attacked application
      • Malicious Content logged by intermediaries
      • Malicious Content executed (reflected) by an intermediary (e.g. a web proxy server).

  28. Versions of PHP are vulnerable when used in conjunction with software that relies on PHP Session Management mechanisms.
      • Verified on Apache/2.0.55 (Win32) PHP/5.1.2
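A defender-side check for the poisoning pattern of slides 25 to 28, added here as an example and not part of the presentation or of Hailstorm: the application accepts a sid only if it matches the exact syntax it issues, and the same rule is run over the access logs that intermediaries keep, which is where the slides say the piggybacked content ends up. The 32-lowercase-hex PHP session ID format and the Apache-style log lines (carrying the sid from slide 26) are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed issued format: PHP's default session ID of the era, 32 lowercase hex characters (as in slide 26).
PHP_SID = re.compile(r"^[0-9a-f]{32}$")

def validate_sid(raw):
    """Return the sid only if it has exactly the syntax the application issues; anything else is discarded."""
    if raw is None:
        return None
    return raw if PHP_SID.fullmatch(raw) else None

# Constructed Apache combined-log lines, not real traffic. The second request carries the slide's poisoned sid.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2007:10:01:02 +0000] "GET /forums/viewtopic.php?p=36660&sid=15170326da8f83631f59d120a6dea3f8 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.9 - - [12/Nov/2007:10:01:07 +0000] "GET /forums/viewtopic.php?p=36660&sid=15170326da8f83631f59d120a6dea3f8%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.9 - - [12/Nov/2007:10:01:09 +0000] "GET /forums/index.php HTTP/1.1" 200 800 "-" "Mozilla/4.0"
"""

# client, ident, user, [timestamp], "METHOD target PROTOCOL" ... (only the fields this check needs are captured)
REQUEST = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

def poisoned_requests(log_text):
    """Return (client_ip, timestamp, offending_sid) for every request whose sid fails validate_sid."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for sid in query.get("sid", []):          # percent-decoded, so %3C is seen as '<'
            if validate_sid(sid) is None:
                hits.append((m["ip"], m["ts"], sid))
    return hits
```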

  29. Reverse Benchmarking & Session Management Security Testing Procedures (A scanner darkly)

  30. Analyzing Application Security Scanners
      • Security Assessment Methods and Quality-based Criteria
        • Functionality (Black vs White Box)
        • Ergonomics & Usability
        • Performance
        • Feature Sets
        • Bling
        • Accuracy
        • False Positive Rates, i.e. Signal to Noise

  31. Analyzing Application Security Scanners
      • Benchmarking Concepts
        • Benchmarking black box scanners is ultimately a systematic comparison
        • The most common Benchmarking technique is ‘positive’ or ‘comparative’ benchmarking
        • The goal is to see which scanner does the best against a selected application

  32. Positive and Negative Accuracy concepts: Detection Metrics Matrix

  33. What is Reverse Benchmarking?
      • It’s a type of passive Reverse Engineering.
      • Taxonomic understanding of False Positives
      • Causes Massive False Positives
      • Understanding vulnerability detection methods
      • Think of it as Detection Logic Fuzzing
      • Exposes poor coding, faulty detection logic
      • Reveals Security Testing design flaws
      • Confuses Stateless Testing Mechanisms

  34. Rationale for Reverse Benchmarking
      • Most of the Common False Positive Types have been around since 1999-2000
      • Most testing mechanisms are entirely stateless and have evolved little
      • Very little is known about False Positives, as a science
      • There are no taxonomies or Top 10 lists for Common False Positive Types

  35. Reverse Benchmark Target → Web Application Scanner (diagram)
      • Enumerates and Categorizes False Positive Types
      • Reveals Vacuous or Meaningless results
      • Reveals Semantic flaws in vulnerability Categorization
      • Reveals systemic flaws in application spider technology

  36. Positive and Negative Accuracy concepts: Detection Metrics Matrix

  37. Positive and Negative Accuracy concepts: Detection Metrics Matrix

  38. Positive and Negative Accuracy concepts: Detection Metrics Matrix

  39. Hailstorm Overview
      • Reverse Benchmarking Example
        • 4 page test target
        • Generated over 57,000 False Positives.

  40. Session Hijacking SmartAttack

  41. Session Hijacking SmartAttack

  42. Reverse Benchmarking Methodology
      • Active False Positive Solicitation and Reverse Fault Injection via a sample web application.
      • The reverse benchmarking target can be used to model a production application, thereby decreasing the semantic gap between triggered false positives and false positives found within the production environment.

  43. Reverse Benchmarking Goals
      • The goal of Reverse Benchmarking is not to malign vendors, but to aid the security community and help developers avoid the same mistakes with each new generation of technology.
      • Systematically performed, Reverse Benchmarking can help security practitioners learn to quickly distinguish false positives from valid security issues, as they will learn the conditions under which the technology they are using fails.
      • Based on the type of trigger that elicits the false positive, a taxonomy of false positive types can be developed. A set of common causes or contributing factors for each type can be outlined.

  44. Common Causes of False Positives
      • Out of Session Faults
        • Detection of session management security issues under the mistaken assumption that a session exists when in fact it does not, or the scanner has lost state with the application.
        (Diagram labels: In Session parameters; In Session Progression; Stateless Progression)

  45. Common Causes of False Positives
      • Partial Match Problems
        • Detection strings may be a subset of existing content and triggered by the presence of unrelated words or elements within the HTML or DOM.
        Ex. GET /search.pl~bak → 200 OK (July 2007)

  46. Parameter Echoing
      • Parameter values may be echoed back in places within a web application, and this can trigger false positives.

        <TEXTAREA rows=3 cols=100>
        <?php
        // get the form data
        $field1 = $_POST['comments'];
        // Echo the value of the comments parameter
        echo "Backacha Biatch: $field1";
        ?>
        </TEXTAREA>

  47. Mistaken Identity
      • Some security tests look for vulnerability conditions so general that the vulnerability reported must be disambiguated in order to be verified.
      • Many types of PHP forum software, Calendars and Blogs reuse a common code base and so have overlapping URIs and application responses.
        (Diagram: GET /search.pl, with the signatures Alibaba Search Overflow, Paul’s Search SQL InjXn, YABB Search.pl XSS)

  48. Semantic Ambiguity
      • Signature-based detection often relies on signatures that are generic and thus are neither necessary nor sufficient for the vulnerability to be present.
        Ex. signature: [Microsoft][ODBC SQL Server Driver]
      • Many false positives arise because the vulnerability is more complex than the vulnerability conditions checked for by the signatures.

  49. Response Timing
      • Slow, unresponsive, or delayed server-side processing can trigger security checks that are timing dependent.
      • Some SQL injection tests use a wait_for_delay expression and measure the timing.

  50. Custom 404 Pages
      • Simple file scanning routines and other security tests will trigger erroneously in the presence of custom 404 pages.
      • Some signatures are based on 302 Redirects
        Ex. GET /search.pl~bak → 302 → 200
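One way a scanner avoids the custom-404 and partial-match false positives of slides 45 and 50 is to fingerprint the site's answer to a path that cannot exist before believing any 200 OK or 302. The Python below is an added example, not Hailstorm's detection logic; the in-memory SITE table, its page bodies and the 0.9 similarity threshold are constructed for the example, and both the 200-with-error-page and the 302 variants from the slides are covered.

```python
import difflib
import secrets

# Constructed stand-in for a web server: path -> (status, body). Nothing on the network is touched.
CUSTOM_404 = "<html><body><h1>Sorry, that page could not be found</h1><p>Try the site search instead.</p></body></html>"
SITE = {
    "/search.pl": (200, "<html><body><form action='/search.pl'><input name='q'>Search the forum</form></body></html>"),
    "/old.bak": (200, "<?php // constructed leftover backup file for the example ?>"),
}

def fetch(path):
    """Site with a 'friendly' error page: every unknown path answers 200 OK with the custom 404 body."""
    return SITE.get(path, (200, CUSTOM_404))

def fetch_redirecting(path):
    """Variant from slide 50: unknown paths answer 302 to the error page instead of 200."""
    return SITE.get(path, (302, "Location: /notfound.html"))

def naive_backup_check(path, fetch_fn=fetch):
    """The stateless signature: any 200 OK means the backup file is present. Fires on every custom-404 site."""
    status, _ = fetch_fn(path)
    return status == 200

def baseline_backup_check(path, fetch_fn=fetch, threshold=0.9):
    """Fingerprint a path that cannot exist, then report only responses that differ from that baseline."""
    probe = "/" + secrets.token_hex(8) + "~bak"  # random, so it collides with no real file
    base_status, base_body = fetch_fn(probe)
    status, body = fetch_fn(path)
    if status != base_status:
        return True                                # e.g. 200 where the baseline answered 302
    similarity = difflib.SequenceMatcher(None, base_body, body).ratio()
    return similarity < threshold                  # same status but a genuinely different page
```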
