[Esapi-user] [OWASP-ESAPI] ESAPI Encryptor

Ed Schaller schallee at darkmist.net
Sat Jan 16 10:55:26 EST 2010


> Personally, I would make sure that your developers are aware of and
> mitigating against HTTP Session _Fixation_ attacks (see
> http://www.owasp.org/index.php/Session_Fixation). With today's
> app servers, this is much more likely to be a problem than is
> HTTP Session _Prediction_ (see
> http://www.owasp.org/index.php/Session_Prediction) which most
> vendors have already addresses.

On a completely unrelated note to crypto part, I did some analysis a
few months ago on the servlet spec and it's requirements toward session
state management and specifically toward session fixation which surprised
me. I'll dig up the specifics if someone would like.

The gist is that the servlet spec is vague at best and there is no
requirement that the tracking token (eg: JSESSION) be changed at login,
logout or even HttpSession#invalidate(). I know of no implementation
that doesn't at least change the token when invalidate() is called
but it appears completely possible that a naive, yet fully conformant,
implementation wouldn't.

To muddy the waters further, the spec does require that session state
before login be maintained after login. If you set a session attribute
before login it will still be there after login. This further leads to
session fixation issues in the naive implementation as the easiest way
to accomplish this is to not do a thing;) A better implementation would
be to change the session tracking token without changing the actually
session object which should prevent fixation and meet the spec.

Such vagueness would seem a fertile ground for security issues. I
would have tried to get some clarification in the 3.0 (thanks for the
inspiration and your push for HTTPOnly Jeff) but it was too late.

>>>------>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
Url : https://lists.owasp.org/pipermail/esapi-user/attachments/20100116/f0141ca5/attachment.bin 


More information about the Esapi-user mailing list