[Owasp-delhi] Clarifications

Suman Sourav suman.sourav at sellasynergy.com
Thu Dec 10 02:44:16 EST 2009


Hi,

Very powerfully explained!!!

Just to add one note: it is always recommended to keep the idle session timeout as short as possible, especially if the application is dealing with financial transactions.

Bhupendra, I hope these details will suffice to cope with your current scenario.

Regards
Suman

________________________________
From: owasp-delhi-bounces at lists.owasp.org [mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of sushil nehra
Sent: Wednesday, December 09, 2009 11:44 PM
To: owasp-delhi at lists.owasp.org
Subject: Re: [Owasp-delhi] Clarifications

Hi,

I agree with Suman. Session fixation seems to be quite difficult, but for an experienced hacker it is quite easy to demonstrate.

For hijacking any application, information about the session ID of the present session is required, and during the hijacking process and exploitation it is assumed the victim's session remains valid.

Three steps are involved:
Step 1: Prospective victim logs in to the application, say an ERP.

It is as simple as the victim using any type of authentication mechanism, say a password, a digital certificate or a real-time token. Once the user login is successful, this information about the valid session is stored in the session ID.

Step 2: Attacker gets the valid session ID.
The attacker by any means gets the (say 40-byte) session ID; he can do this by sniffing if victim and attacker are on the same network. If they are in different places on the internet, then other vulnerabilities like XSS or others are required.

Step 3: Attacker uses the stolen session ID.
The attacker tries to access a page that can be accessed only after login, but during this process he replaces his own session ID with the stolen session ID. This way he is granted access to the application and can make any changes.


For mitigation
---------------------------
One or more of the following mechanisms can be used:
1. Every page visited after login has the server embed a random token (random number) in the page, and the next request from the client/browser should contain that random number along with the session ID; otherwise the application logs off the user.
(This is done during the development of the application)

2. Use HTTPS with a valid certificate with the application, so that sniffing and man-in-the-middle attacks do not get the session ID.
(Web server - to avoid stealing of the session ID)

3. The application should be free from XSS and related vulnerabilities.
(Application - to avoid stealing of the session ID)

4. Assuming that passwords are sent in encrypted format with challenge-response.
(Application)

5. Even if the attacker gets the session ID, he will not be able to use it if random tokens are used in designing the application (see point 1 above).

Note: The screen saver does not protect the valid session from hijacking, as the attacker is not going to use your PC for the attack. He only needs some time to hijack and wants a fair amount of time to do his tricks. So always log off critical applications like financial ones once you have used them, and do not open another mail or non-trusted site in another browser tab.

Best practice: Use one type of browser (e.g. Firefox) for financial applications like banking etc. and never use it for other surfing, and use another browser (say IE) for general surfing.



--
regards

Sushil Kumar Nehra
98710 62353

"When the wind of change blows, some people build walls and few build Windmills - Attitude matters .. always"
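As an added illustration of mitigation point 1 above (a per-page random token that must accompany the session ID, with the user logged off on mismatch), of Suman's regenerate-on-login advice against session fixation, and of his short idle timeout: this is example code written for this thread, not from any list member or product. It assumes an in-memory store and a 15-minute idle timeout; the session IDs and user names are constructed sample values.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # assumption: a 15-minute idle timeout, kept short as Suman advises


class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}  # sid -> {"user", "token", "last_seen"}
        self._clock = clock  # injectable so the idle timeout can be exercised offline

    def login(self, pre_login_sid, user):
        """Fixation defence: drop any ID that existed before login and issue a fresh one."""
        self._sessions.pop(pre_login_sid, None)
        sid, token = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "token": token, "last_seen": self._clock()}
        return sid, token

    def request(self, sid, token):
        """Validate a post-login request; returns (user, next_token) or None.
        An unknown ID, an idle session or a wrong/stale page token destroys the
        session (the 'logoff' in point 1) so neither party can use it again."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        expired = now - sess["last_seen"] > IDLE_TIMEOUT
        if expired or not secrets.compare_digest(sess["token"], token):
            del self._sessions[sid]
            return None
        sess["token"] = secrets.token_urlsafe(32)  # rotate: every page carries a new token
        sess["last_seen"] = now
        return sess["user"], sess["token"]


def hijack_demo():
    """Stolen session ID replayed with an old page token: rejected, victim logged off."""
    store = SessionStore()
    sid, tok = store.login("id-set-before-login", "victim")  # constructed sample values
    fixation_blocked = sid != "id-set-before-login"
    user, tok2 = store.request(sid, tok)  # legitimate page load rotates the token
    replay_rejected = store.request(sid, tok) is None  # attacker presents the stale token
    victim_logged_off = store.request(sid, tok2) is None  # session is gone for everyone
    return fixation_blocked, user, replay_rejected, victim_logged_off


def idle_timeout_demo():
    clock = [0.0]
    store = SessionStore(clock=lambda: clock[0])
    sid, tok = store.login(None, "victim")
    clock[0] += IDLE_TIMEOUT + 1  # victim walks away from the desktop
    return store.request(sid, tok) is None
```

Note that a rejected replay also logs the legitimate user off, which is the cost of point 1 and why the stolen ID is useless only as long as the attacker cannot also read the current page.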




On Tue, Dec 8, 2009 at 5:14 PM, Suman Sourav <suman.sourav at sellasynergy.com> wrote:
Hi Bhupendra,

If the application is vulnerable to session fixation, then exploitation is possible in your given scenario; though it is tough, it's possible. Please visit http://www.owasp.org/index.php/Session_Fixation for more details about this vulnerability and protection against it. Check first whether your application is vulnerable or not.

Regards

Suman
Senior Associate-Application Security
________________________________
From: owasp-delhi-bounces at lists.owasp.org [mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Kumar, Bhupendra.
Sent: Tuesday, December 08, 2009 4:39 PM
To: 'owasp-delhi at lists.owasp.org'
Subject: [Owasp-delhi] Clarifications


Hi All,

Can anyone please explain the threats present in a specific scenario as explained below:

A user has logged on to a certain ERP application to carry out some transactions. The ERP application has been configured for automatic logoff after a prolonged idle time of 2 hrs. However, the desktop is set to get locked after an idle time of 5 minutes.
After an idle time of 5 minutes when the desktop is locked, can anyone from remote misuse/hack the logged-in ERP application/session and carry out unauthorised activities? If yes, how? And what are the ways to protect from such a scenario?

Thanks for all your support and coordination.

Warm Regards,

Bhupendra Kumar
Tel.: +91-124-2349456



This Message was sent from Indian Oil Messaging Gateway, New Delhi, India. The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments.




E-mails from Sella Synergy India Private Ltd are sent in good faith and do not entail any commitment nor create obligations for Sella Synergy India Private Ltd itself, unless expressly provided for by a prior agreement.
This e-mail is confidential. If you have received it by mistake, please notify the sender by e-mail and destroy its contents. We also inform you that unauthorised use of the message or its attachments may constitute an offence.
Thank you for your cooperation.

E-mails from Sella Synergy India Private Ltd are sent in good faith but they are neither binding on Sella Synergy India Private Ltd nor to be understood as creating any obligation on its part except where provided for in an agreement.
This e-mail is confidential. If you have received it by mistake, please inform the sender by reply e-mail and delete it from your system. Please also note that the unauthorized disclosure or use of the message or any attachments could be an offence.
Thank you for your cooperation.

_______________________________________________
Owasp-delhi mailing list
Owasp-delhi at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-delhi
