November 2007

Session Management Security and Applied Reverse Benchmarking - Tom Stracener, Sr. Security Analyst, Cenzic Inc.

Agenda
  • Security Statistics
  • Application Layer Basics
  • Session Management Vulnerability Types
  • Session Poisoning as a research area
  • Reverse Benchmarking as applied to session management testing methods
  • Q&A

Cenzic Confidential

web vulnerabilities
Web Vulnerabilities

Source: Cenzic Q3 Application Trends Report

Web vulnerabilities by Major Type

Source: Cenzic Q3 Application Trends Report

Web Browser Vulnerabilities

Source: Cenzic Q3 Application Trends Report

Percentage of Applications by Vulnerability

Source: Cenzic Q3 Application Trends Report – Cenzic ClickToSecure Managed Services

Incidents by Category

Source: Cenzic Q3 Application Trends Report

Incidents by Sector

Source: Cenzic Q3 Application Trends Report

Vulnerability by Class

Source: Cenzic Q3 Application Trends Report

Anatomy of a web application

Single Factor Session Management

  • UI Layer (Browser Logic): Web Browser, JavaScript, Java, DOM, HTML/DHTML, Cookies, Plug-Ins/API
  • Communication Layer (Protocol Layer): Digital Signatures, HTTP, SSL, HTTP-S, Authentication, Certificates
  • Server and Middleware (Session Management): Web Server SW/HW, Java, .NET, ASP, J2EE, PHP
  • Data Layer: File System, Databases, XML, SSI, Raw Data, CSS/XSL
  • Custom Applications: CGI, JavaScript, VB Script, C/C++, PHP/LAMP

Session Mgmt Overview
  • HTTP is a stateless protocol.
  • A Session identifies a user with a persistent (but changing) state within the application.
  • Web Applications must track and maintain state for a user across application boundaries over time.
  • 99% of all session management mechanisms offer single-factor protection and were not designed for security.

Session Mgmt Overview
  • Types of session management mechanisms
    • Cookies (RFC 2109,
    • HTML Hidden Field Values
    • URL Tokens
    • Ex. http://eBiz/Cart/checkout.php?session_id=2006011617415164.60.123.42&pid=&cat_id=&attrib

3 Challenges of Session Mgmt Security
1. Web Applications must maintain state securely

User session data must individuate one user from another so that state information does not overlap, for the purpose of enforcing proper user privileges and roles.

Ex. User 2Pac (registered user), 50Cent (Admin), Master P (anonymous) have access to different pages and functions within the application.

3 Challenges of Session Mgmt Security

2. Distributed Components within Web Applications must share user session information securely

User session data must be shared and validated by application components that process user requests and information associated with a user.

Ex. Shopping Cart (Add/remove items), Wish List (Add/Remove items), Checkout & Transaction (SSL), Confirmation of Order (SSL), Receipt (SSL)

3 Challenges of Session Mgmt Security

3. State-maintaining mechanisms must handle state transitions securely as the user moves between functional hierarchies.

As the user’s privilege level changes within the application, state tracking must securely handle these transitions without data leaks or exposures.

Ex. Spot (anonymous) authenticates and adds several items to his wishlist (registered) and then makes a purchase (SSL-cart) by selecting an item and performing the transaction (SSL-cart). The transaction details are stored in Spot’s purchase history (SSL-cart).

Misconceptions Regarding Session Security
  • “Our Sessions are Secure”
  • “There really aren’t any exploits”
  • “Our Session IDs aren’t predictable so we are safe.”

Cookie Security Flaws

Types of Cookie Security Flaws
  • Cookie Theft/Hijacking (single factor attack)
  • Cookie Tampering
  • Cross-Site Cooking (Cookie Based Session Fixation)
  • Cookie Persistence and Expiration

Cookie Security Flaws

Types of Session ID Flaws
  • Session Hijacking (single factor attack)
  • Session Replay Attacks\Expiration
  • Session Tampering\Prediction
  • Session Poisoning (New)

Session Vulnerabilities and Examples
  • Insecure Session Teardown/Session Timeout

The Session IDs used during a session are not removed following termination or inactivity of a session, allowing the Session IDs to be reused by an attacker to access the previous user’s session. (non-concurrent attack)

  T1: S1 ………… T2: S1 ………… T3: L1 (logout) ………… T4: S1 (reused)

Reuse of S1 following Logout L1

Session Vulnerabilities and Examples
  • Session Replay Attacks

Session information persistently stored by an intermediate server or application is reused to access a user’s session.

  • Caching Proxies
  • Web Proxies\Reverse Proxies
  • Internet Gateways
  • Logging Servers/Webtrends, etc.

URL-based Session IDs can be cached in web logs and proxy servers, or logged in HTTP Referer fields. A session replay attack uses these credentials to gain access to the application and take over an existing session.

Session Vulnerabilities and Examples
  • Session ID Prediction

Generating Sequential Session IDs is dangerous, as an attacker can predict the next value and take over a concurrent session.

Using static information like the date and IP address in Session IDs can allow an attacker to analyze and break down the session ID, making it easier to brute-force valid session tokens.

/Cart/checkout.php?session_id=2006011617415164.60.123.42&pid=&cat_id=&attrib

/Cart/checkout.php?session_id=2006011617416164.60.123.42&pid=&cat_id=&attrib

/Cart/checkout.php?session_id=2006011617417164.60.123.42&pid=&cat_id=&attrib

/Cart/checkout.php?session_id=2006011617418164.60.123.42&pid=&cat_id=&attrib
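Added example (not code from the slides): a small Python analyzer that takes a handful of session IDs like the four above and reports what makes them predictable: which character positions actually vary, whether the varying part simply counts upward, how many bits of variation the sample exercises, and whether a date prefix or a dotted-quad IP address is embedded. The sample IDs are the ones on this slide; the function and field names are my own.

```python
import math
import re
from typing import Dict, List, Optional

# Sample taken from the slide above: four checkout session IDs issued in a row.
SAMPLE_IDS = [
    "2006011617415164.60.123.42",
    "2006011617416164.60.123.42",
    "2006011617417164.60.123.42",
    "2006011617418164.60.123.42",
]

# YYYYMMDD at the start of the token (years 1900-2099).
DATE_PREFIX = re.compile(r"^(19|20)\d{2}(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])")
# Dotted quad anywhere in the token. When the address is glued to other digits
# (as above) the left boundary is ambiguous, so only the tail is reliable.
DOTTED_QUAD = re.compile(r"(\d{1,3}\.){3}\d{1,3}")


def varying_positions(ids: List[str]) -> List[int]:
    """Character positions whose value differs somewhere in the sample."""
    width = len(ids[0])
    if any(len(i) != width for i in ids):
        raise ValueError("session IDs differ in length; align them first")
    return [p for p in range(width) if len({i[p] for i in ids}) > 1]


def is_sequential(ids: List[str], positions: List[int]) -> bool:
    """True when the varying characters, read as one integer, step by one."""
    if not positions:
        return False
    parts = ["".join(i[p] for p in positions) for i in ids]
    if not all(part.isdigit() for part in parts):
        return False
    values = [int(part) for part in parts]
    return all(b - a == 1 for a, b in zip(values, values[1:]))


def observed_entropy_bits(ids: List[str], positions: List[int]) -> float:
    """log2 of the distinct values seen in the varying part: an upper bound on
    the randomness this sample exercises. A sound token varies at nearly every
    position; here a single decimal digit carries all the variation."""
    distinct = {"".join(i[p] for p in positions) for i in ids}
    return math.log2(len(distinct)) if distinct else 0.0


def embedded_ip(token: str) -> Optional[str]:
    """Return a dotted quad with every octet in range, or None."""
    for m in DOTTED_QUAD.finditer(token):
        if all(int(o) <= 255 for o in m.group(0).split(".")):
            return m.group(0)
    return None


def analyze(ids: List[str]) -> Dict[str, object]:
    pos = varying_positions(ids)
    first = ids[0]
    return {
        "length": len(first),
        "varying_positions": pos,
        "sequential": is_sequential(ids, pos),
        "observed_entropy_bits": observed_entropy_bits(ids, pos),
        "date_prefix": DATE_PREFIX.match(first) is not None,
        "embedded_ip": embedded_ip(first),
    }
```

Run `analyze(SAMPLE_IDS)` to see that only position 12 varies, that it counts 5, 6, 7, 8, and that the sample shows 2 bits of variation inside a 26-character token.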

Session Vulnerabilities and Examples
  • Session ID Prediction (Example)

Session Vulnerabilities and Examples
  • Session Hijacking

Attacker submits a concurrent request with a valid session ID for a current user and gains access to their web session. The attack can involve combinations of other attacks to capture a live Session ID, or could capture unencrypted Session Tokens from the LAN.

  • Brute Force attacks against Session IDs.
  • Local Sniffer-based attacks
  • Cookie Reuse.
  • URL Session ID Harvesting/logging via proxy or XSS.

Session Vulnerabilities and Examples
  • Session Fixation

Attacker fixes the user’s session ID prior to authentication, so that the Session ID supplied by the attacker is used by the application.

Depends upon the application trusting the session ID supplied by the client. The ability to generate or predict Session IDs that are valid for the Session Token syntax makes the attack more likely to succeed.

Session Vulnerabilities and Examples
  • Session ID Poisoning (New Research Area)

Attacker appends arbitrary data to a user’s session ID, resulting in potentially unsafe content being propagated via the Session ID mechanism.

Depends upon the application sanitizing the session ID.

  • Session_id=ghzdkfl11020003<script>maliciouscontent<script>

Hailstorm Overview
  • Session Poisoning Attack Example

http://www.internet.com/forums/viewtopic.php?p=36660&sid=15170326da8f83631f59d120a6dea3f8<script>alert(document.cookie)</script>

Characteristics of the attack

  • Malicious Content “Piggybacks” on a session ID
  • Content is innocuous to the attacked application
  • Malicious Content logged by intermediaries
  • Malicious Content executed (reflected) by an intermediary (e.g. a web proxy server).

Versions of PHP are vulnerable when used in conjunction with software that relies on PHP Session Management mechanisms.
  • Verified on Apache/2.0.55 (Win32) PHP/5.1.2

Reverse Benchmarking & Session Management Security Testing Procedures.

(A scanner darkly)

Analyzing Application Security Scanners
  • Security Assessment Methods and Quality-based Criteria
    • Functionality (Black vs White Box)
    • Ergonomics & Usability
    • Performance
    • Feature Sets
    • Bling
    • Accuracy
    • False Positive Rates, i.e. signal-to-noise ratio

Analyzing Application Security Scanners
  • Benchmarking Concepts
    • Benchmarking black box scanners is ultimately a systematic comparison
    • Most common Benchmarking technique is ‘positive’ or ‘comparative’ benchmarking
    • The goal is to see which scanner does the best against a selected application

Positive and Negative Accuracy concepts

Detection Metrics Matrix

What is Reverse Benchmarking?
  • It’s a type of passive Reverse Engineering.
  • Taxonomic understanding of False Positives
  • Causes Massive False Positives
  • Understanding vulnerability detection methods
  • Think of it as Detection Logic Fuzzing
  • Exposes poor coding, faulty detection logic
  • Reveals Security Testing design flaws
  • Confuses Stateless Testing Mechanisms

Rationale for Reverse Benchmarking
  • Most of the Common False Positive Types have been around since 1999-2000
  • Most testing mechanisms are entirely stateless and have evolved little
  • Very little is known about False Positives, as a science
  • There are no taxonomies or Top 10 lists for Common False Positive Types


Reverse Benchmark Target → Web Application Scanner
  • Enumerates and Categorizes False Positive Types
  • Reveals Vacuous or Meaningless results
  • Reveals Semantic flaws in vulnerability Categorization
  • Reveals systemic flaws in application spider technology

Hailstorm Overview
  • Reverse Benchmarking Example
    • 4 page test target
    • Generated over 57,000 False Positives.

Reverse Benchmarking Methodology
  • Active False Positive Solicitation and Reverse Fault Injection via a sample web application.
  • Reverse benchmarking target can be used to model a production application, thereby decreasing the semantic gap between triggered false positives and false positives found within the production environment

Reverse Benchmarking Goals
  • The goal of Reverse Benchmarking is not to malign vendors, but to aid the security community and help developers avoid the same mistakes with each new generation of technology
  • Systematically performed, Reverse Benchmarking can help security practitioners learn to quickly distinguish false positives from valid security issues, as they will learn the conditions under which the technology they are using fails.
  • Based on the type of trigger that elicits the false positive, a taxonomy of false positive types can be developed. A set of common causes or contributing factors for each type can be outlined.

Common Causes of False Positives
  • Out of Session Faults
    • Detection of session management security issues under the mistaken assumption that a session exists when in fact it does not, or the scanner has lost state with the application.

(Diagram: In Session parameters / In Session Progression vs. Stateless Progression)

Common Causes of False Positives
  • Partial Match Problems
    • Detection strings may be a subset of existing content and triggered by the presence of unrelated words or elements within the HTML or DOM

Ex. GET /search.pl~bak → 200 OK (page content: July 2007)


Parameter Echoing

  • Parameter values may be echoed back in places within a web application, and this can trigger false positives.

    <TEXTAREA rows=3 cols=100>
    <?php
    // get the form data
    $field1 = $_POST['comments'];
    // Echo the value of the comments parameter back verbatim (unescaped),
    // so whatever probe string a scanner submits reappears in the response
    echo "Backacha Biatch: $field1";
    ?>
    </TEXTAREA>


Mistaken Identity

  • Some security tests look for vulnerability conditions so general that the vulnerability reported must be disambiguated in order to be verified.
  • Many types of PHP forum software, Calendars, Blogs reuse a common code base and so have overlapping URIs and application responses

Ex. one request, GET /search.pl, matches three unrelated signatures: Alibaba Search Overflow, Paul’s Search SQL Injection, YABB Search.pl XSS

Semantic Ambiguity
  • Signature-based detection often relies on signatures that are generic and thus neither necessary nor sufficient for the vulnerability to be present.

[Microsoft][ODBC SQL Server Driver]

Many false positives arise because the vulnerability is more complex than the vulnerability conditions checked for by the signatures.

Response Timing
      • Slow, unresponsive, or delayed server-side processing can trigger security checks that are timing dependent

Some SQL injection tests use a wait_for_delay expression and measure the timing.

Custom 404 Pages
  • Simple file scanning routines and other security tests will trigger erroneously in the presence of custom 404 pages.
  • Some signatures are based on 302 Redirects

GET /search.pl~bak → 302 → 200
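Added example (not from the slides): a Python file-existence check that avoids the custom 404 and 302-redirect false positives described above by first requesting a path that cannot exist, so the scanner learns how this host answers "not found" and compares the probe against that baseline. The three fake servers are constructed stand-ins for the behaviours on the slide; names and thresholds are my own.

```python
import difflib
import secrets
from typing import Callable, Tuple

Response = Tuple[int, str]            # (HTTP status, body)
Fetch = Callable[[str], Response]     # how the scanner issues a GET for a path


def not_found_baseline(fetch: Fetch) -> Tuple[str, Response]:
    """Request a path that cannot exist to learn the host's 'not found' shape."""
    path = f"/{secrets.token_hex(8)}.nonexistent"
    return path, fetch(path)


def file_exists(fetch: Fetch, path: str, threshold: float = 0.9) -> bool:
    """True only when the probe response differs from the baseline: a 404 or a
    redirect is never a hit, and a 200 whose body matches the custom 404 page
    (after removing the echoed path) is the custom 404 page, not the file."""
    base_path, (base_status, base_body) = not_found_baseline(fetch)
    status, body = fetch(path)
    if status == 404 or status in (301, 302, 303, 307, 308):
        return False
    if status != base_status:
        return status == 200
    # Same status as the baseline. Custom 404 pages usually echo the requested
    # path, so strip both paths before measuring how alike the bodies are.
    a = base_body.replace(base_path, "")
    b = body.replace(path, "")
    similarity = difflib.SequenceMatcher(None, a, b).ratio()
    return similarity < threshold


# Constructed servers reproducing the behaviours on the slide.
def custom_404_server(path: str) -> Response:
    """Every unknown path gets a friendly page with status 200."""
    if path == "/search.pl":
        return 200, "<html><form action='/search.pl'>search</form></html>"
    return 200, f"<html>Sorry, {path} was not found. Try our search page.</html>"


def redirecting_server(path: str) -> Response:
    """Unknown paths are answered with a 302 to the home page."""
    if path == "/search.pl":
        return 200, "<html><form action='/search.pl'>search</form></html>"
    return 302, ""


def leaky_server(path: str) -> Response:
    """Same custom 404 page, but the backup copy of the script really exists."""
    if path == "/search.pl~bak":
        return 200, "#!/usr/bin/perl\nmy $dsn = 'dbi:mysql:shop';  # placeholder\n"
    return custom_404_server(path)
```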

Creating a Reverse Benchmark target
    • Nature of the target will depend on your goals as a researcher

Reverse Engineering

  • Emphasis on exposing as much of the signature base and rule set as possible without inspecting datafiles or code. Clear generic cases that will likely impact the largest portion of the rule base
  • Focus on generic trigger signatures, including those of available open source scanners (e.g. use of Nikto detection strings in response data).

Creating a Reverse Benchmark target
    • Nature of the target will depend on your goals as a researcher

Bakeoffs/Comparisons

  • Emphasis on exposing false positives or signature flaws of all varieties, including the uncommon or esoteric. Use of non-standard or overly difficult application configuration to stress test the scanner.
  • Focus on unusual or non-standard trigger signatures, e.g. a JavaScript or Flash road test

Open Reverse Benchmarking Project

Backatcha Roadtest Results Overview
  • Took 4 popular blackbox web application security scanners
  • Ran their default policies against the target reverse benchmarking application
  • Put the results into high level buckets
  • Generated a few graphs with the results

Out of 4 scanners, 1 scanner generated 92% of the false positive volume
  • Roughly 9000 false positives total
  • 3 other scanners came in at 2%, 2% and 4%.
  • In terms of numbers, our 3 page application generated 180, 180, and 360 false positives in the remaining scanners

Further Research
  • Improve reverse benchmarking target
  • Add more tests
  • Improve testing methodology
  • Test with more scanners
  • Partner with OWASP
    • Help develop Reverse Benchmarking Module for SiteGenerator

Hailstorm Overview
  • SmartAttack Library provides for robust testing and analysis of Session Security
  • Session Management SmartAttacks target a wide range of Session-Based vulnerabilities:
    • Session Hijacking
    • Privilege Escalation
    • Authorization Boundary

Privilege Escalation SmartAttack
  • The SmartAttack gathers session credentials from a previous user and injects them into a more privileged user’s session. Pages accessible only by the privileged user should not be accessible using the gathered session credentials if the sessions are maintained correctly.

Session Expiration
  • The SmartAttack gathers session credentials from a previous user and injects them into a different session once the first user logs out. Pages accessible with these credentials are vulnerable to session id/cookie reuse-based attacks.

Authorization Boundary
  • The SmartAttack takes an application traversal by a previous user and attempts to access pages restricted to that user by suppressing session credentials. Tests for authentication/authorization boundaries within an application, and also detects fail open bugs in session management.
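Added example, not the slides' own code or Hailstorm's: a Python model of an application's session layer with three switches, each reproducing one flaw, and the three checks that the Privilege Escalation, Session Expiration and Authorization Boundary SmartAttacks described above perform, written as plain functions that return the pages wrongly reachable. Page names, roles and session IDs are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed model: each page and the role it requires.
ROLE_OF_PAGE = {"/cart": "user", "/wishlist": "user", "/admin/users": "admin"}
RANK = {"anonymous": 0, "user": 1, "admin": 2}


@dataclass
class SessionLayer:
    """Three switches reproduce the flaws the three checks look for."""
    invalidate_on_logout: bool = True   # False: session ID stays valid after logout
    trust_client_role: bool = False     # True: authorize on a client-supplied role
    fail_open: bool = False             # True: requests with no session get 200
    sessions: Dict[str, str] = field(default_factory=dict)  # sid -> role
    issued: int = 0

    def login(self, role: str) -> str:
        self.issued += 1
        sid = f"sid-{self.issued}"      # placeholder id, not a real token scheme
        self.sessions[sid] = role
        return sid

    def logout(self, sid: str) -> None:
        if self.invalidate_on_logout:
            self.sessions.pop(sid, None)

    def get(self, page: str, sid: Optional[str],
            claimed_role: Optional[str] = None) -> int:
        """Return the HTTP status the page would answer with."""
        if sid is None:
            return 200 if self.fail_open else 403
        role = self.sessions.get(sid, "anonymous")
        if self.trust_client_role and claimed_role:
            role = claimed_role             # the bug: client overrides server state
        return 200 if RANK[role] >= RANK[ROLE_OF_PAGE[page]] else 403


def session_expiration_check(app: SessionLayer) -> List[str]:
    """Reuse a user's credentials after that user has logged out."""
    sid = app.login("user")
    app.logout(sid)
    return [p for p in ROLE_OF_PAGE if app.get(p, sid) == 200]


def privilege_escalation_check(app: SessionLayer) -> List[str]:
    """Replay an admin's traversal with an ordinary user's session credentials."""
    admin = app.login("admin")
    admin_pages = [p for p in ROLE_OF_PAGE
                   if ROLE_OF_PAGE[p] == "admin" and app.get(p, admin, "admin") == 200]
    user = app.login("user")
    return [p for p in admin_pages if app.get(p, user, "admin") == 200]


def authorization_boundary_check(app: SessionLayer) -> List[str]:
    """Replay a user's traversal with the session credentials suppressed."""
    sid = app.login("user")
    visited = [p for p in ROLE_OF_PAGE if app.get(p, sid) == 200]
    return [p for p in visited if app.get(p, None) == 200]
```

With all switches at their defaults each check returns an empty list; flipping one switch makes exactly the matching check report pages.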

Thank You for Your Time!
  • Tom Stracener
  • For more info: tom@cenzic.com or 1-866-4-CENZIC (1-866-423-6942)

Questions & Answers
