Educause Security Discussion mailing list archives

Re: ASP Session ID Reuse


From: Brian Reilly <reillyb () GEORGETOWN EDU>
Date: Tue, 10 Feb 2009 20:54:59 -0500

Hi Neil,

Does the application use ASPSESSIONID to keep session state?  If it's
merely set by the web server but not actually used to keep state (and
other properly-managed cookies are used for state), then the risk is
significantly reduced.  However, if ASPSESSIONID is used for session
management, then I'd agree that what you describe is a very bad idea
and is an application vulnerability.  The application should re-set a
new sessionID value upon successful login, and clear the cookie value
in the client and invalidate it at the server upon logout.

Additional best practices to protect sessionIDs include:

1) Ensure the application isn't vulnerable to session fixation
2) Ensure that adequate entropy and cookie length is used during
sessionID creation (more of an issue when rolling your own than with
vetted app platforms)
3) Set the 'Secure' flag on all cookies if the application only uses HTTPS
4) Set the 'HTTPOnly' flag on all cookies if client-side script does
not need to access them (if script access to cookies *is* required,
that should be fixed as well, then the HTTPOnly flag should be set.)
(And just about everything else in the OWASP Session Management guide.)

--Brian


On Tue, Feb 10, 2009 at 7:40 PM, Neil Matatall <nmatatal () uci edu> wrote:
Hello All,

While pen testing a vendor ASP application, we found that the session ID
cookies are reused by default.  I feel that I must be missing something
here.  Isn't this a bad idea?  Under OWASP's "Things To Do" section on
session management:

"For all applications, session tokens should be regenerated after a change
in user privilege." - this applies to a user who is unauthenticated that
becomes authenticated and vice versa, correct?

Assuming your cookies are safe, the following exploit still exists

Login as User1
Copy the ASPSESSIONID* cookie name and value
Log out
Login as a User2
On a different computer (or browser), create the cookie with the previous
information.
Visit the application and you will see that you are logged in as User2

http://support.microsoft.com/kb/899918 actually discourages removing the
session id cookie values!  What are you doing to protect your ASP session
IDs?


Neil

Note: this is not an ASP.Net application, just plain old ASP.  This is my
first experience with ASP :P
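Added example, not code from the thread or from the vendor application: a Python stand-in for the session handling Brian's reply asks for (fresh ID on login, server-side invalidation on logout, CSPRNG-sized tokens, Secure and HttpOnly flags), placed next to a store that behaves the way Neil describes, so Neil's copy-the-cookie test and a session-fixation test can be run against both. The cookie name SESSIONID, the class and function names, and the sample user names are assumptions for illustration; the ASP KB article's behaviour is only modelled, not reproduced.

```python
import secrets
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "SESSIONID"   # assumed name; the vendor app used ASPSESSIONID*
TOKEN_BYTES = 32            # 256 bits from the OS CSPRNG (Brian's item 2)
IDLE_TIMEOUT = 30 * 60      # seconds of inactivity before a session dies


class ReusingSessionStore:
    """Models what Neil found: one token per browser, re-bound on each login, never invalidated."""

    def __init__(self):
        self._sessions = {}  # token -> {"user": str | None, "last_seen": float}

    def create(self):
        """Anonymous session issued on the first visit."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[token] = {"user": None, "last_seen": time.time()}
        return token

    def lookup(self, token):
        sess = self._sessions.get(token)
        if sess is None or time.time() - sess["last_seen"] > IDLE_TIMEOUT:
            self._sessions.pop(token, None)
            return None
        sess["last_seen"] = time.time()
        return sess

    def login(self, token, user):
        # Weak: the same token is valid before and after the privilege change.
        self._sessions.setdefault(token, {"last_seen": time.time()})["user"] = user
        return token

    def logout(self, token):
        # Weak: only the user binding goes; token stays valid, cookie stays in the browser.
        if token in self._sessions:
            self._sessions[token]["user"] = None


class RotatingSessionStore(ReusingSessionStore):
    """Hardened per Brian's reply: new token on login, record deleted on logout."""

    def login(self, token, user):
        self._sessions.pop(token, None)  # pre-auth value can never be used again
        new_token = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[new_token] = {"user": user, "last_seen": time.time()}
        return new_token

    def logout(self, token):
        self._sessions.pop(token, None)


def set_cookie_header(token, https_only=True):
    """Set-Cookie value with HttpOnly (item 4) and, on HTTPS-only sites, Secure (item 3)."""
    c = SimpleCookie()
    c[COOKIE_NAME] = token
    c[COOKIE_NAME]["path"] = "/"
    c[COOKIE_NAME]["httponly"] = True
    if https_only:
        c[COOKIE_NAME]["secure"] = True
    return c.output(header="").strip()


def clear_cookie_header():
    """Set-Cookie value that removes the session cookie from the client on logout."""
    c = SimpleCookie()
    c[COOKIE_NAME] = ""
    c[COOKIE_NAME]["path"] = "/"
    c[COOKIE_NAME]["max-age"] = 0
    return c.output(header="").strip()


def replay_after_logout(store):
    """Neil's steps. Returns the user the copied cookie resolves to, or None."""
    browser = store.create()            # first visit: anonymous session
    browser = store.login(browser, "user1")
    stolen = browser                    # attacker copies the cookie value
    store.logout(browser)
    if store.lookup(browser) is None:   # hardened app cleared it: new anon session
        browser = store.create()
    store.login(browser, "user2")       # user2 logs in from the same browser
    hit = store.lookup(stolen)          # attacker presents the copy elsewhere
    return hit["user"] if hit else None


def session_fixation(store):
    """Brian's item 1: attacker plants a token, victim logs in with it, attacker presents it."""
    planted = store.create()
    store.login(planted, "victim")
    hit = store.lookup(planted)
    return hit["user"] if hit else None


if __name__ == "__main__":
    for store in (ReusingSessionStore(), RotatingSessionStore()):
        print(type(store).__name__, replay_after_logout(store), session_fixation(store))
    print(set_cookie_header("example-token"), "|", clear_cookie_header())
```

Run as a script: the reusing store reports user2 for the replay and victim for the fixation case, the rotating store reports None for both. The Set-Cookie helper is there because the flags are only half the story; the rotation and the server-side delete in the store are what make a copied cookie worthless, and clearing the cookie on the client (the part KB 899918 argues against for plain ASP) is then a hygiene measure rather than the security control.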
