Re: Predefined Post Authentication Session ID Vulnerability

[Gökhan Muharremoğlu <gokhan.muharremoglu () iosec org>]

This article explains how this vulnerability works with Session Fixation attack.
https://www.owasp.org/index.php/Testing_for_Session_Fixation_(OWASP-SM-003)

> From: gokhan.muharremoglu () iosec org
> To: full-disclosure () lists grok org uk
> Date: Wed, 11 Jul 2012 11:34:11 +0300
> Subject: [Full-disclosure] Predefined Post Authentication Session ID  Vulnerability
>
> Vulnerability Name: Predefined Post Authentication Session ID Vulnerability 
> Type: Improper Session Handling
> Impact: Session Hijacking
> Level: Medium
> Date: 10.07.2012
> Vendor: Vendor-neutral
> Issuer: Gokhan Muharremoglu
> E-mail: gokhan.muharremoglu () iosec org
>
>
> VULNERABILITY
> If a web application starts a session and defines a session id before a user
> authenticated, this session id must be changed after a successful
> authentication. If web application uses the same session id before and after
> authentication, any legitimate user who has gained the "before
> authentication" session id can hijack future "after authentication" sessions
> too. 
>
>
> Vulnerable Login Page & Session ID before Authentication
> (Status-Line)   HTTP/1.1 200 OK
> Server  Apache/2.2.3 (CentOS)
> Set-Cookie      PHPSESSID=8usd2oeo11a8cod9q3lnev9je2; path=/
> Expires Thu, 19 Nov 1981 08:52:00 GMT
> Cache-Control   no-store, no-cache, must-revalidate, post-check=0,
> pre-check=0
> Pragma  no-cache
> Content-Type    text/html
> Content-Length  308
> Date    Tue, 10 Jul 2012 06:16:57 GMT
> X-Varnish       1922993981
> Age     0
> Via     1.1 varnish
> Connection      keep-alive
>
>
> Vulnerable Login Page & Authentication Request
> (Request-Line)  POST /iosec_login_vulnerable.php HTTP/1.1
> Host    www.iosec.org
> User-Agent      Mozilla/5.0 (Windows; U; Windows NT 6.0; tr; rv:1.9.2.25)
> Gecko/20111212 Firefox/3.6.25 ( .NET CLR 3.5.30729; .NET4.0E)
> Accept  text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language tr-tr,tr;q=0.8,en-us;q=0.5,en;q=0.3
> Accept-Encoding gzip,deflate
> Accept-Charset  ISO-8859-9,utf-8;q=0.7,*;q=0.7
> Keep-Alive      115
> Connection      keep-alive
> Referer  http://www.iosec.org/iosec_login_vulnerable.php
> Cookie  PHPSESSID=8usd2oeo11a8cod9q3lnev9je2
> Content-Type    application/x-www-form-urlencoded
> Content-Length  42
> POST DATA
> user    gokhan
> pass    muharremoglu
> submit  Login
>
>
> Vulnerable Login Page & Session ID after Authentication
>  (Status-Line)  HTTP/1.1 200 OK
> Server  Apache/2.2.3 (CentOS)
> Set-Cookie      PHPSESSID=8usd2oeo11a8cod9q3lnev9je2; path=/
> Expires Thu, 19 Nov 1981 08:52:00 GMT
> Cache-Control   no-store, no-cache, must-revalidate, post-check=0,
> pre-check=0
> Pragma  no-cache
> Content-Type    text/html
> Content-Length  308
> Date    Tue, 10 Jul 2012 06:16:57 GMT
> X-Varnish       1922993981
> Age     0
> Via     1.1 varnish
> Connection      keep-alive
>
>
> MITIGATION
> To avoid this vulnerability, sessions must be regenerated after a successful
> login. In a session fixation attack, attacker fixates (sets) another
> person's (victim's) session identifier because of "never regenerated and
> validated" session id and this vulnerability can also lead to the Session
> Fixation attack.              
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/