WebApp Sec mailing list archives

RE: IIS 5.0 Session Hijacking Question


From: "Jones, Chris" <CJones () SierraPine com>
Date: Tue, 23 Sep 2003 08:40:17 -0700

Please excuse me if I am in error, I am not a security officer, I am just a
programmer who is now the IS Admin for my branch of the tree.

One of your questions is how to:

My final question is relating to a suggestion by one of the security
professionals from the web cast who suggested that the only way to know if
data has been modified in transit, is to use a keyed hash function. However
I cannot work out how this would work. The thing I cannot understand is
that if a "normal" user uses the application, when they submit a form it
WILL come back looking different if they have entered/modified data. So I
cannot work out how the keyed hash function would be of any benefit in
determining if the data was tampered with or not.

I believe this can be done in MS_WIN with ASP, or other I am not sure, by
sending encrypted code from your server to the client and then having the
client section of the page decrypt the information.  If someone screws with
the information in transit your hash algorithm on the client side would not
be able to understand the modified information and should present errors to
the client saying ("@#%@#%") or some other vernacular.  By keying your HASH
algorithm, you can tell if anything has been altered.

It seems to make sense to me anyway.  Not very hard to do and you could
create a script file for the code to separate it from the page.
Unfortunately, I don't think this would be a very good solution.  You cannot
hide your client code from the end user, so they would have access to the
decryption information in your script.  Obviously not a good solution, but
it does satisfy what you are trying to do and in certain circumstances, it
may come in handy.

If you really wanted to get techie, you could create a DLL or ActiveX that
does all the work of decrypting the page on the client for you and this way
no one could get your code until they hacked your DLL or ActiveX (much more
difficult than an HTML page, but not impossible).

As to the other direction, why couldn't you have your page transmit HASHED
dialog to the server and have the server decrypt it there.  Same diff just a
little more complicated.  I would for sure use the ActiveX or DLL to do it
though.

Cjones 
DBA / IS Admin


-----Original Message-----
From: Robin Fordham [mailto:rfordham () bha com] 
Sent: Tuesday, September 23, 2003 6:04 AM
To: webappsec () securityfocus com
Subject: IIS 5.0 Session Hijacking Question

Hi.
I hope this is the right place to direct this kind of question, if not
please let me know where I should direct it to. Thanks...

I recently participated in a web cast about web security and it mentioned
free tools available that allowed you to aggressively test your web apps.
The one that I am currently using is Paros3.0.

I used it to successfully hijack a session on an app that I am building, but
only because I logged in twice, first as an administrator-type user and
second as a read-only user and so could see both session IDs, allowing me to
swap them around to perform the session hijack. Does this still mean my app
is not secure "enough"?

My main question is, is it possible for an intruder to be able to obtain a
list of session IDs present on the (Win2000sp4 - IIS5.0) server? Or would
they have to try brute force to guess the session ID? If brute force is the
only option, is it safe to say, based on the OWASP recommendations (which I
have been following religiously), that an application that bases its user
permissions on a session value is secure "enough"?

I am not using any hidden form fields or query string values to denote a
user's ID or permission level, only a session memory cookie. This is what I
believe to be the most secure way of managing sessions, as then the only way
to bypass this is to use a tool like Paros to intercept the data transmitted
and grab the session ID being sent from the browser's memory. The application
is running on an SSL encrypted connection so is it possible for an intruder
to still be able to see the data being transmitted using a tool like Paros?

My final question is relating to a suggestion by one of the security
professionals from the web cast who suggested that the only way to know if
data has been modified in transit, is to use a keyed hash function. However
I cannot work out how this would work. The thing I cannot understand is that
if a "normal" user uses the application, when they submit a form it WILL
come back looking different if they have entered/modified data. So I cannot
work out how the keyed hash function would be of any benefit in determining
if the data was tampered with or not.

I've been visiting OWASP regularly and have been very impressed with the
content. Learning about security has totally changed the way I develop and I
consider myself as being more knowledgeable than the average web developer.
It's just the few issues I have mentioned above which I am stuck on. I
realize that they are very specific questions and that this discussion forum
is of a more generic nature, but if you could help answer some of them, or
even point me in the right direction to someone else that might be able to
help, it would be most appreciated.

Regards

Robin Fordham
Web Developer


The information contained in this e-mail is intended solely for the
addressee and as such is confidential and may legally be privileged. If you
are not the intended recipient, any disclosure, copying, distribution or
publishing of this information in any form is expressly prohibited and may
be unlawful. For more information about BHA, visit our website at
http://www.bha.com
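The keyed-hash question raised in the original post (and taken up in the reply above) is easiest to see in running code. The following is an added example written for this archive page; it is not code from either poster and it is not the ASP application under discussion, so it is written in Python rather than VBScript. The idea it shows is that the keyed hash (an HMAC) is not computed over everything the user submits. It is computed, with a key that exists only on the server, over the values the server itself placed in the page and the browser must not change, such as a hidden user ID or role. Fields the user is meant to edit are left out of the MAC, so a legitimately edited form still verifies, while a changed protected field or a MAC recomputed without the server key does not. Field names, the key value and the sample form are all constructed for the example; the user-editable fields still need ordinary server-side validation, which this code does not attempt.

```python
import hashlib
import hmac
import urllib.parse

# Constructed example key. A real deployment loads this from server-side
# configuration; it is never embedded in the page or sent to the browser.
SERVER_KEY = b"example-server-only-key-do-not-ship"

# Names of the fields the server fills in and the browser must not change.
PROTECTED_FIELDS = ("user_id", "role")


def canonicalize(fields):
    """Serialize the protected fields in a fixed order so the MAC does not
    depend on the order in which the browser happens to send them."""
    return urllib.parse.urlencode(sorted(fields.items())).encode("utf-8")


def sign_fields(fields, key=SERVER_KEY):
    """HMAC-SHA256 over the protected fields; only the key holder can produce it."""
    return hmac.new(key, canonicalize(fields), hashlib.sha256).hexdigest()


def issue_form(user_id, role, key=SERVER_KEY):
    """Server side: build the form values sent to the browser. The free-text
    'comment' field is left for the user to fill in and is deliberately not
    covered by the MAC."""
    protected = {"user_id": user_id, "role": role}
    form = dict(protected)
    form["comment"] = ""
    form["mac"] = sign_fields(protected, key)
    return form


def verify_submission(form, key=SERVER_KEY):
    """Server side: recompute the MAC over the protected fields of the
    submitted form and compare in constant time. Returns True only if the
    protected fields are exactly what the server originally issued."""
    try:
        protected = {name: form[name] for name in PROTECTED_FIELDS}
        received_mac = form["mac"]
    except KeyError:
        return False  # a protected field or the MAC itself is missing
    return hmac.compare_digest(sign_fields(protected, key), received_mac)


def demo():
    """Walk through the three cases the thread asks about and return the
    verification result of each."""
    # 1. A legitimate user edits the comment: the MAC still checks out,
    #    because user-editable input is not part of what the MAC covers.
    legit = issue_form("42", "readonly")
    legit["comment"] = "please reset my password"
    ok_edit = verify_submission(legit)

    # 2. A protected field is changed in transit: the MAC no longer matches.
    tampered = issue_form("42", "readonly")
    tampered["role"] = "admin"
    ok_tamper = verify_submission(tampered)

    # 3. The MAC is recomputed with a guessed key: fails, because the
    #    server's key is never present in the page.
    forged = {"user_id": "42", "role": "admin", "comment": ""}
    forged["mac"] = sign_fields({"user_id": "42", "role": "admin"}, b"guessed-key")
    ok_forge = verify_submission(forged)

    return ok_edit, ok_tamper, ok_forge


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Two design points matter for the scheme to hold up: the key lives only on the server (a client-side script or ActiveX control that decrypts or verifies would have to carry the key, and anything shipped to the browser can be read), and the comparison uses `hmac.compare_digest` rather than `==` so that verification time does not leak how many leading characters of a guessed MAC were right.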

