Bugtraq mailing list archives

[MIS CDS - NST Advisory 001] Possible session hijacking with websites using middleware products


From: MIS-NST <nst () MIS-CDS COM>
Date: Tue, 21 Nov 2000 19:40:34 +0000

Hi All,

Please see the attached security advisory.

Regards,

Network Security Team.
MIS Corporate Defence Solutions Limited

Tel:  +44 (0)1622 723400 (Switchboard)
Fax:  +44 (0)1622 728580
Website: http://www.mis-cds.com/


Do you want to know more about Hacking?

MIS is offering an Applied Hacking Course to assist clients in identifying and managing their risks more effectively. 
The course involves a hands on security workshop, showing systems administrators and network security staff exactly how 
exploits and attacks are launched. A mock corporate network will also be deployed, and a 'capture the flag' exercise 
allows the attendees to use their attack and penetration skills in a live environment.

For more information regarding this offering, please download the Applied Hacking Course White Paper from -

http://www.mis-cds.com/services/spirit/test/wp-applied-hacking.pdf

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

            MIS Corporate Defence Solutions - NST Advisory (001)

           Possible session hijacking with website implementations
                          using middleware products.

                                                        Written:  13/11/00
                                                        Revised:  20/11/00
                                                       Released:  21/11/00

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Systems affected:
-----------------

Any web systems / farms utilising middleware software to help run all or
parts of their website using some form of session id tokens that are stored
within the URL.

Affected:
---------

Users that visit websites that are affected (see above).

Vendor status:
--------------

N/A - no single vendor.

However, BroadVision was contacted about this issue and they are aware of
this problem. They are currently implementing changes and recommendations for
their customers as you read.

Overview:
---------

There are a number of companies that utilise middleware software within
their websites / farms, due to the "all-in-one" nature of the packages on
offer. Some of the features (not naming all of them) allow a company to
track users' browsing and buying habits throughout their site, tailor
content depending on the visitor, and produce real-time analytic reports.

This issue seems not to be publicised and from conversations we have had
with people at the software houses, they seem to be sweeping this under the
carpet and changing their systems on the quiet.

Issue:
------

BroadVision will be used as our example middleware product because it is the
one we have been using for testing. An example site of www.site.com
utilising BroadVision software passes the parameters required for
identification into JavaServer Pages (.jsp) that display site content and
run any back-end commands / applications that may be required. We assume
from here on that www.site.com is an e-commerce site and a service provider of
some sort.

When a user views a site that uses BroadVision, the Session ID and Engine ID
used to display content are present within the URL. From the limited
experience we have had with BroadVision, it seems that the session ID is a
random 20 digit number (xxxxxxxxxx.xxxxxxxxxx) and the Engine ID represents
which server is serving the content. Therefore it can be determined how many
servers are presenting the content. The first part (10 digits) of the
BV_SessionID is a random number. The second part (10 digits), however, seems
to be an incremental counter that could be used as a primary key in a
database or as a reference:

An example where the engine IDs are constant (taken from a sample of 100
hits):

BV_SessionID            BV_EngineID

            2nd part
           ^^^^^^^^^^
0857833937.0974830784   caljgjejmdfbekfcflcfhfcggl.0
2030451565.0974830918   caljgjejmdfbekfcflcfhfcggl.0
0013750567.0974830947   caljgjejmdfbekfcflcfhfcggl.0
1966354090.0974830997   caljgjejmdfbekfcflcfhfcggl.0

An example where the engine IDs are different (sequential hits from a sample
of 100 hits):

            2nd part
           ^^^^^^^^^^
0303470036.0974831433   kaljgjejmfmbekfcflcfhfcggm.0
1662867632.0974831449   ialjgjejmfkbekfcflcfhfcggm.0
0534620068.0974831462   faljgjejmfhbekfcflcfhfcggm.0
0325859633.0974831480   haljgjejmfjbekfcflcfhfcggm.0
1626080627.0974831494   galjgjejmfibekfcflcfhfcggm.0
0654920185.0974831506   ealjgjejmehbekfcflcfhfcggm.0
1323165012.0974831517   laljgjejmgebekfcflcfhfcggm.0

For example, visit www.site.com, which is running BroadVision software. You
will notice that your address bar will read something like this:

http://www.site.com/cgi-bin/iminst2-1/dev/globalframe.jsp?browser=4&plugin=no&startcat=/Main&startloc=%2fdev%2fsinglecontent.jsp%3fid%3dpage_home%26type%3dEDITORIAL%26property%3dCONTENT_TXT%26fullimage%3dtrue%26crmb%3dcrumb_home&lit=cre&titl=THE+Site+-+price+lists&BV_SessionID=@@@@0265483420.0974078984@@@@&BV_EngineID=haljfclmegjbekfcflcfhfcggm.0

(this will be wrapped :( ) The important part of this URL is:

... &BV_SessionID=@@@@0265483420.0974078984@@@@&BV_EngineID=haljfclmegjbekfcflcfhfcggm.0

For other middleware applications, the parameter name might be &IdKey or
&SessionID.

It is possible to derive the number of engines or servers that serve pages
for www.site.com. This is derived from the way the engine ids are
structured.

The problem exists when a user is viewing www.site.com in normal HTTP mode
and decides to move into the secure area of the site (HTTPS), such as
logging in to check their bill / account details for the service being
provided by www.site.com. The session ID that the user has remains the same,
so in essence it follows them into the secure zone.

Therefore, if you were able to sniff the BV_SessionID and BV_EngineID
parameters whilst the user is still browsing the "unsecure" area of the
site, it is possible to "hijack" or "join" the session by replacing the ID
strings within any of the URLs displayed in the address bar, provided the
session has not timed out. The "hijack" or "join" is possible from
either the same IP address or from a different IP address.

By registering yourself as a valid customer of www.site.com, it is possible
to determine the full URL for accessing, say, a user's billing details,
billing address, etc. This will enable a malicious user to insert a stolen
set of IDs into the URL to gain unauthorised access to another customer's
data.

Please note that retrieving a list of valid BV_EngineIDs is trivial. Just
repeatedly close and open a browser and take a note of the value. Both the
session and engine IDs would be trivial to pick up if you knew users were
visiting www.site.com on a LAN for example. Set up a sniffer, retrieve the
IDs and hey presto! Although this is not as widespread as a number of other
website / middleware vulnerabilities, we still deem this as a large security
issue that is largely undocumented.

In theory, it is possible to brute force the BV_SessionID if there are no
restrictions on the server side, and the client side has enough bandwidth
available. Although this would take some time to brute force a randomly
generated 20 digit number, it may be possible for an evil cracker to get
lucky. If you specify an invalid session id / engine id or your session has
timed out, an error is displayed (applicable to this example, may differ
from implementation to implementation).
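Because the advisory notes that a stolen pair of IDs can be replayed from a different IP address, one server-side signal a site operator can look for is the same BV_SessionID being presented from more than one client address. The following detector is an added example written for this advisory (not MIS or BroadVision code); it parses constructed Common Log Format lines whose token values follow the shape quoted above and flags session IDs seen from multiple IPs.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format). Client IPs, paths
# and token values are made up for this example; the token format follows the
# BV_SessionID / BV_EngineID shape quoted in the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Nov/2000:17:39:44 +0000] "GET /cgi-bin/dev/globalframe.jsp?BV_SessionID=@@@@0857833937.0974830784@@@@&BV_EngineID=caljgjejmdfbekfcflcfhfcggl.0 HTTP/1.0" 200 5120
10.0.0.5 - - [21/Nov/2000:17:40:02 +0000] "GET /cgi-bin/dev/account.jsp?BV_SessionID=@@@@0857833937.0974830784@@@@&BV_EngineID=caljgjejmdfbekfcflcfhfcggl.0 HTTP/1.0" 200 2048
10.0.0.9 - - [21/Nov/2000:17:41:10 +0000] "GET /cgi-bin/dev/billing.jsp?BV_SessionID=@@@@0857833937.0974830784@@@@&BV_EngineID=caljgjejmdfbekfcflcfhfcggl.0 HTTP/1.0" 200 2048
10.0.0.7 - - [21/Nov/2000:17:41:30 +0000] "GET /cgi-bin/dev/globalframe.jsp?BV_SessionID=@@@@2030451565.0974830918@@@@&BV_EngineID=caljgjejmdfbekfcflcfhfcggl.0 HTTP/1.0" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Session token as it appears in the URL: @@@@<10 digits>.<10 digits>@@@@
SID_RE = re.compile(r'^@@@@(\d{10})\.(\d{10})@@@@$')


def parse_line(line):
    """Return (client_ip, timestamp, session_id) for a request that carries a
    well-formed BV_SessionID, or None for any other line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    query = parse_qs(urlsplit(m.group("target")).query)
    sid = query.get("BV_SessionID", [None])[0]
    if sid is None or SID_RE.match(sid) is None:
        return None
    return m.group("ip"), m.group("ts"), sid


def ips_per_session(log_text):
    """Map each session id to the client IPs that presented it (first-seen time kept)."""
    seen = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            ip, ts, sid = rec
            seen[sid].setdefault(ip, ts)
    return seen


def suspicious_sessions(log_text):
    """Session ids presented from more than one client IP: a hijack indicator,
    since a token that leaked from the plain-HTTP area can be replayed from
    any address while the session is still alive."""
    return {sid: ips for sid, ips in ips_per_session(log_text).items() if len(ips) > 1}
```

Users behind a NAT gateway or a changing proxy will also trip this check, so treat a hit as something to correlate with login events and timing rather than as proof of hijacking on its own.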

Workaround / Fix / Solution:
----------------------------

There is no silver bullet solution, but a number of workarounds can be
applied to prevent this type of session hijacking.

1) Send all HTTP communication containing the session and engine ids over
HTTPS to help prevent them from being "stolen".

2) Utilise a session cookie, i.e. a cookie that is linked to the
middleware's session management system. The cookie will contain the session
ID details. Each time a user visits the page, the middleware application
should check for the existence of this cookie and verify the values held
within the cookie against the ones held within its own internal system. If
they are the same, it is a valid request. However, if they are not the same
or the cookie does not exist, this is not a valid request and should be
declined. Please note that with some middleware software, it may be the
responsibility of the web application running on top of the middleware
software to use a library that provides session cookie support.
Please check with the vendor regarding this.

3) Utilise URL re-writing to prevent the contents of the query string from
appearing in the URL that is displayed in the address bar of a browser.

4) When a user is directed into the secure area of www.site.com to view
their account details, www.site.com should generate a new session ID within the
HTTPS request and reply. This prevents a user from being followed into the
secure area.

5) Request further documentation from the vendor on how to implement a
higher level of security whilst using their middleware products. The
reasoning behind this is because BroadVision have further documentation
available, but we understand clients need to request it.
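Workarounds 2 and 4 together, shown as an added example of a hypothetical server-side session manager (this is illustrative code written for this advisory, not BroadVision's or MIS's implementation): a request is honoured only when the ID in the URL and the ID in the cookie both match the server's record, and both IDs are re-issued when the user enters the HTTPS area, so a pair captured on the plain-HTTP side is useless from that point on.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user: Optional[str] = None   # set once the user has logged in
    secure: bool = False         # True once the id was re-issued on entering HTTPS


class SessionStore:
    """Hypothetical server-side session manager (added example, not BroadVision code).

    Workaround 2: a request is accepted only when the id in the URL and the id in the
    cookie both match the server's own record. Workaround 4: both ids are replaced
    when the user moves into the secure area, so a pair captured on the plain-HTTP
    side stops working at that point.
    """

    def __init__(self):
        self._sessions = {}  # url_id -> (cookie_id, Session)

    def _issue(self, session):
        url_id, cookie_id = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self._sessions[url_id] = (cookie_id, session)
        return url_id, cookie_id

    def create(self):
        """Start an anonymous session; returns the (URL id, cookie id) pair to hand out."""
        return self._issue(Session())

    def lookup(self, url_id, cookie_id):
        """Return the Session for a request, or None if the URL id is unknown or the
        cookie is missing or does not match (a pasted URL on its own is rejected)."""
        entry = self._sessions.get(url_id)
        if entry is None or cookie_id is None:
            return None
        expected, session = entry
        if not hmac.compare_digest(expected.encode(), cookie_id.encode()):
            return None
        return session

    def enter_secure_area(self, url_id, cookie_id, user):
        """Called on the HTTPS login step: invalidate the old pair and issue a fresh one
        bound to the same server-side record, now marked as authenticated."""
        session = self.lookup(url_id, cookie_id)
        if session is None:
            return None
        del self._sessions[url_id]
        session.user, session.secure = user, True
        return self._issue(session)
```

Pair this with workaround 1 (the re-issued IDs only ever travel over HTTPS) and a server-side idle timeout, which the example omits.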

Disclaimer:
-----------

Nothing is 100% secure, the risk of being hacked / cracked is always
improbable, never impossible.

Thanks:
-------

NST @ MIS.
Eric Golin, Kevin Wharton @ BroadVision
Steve Fagg.

Thanks for taking the time to read this advisory,

WWW:
----

http://www.mis-cds.com/news/corporate/20001121bv.html

Network Security Team.
MIS Corporate Defence Solutions Limited

Tel:            +44 (0)1622 723400 (Switchboard)
Fax:            +44 (0)1622 728580
Website:        http://www.mis-cds.com/
