RE: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications"

["Yvan G.J. Boily" <yboily () seccuris com>]

This name for the issue is misleading; this is a state management 
issue combined with a session management issue.

Although there is an attempt to separate this type of an attack, 
it is still a session hijacking attack, even though the attacker 
is taking a different approach; the attacker still manages to 
acquire the ability to execute a request using the original users.

The core of this type of a vulnerability is a lack of state 
management; the token mechanism that you refer to on page 
14 is a common state management technique.

The application should emit a unique (i.e. random) token for 
each request in combination with the session identifier.  If 
the succeeding request does not have the same token, then the
application should take the appropriate action.  This is a 
crucial step in state management, as it becomes possible to 
enforce state transitions using this method.

The issue is a serious one; I have seen this many times during 
code reviews and application pen-tests.  The important concern 
here is educating web developers so that they understand that 
even in a "stateless" protocol, maintaining an application state 
in a secure fashion is crucial.  Any type of exploit that takes 
advantage of this type of issue can be corrected by implementing
a state management mechanism (typically these are more robust 
than a page token system), and then ensuring that confirmation 
is crucial, verified (i.e. CAPTCHA) process.

The "Session Riding" vulnerability is not just an issue of immature
 web technology; it will affect any stateless protocol which does 
not have a strong method of enforcing state compliance.  It is 
certainly the case that this can be addressed by implementing this 
type of functionality at the framework/api level with a development 
platform, however there are a number of technical issues associated 
with the technology.

The paper is a good introduction to the issue, but perhaps the title 
is misleading as to the nature of the issue.


> -----Original Message-----
> From: Thomas Schreiber [mailto:ts () securenet de] 
> Sent: Wednesday, December 15, 2004 7:14 PM
> To: webappsec () securityfocus com
> Subject: Whitepaper "SESSION RIDING - A Widespread 
> Vulnerability in Today's Web Applications"
>
> Hello,
>
> I would like to point you to a whitepaper just released:
>
> SESSION RIDING - A Widespread Vulnerability in Today's Web 
> Applications
> http://www.securenet.de/papers/Session_Riding.pdf
>
> ----------
> Abstract:
>
> In this paper we describe an issue that was raised in 2001 
> under the name of Cross-Site Request Forgeries (CSRF). It 
> seems, though, that it has been neglected by the community, 
> as it is not part of recent Web Application Security 
> discussions, nor is it mentioned in OWASP's Top Ten or the 
> like. After having frequently observed this vulnerability in 
> our Web Application Security assessments of custom Web 
> applications, we started to examine various public Web 
> applications and other browser-based applications:
>
> -     popular (commercial) Web sites 
> -     popular browser-based console applications such as 
> administration tools for databases, servers, etc.
> -     browser-based administration clients of hardware devices
> -     webmail sites and open source and commercial webmail solutions 
>
> We have found out that this vulnerability is present in many 
> of those sites, services and products, some of which perform 
> sensitive tasks. Actually, the list of affected companies 
> contains well-known big players. Our analysis has led us to 
> the conclusion that this vulnerability is the most widespread 
> one in today's Web applications right after Cross-Site 
> Scripting (XSS). Even worse, in some scenarios it has to be 
> considered much more dangerous than XSS.
>
> We feel that a concise description of this issue is 
> necessary, along with a description of scenarios that 
> highlight the danger to all browser-based applications that 
> do not provide appropriate countermeasures, be it Intranet, 
> Internet or console applications. In this paper, we explain 
> this vulnerability in depth, show that it may be used 
> unnoticed by the victim, describe potential threats, and 
> finally give hints on how to make Web applications safe from 
> such attacks.
>
> We prefer to call this issue Session Riding which more 
> figuratively illustrates what is going on.
> ----------
>
> Feedback is very welcome - especially regarding our 
> rating/experience as one of the most widespread 
> vulnerabilities today. 
>
> Thomas Schreiber
> ____________________________________________________________
> SecureNet GmbH - http://www.securenet.de
> +49 89/32133-610
> mailto:ts () securenet de