Sla.ckers.org
Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 
Secure sessions, easy logins?
Posted by: iNs4n3
Date: December 14, 2007 03:54AM

I have a little dilemma:

It seems that for a certain web app, I can either choose to allow users to log in easily ("remember me", set session cookie) OR have really secure sessions.
Even if the session ID is regenerated at each page load, session hijacking is still possible if the user hasn't visited the site since.


So I'm just wondering what would be a good mechanism to validate the returning user without having to time out his session and/or keep asking for his credentials?

Re: Secure sessions, easy logins?
Posted by: rsnake
Date: December 14, 2007 11:06AM

How are you envisioning the session hijacking occurring if they haven't visited the site? Physical access to the machine?

- RSnake
Gotta love it. http://ha.ckers.org

Re: Secure sessions, easy logins?
Posted by: iNs4n3
Date: December 14, 2007 12:08PM

rsnake Wrote:
-------------------------------------------------------
> How are you envisioning the session hijacking
> occurring if they haven't visited the site?
> Physical access to the machine?


As I see it, a random session ID is only effective to lower the time window a possible attacker has... if the legitimate user is browsing the site (and regenerating session IDs). If not, I can't see any gain.
The session could be compromised by the usual ways (physical access, sniffing, XSS...)

I guess it's safe to assume there is no way to have persistent logins without the risk of hijacking, but I was still wondering if there would be a better way than to ask users for credentials every time.

Re: Secure sessions, easy logins?
Posted by: rsnake
Date: December 14, 2007 04:19PM

Sniffing can be stopped via SSL, OTPs can stop replay (but they're really annoying and non-NFB compliant). Physical access to the machine is sorta a non-starter. But to answer your question, I don't see an easy way to mitigate that risk - if you store credentials expect them to be used later. If you make them transferable (usable by other IPs for instance) credential theft via XSS will always be a problem. Kinda a crappy problem, I know, but that's sorta the state of affairs at the moment.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Secure sessions, easy logins?
Posted by: Anonymous User
Date: December 15, 2007 07:30AM

@RSnake

If you can read the /tmp/ folder you could access session data; one small hole is needed, or buy a virtual account next to that site with safe_mode turned off in PHP (default).

Well, I guess I can say that the gross of virtual hosting accounts can be hacked pretty quickly if you know how. My site runs virtual with PHP safe_mode off (I have no control) and I could hack myself for 19,99$ if I wanted to, it's not that hard. I'm not talking about stealing sessions, but overwriting Apache config files is also possible. Maybe I'm saying too much here... ^^ but yeah.

Re: Secure sessions, easy logins?
Posted by: kirke
Date: December 23, 2007 02:42AM

> .. credential theft via XSS will always be a problem.
If the session ID is transported in the URL (URL rewriting) or as a form parameter (hidden field), XSS is no threat, except when the page containing the session ID value is vulnerable to XSS itself.

(sniffing and physical access to the server is another problem, to be discussed elsewhere)

> .. you can read the /tmp/ folder
Also to be discussed elsewhere, 'cause it requires for example a code injection vulnerability.

<OT>
> .. that the gross of virtual hosting accounts can be hacked pretty quick ..
You mean name-based virtual hosts (mainly in Apache); then you're right.
This problem has been well known for years, but no one listens nor takes any countermeasure; in particular, hosting providers constantly ignore this threat :-(
</OT>

Re: Secure sessions, easy logins?
Posted by: kcanis
Date: January 14, 2008 05:51PM

So I see two options, both pretty much equally lame:

* Have a captcha the user has to pass to get their fully authed session back.

But at that point in time you might as well just ask for a password.

* Support two types of authenticated sessions: fully authed and partially authed.

With a partially authed session the user would be prompted again for credentials when they try to complete certain operations.


thanks,

kc

Re: Secure sessions, easy logins?
Posted by: Anonymous User
Date: January 18, 2008 10:19AM

@kirke

Well, if /tmp/ is shared among all virtual accounts, and PHP safe_mode is off, every virtual PHP instance can read the /tmp/ folder. So the only thing you need is:

a. a hole
b. $19,99 and sit next to the guy.

Re: Secure sessions, easy logins?
Posted by: kirke
Date: January 22, 2008 02:47PM

@Ronald
You got it (and it's not only /tmp/ ;-) see my <OT> comment ..
You don't need $19,99; virtual hosts are often free.

Re: Secure sessions, easy logins?
Posted by: EWSec
Date: January 30, 2008 01:02PM

One can use database-based sessions. If you're on a shared host, that means you don't have enough traffic to warrant a dedicated host, so a query per hit won't be too much of an overhead.

If you're on dedicated, then you don't have problems with default file-based sessions, or you can use memcached or APC to speed up session handling.

Speaking of your original question and security for returning users, well, I associate each session with a hash of the IP and UA string, so if any of that changes, the session privilege is dropped to guest level. This is far from perfect, but should protect against fixation. As for people using public computers, well, if they're dumb enough not to log out when they're done, then shame on them.

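The two ideas from the thread, kcanis's fully/partially authenticated sessions and EWSec's IP+UA hash binding with a downgrade to guest, combined in one small in-memory session store. This is an added illustration, not code from any poster; the 15-minute "fresh credentials" window and the single-use, rotated remember-me token are assumed policy choices.

```python
import hashlib
import secrets
import time

GUEST, PARTIAL, FULL = "guest", "partial", "full"
FULL_TTL = 15 * 60  # assumed policy: fresh credentials are good for 15 minutes

def fingerprint(ip: str, user_agent: str) -> str:
    """Hash of client IP + User-Agent (EWSec's binding); only the hash is stored."""
    return hashlib.sha256(f"{ip}\x00{user_agent}".encode()).hexdigest()

def _token_id(token: str) -> str:
    # Store only a hash of the remember-me token, so a leaked store can't replay it.
    return hashlib.sha256(token.encode()).hexdigest()

class SessionStore:
    def __init__(self):
        self.sessions = {}         # session id -> {"user", "level", "fp", "auth_at"}
        self.remember_tokens = {}  # sha256(token) -> user

    def _new_session(self, user, level, ip, ua, now):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "level": level, "fp": fingerprint(ip, ua), "auth_at": now}
        return sid

    def _new_remember_token(self, user):
        token = secrets.token_urlsafe(32)
        self.remember_tokens[_token_id(token)] = user
        return token

    def login(self, user, ip, ua, now=None):
        """Caller has just verified the password: issue a FULL session plus a remember-me token."""
        now = time.time() if now is None else now
        return self._new_session(user, FULL, ip, ua, now), self._new_remember_token(user)

    def resume(self, token, ip, ua, now=None):
        """A remember-me token only buys a PARTIAL session; the token is rotated on use."""
        user = self.remember_tokens.pop(_token_id(token), None)
        if user is None:
            return None
        return self._new_session(user, PARTIAL, ip, ua, None), self._new_remember_token(user)

    def level(self, sid, ip, ua, now=None):
        """Effective privilege: GUEST (sticky) on IP/UA mismatch; FULL decays to PARTIAL after FULL_TTL."""
        s = self.sessions.get(sid)
        if s is None:
            return GUEST
        if s["fp"] != fingerprint(ip, ua):
            s["level"] = GUEST  # drop to guest, as in EWSec's scheme
        now = time.time() if now is None else now
        if s["level"] == FULL and now - s["auth_at"] > FULL_TTL:
            s["level"] = PARTIAL  # kcanis's partial state: sensitive actions need a fresh password
        return s["level"]

    def authorize(self, sid, ip, ua, sensitive, now=None):
        """Sensitive operations need FULL; ordinary ones accept PARTIAL or FULL."""
        lvl = self.level(sid, ip, ua, now)
        return lvl == FULL if sensitive else lvl in (PARTIAL, FULL)
```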