Security Leak: Session Fixation vulnerability

security
security@Image courtesy of Stuart Miles/ FreeDigitalPhotos.net

Security Leak: Session Fixation vulnerability

Welcome to CodeSpread!

What is a Session?

HTTP is a stateless protocol. Each request to the server is independent and does not contain any information about the user like who has requested which page or any information/state of the client machine.

ASP.NET Session state can be used to store values that will persist across page requests. ASP.NET session state identifies requests from the same browser as a session.This session is limited to some time, then it expires and renew again.

image

Whenever the Session starts, a cookie by the name of ASP.NET_SessionId identifier is created which stores the values of session and can be retrieved by calling the identifier. By default, if a user is inactive for 20 minutes, the Session will expire and all items that had been stored in the Session will be discarded.

There are methods to kill the session programmatically like

  • Session.Abandon()
  • Session.Clear()
  • Session.RemoveAll()

These methods can only end the session but does not delete the cookie.

What is Session Fixation?

As the security of cookie is dependent on the client machine, there is a chance of hacking/stealing this cookie which might reveal the session identifier. Unlikely but naive,Another way the hacker can steal the session identifier is from the query string,if session identifier is appended to the URL. If stolen, An attacker can impersonate a user by using the authenticated session ID (SID).
Lets create the basic flow to understand session fixation.

  • User visited a site having a valid ASP.NET_SessionId like ‘abcdefg’ .
  • User logs in with his valid credentials and perform some transaction. Here, the session identifier does not change ‘abcdefg’.
  • Hacker creates or obtains a valid session identifier.
  • Hacker impersonates the user and continue as the user.
  • Hacker can continue to impersonate the victim user until the SID expires.

Another way is where the SID is appended to the URL as a query parameter. In a phishing mail, which contains a URL, SID can be appended  which is only known to the hacker. Once the user logs in, the hacker can use this SID, which is now associated with an authenticated session, to impersonate the user. So please avoid clicking any links on spam mails.

How can it be fixed?

There are many countermeasures available, One of them is to

  • Assign a new session identifier on login and,
  • Remove the session identifier once the user logs out.

Second,

  • Regenerate session identifier on each request, although this is not always possible.

Third,

  • As a precautionary measure and applicable for small sites, Enable Https.

Fourth

  • A log out function, which states that a session should not allow further requests. Not a very secure option though.

Fifth,

  • Beware of the suspicious referrers,the page that contained the link that you followed to get to current page.

Conclusion

We have countermeasures for session fixation but still not a fool-proof strategy. If a hacker is improvising, we should also improvise on countermeasures. I suggest to always prepare a strategy to foresee any security leaks and prepare the precautionary measures.

Author: hershey

A passion for knowledge drives me to do programming, A passion for programming drives me to create something different, A passion for creation drives me to spread the knowledge.

Share This Post On

0 Comments

  1. nice superb explaination

    Post a Reply
  2. thanks for the tutorial
    I am having a problem.
    The feature “Create SQL server database” isn’t available , I can’t select it.
    Can you help, please ?

    Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

More from CodeSpread:

  • New SDLC: Security Development Life CycleNew SDLC: Security Development Life CycleWhen I heard Security Development Life Cycle, my first reaction was, is it really possible? But, as always, Microsoft surprised me with the introduction of SDL. I just went through a paper publi...
  • Asp.Net: Hidden Truth of CookiesAsp.Net: Hidden Truth of CookiesI know there are several articles on cookies as what are they? and how can they be created? but i always wanted to know more about them. My questions were where they are stored? how to track their ...
  • ASP.NET : Stick to the ContextASP.NET : Stick to the ContextWhat we are talking about? We are talking about HttpContext Class. It is a part of System.Web namespace/assembly and is usually referred by, [code] System.Object System.Web.HttpContext [...
  • Asp.Net: More about CookiesAsp.Net: More about CookiesWe have seen, how our cookies looks in our last article Cookies Part 1. In this article, we will talk about their properties,limitations and technical part. Properties and Limitations Cook...
  • When ViewState is loaded?When ViewState is loaded?We know asp.net page life cycle and on subsequent request, each stage of life cycle is analyzed to find out, as and when viewstate is available for use.
  • Few lines about Static code analysisFew lines about Static code analysisStatic code analysis We divide the term into two parts: Static+code analysis. Static in programming can be referred to as non-running/non-dynamic and code analysis is a process where the code is...
  • SQL fry: PIVOT and UNPIVOTSQL fry: PIVOT and UNPIVOTWhat is PIVOT? In our day-to-day SQL server coding, PIVOT and UNPIVOT are not very familiar words but still holds good if we understand them correctly and know when to use it.Web Definition of PIV...
  • Maintain Page State on Browser’s Back Button ClickMaintain Page State on Browser’s Back Button ClickThis is a very common requirement and a major expectation for a quality user experience. Scenario: User visits a site which heavily uses AJAX. Here, AJAX will not let the user navigate from the p...