Feeds

Attention developers: Your SESSIONIDs are showing

You don't know sidejack

Internet Security Threat Report 2014

Another way an attacker might steal the SESSIONID is to use a cross-site scripting (XSS) attack. The injected script simply accesses the cookie and sends it to the attacker. Another cookie flag called HttpOnly can protect against this attack, as it tells the browser not to allow scripts to access the SESSIONID. While most browsers respect the HttpOnly flag, many development environments do not yet make it easy to set. You may have to set your own cookie header something like this:

 response.addHeader( "Set-Cookie", SESSIONID=" + session.getId() + "; Secure; HttpOnly" );

Avoid that URL re-write

Back in the early days of the web, the US Government (wrongly) concluded that cookies were evil and they banned them. Developers quickly came up with a workaround that involved including the SESSIONID directly in the URL. Unfortunately, URLs are frequently disclosed via bookmarks, referrers, web logs, cut-and-paste, and more. So the cure was much worse than the disease.

Given the small number of web users that do not allow session cookies and the high risk of SESSIONID exposure, this URL rewriting technique should not be used. Disabling this may not be trivial, as many frameworks fall back to this technique when cookies are not accepted. You can test your environment by disabling cookies and browsing your site.

Change SESSIONID on login and logout

One creative way for attackers to steal SESSIONIDs is to grab them before the user logs in. For example, imagine an evil coworker goes to your desk, browses to a sensitive internal application, and writes down your SESSIONID. Then when you come in to work and log in, the SESSIONID is now authenticated, and the attacker can use it to access the application as you.

The solution is to always change the SESSIONID whenever anyone logs in or logs out. This is simple to test for using the alert method described above. Many environments do not support changing SESSIONIDs, so you have to copy anything you need from the old session and put it in a brand new session.

Watch the skies

Even though these problems are easy to identify and relatively easy to fix, many web applications still have them. These issues seriously undermine your overall authentication scheme, preventing compliance with any application security standard, including the PCI. So protect your users and make sure your application doesn't make it easy for the bad guys to hijack their sessions. ®

Jeff Williams is the founder and CEO of Aspect Security and the volunteer chair of the Open Web Application Security Project. His latest project is the Enterprise Security API, a free and open set of foundational security building blocks for developers.

Security for virtualized datacentres

More from The Register

next story
Microsoft WINDOWS 10: Seven ATE Nine. Or Eight did really
Windows NEIN skipped, tech preview due out on Wednesday
Business is back, baby! Hasta la VISTA, Win 8... Oh, yeah, Windows 9
Forget touchscreen millennials, Microsoft goes for mouse crowd
Apple: SO sorry for the iOS 8.0.1 UPDATE BUNGLE HORROR
Apple kills 'upgrade'. Hey, Microsoft. You sure you want to be like these guys?
ARM gives Internet of Things a piece of its mind – the Cortex-M7
32-bit core packs some DSP for VIP IoT CPU LOL
Microsoft on the Threshold of a new name for Windows next week
Rebranded OS reportedly set to be flung open by Redmond
Lotus Notes inventor Ozzie invents app to talk to people on your phone
Imagine that. Startup floats with voice collab app for Win iPhone
'Google is NOT the gatekeeper to the web, as some claim'
Plus: 'Pretty sure iOS 8.0.2 will just turn the iPhone into a fax machine'
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.