
Critical New Web Application Vulnerability Alert BOB23203115

Subject: Critical New Web Application Vulnerability Alert BOB23203115
Date: Sun, 19 Dec 2004 19:13:01 -0600
Critical New Web Application Vulnerability:

Cross X Double-Free Session Riding Turbo Champion Gold
"A Widespread Vulnerability in Tomorrow's Web Applications"

http://www.anachronic.com/modules.php?op=modload&name=News&file=article&sid=9&mode=thread&order=0&thold=0
(if you prefer HTML)

Issue:

(P1) If a web application implements dual-factor entity authentication using dynamically generated session tokens in the URL, and

(P2) If this secondary token is used to control per-resource access (resource=URL), in addition to a primary session token (e.g. session cookie, etc.) which controls general session state, then

---------------------------------------------------------------------

(C) Any attacker who can harvest the dynamically generated session token can send a user to that resource via URL link or embedded script including the aforementioned session token, and execute commands within the application on the user's behalf.

As the user's browser will automatically provide the primary session token (e.g. session cookie) or auth like NTLM, Kerberos, etc., inclusion of this secondary resource token is all that's needed to allow the attacker to arbitrarily execute commands in the application on behalf of the user.

Recommendation: All web applications should implement Best Practices:

(1) a cryptographically secure primary session token
(2) a cryptographically secure user identifier (hidden in the page)
(3) a cryptographically secure, dynamically-generated per-page resource token

::And to mitigate the above risk::

(4a) Provide a separate application the user can use to generate OTPs. Require OTPs to be entered on *every* page before undertaking _any_ action.

-or-

(4b) Require a user-supplied secret that the user must enter on *every* page before they can undertake _any_ action.

Additional notes:
HTTP is STATELESS.
Web Applications have no control over web clients.
Web Applications have no control over webapp users.

Background:

My esteemed appsec colleague Ed Welsh brought to my attention a paper entitled "Session Riding" published by SecureNet GmbH.

Overall the SecureNet paper is well written and well organized. It facilitates an intelligent discussion of:

-State Management general issues
-Session Management particulars
-Authentication

However, this paper suffers from overzealous marketing statements. Paragraph one: this is clearly covered by the OWASP Top 10 (how does this not fall under A3?); a separate discussion is the alleged 'Top-10' document's illogical mixing of Category, Class, and Particulars.

While 'Session Riding' is an interesting read, I assumed this was common knowledge. There is *nothing* new in this paper, especially about so-called 'session riding'. Am I very wrong about this being common knowledge (in the appsec community)?

This paper essentially explains the concept of using dual-factor authentication, and specifically a dynamically-generated token, for per-resource access in a web application to prevent access to default or static URL strings. Not a bad design idea, though the solution has more options than this paper suggests. Additionally, SecureNet's primary solution can introduce other issues.

I would have liked this paper a lot better if it weren't positioned with MarketingMyth(tm) jargon.

For a more detailed analysis of this issue:

Session Riding Analysis: more webappsec hype & confusion just in time for Christmas!
http://www.anachronic.com/modules.php?op=modload&name=News&file=article&sid=10&mode=thread&order=0&thold=0

Note: anachronic.com is vulnerable to 'Session Riding' but not to
'Cross X Double-Free Session Riding Turbo Champion Gold'. Yet.
So, like, watch how you get there.

Watch your back. Trust no one. Keep your Lynx handy.

Arian J. Evans
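The server-side check behind recommendations (1) and (3), as an added example that is not part of the original post or of the SecureNet paper: a per-resource token is derived from the primary session token and the URL, and a request is allowed only when the cookie-bound session and the URL token agree. SERVER_KEY, issue_resource_token, authorize and the request dicts are constructed assumptions for this illustration.

```python
import hashlib
import hmac
import secrets

# Assumed server-side secret; a real deployment loads it from a key store.
SERVER_KEY = secrets.token_bytes(32)


def issue_resource_token(session_id: str, resource: str) -> str:
    """Per-page token (recommendation 3), bound to the primary session token
    (recommendation 1) and to the resource URL, so a token minted for one
    page or one session is useless for another."""
    msg = f"{session_id}\n{resource}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def authorize(request: dict) -> bool:
    """Allow the action only if the cookie-bound session and the URL token agree.

    request is a constructed dict with keys:
      cookie_session - primary session token the browser sends automatically
      resource       - the URL being acted on
      url_token      - secondary per-resource token carried in the URL
    """
    session_id = request.get("cookie_session")
    if not session_id:
        return False
    expected = issue_resource_token(session_id, request.get("resource", ""))
    # Constant-time comparison so a mismatch does not leak token bytes via timing.
    return hmac.compare_digest(request.get("url_token", ""), expected)


def demo() -> dict:
    """Constructed requests: the legitimate case and three that must be refused."""
    victim, resource = "sess-victim-0001", "/transfer?to=acct"
    good = issue_resource_token(victim, resource)
    return {
        # Normal flow: the page the user loaded carried a fresh token for this URL.
        "legit": authorize({"cookie_session": victim, "resource": resource,
                            "url_token": good}),
        # Link with no secondary token: the auto-sent cookie alone is not enough.
        "cookie_only": authorize({"cookie_session": victim, "resource": resource}),
        # Token minted for a different URL, replayed against this one.
        "wrong_resource": authorize({"cookie_session": victim, "resource": resource,
                                     "url_token": issue_resource_token(victim, "/profile")}),
        # Token from another session, embedded in a link sent to the victim.
        "other_session": authorize({"cookie_session": victim, "resource": resource,
                                    "url_token": issue_resource_token("sess-other", resource)}),
    }
```

A token harvested from the victim's own session would pass this check exactly like the legitimate request, which is conclusion (C) of the post and why it recommends an OTP or user-entered secret on top.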
