Session ID not updated (AppScan scan results)

Source: Internet
Author: User

A recent work assignment involved addressing vulnerabilities in a web-based project, using the AppScan tool to scan for them. This article covers one of the reported issues, "Session ID not updated". Let me share it here.

Original article; please credit the source when reproducing.

------------------------------------------------------------------

Test Type:
Application-level testing

Threat Classification:
Session management

Cause:
Insecure web application programming or configuration

Security Risk:
Customer sessions and cookies may be stolen or manipulated and used to impersonate legitimate users, allowing attackers to view or change user records as that user and perform transactions.

Affected Products:
This issue may affect various types of products.

References:

"Session Fixation Vulnerability in Web-based Applications", Mitja Kolsek, ACROS Security
PHP Manual, Session Handling Functions, Sessions and Security

Technical Description:

When authenticating a user or otherwise establishing a new user session, if the existing session ID is not invalidated, an attacker has the opportunity to take over the authenticated session. This is usually observed in the following scenarios:
[1] The web application authenticates the user without first revoking the existing session, that is, it continues to use the session that was already associated with the user.
[2] The attacker is able to force a known session ID onto the user, so that once the user authenticates, the attacker has access to the authenticated session.
[3] The application or container uses predictable session IDs.
In a typical exploitation of a session fixation vulnerability, the attacker creates a new session on the web application and records the associated session ID. The attacker then causes the victim to authenticate to the service using that session ID, so that the attacker can access the user's account through the active session. AppScan found that the session ID was not updated before and after the login process, which means that user impersonation is possible: a remote attacker who knows the session ID value beforehand can impersonate a legitimate user who is logged on.
Attack Flow:
a) The attacker uses the victim's browser to open the login form of the vulnerable site.
b) Once the form is opened, the attacker records the session ID value and waits.
c) When the victim logs on to the vulnerable site, the session ID is not updated.
d) The attacker can then use the session ID value to impersonate the victim and act as that user.
Session ID values can be obtained by leveraging a cross-site scripting vulnerability that causes the victim's browser to use a predefined session ID when contacting the vulnerable site, or by launching a session fixation attack (which causes the site itself to issue a predefined session ID to the victim's browser).
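The following Python example is added here and is not part of the original article or of AppScan; it uses a hypothetical in-memory session store to reproduce the check AppScan performs (does the session ID change across login?) and to show why regenerating the ID at authentication closes the attack flow above.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store, constructed for this example."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        # Server-generated, unpredictable ID: addresses scenario [3].
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def login(self, sid, user, regenerate=True):
        """Bind `user` to a session; return the ID the client must use from now on.

        regenerate=False reproduces the flaw AppScan reports (scenario [1]):
        the pre-authentication ID is kept, so anyone who recorded it earlier
        now holds an authenticated session.
        """
        if sid not in self._sessions or regenerate:
            # Mitigation: invalidate the pre-authentication session so any
            # copy of its ID an attacker recorded is worthless, then issue
            # a fresh ID and bind the authenticated user to that one only.
            self._sessions.pop(sid, None)
            sid = self.create()
        self._sessions[sid]["user"] = user
        return sid


def session_id_updated_on_login(store, regenerate):
    """AppScan-style check: the ID before login must differ from the ID after."""
    before = store.create()
    after = store.login(before, "alice", regenerate=regenerate)
    return before != after and store.get(before) is None


def fixation_scenario(regenerate):
    """Steps b-d of the attack flow; True means the old ID still works."""
    store = SessionStore()
    recorded_sid = store.create()                               # step b
    store.login(recorded_sid, "victim", regenerate=regenerate)  # step c
    hijacked = store.get(recorded_sid)                          # step d
    return hijacked is not None and hijacked["user"] == "victim"
```

In PHP, the `regenerate=True` branch corresponds to calling `session_regenerate_id(true)` immediately after successful authentication, so that the old ID is deleted rather than left valid.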
