First of all, what is session management? In most web applications, the session management mechanism is a fundamental security component. It lets the application identify a particular user among a large number of different requests and handle the data it collects about the state of that user's interaction with the application. Session management is particularly important when an application performs a login function, because it lets the application remain confident of the user's identity after the user has submitted their credentials in a request.
Because of the critical role played by session management mechanisms, they are a primary target of malicious attacks against applications. If an attacker is able to break an application's session management, he can easily circumvent the authentication mechanism it implements and masquerade as another application user without knowing that user's credentials.
I. The need for state
HTTP is stateless: it is based on a basic request-response model in which each pair of messages represents a separate transaction. The protocol itself has no mechanism to link the various requests made by one user and distinguish them from all other requests the web server receives.
Earlier websites served static pages and had no need for sessions, but this has changed: web applications now offer a variety of features, such as letting users log in, remembering a user's information, and adding goods to a shopping cart. These features require the application to know that the requests it receives come from the same user. The session management mechanism exists to solve this problem.
The simplest way to implement a session is to issue a unique session token or identifier to each user. In most cases, an application uses an HTTP cookie as the transport mechanism for passing these session tokens between the server and the client.
There are two main categories of vulnerabilities in session management mechanisms:
1) Weaknesses in the session token generation process
2) Weaknesses in handling session tokens throughout their life cycle
II. Weaknesses in session token generation
1) Tokens with meaningful content: for example, some tokens are derived from the user's user name or e-mail address through some kind of obfuscation (such as hexadecimal encoding), so the user's token can be guessed.
2) Token predictability
Some session tokens do not contain any meaningful data about a particular user, but because they follow some sort of sequence or pattern, they allow an attacker to infer, from several token samples, other valid tokens the application has recently issued; they are therefore predictable. A predictable session token usually stems from three causes: concealed sequences, time dependence, and weak random number generation.
III. Weaknesses in session token handling
1) Disclosure of tokens on the network
This can be exploited if the session token is transmitted unencrypted over the network.
2) Disclosure of tokens in logs
Various system logs also often disclose tokens to unauthorized parties. Besides eavesdropping at a suitable point on the network, a range of potential attackers may be able to consult these logs.
3) Vulnerable mapping of tokens to sessions
The application allows several valid tokens to be assigned to the same user account at the same time.
4) Vulnerable session termination
Some applications do not implement a logout function, which leaves the application's tokens open to misuse by anyone who intercepts them.
5) client exposed to token hijacking risk
6) Overly broad cookie scope
The cookie's scope is too broad, or it is not set on the correct domain.
IV. Securing session management
1) Generate strong tokens: use a very large set of possible values and a strong pseudo-random source, so that tokens are spread evenly and unpredictably across the range of possible values.
2) Protect tokens throughout their life cycle: transmit tokens only over HTTPS, never send tokens in URLs, implement a logout function, terminate a session after it has been inactive for a period of time, and prevent concurrent logins.
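The following is an added example (not code from the original notes) that puts the two recommendations above into a minimal in-memory session store: tokens come from the operating system's CSPRNG via Python's `secrets` module, a new login for an account revokes its earlier token (no concurrent logins), idle sessions expire, logout invalidates the token, and the cookie is marked so the browser sends it only over HTTPS. The cookie name `SESSIONID`, the 15-minute idle timeout and the injectable clock are assumptions for illustration.

```python
import secrets
import time

TOKEN_BYTES = 32          # 256 bits of entropy from the OS CSPRNG
IDLE_TIMEOUT = 15 * 60    # assumed policy: terminate after 15 idle minutes


class SessionStore:
    """In-memory token -> session map; `now` is injectable so expiry is testable."""

    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}   # token -> {"user": str, "last_seen": float}

    def login(self, user):
        # One session per account: a new login revokes any existing token
        # for that user, so an earlier leaked token stops working.
        for tok, sess in list(self._sessions.items()):
            if sess["user"] == user:
                del self._sessions[tok]
        # Unpredictable token: no user data, no sequence, no timestamp.
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[token] = {"user": user, "last_seen": self._now()}
        return token

    def user_for(self, token):
        """Return the user bound to a token, or None if unknown or idle too long."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if self._now() - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]   # idle timeout: session terminated
            return None
        sess["last_seen"] = self._now()
        return sess["user"]

    def logout(self, token):
        """Server-side logout: the token is unusable even if it was captured."""
        return self._sessions.pop(token, None) is not None


def session_cookie(token):
    """Set-Cookie value: HTTPS only, not readable by scripts, same-site only."""
    return f"SESSIONID={token}; Secure; HttpOnly; SameSite=Strict; Path=/"
```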
Web Security Learning: Attacking Session Management