Web Servers - Session Management Issues


A connection between a browser and a web server is not kept open for the duration of a visit, so to avoid making the user authenticate to the web application on every request, a session is formed. The information maintained within the session is sensitive and can give an attacker access to confidential data if it is compromised.
The session will contain information such as a unique identifier, encryption material and other parameters assigned every time a new connection between the client and the server is created. After the session is closed or no longer needed, this information should be discarded and ideally never used again, but unfortunately this is not always the case.

Some vulnerabilities of this type could be...

Long-Lived Sessions
Sessions between a client and a server should remain valid only for the time they are needed and then be permanently discarded. Sessions that remain valid after they are no longer needed may allow an attacker to retrieve session identifiers (for example via XSS) and reuse a session, effectively giving the attacker the same privileges as the victim who created it.

Logout Features
All applications should provide the user with the option to log out and destroy the active session on the server side, without having to close the browser.

Insecure or Weak Session Identifiers
Session IDs that are easily predicted or guessed greatly increase the risk of an attacker locating a valid session and accessing the application with the same permissions and access as the victim. Some flaws in web applications can also lead to the reuse of session IDs. Exploiting a stolen or guessed session ID is also known as a Session Hijacking Attack.

Granting of Session IDs to Unauthorized Users
Some applications grant session IDs to unauthenticated users and then redirect them to a logout page. This can give an attacker the ability to request valid URLs in the application that would normally require an authenticated session.

Poor or No Password Change Controls
An improper or insecure implementation of a password change feature that does not require the old or current password when setting a new one may allow an attacker to change passwords for other users.

Inclusion of Unprotected Information in Cookies
In some cases a cookie may contain unprotected information, such as the internal IP address of a server, that can be used to learn more about the inner workings of the web application and the underlying systems.

Certified Security Geek
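As an added example (not code from the post above), the following Python session store shows the defensive side of the Long-Lived Sessions, Logout Features and Weak Session Identifiers points: unpredictable IDs from the OS CSPRNG, idle and absolute expiry, ID rotation at login, server-side destruction on logout, and a cookie header that keeps the ID away from script. The timeout values and cookie name are assumptions chosen for the example.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # assumed policy: seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed policy: hard cap on lifetime regardless of activity


class SessionStore:
    # Server-side session store: unpredictable IDs, expiry, rotation and logout
    def __init__(self, clock=time.time):
        self._clock = clock      # injectable clock so expiry can be tested
        self._sessions = {}      # session_id -> {"user", "created", "last_seen"}

    def create(self, user):
        # 32 bytes from the OS CSPRNG: IDs cannot be predicted or enumerated
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid):
        # Return the session's user, or None; expired sessions are deleted on sight
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if (now - sess["last_seen"] > IDLE_TIMEOUT
                or now - sess["created"] > ABSOLUTE_TIMEOUT):
            del self._sessions[sid]
            return None
        sess["last_seen"] = now
        return sess["user"]

    def rotate(self, sid):
        # Fresh ID at login so a pre-authentication ID is never upgraded
        sess = self._sessions.pop(sid, None)
        if sess is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = sess
        return new_sid

    def logout(self, sid):
        # Logout destroys the server-side record, so a replayed ID is rejected
        return self._sessions.pop(sid, None) is not None


def session_cookie_header(sid):
    # HttpOnly keeps the ID from script (XSS), Secure keeps it off plain HTTP,
    # Max-Age bounds how long the browser keeps it (assumed cookie name SESSIONID)
    return (f"SESSIONID={sid}; Path=/; Max-Age={IDLE_TIMEOUT}; "
            "HttpOnly; Secure; SameSite=Lax")
```

Re-send the cookie header on each response so the browser's Max-Age slides together with the server-side idle window.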