Covid-19 has transformed our lives and our work. Remote working is now a major part of our lives, leading to an increase in cyber-attacks.
Figure: Cost of Data Breach in 2021 (measured in US$ millions)
According to an IBM study, the average cost for a data breach amounts to $4.24 million. This is 10% more than last year’s total breach cost. Additionally, compromised credentials accounted for 20% and 17% respectively of all breaches in 2021.
Facebook users suffered a huge hit in 2021 from the FlyTrap Android Trojan, which hijacked their sessions; worst of all, it spread to 140 countries.
It took over a victim's social media profile by stealing their Facebook ID, IP address, location, email addresses, and session cookies and tokens.
Figure: countries in which session hijacking vulnerability issues were experienced in 2021
Vulnerability Categories in Session Management
Session management vulnerabilities can be classified into two main categories:
- Generating weak session management tokens: this includes creating meaningful, predictable, or encrypted tokens, which can be cracked relatively easily because they usually follow a structure. Once an attacker understands the token-generation logic, they can forge a valid token from it.
- Insecure handling of session tokens throughout their life cycle: this includes tokens leaked on the network or in logs, session termination that is not implemented properly, token theft through other attacks such as XSS, and loose cookie scope.
Vulnerabilities and their solutions in session management
Let’s talk in detail about the session management vulnerabilities and how to fix them.
1. Vulnerability: Meaningful tokens
Developers make the mistake of building the session token out of user information in a lightly transformed form, such as a username, user ID, or email address.
Although the transformed token may look secure because it is a long string, a closer look often shows it is just a hex value. It may then be possible to decode it and recover the real values used to build the session ID.
For example, consider the session ID 757365723d616b3b6170703d746573743b646174653d31372f30352f32303232
Decoding this hex string reveals user=ak;app=test;date=17/05/2022
To test whether a token can be decoded with common encodings such as hexadecimal or base64, try to work out the recipe used to build the session token.
Solution: Do not use meaningful tokens for session IDs.
2. Vulnerability: Predictable tokens
These session ID tokens are not usually derived from meaningful user data, but they contain a pattern or sequence that hackers can use to guess valid tokens.
Methods to generate predictable tokens
- Hidden sequences: although they may be hard to spot when the data is analysed in its raw form, there are patterns that can be decoded; several patterns may have to be combined to determine the actual value.
- Time dependency: this is a very common way to generate session ID tokens. Hackers who work out the time-based generation algorithm can obtain large numbers of valid user tokens.
Solution: Avoid predictable token-generation methods for session IDs wherever possible.
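The two checks described above (can the token be decoded into meaningful text, and does a sample of tokens follow an obvious sequence) can be scripted. The following is an added example, not code from the original article; the sample tokens are constructed, the first being the hex-encoded user=ak;app=test;date=17/05/2022 token shown earlier, and the 3.0 bits-per-character entropy threshold is an arbitrary assumption for the demonstration.

```python
import base64
import math
from collections import Counter

# Constructed sample tokens for this illustration (not from any real application).
MEANINGFUL_TOKENS = [
    "757365723d616b3b6170703d746573743b646174653d31372f30352f32303232",  # hex of "user=ak;app=test;date=17/05/2022"
    "dXNlcj1hazthcHA9dGVzdA==",  # base64 of "user=ak;app=test"
]
COUNTER_TOKENS = ["000123", "000124", "000125"]  # a plain incrementing counter

def try_decode(token):
    """Return (encoding, text) if the token is hex or base64 wrapping printable text, else None."""
    decoders = (("hex", bytes.fromhex), ("base64", lambda t: base64.b64decode(t, validate=True)))
    for name, decode in decoders:
        try:
            text = decode(token).decode("ascii")
        except ValueError:  # not this encoding (binascii.Error) or not ASCII once decoded
            continue
        if text and text.isprintable():
            return name, text
    return None

def shannon_entropy(token):
    """Estimated bits per character from the token's own character distribution."""
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in Counter(token).values())

def is_sequential(tokens, base=16):
    """True when every token parses as an integer in `base` and successive values step by a constant."""
    try:
        values = [int(t, base) for t in tokens]
    except ValueError:
        return False
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(values) > 1 and len(steps) == 1 and 0 not in steps

def audit_tokens(tokens, min_entropy=3.0):
    """Return findings for a sample of tokens issued by one application; an empty list means nothing obvious."""
    findings = []
    for t in tokens:
        decoded = try_decode(t)
        if decoded:
            findings.append(f"{t}: meaningful token, {decoded[0]} of {decoded[1]!r}")
        elif shannon_entropy(t) < min_entropy:
            findings.append(f"{t}: low entropy ({shannon_entropy(t):.2f} bits/char)")
    if is_sequential(tokens):  # look across the whole sample, not at single tokens
        findings.append("sample is an incrementing counter: the next token is predictable")
    return findings
```

Run audit_tokens over a few dozen tokens collected from one application; a token generated by a framework's CSPRNG-backed session library should produce no findings.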
3. Vulnerability: Encrypted Tokens
This method of creating session IDs has proven very vulnerable in real-world applications; it is easy to attack.
Here are some examples of the most popular algorithms developers use to generate tokens.
- ECB ciphers: these session IDs are tokens produced by a symmetric cipher in ECB mode, and their content can easily be recovered. Such tokens may appear random and pass all standard randomness tests.
4. Vulnerability: Disclosure of tokens on the network/logs
Session ID transmissions over an insecure network can be sniffed by hackers to obtain session tokens.
There are also cases where the session ID token is exchanged over HTTP instead of HTTPS: most applications use HTTP to load static content such as images, scripts, and CSS.
Logs must also be checked for session tokens: user browser logs as well as web server logs and ISP proxy logs.
Hackers can easily sniff the session token value and decrypt it to reveal its original form.
Solution: Do not switch from HTTPS to HTTP. Keep an eye on logs at different levels, such as the web application, ISP, and browser.
5. Vulnerability: Session termination not appropriately implemented
A long session lifetime gives hackers ample time to locate and exploit the session key.
A few other scenarios also need to be addressed, such as expiring the session on logout, after inactivity, or when the browser is closed.
Solution: Shorten the session lifetime and expire session keys after a user logs off or closes the browser.
6. Vulnerability: Stealing tokens through other attacks like XSS, CSRF and malware
The application may be vulnerable to attacks such as those mentioned above, which can lead to session hijacking through theft of session-related data, local storage, and cookies.
This is the most popular method of stealing session data. These vulnerabilities were used against victims in phishing attacks, which accounted for almost 17 percent of all attacks in 2021.
Solution: Test your application for these other vulnerabilities and fix any that are found to prevent further exploitation.
7. Vulnerability: Loose Cookie Scope
There are many ways to implement session management, including cookies, hidden form fields, SSL, and URL rewriting. Cookies are the most popular. While cookies are helpful in many ways, they can also pose a danger if they are not used properly.
Solution: Keep the cookie's scope as limited as possible. If it must be shared across other domains, keep it secure, and avoid sharing it with insecure third-party applications.
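A scope check like the one recommended above can be automated by linting the Set-Cookie header an application emits. This is an added example, not code from the original article: the two headers are constructed for a hypothetical application at app.example.com, and the host and path the cookie should be limited to are assumptions passed in as parameters.

```python
# Constructed Set-Cookie headers for a hypothetical app at app.example.com (not from the page):
# the first is how a session cookie is commonly emitted, the second a hardened form.
WEAK_HEADER = "JSESSIONID=9f8e7d6c5b4a3f2e1d0c; Domain=.example.com; Path=/"
HARDENED_HEADER = ("__Host-SESSIONID=9f8e7d6c5b4a3f2e1d0c; Path=/; "
                   "Secure; HttpOnly; SameSite=Lax")  # __Host- prefix: browsers reject it without Secure, Path=/ and no Domain

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attrs); bare flags such as Secure map to True."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs

def lint_session_cookie(header, app_host="app.example.com", app_path="/"):
    """Return the scope and flag weaknesses of a session cookie for an app served at app_host/app_path."""
    _, _, attrs = parse_set_cookie(header)
    issues = []
    if "secure" not in attrs:
        issues.append("missing Secure: the cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        issues.append("missing HttpOnly: page scripts can read the cookie (XSS theft)")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        issues.append("SameSite not Lax/Strict: cross-site requests carry the cookie (CSRF)")
    domain = str(attrs.get("domain", "")).lstrip(".").lower()
    if domain and domain != app_host:
        issues.append(f"Domain={domain}: cookie is shared with every host under {domain}")
    path = str(attrs.get("path", "/")).rstrip("/") or "/"
    app = app_path.rstrip("/") or "/"
    if path != app and app.startswith(path):  # cookie path broader than the app's own prefix
        issues.append(f"Path={path}: cookie is sent to other applications on the same host")
    if "expires" in attrs or "max-age" in attrs:
        issues.append("persistent cookie: the session survives closing the browser")
    return issues
```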
Different types of session hijacking attacks
Session Fixation
The attacker has already obtained a valid session ID and forces the target user to log in using that attacker-provided ID. This attack can be carried out in several ways; for example, the session ID could be supplied through an HTTP query string.
Session Prediction
Session IDs should be unique and hard to guess. Developers sometimes do not use the session libraries provided by their frameworks and instead create custom session IDs, which can lead to insecure implementations.
For example, a JSESSIONID token that uses a user-id parameter as its value is quite easily predictable.
Session Side-Jacking
Side-jacking is done by sniffing: if the client uses an unsecured network, the hacker can easily intercept the traffic between client and server.
Cross-site Scripting (XSS)
Stealing a session ID through XSS is the most popular attack. It uses JavaScript code that reads the cookies and delivers them to the hacker. Malware can also be planted to read the cookies and local storage files.
Best Practices for Session Management
The OWASP guidelines recommend the following best practices to ensure session security:
- Selection of good algorithms to generate session identifiers, so that they are not easy to guess by brute force; they must be random with good entropy.
- Terminating the session when the user logs out or closes the browser.
- Using trusted servers to generate the session identifiers.
- Implementing periodic session timeouts.
- Preventing unauthorized users from accessing server-side session data by implementing proper access control.
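The practices listed above (random identifiers with good entropy, periodic and logout-driven expiry) and the session fixation defence (re-issuing the ID at login) can be seen together in a small server-side store. This is an added illustration, not any framework's real session API or the article's own code; the timeout values are assumptions, and the clock is injectable only so expiry can be exercised without waiting.

```python
import secrets
import time

class SessionStore:
    """Illustrative server-side session store (added example, not a framework's real API)."""

    def __init__(self, idle_timeout=15 * 60, absolute_timeout=8 * 3600, clock=time.time):
        self.idle_timeout = idle_timeout          # seconds of inactivity before expiry (assumed default)
        self.absolute_timeout = absolute_timeout  # hard lifetime regardless of activity (assumed default)
        self.clock = clock                        # injectable so tests can move time forward
        self._sessions = {}                       # sid -> {"user", "created", "last_seen"}

    def create(self, user=None):
        """Issue a fresh ID from the OS CSPRNG; it carries no user data, only this store gives it meaning."""
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy, safe in cookies and URLs
        now = self.clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def get(self, sid):
        """Return the live session record, or None (and drop the entry) once the idle or absolute limit passes."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self.clock()
        if now - rec["last_seen"] > self.idle_timeout or now - rec["created"] > self.absolute_timeout:
            del self._sessions[sid]
            return None
        rec["last_seen"] = now
        return rec

    def login(self, presented_sid, user):
        """Bind the user to a brand-new ID; whatever ID the client presented (possibly one an
        attacker planted, as in session fixation) is retired rather than upgraded."""
        self._sessions.pop(presented_sid, None)
        return self.create(user)

    def logout(self, sid):
        """Server-side invalidation, so a copied token is useless after logout."""
        self._sessions.pop(sid, None)
```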
Session Security Testing Tools
When testing the security of an application's session management, there are many things to consider. Testing session tokens manually can be tedious, so there are many tools on the market.
Here are some of the most used tools for testing session security.
1. ZAP
ZAP supports testing for different types of session management, such as script-based sessions and cookie-based sessions.
Conclusion
Session management is susceptible to many attacks. Hackers continue to search for loopholes in applications' session management in order to hijack sessions and masquerade as users to perform unauthorized actions.
Securing session management tips:
- Generate large, random and strong tokens
- Secure tokens for their entire life
- Log, monitor and alert on brute-force attacks.
Session management is an essential aspect of any application; it must be carefully implemented and tested. Offtheshelfexhibits has the expertise to ensure that our clients' businesses are secure and thriving.