Wikipedia, the free encyclopedia

Time: 2011-10-12 08:27 Author: Source: Hits:

In computer network security, session fixation attacks attempt to exploit the vulnerability of a system which allows one person to fixate (set) another person's session identifier (SID). Most session fixation attacks are web based, and most rely on session identifiers being accepted from URLs (query string) or POST data.


Attack scenarios

Alice has an account at the bank . Unfortunately, Alice is not very security savvy.

Mallory is out to get Alice's money from the bank.

Alice has a reasonable level of trust in Mallory, and will visit links Mallory sends her.

A simple attack scenario

Straightforward scenario:

Attack using server generated SID

A misconception is that servers which only accept server generated session identifiers are safe from fixation. This is false.

Scenario:

Attacks using cross-site cooking

Another session fixation attack, cross-site cooking, exploits browser vulnerabilities. This allows the site to store cookies in Alice's browser in the cookie domain of another server , which is trusted. This attack can succeed even when there is no vulnerability within , because may assume that browser cookie management is secure.

Scenario:

Attacks using cross-subdomain cooking

This is like cross-site cooking, except that it does not rely on browser vulnerabilities. Rather, it relies on the fact that wildcard cookies can be set by one subdomain that affect other subdomains.

Scenario:

Each of these attack scenarios has resulted in Cross-calation, where Mallory has successfully gained access to the functions and data normally reserved for Alice.

An alternate attack scenario does not require Alice to log in to a site. Rather, simply by fixing the session, Mallory may be able to spy on Alice and abuse the data she enters. For example, Mallory may use the above attacks to give Alice her own authenticated session—so Alice will start using the site with all the authentication of Mallory. If Alice decides to purchase something on this site and enters her credit card details, Mallory might be able to retrieve that data (or other confidential data) by looking through the historical data stored for the account.

Countermeasures

Do not accept session identifiers from GET / POST variables

Session identifiers in URL (query string, GET variables) or POST variables are not recommended as they simplify this attack – it is easy to make links or forms which set GET / POST variables.

Additionally, session identifiers (SIDs) in query strings enable other risks and attack scenarios:

Note: Cookies are shared between tabs and popped-up browser windows. If your system must serve several sites from the same domain, distinguished only by a query parameter (?code=site1 and ?code=site2), their cookies may conflict with one another between tabs.

It may be necessary to send the session identifier in the URL in order to overcome this limitation. If possible, use separate hostnames such as site1.example.com and site2.example.com so that there are no domain conflicts in the cookies. This may incur costs for extra SSL certificates.

This behavior can be seen on many sites by opening another tab and trying to do side by side search results. One of the sessions will become unusable.

Best solution: Identity Confirmation

This attack can be largely avoided by changing the session ID when users log in. If every "important" request requires the user to be authenticated with ("logged into") the site, an attacker would need to know the id of the victim's log-in session. When the victim visits the link with the fixed session id, however, they will need to log into their account in order to do anything "important" as themselves. At this point, their session id will change and the attacker will not be able to do anything "important".
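The following is an added example, not code from the Wikipedia article, that replays the scenario above against two toy login handlers: one that authenticates whatever SID arrives (from the query string, POST data or cookie) and one that reads the SID from the Cookie header only, discards unknown SIDs and rotates the SID at login. It also emits a host-only Set-Cookie value (no Domain attribute, HttpOnly, Secure), which is the cookie-scoping point from the cross-subdomain cooking and "store in HTTP cookies" sections. The cookie name SID, the Request class and the session store are assumptions made for this example.

```python
import secrets
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

COOKIE_NAME = "SID"  # assumed cookie name for this example


@dataclass
class Request:
    """Constructed stand-in for what the server sees of one HTTP request."""
    cookie_header: str = ""
    query_string: str = ""
    form: dict = field(default_factory=dict)


class SessionStore:
    """Server-side session table keyed by unguessable, server-generated SIDs."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def adopt(self, sid):
        """Weak behaviour: start a session under whatever SID the client presented."""
        return self._sessions.setdefault(sid, {"user": None})

    def get(self, sid):
        return self._sessions.get(sid)

    def regenerate(self, old_sid):
        """Move the session data to a fresh SID and invalidate the old one."""
        data = self._sessions.pop(old_sid, {"user": None})
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid


def sid_from_cookie(req):
    """Countermeasure: the SID is read from the Cookie header only."""
    jar = SimpleCookie()
    jar.load(req.cookie_header)
    return jar[COOKIE_NAME].value if COOKIE_NAME in jar else None


def sid_from_anywhere(req):
    """Weak pattern: URL query string and POST data override the cookie."""
    qs = parse_qs(req.query_string)
    if COOKIE_NAME in qs:
        return qs[COOKIE_NAME][0]
    if COOKIE_NAME in req.form:
        return req.form[COOKIE_NAME]
    return sid_from_cookie(req)


def login_fixable(store, req, user):
    """Vulnerable login: authenticates the SID that arrived, wherever it came from."""
    sid = sid_from_anywhere(req) or store.create()
    store.adopt(sid)["user"] = user
    return sid


def login_hardened(store, req, user):
    """Hardened login: cookie-only SID, unknown SIDs discarded, SID rotated on login."""
    sid = sid_from_cookie(req)
    if sid is None or store.get(sid) is None:
        sid = store.create()
    new_sid = store.regenerate(sid)  # the pre-login SID is now worthless
    store.get(new_sid)["user"] = user
    return new_sid                   # returned to the browser in Set-Cookie


def session_cookie_header(sid):
    """Set-Cookie value: host-only (no Domain attribute), HttpOnly, Secure, SameSite=Lax."""
    return f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def fixation_succeeds(login_fn, vector):
    """Replay the article's scenario: Mallory obtains a server-generated SID, plants it in
    Alice's browser (via a link query string or a cookie), Alice logs in, and Mallory then
    presents the same SID. Returns True if Mallory now holds Alice's authenticated session."""
    store = SessionStore()
    fixed_sid = store.create()  # Mallory's own, legitimately issued SID
    if vector == "query":
        alice_req = Request(query_string=f"{COOKIE_NAME}={fixed_sid}")
    else:
        alice_req = Request(cookie_header=f"{COOKIE_NAME}={fixed_sid}")
    login_fn(store, alice_req, "alice")
    mallory_req = Request(cookie_header=f"{COOKIE_NAME}={fixed_sid}")
    sess = store.get(sid_from_cookie(mallory_req))
    return sess is not None and sess["user"] == "alice"


if __name__ == "__main__":
    for name, fn in (("fixable", login_fixable), ("hardened", login_hardened)):
        for vector in ("query", "cookie"):
            print(f"{name:8s} via {vector:6s}: hijacked={fixation_succeeds(fn, vector)}")
```

Running the script shows the fixable handler losing Alice's session on both vectors and the hardened handler losing it on neither: ignoring the query string defeats the link-based variant, and regenerating the SID at login defeats the variant where the SID was already planted as a cookie (the cross-site and cross-subdomain cooking cases), because the SID Mallory knows no longer maps to any session.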

A similar technique can be used to solve the phishing problem. If the user protects their account with two passwords, then it can be solved to a great extent.

Solution: Store session identifiers in HTTP cookies

The session identifier on most modern systems is stored by default in an HTTP cookie, which has a moderate level of security as long as the session system disregards GET/POST values.[citation needed] However, this solution is vulnerable to cross-site request forgery.

Solution: Utilize SSL / TLS session identifier

When enabling HTTPS security, some systems allow applications to obtain the SSL / TLS session identifier. Use of the SSL/TLS session identifier is very secure, but many web development languages do not provide robust built-in functionality for this.

SSL/TLS session identifiers may be suitable only for critical applications, such as those on large financial sites, due to the size of the systems. This issue, however, is rarely debated even in security forums.[citation needed]

Regenerate SID on each request
