Session Management Attacks – Part 2

If you are unfamiliar with Session Management, you can check out my previous article Session Management Part One

I will focus on prevention in this second part of the Session Management topic.

 It is very crucial to handle sessions properly. That means that the application needs to create, maintain, and destroy session tokens properly over the life cycle of the web session.

The two most common session management attacks are session hijacking and session fixation.

I came across a great  blog  you can check out for nice visually explained attacks.

 Session hijacking is the attack where the hacker can gather the information that will help him to reveal the session ID and hijack it and log in as a victim himself.

 After successful authentication, a session fixation attack happens when an application does not change the session ID.

 Preventing Session Management Vulnerabilities

This is an unordered list of the best prevention practices, so you can create a more secure application with “in theory” no session vulnerabilities.

• Session identifier should remain confidential to the application. That can be achieved with:
• Use HTTPS to transfer the session ID token
• Don’t expose session ID in URL, in page content, hidden elements in DOM
• Set secure flags on session ID token cookies, such as “secure” and “httpOnly” – These restrict cookie transfer to HTTPS, and cookies cannot be accessed by JavaScript. You can also check some flags you can use to secure cookies in the article Path Traversal.
• Session ID token (cookie) should have a browser session lifetime. That means that cookies should not be stored in the file, but in the browser memory, so the content can disappear when the browser closes
• Implementing an inactivity timeout for every session. Bellow in the text is an example how to implement timeout using Angular
• When a user logs out, the session on the server should be terminated (proper logging out)
• New session ID should be generated in response for the authentication to be successful
• Use the latest web server framework to generate a new session ID token.
• Pay attention to:
  
  • Session ID name should not describe details about the meaning of the content
  • Session ID length must be at least 128 bits (16 bytes).
  • Session ID must be random enough to prevent from easily guessing
  • Session ID content must be meaningless to prevent information disclosure
• When the application is created for mobile devices, be aware that when you are invalidating a session, you should do it on the mobile and server sides. We can invalidate the session by calling session.invalidate() to destroy the session. 
• In the mobile app, use the session timeout window. Timeout periods depend on the level of the security of the application, they are often:
  
  • High level – 15 min
  • Medium level – 30 min
  • Low level – 1 hour 
• When resetting cookies, cover all authentication state changes, switch from guest user to logged-in user, one to another logged-in user, refresh after the timeout, etc.
• In order not to be able to access data exchanged within the session, the application should use restrictive cache directives for all data that went through HTTP and HTTPS
• Try to perform identity verification. Check the user’s usual IP address or application usage patterns in the application
• Use a web application firewall (WAF)
• When attackers use Brute-Force/Credential stuffing attacks, they attempt multiple logins. A good practice is to limit failed login attempts.
• Enabling multi-factor authentication (MFA) 
• Implement strong password policies
• Implement all prevention steps to avoid XSS vulnerabilities which can be used to steal session IDs. Check out articles about XSS on Vicarius site
• Don’t store passwords in cleartext
• Implement solutions that match used passwords against a list of breached credentials, so users can know and not use the same credentials (breached password protection)
• When using the secure attribute for cookie application, the “__Host” prefix can also prevent overwriting the user’s cookies.
• Try not to use old legacy frameworks and develop with modern tools. If you need to use old technology, try to add a filter or use a configuration setting to disable dangerous functionalities. For example, J2EE supports session management via URL.
• Use a strict CSP (Content Security Policy)
• Use preloaded HSTS (HTTP Strict Transport Security) to force connections to the website to be encrypted. Enable protection by adding the ‘Strict-Transport-Security’ header. Include subdomains also and enable HSTS. For implementation check out site

Organization protection from session hijacking

It is also good to protect not just the application but your organization from these types of attacks. By organization, I mean the most crucial thing – customers or consumers. To protect consumers sessions, the organization can use certificates: 

• “SSL (Secure Sockets Layer) provides security to the data that is transferred between web browser and server. SSL encrypts the link between a web server and a browser which ensures that all data passed between them remain private and free from attack” – more info on site
• TLS (Transport Layer Security) – which is more secured version of SSL. TLS ensures that no third party may eavesdrop or tampers with any message. More info on the site

Of course, there are also some steps that organizations can use these attacks, such as again

• Keep the system up to date by setting up automatic updates on all devices.
• Use antivirus software that can protect against session hijacking attackers
• Incorporate web frameworks instead of inventing your own session management
• Prevent consumers from using a public hotspot (WiFi)
• Use a Virtual Private Network in the organization
• Implement some checks and prevent phishing attacks. Clicking on an email session can be easily stolen.
• Enabling multi-factor authentication (MFA)
• Enforce using strong passwords

Tools for detecting session management attacks:

• Crashtest Security Suite
• HDIV Security
• Invicti (formerly NetSparker)
• Metasploit
• Nessus

How to implement an Inactivity timer

In this example, I will show how to manually create an inactivity timer. You can also implement an Idle timeout if you want to use a third library for implementing timeout. There is a good article that describes the implementation.

Idle timeout is the time the user is inactive on the application. This timeout is needed for better security and to stop unnecessary API calls.

Implementation

1. Create an array of events that you can check if they are not triggered for some time. That would mean that the user is inactive.

  public inactivityEvents: Array<any>[] = [
    [document, 'click'],
    [document, 'mousemove'],
    [document, 'keyup']
  ];

I added just three events as an example but don’t forget to add all necessary document and window events.

2. Create observable out of the array of events and add subscribers. Here the time should start counting, aka inactive timer. The timer will reset when events are triggered.

Declare observableArray as an array of Observables and inactivityObservable as Observable. Also, declare timeout and implement NgZone.

We need to implement NgZone because we want to use its method runOutsideAngular because we want to do work without triggering Angular change detection.

  this.inactivityEvents.forEach(x => {
    observableArray$.push(fromEvent(x[0], x[1]))
  })
  this.inactivityObservable$ = merge(...observableArray$);
 
  this.ngZone.runOutsideAngular(() => {
 
    this.observeable$ = this.mergedObservable$
    .pipe(
      switchMap(ev => interval(1500).pipe(take(this.timeout))),
 
      tap(value => ...
        //here we can add logic for checking time left to inactivity and show notification to the user
        ),
 
      skipWhile((x) => {
        return x != this.timeout- 1
      })
    );
 
  this.subscription = this.observable$.subscribe((x) => {
   ...  
  })

3. After the set time expires, unsubscribe the observable. That is the moment the timer runs out of time.

      this.subscription.unsubscribe();

Conclusion

I just scratched the Session Management topic and summarized it. I tried to provide some additional documentation on how to implement those preventions. As this topic is a big one, follow my next articles, where I will also present a few more prevention implementations.

You can also check out some OWASP suggestions for prevention on this site.

In the end, secure code is the cheapest code!

#session_management #inactivity_timer

Cover photo by Philipp Katzenberger