Class: Arachni::Checks::SessionFixation

Inherits:
Arachni::Check::Base
Defined in:
components/checks/active/session_fixation.rb

Overview

Session fixation check.

It identifies the session cookie by iterating through all cookies in the cookie-jar and performing login checks with each cookie removed. The session cookie is the one which results in a failed check.

It then injects a taint via all page links and forms and checks whether or not the taint ended up in the session cookie's value. If so, the webapp is vulnerable.

The check requires a login-check and a valid, logged-in session.
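The two steps described in the overview (locate the session cookie by dropping cookies one at a time, then taint every input and look for the taint in the session cookie the server sets) and the remedy guidance in the issue description below (never adopt client-supplied session tokens; regenerate the token at login) can be exercised end to end against a small in-memory application. The following is an added, self-contained Ruby example; it is not Arachni code and not part of this component. `ToyApp`, its routes, the `sid` parameter, the `SESSIONID` cookie, the `alice`/`secret` credentials and the `profile of` login pattern are all constructed for the example.

```ruby
require 'securerandom'

# Constructed in-memory web app with two switchable session policies; not an Arachni
# component and not a real framework. Requests/responses are plain Hashes: cookies are
# name => value, and the :cookies of a response stand in for its Set-Cookie headers.
class ToyApp
  SESSION_COOKIE = 'SESSIONID'

  def initialize(accept_client_token:, regenerate_on_login:)
    @accept_client_token = accept_client_token  # weak: adopt any token the client presents
    @regenerate_on_login = regenerate_on_login  # remedy: issue a fresh token after auth
    @sessions = {}                               # token => { user: String or nil }
  end

  # A page whose link carries the session id as a URL parameter (the input the check taints).
  def index(cookies:, params: {})
    token = resolve(cookies, params)
    { body: 'home', cookies: { SESSION_COOKIE => token } }
  end

  # Login form handler.
  def login(cookies:, params: {})
    token = resolve(cookies, params)
    if params['user'] == 'alice' && params['pass'] == 'secret'
      if @regenerate_on_login
        @sessions.delete(token)     # the pre-auth token must not become an authenticated one
        token = fresh_token
      end
      @sessions[token][:user] = 'alice'
    end
    body = @sessions[token][:user] ? 'welcome alice' : 'login failed'
    { body: body, cookies: { SESSION_COOKIE => token } }
  end

  # Authenticated-only page; its body is what the login check pattern-matches on.
  def profile(cookies:)
    s = @sessions[cookies[SESSION_COOKIE]]
    { body: s && s[:user] ? "profile of #{s[:user]}" : 'please log in', cookies: {} }
  end

  private

  # Decide which session a request belongs to. The weak policy adopts a token the
  # server never issued (from a URL parameter or cookie); the safe one only resumes
  # tokens it minted itself and mints a new one otherwise.
  def resolve(cookies, params)
    candidate = params['sid'] || cookies[SESSION_COOKIE]
    if candidate && (@accept_client_token || @sessions.key?(candidate))
      @sessions[candidate] ||= { user: nil }
      return candidate
    end
    fresh_token
  end

  def fresh_token
    t = SecureRandom.hex(16)
    @sessions[t] = { user: nil }
    t
  end
end

# Login check: the authenticated page must match the expected pattern for the given cookie jar.
def logged_in?(app, jar)
  app.profile(cookies: jar)[:body].include?('profile of')
end

# Obtain a valid logged-in jar; the extra 'lang' cookie is a decoy the check must ignore.
def logged_in_jar(app)
  res = app.login(cookies: {}, params: { 'user' => 'alice', 'pass' => 'secret' })
  { ToyApp::SESSION_COOKIE => res[:cookies][ToyApp::SESSION_COOKIE], 'lang' => 'en' }
end

# Step 1 of the overview: drop each cookie in turn and re-run the login check; the
# cookie whose removal breaks the check is the session cookie.
def find_session_cookie(app, jar)
  jar.keys.find { |name| !logged_in?(app, jar.reject { |k, _| k == name }) }
end

# Step 2 of the overview: push a taint through each input and see whether the
# session cookie the server sets in response contains it.
def session_fixation?(app, jar, taint)
  name = find_session_cookie(app, jar)
  return false unless name
  inputs = [->(c) { app.index(cookies: c, params: { 'sid' => taint }) },
            ->(c) { app.login(cookies: c, params: { 'sid' => taint }) }]
  inputs.any? { |submit| (submit.call(jar)[:cookies][name] || '').include?(taint) }
end

# Exercises the second remedy point: after a login made with a client-chosen token,
# does that same token still resolve to the authenticated session?
def client_token_survives_login?(app, token)
  app.login(cookies: {}, params: { 'sid' => token, 'user' => 'alice', 'pass' => 'secret' })
  logged_in?(app, { ToyApp::SESSION_COOKIE => token })
end
```

With `accept_client_token: true, regenerate_on_login: false` the app echoes the taint back in `SESSIONID` and `session_fixation?` reports it, exactly the condition the check logs; with both remedies applied it does not. A server that still adopts client tokens but regenerates at login is also flagged by the taint test, because the pre-authentication cookie still carries the taint, yet `client_token_survives_login?` returns false for it, which is the property the regeneration advice is about.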

Author:

Version:

  • 0.1.3

Constant Summary

Constants included from Arachni::Check::Auditor

Arachni::Check::Auditor::DOM_ELEMENTS_WITH_INPUTS, Arachni::Check::Auditor::ELEMENTS_WITH_INPUTS, Arachni::Check::Auditor::FILE_SIGNATURES, Arachni::Check::Auditor::FILE_SIGNATURES_PER_PLATFORM, Arachni::Check::Auditor::Format, Arachni::Check::Auditor::SOURCE_CODE_SIGNATURES_PER_PLATFORM

Constants included from Arachni

BANNER, Arachni::Cookie, Form, Header, JSON, Link, LinkTemplate, NestedCookie, Severity, UIForm, UIInput, VERSION, WEBSITE, WIKI, XML

Instance Attribute Summary

Attributes included from Arachni::Check::Auditor

#framework, #page

Class Method Summary

Instance Method Summary

Methods inherited from Arachni::Check::Base

#browser_cluster, #clean_up, elements, exempt_platforms, has_exempt_platforms?, has_platforms?, #initialize, platforms, #plugins, prefer, #preferred, preferred, #prepare, #session, supports_platforms?

Methods included from Arachni::Check::Auditor

#audit, #audit_differential, #audit_signature, #audit_timeout, #audited, #audited?, #buffered_audit, #each_candidate_dom_element, #each_candidate_element, has_timeout_candidates?, #http, #initialize, #log, #log_issue, #log_remote_file, #log_remote_file_if_exists, #match_and_log, #max_issues, #preferred, reset, #skip?, timeout_audit_run, #trace_taint, #with_browser, #with_browser_cluster

Methods inherited from Arachni::Component::Base

author, description, fullname, #shortname, shortname, shortname=, version

Methods included from Arachni::Component::Output

#depersonalize_output, #depersonalize_output?, #intercept_print_message

Methods included from UI::Output

#caller_location, #debug?, #debug_level, #debug_level_1?, #debug_level_2?, #debug_level_3?, #debug_level_4?, #debug_off, #debug_on, #disable_only_positives, #error_buffer, #error_log_fd, #error_logfile, #has_error_log?, #included, #log_error, #mute, #muted?, #only_positives, #only_positives?, #print_bad, #print_debug, #print_debug_backtrace, #print_debug_exception, #print_debug_level_1, #print_debug_level_2, #print_debug_level_3, #print_debug_level_4, #print_error, #print_error_backtrace, #print_exception, #print_info, #print_line, #print_ok, #print_status, #print_verbose, #reroute_to_file, #reroute_to_file?, reset_output_options, #set_error_logfile, #unmute, #verbose?, #verbose_off, #verbose_on

Methods included from Arachni::Component::Utilities

#read_file

Methods included from Utilities

#available_port, available_port_mutex, #bytes_to_kilobytes, #bytes_to_megabytes, #caller_name, #caller_path, #cookie_decode, #cookie_encode, #cookies_from_file, #cookies_from_parser, #cookies_from_response, #exception_jail, #exclude_path?, #follow_protocol?, #form_decode, #form_encode, #forms_from_parser, #forms_from_response, #full_and_absolute_url?, #generate_token, #get_path, #hms_to_seconds, #html_decode, #html_encode, #include_path?, #links_from_parser, #links_from_response, #normalize_url, #page_from_response, #page_from_url, #parse_set_cookie, #path_in_domain?, #path_too_deep?, #port_available?, #rand_port, #random_seed, #redundant_path?, #regexp_array_match, #remove_constants, #request_parse_body, #seconds_to_hms, #skip_page?, #skip_path?, #skip_resource?, #skip_response?, #to_absolute, #uri_decode, #uri_encode, #uri_parse, #uri_parse_query, #uri_parser, #uri_rewrite

Methods included from Arachni

URI, collect_young_objects, #get_long_win32_filename, jruby?, null_device, profile?, windows?

Constructor Details

This class inherits a constructor from Arachni::Check::Base

Class Method Details

.info ⇒ Object


# File 'components/checks/active/session_fixation.rb', line 67

def self.info
    {
        name:        'Session fixation',
        description: %q{
Checks whether or not the session cookie can be set to an arbitrary value.
},
        elements:    [ Element::Form, Element::Link, Element::LinkTemplate ],
        author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>',
        version:     '0.1.2',

        issue:       {
            name:        %q{Session fixation},
            description: %q{
HTTP by itself is a stateless protocol; therefore, the server is unable to
determine which requests are performed by which client and which clients are
authenticated or unauthenticated.

The use of HTTP cookies within the headers allows a web server to identify each
individual client and can thus determine which clients hold valid authentication
from those that do not.
These are known as session cookies or session tokens.

To prevent clients from being able to guess each other's session token, each
assigned session token should be entirely random and be different whenever a
session is established with the server.

Session fixation occurs when the client is able to specify their own session
token value and the value of the session cookie is not changed by the server
after successful authentication.
Occasionally, the session token will also remain unchanged for the user independently
of how many times they have authenticated.

Cyber-criminals will abuse this functionality by sending crafted URL links with a
predetermined session token within the link. The cyber-criminal will then wait
for the victim to login and become authenticated.
If successful, the cyber-criminal will know a valid session ID and therefore have
access to the victim's session.

Arachni has discovered that it is able to set its own session token.
},
            references:  {
                'OWASP - Session fixation' => 'https://www.owasp.org/index.php/Session_fixation',
                'WASC'  => 'http://projects.webappsec.org/w/page/13246960/Session%20Fixation'
            },
            tags:        %w(session cookie injection fixation hijacking),
            cwe:         384,
            severity:    Severity::HIGH,
            remedy_guidance: %q{
The most important remediation action is to prevent the server from accepting
client supplied data as session tokens.

Additionally, the client's session token should be changed at specific key stages
of the application flow, such as during authentication. This will ensure that even
if clients are able to set their own cookie, it will not persist into an authenticated
session.
}
        }
    }
end

Instance Method Details

#run ⇒ Object


# File 'components/checks/active/session_fixation.rb', line 30

def run
    # The check needs a configured login-check (check URL + pattern) to tell a
    # logged-in session from a logged-out one.
    if !session.has_login_check?
        print_info 'No login-check has been set, cannot continue.'
        return
    end

    # Verify that the scanner still holds a valid, logged-in session.
    session.logged_in? do |logged_in|
        if !logged_in
            print_bad 'We seem to have been logged out, cannot continue'
            next
        end

        # Identify the session cookie (the one whose removal fails the login-check).
        session.cookie do |cookie|
            name = cookie.name
            print_info "Found session cookie named: #{name}"

            # Submit the taint through every auditable element; the response
            # body is irrelevant, only its Set-Cookie headers matter.
            audit(
                token,
                with_raw_parameters: false,
                submit: {
                    response_max_size: 0
                }
            ) do |response, element|
                cookie = cookies_from_response( response ).
                    select { |c| c.name == name }.first
                # Vulnerable only if the server set the session cookie to our taint.
                next if !cookie || !cookie.value.include?( token )

                log(
                    vector:   element,
                    response: response,
                    proof:    cookie.source
                )
            end
        end
    end
end

#token ⇒ Object


# File 'components/checks/active/session_fixation.rb', line 26

def token
    "_arachni_sf_#{random_seed}"
end