New WAS QID - 150129 Insufficient Session Protection/Regeneration - Details
By the end of day, Tuesday 9/2/2014, Qualys will release a new QID for WAS. It is QID 150129 for Insufficient Session Protection/Regeneration. The details for this new QID are as follows:
Insufficient Session Protection/Regeneration can lead to ‘session fixation’, where the victim is forced to use a session ID chosen by an attacker. In order to exploit the vulnerability, an attacker needs to install the trap session ID cookie in a user's browser by leveraging methods such as executing client-side script to set the cookie header, or meta tag injection. An XSS vulnerability needs to be present to leverage these methods. However, there are alternative methods to exploit the 'Insufficient Session Protection/Regeneration' vulnerability.
Another thing to understand is why ‘we’ care about regenerating the session at all.
Before a user logs in to an app, their session cookie might be exposed to an attacker who can sniff the traffic (e.g. it's not using HTTPS) or who can force a value for the cookie (e.g. "fix" the session). Then, when the user logs in, the attacker would know the value of the session cookie and could replay it to impersonate the user. However, if the site regenerates the value of the session cookie after the user logs in, then the attacker won't (or shouldn't) be able to know the new value and therefore wouldn't be able to impersonate them.
The steps taken to detect the Insufficient Session Protection/Regeneration vulnerability are as follows:
1. The test is performed only if authentication is successful and if the session ID cookie is present in the authentication request.
2. The test begins with the verification of the authentication state and by identifying and collecting session ID(s) of the application.
3. If authentication is successful, the test determines whether the session ID cookie is present in the authentication request.
4. If the session ID is found, the test extracts the session ID cookie value of the first request after authentication.
5. It then compares whether the session ID cookie value of the pre-authentication request is the same as the post-authentication request's session ID cookie value.
6. We will then report the vulnerability if the session ID cookie value is not regenerated post-authentication.
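The steps above, written out as a small Python check together with a toy login handler that shows both the flawed behaviour and the remediation. This is an added illustration, not Qualys WAS code; the cookie name SESSIONID, the header lists and the pre-auth ID "abc123" are constructed for the example.

```python
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "SESSIONID"   # assumed cookie name for this constructed example


def session_id_from_headers(headers):
    """Return the session ID cookie value found in Cookie/Set-Cookie headers, or None."""
    for name, value in headers:
        if name.lower() in ("cookie", "set-cookie"):
            jar = SimpleCookie()
            jar.load(value)
            if SESSION_COOKIE in jar:
                return jar[SESSION_COOKIE].value
    return None


def check_session_regeneration(auth_request_headers, auth_succeeded, first_post_auth_headers):
    """Mirror the QID 150129 steps: compare the session cookie sent with the login
    request against the one sent on the first request after login."""
    if not auth_succeeded:                        # step 1: only test after a successful login
        return "not_tested"
    pre = session_id_from_headers(auth_request_headers)
    if pre is None:                               # step 3: cookie must be in the auth request
        return "not_tested"
    post = session_id_from_headers(first_post_auth_headers)   # step 4
    if post is None:
        return "not_tested"
    return "vulnerable" if pre == post else "ok"  # steps 5-6: unchanged ID means fixation risk


def login(store, presented_id, credentials_ok, regenerate):
    """Toy server-side login. regenerate=False keeps the pre-auth ID (the flaw);
    regenerate=True invalidates it and issues a fresh one (the remediation)."""
    if not credentials_ok:
        return presented_id
    if regenerate:
        store.pop(presented_id, None)             # invalidate the pre-auth session
        presented_id = secrets.token_urlsafe(32)  # unguessable replacement ID
    store[presented_id] = {"authenticated": True}
    return presented_id


def simulate(regenerate):
    """Run a constructed login flow against the toy server and return the check result."""
    store, pre_auth_id = {}, "abc123"             # attacker-known pre-auth ID (constructed)
    store[pre_auth_id] = {"authenticated": False}
    auth_request = [("Cookie", f"{SESSION_COOKIE}={pre_auth_id}")]
    post_auth_id = login(store, pre_auth_id, True, regenerate)
    first_request_after = [("Cookie", f"{SESSION_COOKIE}={post_auth_id}")]
    return check_session_regeneration(auth_request, True, first_request_after)
```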
The remediation in this case would be to invalidate the session after successful authentication and regenerate the session ID value.
If you have any questions, please let me or the WAS team know and feel free to contact me directly or reply to this post.