SAP: Session (Fixation) Attacks and Protections (in Web Applications), presented at Black Hat Europe 2011

by Raul Siles (taddong)

Tags: Security

Summary: Session fixation has been a well-known web application vulnerability since 2002, yet even today open-source projects, widely deployed web application frameworks, and mission-critical commercial business platforms remain vulnerable to it, exposing thousands of production web environments worldwide. In particular, the exposure of business platform web interfaces, both on the Internet and internally, makes this type of vulnerability an entry point for gaining unauthorized access to business-critical data and infrastructure through targeted criminal attacks (blackmail, fraud, extortion, sabotage, theft and abuse) and industrial and corporate espionage.
The discovery of session fixation and session management flaws in web applications can have a devastating impact, allowing attackers to bypass even the most advanced authentication mechanisms. Because session management is a core component of web application architectures, and because modern web solutions are complex and industry specifications impose overly broad session management requirements, fixing session fixation vulnerabilities may require a full reassessment and in-depth analysis of the web application design. Such a fix also affects third-party modules and products and, in some cases, takes several months to complete; meanwhile, the environments remain vulnerable.
The presentation provides an updated, in-depth look at session fixation attacks through case studies from real-world penetration tests, including the details of how these vulnerabilities were discovered and exploited, the vendor timelines from initial report to fix and disclosure, and their impact. Following responsible disclosure and best practices over the last two years, the examples detail vulnerabilities in the open-source Joomla! CMS, the public disclosure of a session fixation flaw in a widely used web application server, and a 0-day vulnerability in the core platform of the world's leading business software vendor.