Chapter 3

This document discusses web sessions and session management. It defines a web session as a series of actions by a visitor on a website within a given time frame. It notes that sessions are tracked using session IDs stored in cookies or URLs, and that session management is important for tracking users and authentication. Potential vulnerabilities with session management include session hijacking, fixation, sniffing, and prediction attacks if sessions are not properly terminated or tokens are predictable, transmitted insecurely, or accessible in server logs. Proper configuration of session expiration, secure transmission of tokens, and input validation can help mitigate these risks.

Uploaded by Muhd Khairul
Sessions
What is a web session?
● A web session is a series of contiguous actions by a visitor on an individual website within a given time frame.
● This could include your search engine searches, filling out a form to receive content, scrolling on a website page, adding items to a shopping cart, researching airfare, or which pages you viewed on a single website. Any interaction that you have with a single website is recorded as a web session to that website property.
Session vs Cookies
Session
● A session keeps its data on the server. With the default file-based handler (PHP's, for example) the server creates a file in a temporary directory where registered session variables and their values are stored. This data is available to all pages on the site during that visit; the browser holds only the session ID.
● A session ends when the user logs out or closes the browser (which discards the session cookie), or when the server terminates it after a predetermined period of inactivity, commonly 30 minutes.
Cookies
● Cookies are small text records stored on the client computer and kept for user-tracking purposes. A server script sends a set of cookies to the browser (for example a name, age or identification number) and the browser stores them on the local machine for future use.
● The next time the browser sends a request to that web server it includes those cookies, and the server uses the information to identify the user.
Session Management and User Authentication
● Session management is the rule set that governs interactions between a web-based application and users. Browsers and websites use HTTP to communicate, and a web session is a series of HTTP request and response transactions created by the same user.
● Since HTTP is a stateless protocol, where each request and response pair is independent of other web interactions, each command runs independently without knowing previous commands.
● In order to introduce the concept of a session, it is necessary to implement session management capabilities that link both the authentication and access control (or authorization) modules commonly available in web applications.
● There are two types of session management: cookie-based and URL rewriting. These can be used independently or together. A web administrator uses session management to track the frequency of visits to a website and movement within the site.
Session Management and User Authentication
● When user authentication and session management are not correctly configured, attackers may be able to compromise passwords or session tokens to gain access to user accounts and assume their identities.
● It's important for developers to ensure they're using the latest version of any framework, to securely configure session management options (cookie flags, timeouts, ID regeneration at login, server-side invalidation at logout) and to adopt application security testing to identify and remediate any issues.
Popular Web Frameworks
1. Django: the web framework of choice for most Python users.
2. Rails: Ruby on Rails is the web framework of choice for Ruby developers. It has a strong community and aims to make web development fast and simple.
3. ASP.NET Core: Microsoft's cross-platform, high-performance, open source framework for building cloud-first web applications.
4. Java Spring: Spring is a Java framework for building applications. It offers robust tools for building web applications and is a popular choice among enterprises.
Session Management Vulnerabilities
● Many cyberattacks exploit session management vulnerabilities that allow attackers to be recognized as valid website users.
● 82 percent of Web technology vulnerabilities relate to Web applications, and 34 percent of major Web application vulnerabilities affect session management mechanisms.
● Hijacking a Web navigation session is one of the most studied kinds of attacks.
Session Management Vulnerabilities
● Session management tracks a user's activity across sessions of interaction with a website. Its most widespread use is login, but it's also used when the user isn't required to log in, as in the case of many ecommerce websites or Web-based social networks.
● The typical way to implement it is to associate each user with a unique identifier, the session ID or session token. Token implementation typically employs one of these mechanisms:
1. Tokens are stored in cookies.
2. Tokens are sent in hidden fields of a specific form on the website.
3. Tokens, once created by the server, are added to each link the user clicks on (URL rewriting).
● Session management also employs other mechanisms. For example, some applications use HTTP authentication, where the browser sends the user's credentials in an HTTP header with every request rather than through the application's Web page code. This kind of authentication isn't common.
Session Management Vulnerabilities
Weak token generation.
● This kind of vulnerability lets attackers generate and use a valid token.
● Tokens can be created by composing pieces of user information, such as a username or e-mail address. If such a scheme is reversible, an attacker can decode a captured token and create a valid one for another user.
● Alternatively, tokens might be elements of an alphanumeric sequence; if the sequence is predictable (sequential or time-based), the next token can be guessed. Each token must therefore be as random as possible, drawn from a cryptographically secure random generator.
Session Management Vulnerabilities
● Another way to intercept tokens is by reading them from log files, such as browser history, Web server logs, and proxy logs. If the token is passed as a URL parameter, anyone with access to those logs can read it there.
● Poor session termination policies create many opportunities for attack. To reduce the time window for attacks, the session lifetime should be as short as usability allows. Some applications provide no mechanism for session expiration, which lets attackers try many values before a session expires.
Session Management Vulnerabilities
● When a user logs out, the server removes that token from the user's browser, but if the user (or attacker) sends a previously used token, the server keeps accepting it because the session was never invalidated on the server side. In the worst case, the server receives no request at logout and doesn't invalidate the session at all. If an attacker obtains this token, the attacker can use the session, just as the user who never logged out could.
● Finally, if the token is carried in a cookie, the cookie's attribute settings might introduce other vulnerabilities. If a cookie doesn't have the Secure flag set, it will also be sent over unencrypted (plain HTTP) connections; without the HttpOnly flag, script running in the page can read it.
Possible Attacks - Session Sniffing
● This attack intercepts HTTP packets. The attacker must place a sniffer on a machine in the victim's network or in the network of the organization responsible for the Web application. There are FOUR enabling vulnerabilities:
1. An area of the website that doesn't use HTTPS is identifiable.
2. The Secure flag isn't set on the session cookie.
3. The application allows HTTP requests for pages that are also served under HTTPS.
4. The application uses HTTP before authentication.
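Added example, not part of the original slides: a Python audit of a Set-Cookie header for the cookie-level weaknesses behind the enabling vulnerabilities above (missing Secure and HttpOnly, a SameSite value that permits cross-site sends, an over-broad Domain), with a constructed weak header beside its hardened form. The header values, the cookie name and the 16-character minimum are assumptions.

```python
from __future__ import annotations

# Canonical spellings used when re-emitting attributes.
_CANON = {"path": "Path", "domain": "Domain", "expires": "Expires", "max-age": "Max-Age",
          "secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}

# Constructed headers (assumptions; not captured from any real site).
WEAK_HEADER = "sessionid=5f1c9d0e7a2b4c6d8e0f1a2b3c4d5e6f; Path=/; Domain=.example.com"
HARDENED_HEADER = "sessionid=5f1c9d0e7a2b4c6d8e0f1a2b3c4d5e6f; Path=/; Secure; HttpOnly; SameSite=Lax"

def parse_set_cookie(header: str) -> tuple[str, str, dict]:
    """Split a Set-Cookie value into (name, value, {attribute-lowercased: value or True})."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs: dict = {}
    for part in rest:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs

def audit_set_cookie(header: str) -> list[str]:
    """List the sniffing/hijacking weaknesses visible in one Set-Cookie header."""
    _, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("Secure missing: cookie is also sent over plain HTTP (sniffable)")
    if "httponly" not in attrs:
        findings.append("HttpOnly missing: page script can read it (XSS hijacking)")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: attached to cross-site requests (CSRF)")
    if "domain" in attrs:
        findings.append(f"Domain={attrs['domain']}: cookie is shared with every subdomain")
    if len(value) < 16:                       # 16-character floor is an assumption
        findings.append("value shorter than 16 chars: likely too little entropy")
    return findings

def harden_set_cookie(header: str) -> str:
    """Re-emit the header with the missing protections added and the Domain scope dropped."""
    name, value, attrs = parse_set_cookie(header)
    attrs.pop("domain", None)
    attrs["secure"] = True
    attrs["httponly"] = True
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        attrs["samesite"] = "Lax"
    out = [f"{name}={value}"]
    for key, val in attrs.items():
        label = _CANON.get(key, key)
        out.append(label if val is True else f"{label}={val}")
    return "; ".join(out)

if __name__ == "__main__":
    for finding in audit_set_cookie(WEAK_HEADER):
        print("weak:", finding)
    print("hardened:", harden_set_cookie(WEAK_HEADER))
```

Run it against the Set-Cookie headers a proxy captures during login; a session cookie that still produces findings after hardening usually means the application sets it from more than one place.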


Possible Attacks - Session Sniffing
Log sniffing.
● This attack obtains the token by analyzing log files in the different systems involved in client-server communication. There are two enabling vulnerabilities:
1. The token is transmitted as a URL parameter, in which case it might be recorded in the log files.
2. The token is transmitted as a hidden field, and the server accepts GET requests in place of POST requests (so the field ends up in the URL).
Cache sniffing.
● If the attacker accesses the browser or proxy cache, the attacker could obtain the token in any format containing it (cookie, URL parameter, or hidden field).
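Added example, not part of the original chapter: a Python scan over constructed access-log lines (not real traffic) that flags session tokens recorded in the request URL, in a servlet-style ;jsessionid path parameter, or in the Referer, which are the two enabling vulnerabilities above as they appear in a Web server or proxy log. The parameter-name list and the combined log format are assumptions.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names that commonly carry a session token (assumption; extend for your application).
TOKEN_PARAMS = {"phpsessid", "jsessionid", "sessionid", "session_id", "sid",
                "session_token", "token", "asp.net_sessionid", "cfid", "cftoken"}

# Combined log format: client ident user [time] "method target proto" status bytes "referer"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"')

# Constructed sample lines (assumption; not real traffic). Line 1 is vulnerability 1 (token as a
# URL parameter), line 3 a path parameter, line 4 the token leaking through the Referer of a
# later request, line 5 vulnerability 2 (a hidden-field form the server also accepted over GET).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /account?PHPSESSID=4f3c2e1a9b8d7c6e5f4a3b2c1d0e9f8a HTTP/1.1" 200 512 "-"
10.0.0.7 - - [10/Oct/2023:13:55:40 +0000] "GET /cart HTTP/1.1" 200 1024 "-"
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /checkout;jsessionid=8A9B7C6D5E4F3A2B1C0D HTTP/1.1" 200 2048 "-"
10.0.0.9 - - [10/Oct/2023:13:56:05 +0000] "GET /help HTTP/1.1" 200 300 "https://shop.example/checkout;jsessionid=8A9B7C6D5E4F3A2B1C0D"
10.0.0.4 - - [10/Oct/2023:13:56:09 +0000] "GET /transfer?session_token=d41d8cd98f00b204&amount=100 HTTP/1.1" 200 0 "-"
"""

def tokens_in_url(target: str) -> list[tuple[str, str]]:
    """(param, value) pairs from the query string and from ;name=value path parameters."""
    found = []
    parts = urlsplit(target)
    for key, val in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in TOKEN_PARAMS:
            found.append((key, val))
    for key, val in re.findall(r";([^;=/?]+)=([^;/?]+)", parts.path):
        if key.lower() in TOKEN_PARAMS:
            found.append((key, val))
    return found

def redact(value: str) -> str:
    """Never copy a live token into a finding; keep a short prefix for correlation only."""
    return value[:4] + "..."

def scan_access_log(text: str) -> list[dict]:
    """One finding per token occurrence, saying where in the log line it was recorded."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, target, _status, referer = m.groups()
        for param, val in tokens_in_url(target):
            findings.append({"client": client, "where": "request-url", "method": method,
                             "param": param, "value": redact(val)})
        if referer != "-":
            for param, val in tokens_in_url(referer):
                findings.append({"client": client, "where": "referer", "method": method,
                                 "param": param, "value": redact(val)})
    return findings

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

A hit in the request URL means the application itself put the token there; a hit only in the Referer means a third-party page received it when the user followed an outbound link, which the Referrer-Policy header is meant to prevent.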
Possible Attacks - Session Prediction
● Even if the Web application doesn't allow interception of the token, a weak token-generation algorithm lets the attacker "guess" a token and connect to the website as a legitimate user. Two approaches:
1. Token tampering: modify a captured token (for example, change the encoded username) into one that is valid for another user.
2. Brute-force attack: enumerate candidate tokens until the server accepts one; short or low-entropy tokens and sessions that never expire make this feasible.
● The attacker can collect different tokens and analyze their randomness with tools such as the Burp Suite Sequencer (http://portswigger.net/suite).
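Added example, not from the slides, covering both the weak token generation slide earlier and the prediction attack above: a Python demonstration of a reversible token that an attacker can decode and forge (token tampering), a sequential token, and a CSPRNG token, followed by a Sequencer-style check that counts character positions which never change across a sample. The token layouts, usernames, timestamps and the 25% threshold are assumptions.

```python
from __future__ import annotations

import base64
import secrets

# Constructed weak scheme (assumption, not from the slides): base64(username ":" issue-time).
# Anything a client can decode, an attacker can re-encode with a different identity.
def weak_token(username: str, issued_at: int) -> str:
    return base64.urlsafe_b64encode(f"{username}:{issued_at}".encode()).decode()

def decode_weak_token(token: str) -> tuple[str, int]:
    """Attacker step 1: decode a token the attacker was legitimately issued."""
    user, _, issued = base64.urlsafe_b64decode(token.encode()).decode().partition(":")
    return user, int(issued)

def forge_token(captured_token: str, victim: str) -> str:
    """Attacker step 2 (token tampering): keep the learned layout, swap in the victim's name."""
    _, issued_at = decode_weak_token(captured_token)
    return weak_token(victim, issued_at)

def sequential_token(counter: int) -> str:
    """Second weak scheme: a zero-padded counter; the next value is obvious from the last."""
    return f"{counter:032d}"

def strong_token() -> str:
    """What the server should issue: 256 bits from the OS CSPRNG, nothing to decode."""
    return secrets.token_urlsafe(32)

def fixed_positions(tokens: list[str]) -> int:
    """Sequencer-style check: how many character positions are identical across the sample.
    Random tokens share (almost) none; structured or sequential tokens share most."""
    width = min(len(t) for t in tokens)
    return sum(1 for i in range(width) if len({t[i] for t in tokens}) == 1)

def looks_predictable(tokens: list[str], max_fixed_fraction: float = 0.25) -> bool:
    """Flag a sample when more than max_fixed_fraction of positions never change (threshold assumed)."""
    width = min(len(t) for t in tokens)
    return fixed_positions(tokens) / width > max_fixed_fraction

def demo() -> dict:
    mine = weak_token("mallory", 1_700_000_000)          # the attacker's own session token
    forged = forge_token(mine, "alice")                  # now a valid token for alice
    weak_sample = [weak_token("alice", 1_700_000_000 + i) for i in range(20)]
    sequential_sample = [sequential_token(4200 + i) for i in range(20)]
    strong_sample = [strong_token() for _ in range(20)]
    return {
        "forged_matches_victim": forged == weak_token("alice", 1_700_000_000),
        "weak_predictable": looks_predictable(weak_sample),
        "sequential_predictable": looks_predictable(sequential_sample),
        "strong_predictable": looks_predictable(strong_sample),
    }

if __name__ == "__main__":
    print(demo())
```

The fixed-position count is only the first of the Sequencer's tests; a token can pass it and still be weak if the varying characters come from a small or time-correlated space, so treat a clean result as necessary, not sufficient.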
Session Fixation
● The attack has three steps:
1. Session setup. The attacker creates a session on the server (trap session) and receives or creates the token. In some cases, the attacker must keep the session alive (session maintenance) by sending requests at regular intervals.
2. Session fixation. The attacker introduces the token into the victim's browser (for example through a link carrying the session ID, or by setting the cookie).
3. Session entrance. The attacker waits for the user to enter the session, at which time the attacker can also enter.
● The standard defence is to issue a fresh session ID when the user authenticates, and to refuse IDs the server never generated, so the attacker's trap token never becomes an authenticated session.
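Added example, not the slides' own code, serving both the logout and expiry slide earlier and the three fixation steps above: a server-side session store in Python with idle and absolute timeouts, server-side invalidation at logout, and ID rotation at login, plus a function that replays the fixation steps against it. The timeout values, the injectable clock and the method names are assumptions.

```python
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

IDLE_TIMEOUT = 30 * 60        # the slides' "commonly 30 minutes"
ABSOLUTE_TIMEOUT = 8 * 3600   # assumption: hard cap even for an active session

@dataclass
class Session:
    user: Optional[str]
    created: float
    last_seen: float
    data: dict = field(default_factory=dict)

class SessionStore:
    """Server-side store keyed by an opaque random ID; the client only ever holds the ID."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._sessions: dict[str, Session] = {}
        self._clock = clock                      # injectable so expiry can be exercised offline

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)          # 256 bits: not guessable, nothing to decode
        now = self._clock()
        self._sessions[sid] = Session(user=None, created=now, last_seen=now)
        return sid

    def resolve(self, sid: str) -> Optional[Session]:
        """Look up a client-supplied ID. Unknown, expired and logged-out IDs all return None;
        an ID the server never issued (a fixation attempt) is simply unknown."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s

    def login(self, sid: Optional[str], user: str) -> str:
        """Authenticate and rotate: the pre-login ID is retired and a fresh one issued, so a
        trap session planted by an attacker never becomes the victim's authenticated session."""
        old = self.resolve(sid) if sid else None
        carried = dict(old.data) if old else {}
        if old is not None:
            del self._sessions[sid]
        new_sid = self.create()
        self._sessions[new_sid].user = user
        self._sessions[new_sid].data = carried
        return new_sid

    def logout(self, sid: str) -> None:
        """Server-side invalidation: a replayed old token must not be accepted afterwards."""
        self._sessions.pop(sid, None)

def fixation_attempt(store: SessionStore) -> bool:
    """Replay the three steps: the attacker sets up a trap session, fixes its ID in the victim's
    browser, and the victim logs in with it. True means the attacker's ID now resolves to the
    victim's account, i.e. the attack succeeded."""
    trap = store.create()                        # 1. session setup
    store.login(trap, "victim")                  # 2. + 3. victim enters with the fixed token
    s = store.resolve(trap)
    return s is not None and s.user == "victim"

if __name__ == "__main__":
    print("fixation works:", fixation_attempt(SessionStore()))
```

Removing the rotation in login (returning the same sid) makes fixation_attempt return True, which is the behaviour the three steps above rely on; the logout path is what closes the replay-after-logout gap described earlier.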
Cookies
● Cookies are small pieces of text data, like a username or a session identifier, that a website uses to recognise your browser as you use a computer network. Specific cookies known as HTTP cookies are used to identify specific users and improve your web browsing experience.
● Data stored in a cookie is created by the server upon your connection. This data is labelled with an ID unique to you and your computer.
● When the cookie is exchanged between your computer and the network server, the server reads the ID and knows what information to serve specifically to you.
● Websites use HTTP cookies to streamline your web experience. Without cookies, you'd have to log in again after you leave a site or rebuild your shopping cart if you accidentally close the page, which makes cookies an important part of the internet experience.

What Are Cookies Used For?
● Here's how cookies are intended to be used:
1. Session management. For example, cookies let websites recognize users and recall their individual login information and preferences.
2. Personalization. Customized advertising is the main way cookies are used to personalize your sessions. You may view certain items or parts of a site, and cookies use this data to help build targeted ads that you might enjoy.
3. Tracking. Shopping sites use cookies to track items users previously viewed, allowing the sites to suggest other goods they might like and keep items in shopping carts while they continue shopping.
What are the different types of HTTP Cookies?
Two types:
1. Session Cookies
2. Persistent Cookies

Session cookies
● Used only while navigating a website. They carry no expiry date, so the browser typically holds them in memory rather than writing them to disk and discards them when the browser session ends. They also help the "back" button or third-party anonymizer plugins work. These plugins are designed for specific browsers and help maintain user privacy.
What are the different types of HTTP Cookies?
Persistent cookies
● They remain on the computer across browser restarts: they carry an expiration date (or Max-Age) and are automatically removed when it is reached. Persistent cookies are used for two primary purposes:
1. Authentication. These cookies track whether a user is logged in and under what name. They also streamline login ("remember me"), so users don't have to re-enter site passwords.
2. Tracking. These cookies track multiple visits to the same site over time. Some online merchants, for example, use cookies to track visits from particular users, including the pages and products viewed. The information they gain allows them to suggest other items that might interest visitors.
Why Cookies Can Be Dangerous?
● Cookies are passive data, not executable code, so cookies themselves aren't harmful. They can't infect computers with viruses or other malware. However, some cyberattacks can steal or hijack cookies and so gain access to your browsing sessions.
● Zombie cookies come from a third party and are permanently installed on users' computers, even when they choose not to accept cookies. They also reappear after they've been deleted. When zombie cookies first appeared, they were recreated from data stored in the Adobe Flash storage bin; they are sometimes called "flash cookies" and are extremely difficult to remove.
Allowing or Removing Cookies
● Cookies can be an optional part of your internet experience. If you so choose, you can limit what cookies end up on your computer or mobile device.
● If you allow cookies, it will streamline your surfing. For some users, avoiding the security risk of cookies matters more than a convenient internet experience.
● Here's how to allow cookies:
1. Find the cookie section, typically under Settings > Privacy.
2. Tick the boxes to allow cookies. Sometimes the option says "Allow local data".
3. If you don't want cookies, you can simply untick these boxes.
4. Removing cookies can help you mitigate your risk of privacy breaches. It also resets your browser tracking and personalization.
Allowing or Removing Cookies
● Removing normal cookies is easy, but it could make certain websites harder to navigate. Without cookies, users may have to re-enter their data on each visit. Different browsers store cookies in different places, but usually you can:
● Find the Settings or Privacy section, sometimes listed under Tools, Internet Options, or Advanced.
● Follow the prompts on the available options to manage or remove cookies.
● To remove tracking cookie infestations and more malicious types, you'll want to enlist the help of some internet security software.
● Before removing cookies, evaluate the ease of use expected from a website that uses cookies. In most cases, cookies improve the web experience, but they should be handled carefully.
Session Hijacking
● Session hijacking is an attack where a user session is taken over by an attacker.
● A session starts when you log into a service, for example your banking application, and ends when you log out. The attack relies on the attacker's knowledge of your session cookie, so it is also called cookie hijacking or cookie side-jacking.
● Although any computer session could be hijacked, session hijacking most commonly applies to browser sessions and web applications.
Session Hijacking
● In most cases when you log into a web application, the server sets a temporary session cookie in your browser to remember that you are currently logged in and authenticated.
● HTTP is a stateless protocol, and a session cookie, sent by the browser in the Cookie header of every request to that site, is the most popular way for the server to identify your browser or your current session.
Session Hijacking
● To perform session hijacking, an attacker needs to know the victim's session ID (session key). This can be obtained by stealing the session cookie or by persuading the user to click a malicious link containing a prepared session ID.
● In both cases, after the user is authenticated on the server, the attacker can take over (hijack) the session by using the same session ID for their own browser session. The server is then fooled into treating the attacker's connection as the original user's valid session.
Session Hijacking
● Cross-site scripting (XSS): this is probably the most dangerous and widespread method of web session hijacking.
● By exploiting server or application vulnerabilities, attackers can inject client-side scripts (typically JavaScript) into web pages, causing your browser to execute arbitrary code when it loads a compromised page. Unless the session cookie carries the HttpOnly flag, that script can read it (document.cookie) and send it to the attacker.
Session Hijacking
Cross Site Request Forgery (CSRF)
● CSRF is an attack that tricks the victim into submitting a malicious request. It inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf. For most sites, browser requests automatically include any credentials associated with the site, such as the user's session cookie, IP address, Windows domain credentials, and so forth.
● Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish between the forged request sent by the victim's browser and a legitimate request sent by the victim.
● Unlike hijacking proper, the attacker never learns the session token; the browser attaches it. The usual defences are a per-session anti-CSRF token carried in the form, which a forged request from another site cannot know, and the SameSite cookie attribute.
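Added example, not from the slides: a Python synchronizer-token check with an Origin/Referer comparison, exercised against a legitimate form submission and two forged ones that carry the victim's session cookie but not the token. The class and method names, the lowercase header keys and the site origin are assumptions.

```python
from __future__ import annotations

import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

class CsrfGuard:
    """Synchronizer-token defence with an Origin/Referer check (assumed names, not the slides')."""

    def __init__(self, site_origin: str):
        self.site_origin = site_origin          # e.g. "https://bank.example" (assumed)

    def issue_token(self, session: dict) -> str:
        """One random token per server-side session, embedded in each form as a hidden field.
        A page on another origin cannot read the bank's page, so a forged request lacks it."""
        if "csrf_token" not in session:
            session["csrf_token"] = secrets.token_urlsafe(32)
        return session["csrf_token"]

    def verify(self, session: dict, submitted: Optional[str], headers: dict) -> tuple[bool, str]:
        """The session cookie is already attached by the browser, so identity alone proves
        nothing; the token and the request's origin decide. headers keys are lowercase."""
        expected = session.get("csrf_token")
        if not expected or not submitted:
            return False, "no anti-CSRF token"
        if not hmac.compare_digest(expected, submitted):   # constant-time comparison
            return False, "anti-CSRF token mismatch"
        origin = headers.get("origin")
        if origin is None and headers.get("referer"):
            r = urlsplit(headers["referer"])
            origin = f"{r.scheme}://{r.netloc}"
        if origin is not None and origin != self.site_origin:
            return False, f"cross-site request from {origin}"
        return True, "ok"

def simulate(guard: CsrfGuard) -> dict:
    """Three POSTs to the same state-changing endpoint, all carrying alice's session cookie."""
    session = {"user": "alice"}                      # resolved by the server from the cookie
    token = guard.issue_token(session)               # rendered into the bank's own form
    return {
        "legitimate": guard.verify(session, token, {"origin": "https://bank.example"}),
        "forged_without_token": guard.verify(session, None, {"origin": "https://evil.example"}),
        "forged_guessed_token": guard.verify(session, secrets.token_urlsafe(32),
                                             {"origin": "https://evil.example"}),
    }

if __name__ == "__main__":
    print(simulate(CsrfGuard("https://bank.example")))
```

The origin check is a second layer, not a replacement for the token: browsers omit Origin and Referer in some cases, which is why a missing header is allowed through while a mismatching one is rejected.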
Session Management and User Authentication

The session management implementation defines the exchange mechanism that will be
used between the user and the web application to share and continuously exchange the
session ID.
There are multiple mechanisms available in HTTP to maintain session state within web
applications, such as cookies (standard HTTP header), URL parameters, URL arguments on
GET requests, body arguments on POST requests, such as hidden form fields (HTML forms),
or proprietary HTTP headers.
Fixing Session Management Vulnerabilities
● When user authentication and session management are not correctly configured, attackers may be able to compromise passwords, session tokens or keys to gain access to user accounts and assume their identities. It's important for developers to ensure they're using the latest version of any framework, to securely configure session management options and to adopt application security testing to identify and remediate any issues.
END OF CHAPTER 3
