Weaknesses in Session Token Generation
Session management mechanisms are often vulnerable to attack because tokens are generated in an unsafe manner that enables an attacker to identify the values of tokens that have been issued to other users.
Meaningful Tokens
Some session tokens are created using a transformation of the user’s user-name or email address, or other information associated with them. This information may be encoded or obfuscated in some way, and may be combined with other data.
For example, the following token may initially appear to be a long random string:
757365723d6461663b6170703d61646d696e3b646174653d30312f31322f3036
However, on closer inspection, it contains only hexadecimal characters. Guessing that the string may actually be a hex-encoding of a string of ASCII characters, we can run it through a decoder to reveal:
user=daf;app=admin;date=10/09/07
Attackers can exploit the meaning within this session token to attempt to guess the current sessions of other application users. Using a list of enumerated or common usernames, they can quickly generate large numbers of potentially valid tokens and test these to confirm which are valid.
Tokens that contain meaningful data often exhibit some structure — that is, they contain several components, often separated by a delimiter, which can be extracted and analyzed separately to allow an attacker to understand their function and means of generation. Components that may be encountered within structured tokens include:
■ The account username.
■ The numeric identifier used by the application to distinguish between accounts.
■ The user’s first/last human name.
■ The user’s email address.
■ The user’s group or role within the application.
■ A date/time stamp.
■ An incrementing or predictable number.
■ The client IP address.
Each different component within a structured token, or indeed the entire token, may be encoded in different ways, either as a deliberate measure to obfuscate their content, or simply to ensure safe transport of binary data via HTTP. Encoding schemes that are commonly encountered include XOR, Base64, and hexadecimal representation using ASCII characters. It may be necessary to test various different decodings on each component of a structured token to unpack it to its original form.
NEXT is..Predictable Tokens.,.,.,.,.,.,.
