Java Reference
In-Depth Information
have brute-forced Web application sessions by tampering with the session identifiers. Session identifiers generated by the server should be cryptographically strong and random to ensure that attackers cannot find patterns in the session IDs generated by the application to gain access to other user sessions.
Session fixation attacks rely on the fact that several Web applications do not invalidate sessions previously created when the user logs in to the application. It is important that any existing session created by the application be invalidated and destroyed before a new session identifier is created for the user logging in to the application.
It is important to transmit sensitive information like passwords and credit card information over an encrypted channel. Session identifiers are no different. Session identifiers should be sent to a user when he/she successfully logs in to the application over an encrypted HTTP connection (HTTPS). For medium- and high-criticality applications, it is important that all the user actions performed during the entire course of a session are encrypted.
It is important to validate session identifiers for certain attributes to ensure that the session identifier can be trusted. For instance, a user session is set to expire on the following date: ; expires=Fri, 13-Nov-2009 15:35:19 GMT. The attacker might tamper with the attributes of the cookie by setting a date like ; expires=Fri, 13-Nov-2011 15:35:19 GMT. This would ensure that the attacker can use the same cookie and resubmit it to the application to gain access to a session until the said date. Other attributes of cookies like the path attribute, domain attribute, and the secure attribute should also be validated by the server to ensure that the integrity of the session identifier and cookie information is not compromised. Input validation is covered in great depth in Chapter 10. HTTPOnly is also an important characteristic for a cookie. The HTTPOnly flag must be set for the cookies issued by the application. This will prevent client-side code from accessing the cookie. Client-side code access to cookies might result in the propagation of Cross-Site Scripting attacks.
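The two preceding points, invalidating any pre-existing session before a new identifier is issued at login, and issuing the session cookie only over HTTPS with the Secure and HTTPOnly flags set, can be implemented as follows with the Servlet 3.0 API. This is an added example, not code from the book; the AccountService interface, the "accountService" context attribute and the /login and /home paths are this example's own assumptions, and the listener and servlet are nested in one class only so that they fit in a single file.

```java
// Added example (not from the book). Assumes the Servlet 3.0 API (javax.servlet).
// The AccountService lookup and the URL paths are hypothetical conventions.
import java.io.IOException;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SessionSecurity {

    /** Hypothetical credential check; a real application supplies its own. */
    public interface AccountService {
        boolean authenticate(String username, String password);
    }

    /** Sets container-wide defaults for the session cookie before the context starts. */
    @WebListener
    public static class CookieHardening implements ServletContextListener {
        @Override
        public void contextInitialized(ServletContextEvent sce) {
            SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
            cfg.setSecure(true);    // never sent over plain HTTP
            cfg.setHttpOnly(true);  // not readable from client-side script (limits XSS theft)
            cfg.setPath("/");       // scoped to this application only
            // Max age is left at the default (-1): a session cookie that the browser
            // discards on close. The authoritative lifetime is the server-side
            // session, not whatever "expires" value a client presents.
        }

        @Override
        public void contextDestroyed(ServletContextEvent sce) { }
    }

    @WebServlet("/login")
    public static class LoginServlet extends HttpServlet {
        private static final long serialVersionUID = 1L;

        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws IOException {
            // Credentials and the resulting session identifier travel only over HTTPS.
            if (!req.isSecure()) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
                return;
            }
            AccountService accounts =
                    (AccountService) getServletContext().getAttribute("accountService");
            String user = req.getParameter("username");
            String pass = req.getParameter("password");
            if (accounts == null || !accounts.authenticate(user, pass)) {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            // Session fixation defence: destroy whatever session the browser arrived
            // with, then let the container mint a fresh, cryptographically random
            // identifier that nobody saw before this login.
            HttpSession old = req.getSession(false);
            if (old != null) {
                old.invalidate();
            }
            HttpSession fresh = req.getSession(true);
            fresh.setAttribute("user", user);
            // Servlet 3.1 containers can use req.changeSessionId() instead, which
            // keeps the attributes but still replaces the identifier.
            resp.sendRedirect(req.getContextPath() + "/home");
        }
    }
}
```

The cookie flags must be set from a ServletContextListener (or the equivalent cookie-config element in web.xml) because SessionCookieConfig rejects changes once the context has been initialised; setting them later from a servlet throws IllegalStateException.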
Session timeout is an important aspect of session management. The Web application should implement a session timeout based on the number of minutes the user is idle on the application. For instance, Bob logs in to his banking application on a public computer and, while he is logged in, he receives a call from his mother, for which he gets up and goes outside the office to talk. The duration of the call is long and Bob does not return to his computer for over 30 minutes. In the meanwhile, Scott happens to walk past Bob's cubicle and notices that Bob's e-banking application is open on his browser. He decides to deprive Bob of some of his money, goes up to the computer, and transfers $1000 to his own bank account. Bob comes back after a mammoth phone call and continues his activity on the banking application. Later that month, Bob is shocked to find a debit of $1000 on his account. Web applications should be configured to have idle session timeouts. The application should measure the time of the last activity and log the user out after the passing of a stipulated number of idle minutes. OWASP recommends a session timeout of 5 minutes for highly critical applications like banking and share trading applications, 10 minutes for medium-critical applications like e-commerce and email, and 20 minutes for low-criticality applications like Internet forum applications or social networking sites.
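The idle-timeout rule described above, with the three OWASP tiers quoted (5, 10 and 20 minutes), can be enforced in a Java Web application in two complementary ways: telling the container the maximum inactive interval at login, and a filter that measures the gap since the last request and logs the user out when the limit has passed. This is an added example, not code from the book; the Criticality enum and the "user" and "criticality" session attribute names are this example's own conventions, and it assumes the Servlet 3.0 API.

```java
// Added example (not from the book). Assumes the Servlet 3.0 API (javax.servlet).
// The Criticality tiers mirror the OWASP figures quoted in the text.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebFilter("/*")
public class IdleTimeoutFilter implements Filter {

    /** Application criticality tiers and their idle limits in minutes. */
    public enum Criticality {
        HIGH(5),     // banking, share trading
        MEDIUM(10),  // e-commerce, email
        LOW(20);     // forums, social networking

        private final int idleMinutes;
        Criticality(int idleMinutes) { this.idleMinutes = idleMinutes; }
        public int idleSeconds() { return idleMinutes * 60; }
    }

    /** Call once, immediately after a successful login, so the container expires idle sessions. */
    public static void applyTimeout(HttpSession session, Criticality tier) {
        session.setAttribute("criticality", tier);
        session.setMaxInactiveInterval(tier.idleSeconds());
    }

    /** True if more than the tier's idle limit has elapsed since the previous request. */
    static boolean isIdleTooLong(long lastAccessedMillis, long nowMillis, Criticality tier) {
        return nowMillis - lastAccessedMillis > tier.idleSeconds() * 1000L;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(false);

        // Only authenticated sessions carry a "user" attribute; anonymous requests pass through.
        if (session != null && session.getAttribute("user") != null) {
            Criticality tier = (Criticality) session.getAttribute("criticality");
            if (tier == null) {
                tier = Criticality.HIGH;  // fail safe: an unlabelled session gets the shortest limit
            }
            // getLastAccessedTime() is the time of the client's previous request,
            // so the gap to now is exactly the idle period the text talks about.
            if (isIdleTooLong(session.getLastAccessedTime(), System.currentTimeMillis(), tier)) {
                session.invalidate();  // explicit logout: the server-side session is destroyed
                resp.sendRedirect(req.getContextPath() + "/login?reason=timeout");
                return;
            }
        }
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

The setMaxInactiveInterval call alone is usually enough, because the container removes the session once the interval passes and getSession(false) then returns null. The explicit check in the filter is worth keeping for containers whose expiry sweep runs only periodically, and because invalidating the session on the server, rather than relying on the cookie disappearing, is what actually ends the attacker's window in the Bob and Scott scenario.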
Certain critical applications have different privilege states. For instance, if a user logs in to a banking application, he/she might be at a higher privilege to perform certain activities like transfer of funds to different bank accounts. Another instance of a privileged state would be the administrator of an e-commerce application who needs to edit stock item (product) details for items sold through the Web application. The Web application should enforce