Web application session handling is one of the most difficult things to do right. As we move more and more towards standard web frameworks (Django, Rails, etc.) to handle the basic functionality of a custom web application, this becomes a smaller issue. Unfortunately, there are engineers and developers who insist on going it alone in this realm. There are also legacy applications that require backward compatibility, and then there are just plain old out-of-date applications that still serve publicly.
Note: The following terms all describe the session ID and may be used interchangeably: Session ID, session value, cookie value, session cookie, cookie.
In the course of my penetration testing, on almost every engagement there is at least one failure in the session management category. I would (and so would OWASP) classify these categories as follows:
- Exposed session IDs: http://example.com?sessionid=12345 (seems silly, but it still happens). Sometimes these are also exposed in plain text as a cookie value, although they are quite often a hash value.
- Session fixation attack: the session ID value is re-used or recycled on next login.
- Session destruction/creation: the session ID value is not destroyed on logout, timeout or browser close.
- Session IDs are not rotated: the logged-out (non-authenticated) session ID is re-used for the logged-in session value.
This does not represent an exhaustive list, just a few items that I see come up regularly during the course of my testing. In Part 3: Exploitation, we'll dive into using these techniques to break things.
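The four failures above are all absences of the same small set of server-side controls. The following is an added example (not code from the post or from any framework it mentions) of a minimal in-memory session store that applies them: the ID is issued from the OS CSPRNG, rotated at login regardless of what the client presented (which also defeats fixation), destroyed server-side on logout and idle timeout, set with cookie flags that keep it off the URL and out of script, and a helper flags any request URL that carries a session ID in its query string. `SessionStore`, `set_cookie_header`, `session_id_in_url`, the 15-minute timeout and the list of parameter names are all assumptions chosen for the illustration.

```python
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Idle timeout after which a session is treated as destroyed (assumed value).
IDLE_TIMEOUT_SECONDS = 15 * 60

# Query-string names commonly used to carry a session ID in the URL
# (constructed list; "sessionid" is the name used in the post's own example).
URL_SESSION_PARAMS = {"sessionid", "session_id", "sid", "phpsessid", "jsessionid"}


class SessionStore:
    """In-memory session store. `clock` is injectable so the timeout is testable."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # session_id -> {"user": str | None, "last_seen": float}

    def _new_id(self):
        # 256 bits from the OS CSPRNG; never derived from user data or a counter.
        return secrets.token_urlsafe(32)

    def create(self):
        """Issue an anonymous (pre-login) session."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def lookup(self, sid):
        """Return the session record, or None if unknown or idle-expired."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if self._clock() - rec["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]  # timeout destroys the server-side record
            return None
        rec["last_seen"] = self._clock()
        return rec

    def login(self, presented_sid, user):
        """Authenticate and rotate: whatever ID the client presented before login
        is discarded, whether it is a valid anonymous session or a value the
        server never issued. The caller must set the returned ID as the cookie."""
        self._sessions.pop(presented_sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "last_seen": self._clock()}
        return new_sid

    def logout(self, sid):
        """Destroy the session server-side; clearing the cookie alone is not enough."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid, name="sessionid"):
    """Set-Cookie value that keeps the ID out of script and off plain HTTP."""
    return f"{name}={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"


def session_id_in_url(url):
    """True if the request URL carries a session ID in its query string."""
    params = parse_qs(urlparse(url).query)
    return any(k.lower() in URL_SESSION_PARAMS for k in params)


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    auth = store.login(anon, "alice")
    print("rotated on login:", anon != auth and store.lookup(anon) is None)
    print(set_cookie_header(auth))
    print("exposed in URL:", session_id_in_url("http://example.com?sessionid=12345"))
```

The `login` method deliberately ignores whether `presented_sid` was ever valid: adopting a client-supplied value into the authenticated session is exactly what makes fixation work, so the only safe behaviour is to mint a fresh ID every time authentication state changes.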
A few words on web application testing tools. By far, the single best tool for testing web applications is BurpSuite. At $299 (as of this post) it is the best bang for the buck I've seen. I would call this a semi-automatic testing tool. It works as a web proxy to essentially set up a man-in-the-middle by design and as such has access to all traffic and interesting goodies between you and your target site. If you are serious about web application auditing, this is the tool to learn. They do have a free version that is great for learning but with a limited feature set. I am in no way affiliated with Burp or its authors, but I would not step into a web application pentest without it.
Another tool with the right price is Edit This Cookie. It is a Chrome browser extension that allows user manipulation of any cookie on the current site. It is an absolute must-have for this exercise. Firefox has similar add-ons. Do not use IE. Ever.
Edit This Cookie: