Enjoy Sharing Technology!


Monday, November 15, 2021

AppScan: Session identification is not updated (medium)

1.1 Attack principle

   When a user is authenticated, or a new user session is established in some other way, any existing session identifier that is not invalidated gives an attacker the opportunity to take over the authenticated session. This weakness can be combined with XSS to obtain the user's session and attack the login process.

1.2 AppScan test process

   AppScan records the cookies that carry the session information before and after the "login behavior". If the cookie value has not changed after login, AppScan reports a "Session identification is not updated" vulnerability.

1.3 Repair suggestions

   1. Always generate a new session for the user on successful authentication, so that the user cannot control the session ID. Do not accept the session ID presented by the user's browser at login; revoke any existing session ID before authorizing the new user session.

   2. For platforms that do not generate new values for session identification cookies (such as ASP), use an auxiliary cookie. In this method, an auxiliary cookie on the user's browser is set to a random value, and a session variable is set to the same value. If the session variable and the cookie value do not match, cancel the session and force the user to log in again.

   3. If you are using the Apache Shiro security framework, you can use the SecurityUtils.getSubject().logout() method; see http://blog.csdn.net/yycdaizi/article/details/45013397
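
   The auxiliary-cookie method from item 2, written here as a Java servlet Filter (an added example, not code from the original post). It assumes a javax.servlet 3.x/4.x container, that the login handler calls bindAuxiliaryToken right after the credentials are verified, and the cookie/attribute name AUXTOKEN and login URL /login.jsp are placeholders chosen for the example:

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

// Binds each authenticated session to a random token stored both as a session attribute
// and as a separate cookie; when the two stop matching, the session is dropped.
public class AuxiliaryCookieFilter implements Filter {
    static final String NAME = "AUXTOKEN";             // assumed cookie/attribute name
    private static final SecureRandom RNG = new SecureRandom();
    // Call from the login handler right after the credentials have been verified.
    public static void bindAuxiliaryToken(HttpServletRequest req, HttpServletResponse resp) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        req.getSession(true).setAttribute(NAME, token);  // server-side copy
        Cookie c = new Cookie(NAME, token);              // browser-side copy
        c.setHttpOnly(true);
        c.setSecure(req.isSecure());
        c.setPath("/");
        resp.addCookie(c);
    }
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpSession session = req.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(NAME);
        if (expected != null) {                          // only logged-in sessions carry a token
            String presented = "";
            if (req.getCookies() != null) {
                for (Cookie c : req.getCookies()) {
                    if (NAME.equals(c.getName())) { presented = c.getValue(); }
                }
            }
            // Constant-time compare; a mismatch means this is not the session we issued
            if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                       presented.getBytes(StandardCharsets.UTF_8))) {
                session.invalidate();
                ((HttpServletResponse) response).sendRedirect(req.getContextPath() + "/login.jsp");
                return;
            }
        }
        chain.doFilter(request, response);
    }
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

   Register the filter for the authenticated URL space (web.xml or @WebFilter); requests without a token-bearing session pass through untouched, so the login page itself is unaffected.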


1.4 Fix code sample

   Add the following code to the login page (JESSIONID is assumed to be the container's default session cookie name; the expired cookie must be added to the response for the change to reach the browser):

<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%
    // Invalidate any session that already exists when the login page is served
    HttpSession existing = request.getSession(false);
    if (existing != null) {
        existing.invalidate();
    }
    // Expire the browser's copy of the session cookie; JSESSIONID is the container default name
    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
        for (Cookie c : cookies) {
            if ("JSESSIONID".equals(c.getName())) {
                c.setMaxAge(0);
                c.setPath(request.getContextPath().isEmpty() ? "/" : request.getContextPath());
                response.addCookie(c);   // the expiry only takes effect if sent to the client
            }
        }
    }
%>

   Add the following code before verifying that the login is successful:

// Drop the pre-login session (if any) so the ID the browser arrived with is never reused
HttpSession oldSession = request.getSession(false);
if (oldSession != null) {
    oldSession.invalidate();
}
// Expire the browser's copy of the old session cookie (JSESSIONID is the container default name)
Cookie[] cookies = request.getCookies();
if (cookies != null) {
    for (Cookie cookie : cookies) {
        if ("JSESSIONID".equals(cookie.getName())) {
            cookie.setMaxAge(0);
            cookie.setPath(request.getContextPath().isEmpty() ? "/" : request.getContextPath());
            response.addCookie(cookie);
        }
    }
}
// Create a brand-new session, and therefore a new session ID, for this login
HttpSession session = request.getSession(true);

1.5 Exception handling

   If the session ID really is different before and after login, the finding can be regarded as a false positive.
