The reason I am writing about this type of vulnerability is the "let-it-be" attitude that so many developers have towards it. Let us first define what a session is and what happens on a website during a session.
A session is the period in which a user logs in and uses his or her account. To maintain this time slot, websites use a session cookie that stores information and authenticates the user, so that changes can be made from his or her profile.
Because so much trust is placed in it, the session cookie becomes a prime target for every single attacker: by compromising a session cookie, the attacker can take over the entire user account. You can see this in practice, since techniques like XSS and CSRF both abuse the session cookie in one way or another and manage to exploit various services. To understand the effect of a session cookie, let us try out a small test:
1. Open any website where you have an account.
2. Log into your ID.
3. Now use any cookie editor and copy all the cookies you have in that website.
4. Launch another browser and go to the same website.
5. Import all cookies from your logged-in browser.
6. Do you see a complete compromise of your ID? Well yes! You can. :)
Mitigation came into existence as soon as the exploit was available. Forms utilize CSRF tokens to prevent many attacks, which is a good coding practice. But, why wait for such an exploit to occur? It is a known fact that new vulnerabilities keep surfacing, exploiting the older coding practices. So how can we stop them? Well we always have the old saying,
Prevention is better than Cure.
This is what most developers fail to understand. The reason hackers are so often successful is that they are security paranoids. So the best quality in a good developer is paranoia. :)
So what can be done to prevent this? Obviously, being able to log in with the same cookie from a different browser isn't right. However, User Agent spoofing is also something that hackers can employ when doing such an attack, so checking the UA alone does not solve it.
Best Mitigation Technique:
Someone once said, "It is a session cookie, let it be. It is meant to do that work, it is a foolish person who would lose such an important thing."
But think about the billions of people using the internet. How many of them actually understand what a cookie is? How can we leave everything up to them? So what can be done?
The notion that almost nothing can be done after a session cookie is compromised is mistaken. What I would recommend is to have password checks at important places. To have a password or 2-factor authentication at every field would just be stupid, but how about a password or 2-factor authentication at total-hijacking fields like changing the Email ID or changing the password? Such mitigation is way better than checking the IP or checking the UA on the session cookie, and the only way to be totally compromised is to have lost your 2-factor authentication device or your password, which is better than having lost a single entity called the "SESSION COOKIE".
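To make the recommendation concrete, here is an added example (not code from the original post) of a small account service in which the session cookie alone is enough to read a profile but not to change the email address: that action demands a "step-up" check with the password or a TOTP code, and the check is remembered only for a short window. The class and function names, the 300-second freshness window, the iteration count and the sample user are all my own assumptions; the TOTP routine follows RFC 6238 and is verified against its published test vector. Everything uses only the Python standard library.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, Optional

# How long a successful password/TOTP re-check stays "fresh" (assumed policy value).
REAUTH_WINDOW_SECONDS = 300


def hash_password(password: str, salt: Optional[bytes] = None):
    """PBKDF2-HMAC-SHA256; returns (salt, digest). Iteration count is illustrative."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def totp_code(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the algorithm authenticator apps implement."""
    counter = int(for_time // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class UserStore:
    """In-memory user records (constructed stand-in for a real database)."""

    def __init__(self):
        self.users: Dict[str, dict] = {}

    def add_user(self, username, password, email, totp_secret=None):
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest,
                                "email": email, "totp_secret": totp_secret}

    def verify_password(self, username, password):
        user = self.users.get(username)
        if user is None:
            return False
        _, digest = hash_password(password, user["salt"])
        return hmac.compare_digest(digest, user["digest"])

    def verify_totp(self, username, code, now):
        user = self.users.get(username)
        if user is None or user["totp_secret"] is None:
            return False
        if not isinstance(code, str) or not code.isdigit():
            return False
        # Accept the current 30 s step and one step either side for clock skew.
        return any(hmac.compare_digest(totp_code(user["totp_secret"], now + d * 30), code)
                   for d in (-1, 0, 1))


class AccountService:
    """Sessions plus account operations; hijacking-grade changes need a step-up."""

    def __init__(self, users: UserStore, now: Callable[[], float] = time.time):
        self.users = users
        self.now = now          # injectable clock so the window can be tested
        self.sessions: Dict[str, dict] = {}

    def login(self, username, password):
        if not self.users.verify_password(username, password):
            return None
        token = secrets.token_urlsafe(32)   # the value the session cookie would carry
        # No re-auth timestamp yet: a sensitive action must re-verify at least once.
        self.sessions[token] = {"user": username, "reauth_at": None}
        return token

    def get_profile(self, token):
        """Ordinary read: the cookie alone is sufficient here."""
        session = self.sessions.get(token)
        if session is None:
            return None
        return {"user": session["user"], "email": self.users.users[session["user"]]["email"]}

    def _is_fresh(self, session):
        at = session.get("reauth_at")
        return at is not None and self.now() - at <= REAUTH_WINDOW_SECONDS

    def step_up(self, token, password=None, totp=None):
        """Re-verify the human behind the session; a copied cookie cannot pass this."""
        session = self.sessions.get(token)
        if session is None:
            return False
        user = session["user"]
        ok = (password is not None and self.users.verify_password(user, password)) \
            or self.users.verify_totp(user, totp, self.now())
        if ok:
            session["reauth_at"] = self.now()
        return ok

    def change_email(self, token, new_email, password=None, totp=None):
        """Total-hijacking field: requires a fresh step-up, not just the session."""
        session = self.sessions.get(token)
        if session is None:
            return "not_authenticated"
        if not self._is_fresh(session) and not self.step_up(token, password, totp):
            return "step_up_required"
        self.users.users[session["user"]]["email"] = new_email
        return "ok"


if __name__ == "__main__":
    users = UserStore()
    users.add_user("alice", "correct horse battery", "alice@example.com")  # constructed user
    svc = AccountService(users)
    cookie = svc.login("alice", "correct horse battery")
    print(svc.get_profile(cookie))                                     # readable with cookie alone
    print(svc.change_email(cookie, "attacker@example.com"))            # step_up_required
    print(svc.change_email(cookie, "new@example.com", password="correct horse battery"))  # ok
```

The same idea applies to the password-change handler: route it through the same step-up check so that whoever holds only the cookie can browse but cannot lock the real owner out. Keep the freshness window short; a long window hands the attacker the same grace period the legitimate user gets.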
Maybe you guys can implement this point while building your website next time, and not call anything stupid.