From last few posts we are discussing session hacking or we can say attacks against session management. So after having a small look over session hacking and some of its regular types its time to have a look on its countermeasures. Same as any other web application countermeasures session hacking countermeasures also depend upon type of application and its implementation or you can say type of vulnerability a web application can suffer from. In this following post we will discuss some preventive measures which can be practically implemented over any web application against session hacking.
Generating Strong Tokens:
Following are some tips to generate strong tokens for protecting sessions against predictable token vulnerability.
- Use large value for token.
- Check each value for randomness before implementing in session management.
- Make sure token's complexity can't be broken using brute force, so use real large values with possible random characters.
- Never use weak hashes, hexadecimal values, octal values or something like that which generates predictable values for token generation.
- Don't use time dependent variables to generate token.
- Tokens should consist of nothing more than an identifier used by the server to locate the relevant session object to be used for processing the user’s request and make sure there should be enough number of tokens so that it should not be easy for anyone to attack.
- Token generation method should be different for each token.
Now information that can be used to generate tokens,
- IP address of user.
- Port number from which user sent request.
- User's browser protocol or User Agent details.
- Absolute time of request in milliseconds.
Now why above things can be used for generating tokens though they can be predictable. The reason is we are not actually advising you to use any one of them we are advising you to use each of them, by doing so you'll be able to generate a token which will be highly unpredictable and due to time of request you can manage to terminate session after some specific interval of time.
Protecting Tokens From Mishandling:
Following are some measures that should be taken on behalf of developer against mishandling of tokens.
- All tokens should be passed from HTTPS and not from HTTP.
- A page must not use HTTPS and HTTP simultaneously.
- If possible all pages should be implemented using HTTPS including static and help pages. Use HTTPS for all pages rather than switching from HTTP to HTTPS for specific pages since it can act as vulnerability which can help attacker to steal session.
- Session log should never be transmitted in URL.
- Session token should die after some specific interval of time (10 min - 1 hour not more).
- A user can't be allowed to login from two computers at the same time.
- The domain and path scope of an application’s session cookies should be set as restrictively as possible.
- A site should be checked for XSS and CSRF attacks which can help an attacker attack session.
To protect users in LAN environment the Network admin should implement SniffJoke. SniffJoke is Linux based anti-sniffing technology developed by Delirandom, for download and more information visit http://www.delirandom.net . You can implement any anti-sniffing technology but we are recommending SniffJoke because its free and open so you can not only download and use it but can also modify according to your needs.
So here we end countermeasure against session management attacks. Thanks for reading, have a nice time and keep visiting.