Tag Archives: Security

Session ID in the URL : is it a vulnerability ?

Problem

I noticed at authentication of several JAVA web applications, the Session ID attached at the url like this http://mywebsite.com/function?value=blah&jsessionid=fgd457dfsd7sde4g4df…

When first authenticated, the website reveals in the URL a sensitive information “the session ID”. This is a security risk according to OWASP reference.
http://owasp-aasvs.readthedocs.io/en/latest/requirement-3.6.html
Indeed if an attacker get the session ID it can lead to the vulnerability of session fixation.

Scanner like Acunetix will detect is as a security risk too:
https://www.acunetix.com/vulnerabilities/web/session-token-in-url

Why the session id is passed to the URL ?

According to this post, it is by design of JavaEE:

This isn’t a bug, it’s by design. When a new session is created, the server isn’t sure if the client supports cookies or not, and so it generates a cookie as well as the jsessionid on the URL. When the client comes back the second time, and presents the cookie, the server knows the jsessionid isn’t necessary, and drops it for the rest of the session. If the client comes back with no cookie, then the server needs to continue to use jsessionid rewriting.
You may not explicitly use cookies, but you do implicitly have a session, and the container needs to track that session.

https://stackoverflow.com/questions/4079378/why-is-my-session-id-in-my-url

What is a Session Fixation ?

Session Fixation is an attack that permits an attacker to hijack a valid user session.
https://www.owasp.org/index.php/Session_fixation

This vulnerability is part of Top 10 2013-A2-Broken Authentication and Session Management

How to test for Session Fixation ?

https://www.owasp.org/index.php/Testing_for_Session_Fixation_(OTG-SESS-003)

What is a Session ?

HTTP protocol and Web Servers are stateless, what it means is that for web server every request is a new request to process and they can’t identify if it’s coming from client that has been sending request previously.

But sometimes in web applications, we should know who the client is and process the request accordingly. For example, a shopping cart application should know who is sending the request to add an item and in which cart the item has to be added or who is sending checkout request so that it can charge the amount to correct client.

http://www.journaldev.com/1907/java-session-management-servlet-httpsession-url-rewriting

This is a link to Servlet specification to understand better the session scope in Java :
https://jcp.org/aboutJava/communityprocess/final/jsr154/index.html

SRV.7.3 Session Scope
HttpSession objects must be scoped at the application (or servlet context) level. The underlying mechanism, such as the cookie used to establish the session, can be the same for different contexts, but the object referenced, including the attributes in that object, must never be shared between contexts by the container.

Solution

Validate Session Id on server side
For sometimes i thought that cookies or hidden input fields is the solution against the “session ID” in the url. According to the link below it is a limited solution. Even if it is hard to copy paste cookies and hidden fields it is still possible to retrieve the Session ID information with special tools on unencrypted website.

Depending of the website it is possible that the sessionId on the URL is not a security risk. If the web application is well designed and the session ID is validated on server side, this is not a problem :
https://security.stackexchange.com/questions/14093/why-is-passing-the-session-id-as-url-parameter-insecure

The best practice , in all case is to validate on the server side.
Other solutions are possible : https://en.wikipedia.org/wiki/Session_fixation

Use Filter to get rid of Session ID in URL

Here is an example of using a Filter to get rid of session Id in the URL :
https://stackoverflow.com/questions/1045668/jsessionid-is-occurred-in-all-urls-which-are-generated-by-jstl-curl-tag/4019476#4019476

I believe this solution is not necessary if good validation of session ID is done on the server Side.

Spring Security Framework

Probably the best solution for JavaEE is to use well tested framework like spring security framework. It is also a default security against other common vulnerabilities.
The authentication form using spring security provide high security against common vulnerabilities :
http://docs.spring.io/spring-security/site/docs/current/guides/html5//helloworld-javaconfig.html

The SecurityConfig will:

Require authentication to every URL in your application

Generate a login form for you

Allow the user with the Username user and the Password password to authenticate with form based authentication

Allow the user to logout

CSRF attack prevention

Session Fixation protection

Security Header integration

HTTP Strict Transport Security for secure requests

X-Content-Type-Options integration

Cache Control (can be overridden later by your application to allow caching of your static resources)

X-XSS-Protection integration

X-Frame-Options integration to help prevent Clickjacking

Integrate with the following Servlet API methods

HttpServletRequest#getRemoteUser()

HttpServletRequest.html#getUserPrincipal()

HttpServletRequest.html#isUserInRole(java.lang.String)

HttpServletRequest.html#login(java.lang.String, java.lang.String)

HttpServletRequest.html#logout()

How to verify your java libraries have known security vulnerabilities ?

A maven plugin can check you Java libaries for known vulnerabilities. It is called dependency-check-maven.

The OWASP Dependency Check utility uses NIST’s National Vulnerability Database (NVD) to identify the vulnerable dependencies, so the list is always up-to-date.

  <plugin>
                <groupId>org.owasp</groupId>
                <artifactId>dependency-check-maven</artifactId>
                <version>1.4.4</version>
                <configuration>
                    <skip>false</skip>
                    <skipTestScope>false</skipTestScope>
                    <skipProvidedScope>false</skipProvidedScope>
                    <skipRuntimeScope>false</skipRuntimeScope>
                </configuration>
                <executions>
                    <execution>
                        <goals>
                            <goal>check</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>

https://blog.lanyonm.org/articles/2015/12/22/continuous-security-owasp-java-vulnerability-check.html

Requirements

You will need the following to use Owasp Maven dependency Check.

  • Maven version superior to 3.1
  • Tips to quickly check only some libraires

    Let’s say you can not compile all the project because some jars/files are missing. Then you cannot use the plugin immediately. You need to compile the project first. If you don’t need to compile the project entirely, you can just create a simple pom with all dependencies to check.

    Example :

    <?xml version="1.0" encoding="UTF-8"?>
    <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    <modelVersion>4.0.0</modelVersion>
    
    	<groupId>com.mytest.framework</groupId>
    	<artifactId>mytestframe</artifactId>
    	<packaging>pom</packaging>
    	<name>com.mytest.framework.mytestframe</name>
    	<version>1.0.0-SNAPSHOT</version>
    		
    	<properties>
    		<spring.version>1.0.0.RELEASE</spring.version>
            </properties>
    
    
    	<build>
    		<pluginManagement>
    			<plugins>
    				
    				  <plugin>
                    <groupId>org.owasp</groupId>
                    <artifactId>dependency-check-maven</artifactId>
                    <version>1.4.4</version>
                    <configuration>
                        <skip>false</skip>
                        <skipTestScope>false</skipTestScope>
                        <skipProvidedScope>false</skipProvidedScope>
                        <skipRuntimeScope>false</skipRuntimeScope>
                    </configuration>
                    <executions>
                        <execution>
                            <goals>
                                <goal>check</goal>
                            </goals>
                        </execution>
                    </executions>
                   </plugin>
                          </plugins>
            </pluginManagement>
             </build>
    
           <dependencies>
    	   <dependency>
    		<groupId>org.springframework</groupId>
    		<artifactId>spring-webmvc</artifactId>
    		<version>${spring.version}</version>
    	  </dependency>
           </dependencies>
    </project>
    
    

    Check maven dependencies with this command :

    mvn dependency-check:check
    

    Reporting

    Check the link above to use reporting for your continuous integration. Otherwise here is an example of reporting once you launch the maven plugin :

    One or more dependencies were identified with known vulnerabilities in my_project:
     
    logback-core-1.1.3.jar (ch.qos.logback:logback-core:1.1.3, cpe:/a:logback:logback:1.1.3) : CVE-2017-5929
    commons-collections-3.2.1.jar (commons-collections:commons-collections:3.2.1, cpe:/a:apache:commons_collections:3.2.1) : CVE-2015-6420

    Troubleshooting

    If you have the following error

    -Dmaven.multiModuleProjectDirectory system property is not set
    

    then you need to modify the java configuration like this in eclipse :owasp_check_maven