Security Can Be Complicated. Session Management Doesn’t Have To Be.

While performing a manual penetration test recently, I encountered a session management system that flew in the face of almost all the recommended security practices. Rather than use a pre-built implementation associated with a development framework, the developers had written one from scratch that, among other things:

- Generated session tokens based on the user ID and numeric counters.
- Appended the session token to the end of every URL rather than using a cookie.
- Allowed multiple concurrent sessions for a single user.
- Did not destroy the session when a user clicked "Sign Off".

I discovered to my surprise that sessions would terminate after about an hour of inactivity, so it wasn't all bad. Still, the combination of the flaws above could lead to accounts being hijacked, both through a deliberate attack and through user naivety. An attacker could perform a brute-force search for valid sessions by generating possible session tokens, since the tokens are based on known counter values and a numeric user ID. The number of possible session tokens per account was 100,000, meaning valid sessions could be found within a matter of minutes provided the user ID was...
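To make the size of the problem concrete, here is an added example (my own code, not the application from the test) that puts a reconstruction of the weak scheme beside a hardened session store. The post does not give the exact token format, so the example assumes the token is the numeric user ID followed by a five-digit counter, which yields the 100,000 candidates per account the post describes; the user ID 4217 and counter 31337 are constructed sample values. The `SessionStore` class shows the fixes for the other three flaws: CSPRNG tokens carried in a cookie, one live session per user, explicit destruction on sign-off, and the idle timeout the application already had.

```python
"""Weak counter-based session tokens vs. a hardened store (added example)."""
import math
import secrets
from typing import Callable, Dict, Optional, Tuple

# --- The weak scheme (assumed reconstruction, format not given in the post) ---
COUNTER_SPACE = 100_000  # five-digit counter => 100,000 candidates per user


def weak_token(user_id: int, counter: int) -> str:
    """Token = "<user_id><5-digit counter>". Fully predictable given the user ID."""
    return f"{user_id}{counter:05d}"


def brute_force_weak(user_id: int, is_valid: Callable[[str], bool]) -> Tuple[Optional[str], int]:
    """Enumerate every candidate for a known user ID, asking the server whether
    each one is a live session. Returns (token, guesses) or (None, COUNTER_SPACE)."""
    for counter in range(COUNTER_SPACE):
        candidate = weak_token(user_id, counter)
        if is_valid(candidate):
            return candidate, counter + 1
    return None, COUNTER_SPACE


def search_space_bits(candidates: int) -> float:
    """Effective entropy of a token scheme with this many equiprobable candidates."""
    return math.log2(candidates)


# --- The hardened scheme --------------------------------------------------------
TOKEN_BYTES = 32  # 256 bits from the OS CSPRNG; 2**256 candidates, not 100,000


def strong_token() -> str:
    return secrets.token_urlsafe(TOKEN_BYTES)


def set_cookie_header(token: str) -> str:
    """Carry the token in a cookie, not the URL, so it does not leak through
    Referer headers, proxy logs, bookmarks or browser history."""
    return f"Set-Cookie: session={token}; HttpOnly; Secure; SameSite=Lax; Path=/"


class SessionStore:
    """Server-side session table: one session per user, idle timeout, and explicit
    destruction on sign-off. The clock is injected so behaviour is deterministic."""

    def __init__(self, idle_timeout: float = 3600.0) -> None:
        self.idle_timeout = idle_timeout
        self._by_token: Dict[str, Tuple[int, float]] = {}  # token -> (user_id, last_seen)
        self._by_user: Dict[int, str] = {}                  # user_id -> token

    def create(self, user_id: int, now: float) -> str:
        # A new login evicts the user's previous session: no concurrent sessions.
        old = self._by_user.get(user_id)
        if old is not None:
            self._by_token.pop(old, None)
        token = strong_token()
        self._by_token[token] = (user_id, now)
        self._by_user[user_id] = token
        return token

    def lookup(self, token: str, now: float) -> Optional[int]:
        entry = self._by_token.get(token)
        if entry is None:
            return None
        user_id, last_seen = entry
        if now - last_seen > self.idle_timeout:
            self.destroy(token)          # idle sessions are reaped on access
            return None
        self._by_token[token] = (user_id, now)  # sliding idle window
        return user_id

    def destroy(self, token: str) -> None:
        # Called from the "Sign Off" handler: the token must stop working server-side.
        entry = self._by_token.pop(token, None)
        if entry is not None:
            self._by_user.pop(entry[0], None)


def demo() -> dict:
    """Constructed scenario: user 4217 has a live weak session with counter 31337."""
    live = {weak_token(4217, 31337)}            # the server's session table
    found, guesses = brute_force_weak(4217, live.__contains__)

    store = SessionStore()
    first = store.create(4217, now=0.0)
    second = store.create(4217, now=10.0)       # second login evicts the first
    third_store = SessionStore()
    signed_off = third_store.create(99, now=0.0)
    third_store.destroy(signed_off)
    return {
        "weak_found": found,
        "weak_guesses": guesses,
        "weak_bits": round(search_space_bits(COUNTER_SPACE), 1),
        "strong_bits": search_space_bits(2 ** (8 * TOKEN_BYTES)),
        "old_session_dead": store.lookup(first, 20.0) is None,
        "new_session_alive": store.lookup(second, 20.0) == 4217,
        "expired_after_idle": store.lookup(second, 20.0 + 3601) is None,
        "signed_off_dead": third_store.lookup(signed_off, 1.0) is None,
    }
```

Run `demo()` and the weak session is found in 31,338 guesses out of a 16.6-bit search space, while a 256-bit random token cannot be enumerated at all; the three boolean checks show the eviction, idle timeout and sign-off behaviour a framework session implementation would normally give you for free.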