T 5.169 Inadequate session management of web applications
Since the HTTP protocol used by web applications is stateless, the user of a web application is identified during a session by means of a SessionID. If a third party can determine the SessionID because of inadequate session management, they can use the web application within the context of that session. This means, for example, that an attacker can interact with the web application as a legitimately authenticated user without knowing the actual access data (user name, password).
The functions of the web application can thus be used by third parties with the rights of the legitimate user to access data requiring protection or to execute commands without authorisation.
The following examples describe scenarios that might result in a compromised session.
- In a session-fixation attack, the attacker first obtains a SessionID for himself from the web application and passes this ID to the victim (for example via a link in an email). If the victim follows this link and subsequently authenticates to the web application using the SessionID supplied by the attacker, the attacker can then use the application with the SessionID known to him. In this way, the attacker can access the web application within the security context of the attacked user and use functions that are not available to an unauthenticated user.
- In a session hijacking attack (session take-over), the victim has already logged in to the web application with a valid SessionID. If the web application does not select SessionIDs randomly (e.g. by simply incrementing a counter when assigning SessionIDs), an attacker can guess valid SessionIDs by trying them in a targeted manner and take over the corresponding sessions of logged-in users.
- If the sessions of inactive users of a web application do not automatically become invalid after a specific time interval (session timeout), the sessions of users who did not log out of the application properly (e.g. by closing the browser) remain valid. If an attacker learns such a valid but no longer used SessionID, the attacker can still use the web application within the security context of the user who has not logged out.
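The three scenarios above each map to one missing safeguard: accepting a pre-login SessionID after authentication, predictable SessionIDs, and no idle timeout. As an added illustration that is not part of the catalogue entry, the following minimal Python session store shows the corresponding countermeasures; the class and method names and the 15-minute timeout are assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT = 15 * 60  # assumed value: seconds of inactivity before a session expires

@dataclass
class Session:
    user: Optional[str]  # None until the client has authenticated
    last_seen: float     # time of the most recent request using this SessionID

class SessionStore:
    """In-memory session manager; added example, not a production library."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT) -> None:
        self._sessions: Dict[str, Session] = {}
        self._idle_timeout = idle_timeout

    @staticmethod
    def _new_id() -> str:
        # 256 bits from the OS CSPRNG: IDs cannot be counted up or guessed.
        return secrets.token_urlsafe(32)

    def create(self, now: float) -> str:
        """Start an unauthenticated session, e.g. on the first request."""
        sid = self._new_id()
        self._sessions[sid] = Session(user=None, last_seen=now)
        return sid

    def lookup(self, sid: str, now: float) -> Optional[Session]:
        """Resolve a SessionID; a session idle past the timeout is dropped."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > self._idle_timeout:
            del self._sessions[sid]  # forgotten sessions cannot be reused later
            return None
        s.last_seen = now
        return s

    def login(self, sid: str, user: str, now: float) -> Optional[str]:
        """Bind a user to the session and issue a fresh SessionID; the
        pre-authentication ID (possibly planted by an attacker) is discarded,
        so a fixed SessionID never becomes an authenticated one."""
        if self.lookup(sid, now) is None:
            return None
        del self._sessions[sid]
        new_sid = self._new_id()
        self._sessions[new_sid] = Session(user=user, last_seen=now)
        return new_sid
```

Passing `now` explicitly keeps the timeout logic testable; a real application would use the server clock and send the new SessionID to the browser as a cookie after login.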