Session Fixation
Need
Prevention of session hijacking
Context
• Usage of Java 8 for developing applications with enhanced features and performance
• Usage of javax.servlet.http.Cookie for handling HTTP cookies in Java Servlet applications
• Usage of javax.servlet.http.HttpServletRequest for handling HTTP requests in Java Servlets
• Usage of HttpServletResponse for handling HTTP responses in Java Servlets
• Usage of javax.servlet.http.HttpSession for managing user sessions in Java web applications
• Usage of javax.servlet.ServletException for handling servlet exceptions
• Usage of java.io.IOException for handling input/output errors in Java
Description
1. Non compliant code
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
public class LoginServlet extends HttpServlet {
String username = request.getParameter("username");...The above code snippet is a simple example of a login servlet in a Java web application using the `javax.servlet` package. In this code, when a user tries to log in, their username and password are checked. If they are valid, a new session is created and the username is stored in the session attributes. The vulnerability lies in the session management part of the code. After a successful login, the session ID is not changed. The same session ID is used before and after authentication. This is a classic example of a Session Fixation vulnerability. An attacker can exploit this vulnerability by obtaining a valid session ID (for example, by using the application themselves), and then convincing a victim to use this session ID. Once the victim logs in, the attacker can use the same session ID to access the application as the victim. This is a serious security vulnerability as it can lead to unauthorized access to the application, potentially leading to data theft, data alteration, or other malicious activities.
2. Steps
• Generate a new session ID after a successful login
• Invalidate the old session ID and create a new session
• Regenerate the session ID when the user's privilege level changes
• Use secure and HttpOnly flags for session cookies
• Implement strong session management practices
3. Secure code example
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
public class LoginServlet extends HttpServlet {
String username = request.getParameter("username");...The fixed code now includes a process to invalidate the old session and create a new one after a successful login. This is done to prevent session fixation attacks where an attacker could use a known session ID to hijack a user's session. The new session ID is then used to create a new cookie which is added to the response. The cookie is marked with the `Secure` flag, ensuring it is only sent over HTTPS, and the `HttpOnly` flag, preventing it from being accessed through client-side scripts. This helps to mitigate the risk of session hijacking through man-in-the-middle or cross-site scripting attacks. The session timeout is also set to 5 minutes with `setMaxInactiveInterval()`. This means the session will automatically expire if there is no activity within this time period, reducing the window of opportunity for an attacker to hijack the session. The `isValidUser()` function is used to validate the username and password. This is a placeholder and should be replaced with actual validation logic.
References
• 280. Session Fixation