Introduction
In this article, we look at Session Fixation attacks against session management in ASP.NET web applications. Web applications normally use sessions to give users a smooth experience whenever they visit the application. Sessions store a user's selected preferences, custom themes, or sometimes where the user left off. Session management is needed because HTTP is a stateless protocol: it provides no built-in way for a web server to maintain state across a user's subsequent requests.
In web session management, the server generates a session identifier (ID) during the user's interaction, sends this session ID to the user's browser, and makes sure the same ID is presented each time the user makes a request to the server. Session IDs thereby become identification tokens for users, and servers use them to maintain session data (e.g., variables) and create a session-like experience for users.
The three methods for maintaining sessions on the web are:
- URL arguments
- Hidden form fields
- Cookies
Of the three methods, cookies have proven to be the least insecure and the most convenient. For web application security it is bad practice to expose the session ID in the URL, which leaves cookies as the best choice.
What is Session Fixation?
“Session Fixation is the opposite of obtaining the user’s session ID, rather it involves the attacker fixing the user’s session ID before the user even logs on, which eliminates the need to obtain the user’s Session ID at all.”
ASP.NET Session Management
When a user logs in to a site that accepts cookies, ASP.NET generates a session ID and places it inside a cookie, which is later used as the user's authentication.
Set-Cookie: ASP.NET_SessionId=ascfinmhgtvcfredsghjklpoo; path=/; HttpOnly
When a user logs in for the second time, ASP.NET only checks the validity of the session ID, i.e. that it is a 24-character string consisting of the characters a-z and 0-5. If the client does not provide a session ID, or provides an invalid one, ASP.NET issues a new one. If the client supplies a valid session ID and there is no session associated with that ID on the server, ASP.NET accepts the ID and creates a new session object for it. Consequently, you keep the same session ID until the browser deletes it.
ASP.NET tracks the user's identity through Forms Authentication and Windows Identity Foundation (WIF). Both of these use cookies to store the user's identity information; these cookies are known as authentication cookies. Authentication cookies are encrypted and tamper-proof.
The ASP.NET SessionStateModule, on the other hand, handles session state without regard to the identity of the current user, so there is no connection between the user's identity and the ASP.NET session. Session IDs are managed by the built-in SessionIDManager, one of whose main tasks is to create and validate session identifiers.
This exposes weaknesses in session management that can lead to Session Fixation. It is worse still when cookieless ASP.NET sessions are used, because they expose the session ID in the URL.
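The acceptance rules just described are the root of the problem, so here is a small model of them as an added example; it is not code from the article and does not use System.Web. The 24-character a-z/0-5 format is reproduced as a regular expression, and an in-memory dictionary stands in for the session store. The branch that adopts a well-formed but unknown ID is the one a fixation attack relies on; the ID generator shows how an unpredictable ID of that format is produced on the server side.

```csharp
// Added example, not code from the article: a model of the ASP.NET session ID acceptance rules.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text.RegularExpressions;

public static class SessionIdModel
{
    // 24 characters drawn from a-z and 0-5, as described above.
    private static readonly Regex ValidFormat = new Regex("^[a-z0-5]{24}$", RegexOptions.Compiled);
    private const string Alphabet = "abcdefghijklmnopqrstuvwxyz012345"; // 32 symbols, 5 bits each

    // Server-side table of sessions keyed by ID (stands in for the session store).
    private static readonly Dictionary<string, Dictionary<string, object>> Store =
        new Dictionary<string, Dictionary<string, object>>();

    public static bool IsValidFormat(string id) => id != null && ValidFormat.IsMatch(id);

    // Fresh, unpredictable ID: one cryptographically random byte per symbol,
    // masked to 5 bits (256 is divisible by 32, so the mapping is uniform).
    public static string NewId()
    {
        var bytes = new byte[24];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        var chars = new char[24];
        for (int i = 0; i < chars.Length; i++)
            chars[i] = Alphabet[bytes[i] & 31];
        return new string(chars);
    }

    // Behaviour described in the article: no ID or a malformed ID -> a new one is issued;
    // a well-formed ID with no server session -> accepted as-is and a session is created under it.
    public static string Resolve(string clientSuppliedId, out bool adoptedFromClient)
    {
        adoptedFromClient = false;
        if (!IsValidFormat(clientSuppliedId))
        {
            string fresh = NewId();
            Store[fresh] = new Dictionary<string, object>();
            return fresh;
        }
        if (!Store.ContainsKey(clientSuppliedId))
        {
            // The dangerous branch: the server adopts an ID it never issued.
            Store[clientSuppliedId] = new Dictionary<string, object>();
            adoptedFromClient = true;
        }
        return clientSuppliedId;
    }

    public static void Main()
    {
        bool adopted;
        string a = Resolve(null, out adopted);
        Console.WriteLine("no cookie        -> " + a + " (server generated: " + !adopted + ")");
        string b = Resolve("NOT-A-VALID-ID", out adopted);
        Console.WriteLine("malformed cookie -> " + b + " (server generated: " + !adopted + ")");
        // Constructed value: well-formed, but never issued by this server.
        string c = Resolve("aaaaaaaaaaaaaaaaaaaaaaaa", out adopted);
        Console.WriteLine("unknown valid ID -> " + c + " (adopted from client: " + adopted + ")");
    }
}
```

Running it prints a server-generated ID for the first two cases and echoes the constructed value back unchanged for the third, which is exactly what lets an attacker-chosen ID survive until the user logs in.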
Now, let's look at some of the ways an attacker can launch a successful Session Fixation attack using session cookies.
- Using a client-side script that sets a cookie on the browser.
- Using the HTML tag with the Set-Cookie attribute.
- Using the Set-Cookie HTTP response header.
Session Fixation
Attackers are lured by session IDs because, once obtained, they give easy access to users' identities. Attackers normally use interception, prediction, or brute force to hijack session IDs, but let us look at how Session Fixation works.
Here is the timeline of a Session Fixation attack in ASP.NET:
Prevention Methods
Session Timeout
The most effective way of preventing Session Fixation is to use sessions that expire. This prompts the application to create a new session ID when the user makes another request.
Use Identity
Since the biggest weakness of ASP.NET sessions is that session management does not use the user's identity, it is good practice to store the username along with the session ID and force the application to authenticate using both the session ID and the stored username. This shuts the attacker out, since he will be presenting a different identity.
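The two mitigations above (expiring sessions, and binding the session to the user's identity) can be implemented in classic ASP.NET (System.Web) as follows. This is an added example, not the article's code: the key name `__BoundUser`, the 20-minute timeout and the `LoginHelper` class are assumptions, and Forms Authentication with cookie-based session state is assumed to be configured. It also drops the pre-login session and replaces the `ASP.NET_SessionId` cookie at login, so a session ID that was fixed before authentication never becomes an authenticated session.

```csharp
// Added example, not code from the article: Global.asax.cs handlers plus a login helper
// that (1) give sessions a finite lifetime, (2) discard the pre-login session and its ID
// when a user authenticates, and (3) bind each session to the authenticated username and
// reject any request whose identity does not match.
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

public class Global : HttpApplication
{
    public const string BoundUserKey = "__BoundUser"; // assumed key name

    // Fires when a new session is created: every session expires after idle time.
    protected void Session_Start(object sender, EventArgs e)
    {
        Session.Timeout = 20; // minutes of inactivity before the session and its ID are dropped
    }

    // Fires after session state is attached, so both Session and User are available.
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = Context;
        if (ctx.Session == null) return; // handler without session state (static files, etc.)

        string boundUser = ctx.Session[BoundUserKey] as string;
        string currentUser = ctx.User != null && ctx.User.Identity.IsAuthenticated
            ? ctx.User.Identity.Name
            : null;

        if (boundUser == null)
        {
            // First authenticated use of this session: tie it to the identity.
            if (currentUser != null) ctx.Session[BoundUserKey] = currentUser;
            return;
        }
        if (!string.Equals(boundUser, currentUser, StringComparison.Ordinal))
        {
            // The session belongs to a different (or no) identity: a fixed or hijacked
            // session ID presented without the matching authentication cookie stops here.
            ctx.Session.Abandon();
            FormsAuthentication.SignOut();
            ctx.Response.Redirect(FormsAuthentication.LoginUrl, true);
        }
    }
}

// Called from the login page after the credentials have been verified (assumed helper).
public static class LoginHelper
{
    public static void CompleteLogin(HttpContext ctx, string username)
    {
        // Drop whatever session the browser arrived with, possibly an attacker-fixed one.
        ctx.Session.Abandon();

        // Replace the ASP.NET_SessionId cookie so the next request is issued a fresh ID
        // instead of reusing the value the browser already holds.
        var manager = new SessionIDManager();
        manager.Initialize();
        bool redirected, cookieAdded;
        manager.SaveSessionID(ctx, manager.CreateSessionID(ctx), out redirected, out cookieAdded);

        // Issue the authentication cookie and redirect; the next request creates the new
        // session and Application_PostAcquireRequestState binds it to this username.
        FormsAuthentication.RedirectFromLoginPage(username, false);
    }
}
```

Walking the fixation scenario through this code: the attacker's fixed ID is abandoned at login, the victim's fresh session is bound to the victim's username on the next request, and a later request carrying the old ID without the victim's authentication cookie either gets an empty new session (nothing bound) or, if it reaches a bound session, is abandoned and sent to the login page.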
Conclusion
Session Fixation is a common attack against ASP.NET applications that use sessions. The mitigations above are very useful and help limit Session Fixation attacks.