SESSION PROMISCUITY
CONTEXT
Historian Niall Ferguson posits, "Money is not metal. It is trust inscribed." The same goes for
session tokens, including cookies, one-time-use URLs, SAML tokens and OAuth tokens. These
session identifiers are the main (and often the only) method for letting the API server know who is
calling it. If these tokens are corrupted, replayed or spoofed, it is difficult, if not impossible, for
API servers to distinguish valid access from malice.
VULNERABILITIES
Tokens may be tampered with or replayed, and privileges may be altered.
IDENTIFICATION & TRACKING
Review the security token specification and implementation.
COUNTERMEASURE(S)
Implement token-protection schemes that sign and hash tokens when they are issued. The API
gateway must authenticate the signature and verify the hash to ensure the request is from an
authorized source, and has not been tampered with.
Ensure the tokens are fresh, and use a one-time-use code (nonce) and/or verified timestamp.
ASSURANCE
Session identifiers are visible and they can be reviewed at design and dynamic-testing levels
(proxy tools like Burp work well). A test suite should be developed to ensure that the tokens are
tamper evident, resilient to replay, and only accepted from authorized servers.
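The countermeasure and assurance points above, worked as an added example (not code from the original handbook): a gateway that HMAC-signs issued tokens, rejects any altered claim, enforces a freshness window on the issue timestamp and accepts each nonce only once. The key, claim names and window sizes are assumptions chosen for the demo.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo key; a real gateway would load this from a secret store.
DEMO_KEY = b"constructed-demo-key"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(subject, role, key=DEMO_KEY, now=None):
    """Issue <body>.<sig>: body carries the claims, a nonce and an issue time;
    sig is an HMAC-SHA256 over the body, so any change to a claim breaks it."""
    claims = {"sub": subject, "role": role,
              "iat": int(time.time() if now is None else now),
              "nonce": secrets.token_hex(8)}
    body = b64url_encode(json.dumps(claims, sort_keys=True).encode())
    sig = b64url_encode(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig

def tampered_copy(token, **changes):
    """Test-suite helper: rewrite claims without re-signing (simulated tampering)."""
    body, sig = token.split(".")
    claims = json.loads(b64url_decode(body))
    claims.update(changes)
    return b64url_encode(json.dumps(claims, sort_keys=True).encode()) + "." + sig

class Gateway:
    """Verifies the signature, the freshness window and the one-time nonce."""
    def __init__(self, key=DEMO_KEY, max_age=300, skew=30):
        self.key, self.max_age, self.skew = key, max_age, skew
        self.seen_nonces = set()   # in production: a shared store with a TTL

    def verify(self, token, now=None):
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".")
            given = b64url_decode(sig)
        except ValueError:
            return None, "malformed"
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, given):   # constant-time compare
            return None, "bad signature"
        claims = json.loads(b64url_decode(body))       # body is authentic here
        if not (now - self.max_age <= claims["iat"] <= now + self.skew):
            return None, "stale"
        if claims["nonce"] in self.seen_nonces:
            return None, "replayed"
        self.seen_nonces.add(claims["nonce"])
        return claims, "ok"
```

A token signed under a different key (an unauthorized issuer) fails exactly like a tampered one, since the gateway recomputes the HMAC under its own key.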
06 | The Curious Case of Session Promiscuity