OWASP Broken Authentication and Session Management
September 10th, 2022
session
session hijacking
anti-pattern: session ID exposed in plain text (readable by page scripts, or sent over an unencrypted channel)
ref: cross site scripting (XSS), which lets an attacker's script read a session cookie that is not marked HttpOnly
session fixation (attacker obtains a valid session ID, tricks the target into authenticating with it, and then shares the now-authenticated session)
Anti-pattern: authenticating an existing session
pattern: generate a new session ID when (re)authenticating
session prediction
Anti-pattern: session IDs based on user's own data
Anti-pattern: sequential session ids
just because a session ID looks random does not mean it is unpredictable
guidelines for handling session IDs
![no description for image available](http://images.ctfassets.net/p2rtto0i6kcn/891a6526-7a14-4d71-8dd4-0cb3d9bad33c/31f138269907b642888f40f1db95240f/IMG_20220908_150933.jpeg)
pattern: long session ID with lots of entropy
pattern: session ID from a cryptographically secure random generator (CSPRNG)
anti-pattern: session ID from the language's general-purpose random function (a statistical PRNG, predictable from observed output)
pattern: protect against XSS
pattern: generate a new session ID when (re)authenticating
pattern: use up-to-date platform session management
pattern: use ONLY cookies to exchange session IDs (disable all other ways)
anti-pattern: accept session IDs via query parameters
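Worked example (added here, not part of the original notes): the guideline list above as a small in-memory session layer. `SessionStore`, `new_session_id`, `session_id_from_request` and `set_cookie_header` are hypothetical names chosen for the example; the sample requests are constructed.

```python
# Added example, not from the original notes. Shows: CSPRNG session IDs,
# new ID on (re)authentication, cookie-only transport, cookie hardening flags.
import secrets
from http.cookies import SimpleCookie

SESSION_ID_BYTES = 32   # 256 bits of entropy, well past the 64-bit minimum OWASP asks for
COOKIE_NAME = "sid"


def new_session_id() -> str:
    # pattern: CSPRNG. secrets.* reads os.urandom. Do NOT use random.random() /
    # random.getrandbits(): Mersenne Twister output is predictable once observed.
    return secrets.token_urlsafe(SESSION_ID_BYTES)


class SessionStore:
    """In-memory store constructed for the example; a real deployment would
    put this behind the platform's server-side session storage."""

    def __init__(self):
        self._sessions = {}          # session id -> session data

    def create(self) -> str:
        """Anonymous (pre-login) session."""
        sid = new_session_id()
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def authenticate(self, old_sid: str, user: str) -> str:
        """pattern: issue a NEW id on (re)authentication and retire the old one.
        The anti-pattern would be: self._sessions[old_sid]["user"] = user.
        If old_sid was planted by an attacker (fixation), it is dropped here
        and never becomes an authenticated session."""
        carried = self._sessions.pop(old_sid, None) or {}
        new_sid = new_session_id()
        self._sessions[new_sid] = {**carried, "user": user}
        return new_sid

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def session_id_from_request(headers: dict, query: dict):
    """pattern: accept the session id ONLY from the Cookie header.
    `query` is deliberately ignored, so ?sid=... in a URL (which ends up in
    server logs, Referer headers and browser history) can neither leak a
    session nor plant one."""
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel else None


def set_cookie_header(sid: str) -> str:
    # HttpOnly: page scripts (XSS) cannot read it. Secure: never sent over plain
    # HTTP. SameSite: not attached to most cross-site requests.
    return f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    planted = store.create()                      # id an attacker could have planted
    mine = store.authenticate(planted, "alice")   # victim logs in with it
    print(store.get(planted), store.get(mine))    # None {'user': 'alice'}
    print(set_cookie_header(mine))
```

The fixation defence is entirely in `authenticate`: the pre-login ID is discarded and a fresh one issued, so whoever knew the old ID is left holding a dead session. Calling `authenticate` again on re-authentication (password change, privilege step-up) gives the same protection at those points.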
exercise: write a cURL command for a TLS-secured call to a development server using a self-signed certificate
Anti-pattern metaphor: pie-crust defense (hard crust, soft filling)
you have to authenticate to cross the outer boundary,
but once inside the "pie" services call each other freely, without authenticating
![no description for image available](http://images.ctfassets.net/p2rtto0i6kcn/9fde1880-623d-4888-b380-931950085ae0/795e09503dc5644014f9148177a58579/IMG_20220908_152511.jpeg)
Authentication options:
first-party (build it yourself)
third-party (e.g. Kerberos, NTLM, OAuth)