WebApp Sec mailing list archives

Critical New Web Application Vulnerability Alert BOB23203115


From: "Arian J. Evans" <arian () anachronic com>
Date: Sun, 19 Dec 2004 19:13:01 -0600

Critical New Web Application Vulnerability:

Cross X Double-Free Session Riding Turbo Champion Gold
"A Widespread Vulnerability in Tomorrow's Web Applications"

http://www.anachronic.com/modules.php?op=modload&name=News&file=article&sid=9&mode=thread&order=0&thold=0
(if you prefer HTML)

Issue:

(P1) If a web application implements dual-factor entity authentication using dynamically generated session
tokens in the URL, and

(P2) If this secondary token is used to control per-resource access (resource=URL), in addition to a primary
session token (e.g. session cookie, etc.) which controls general session state, then

---------------------------------------------------------------------

(C) Any attacker who can harvest the dynamically generated session token can send a user to that resource via
URL link or embedded script including the aforementioned session token, and execute commands within the
application on the user's behalf.

As the user's browser will automatically provide the primary session token (e.g. session cookie) or auth like
NTLM, Kerberos, etc., inclusion of this secondary resource token is all that's needed to allow the attacker to
arbitrarily execute commands in the application on behalf of the user.

Recommendation: All web applications should implement Best Practices:

(1) a cryptographically secure primary session token
(2) a cryptographically secure user identifier (hidden in the page)
(3) a cryptographically secure, dynamically-generated per-page resource token

::And to mitigate the above risk::

(4a) Provide a separate application the user can use to generate OTPs. Require OTPs to be entered on *every*
page before undertaking _any_ action.

-or-

(4b) Require a user-supplied secret that the user must enter on *every* page before they can undertake _any_
action.

Additional notes:
HTTP is STATELESS.
Web Applications have no control over web clients.
Web Applications have no control over webapp users.
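As an added illustration (not part of the original post), here is the (P1)+(P2) -> (C) argument and mitigation (4b) as a small Python model: the browser attaches the primary session cookie to any link it follows, but never a secret the user must type. The session id, user name, secret and token key are constructed sample values.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample state for the model (not real values).
PRIMARY_SESSION = {"sess-abc": "alice"}   # session cookie value -> authenticated user
USER_SECRET = {"alice": "hunter2"}        # per-user secret for mitigation (4b)
RESOURCE_TOKEN_KEY = b"constructed-demo-key"

def resource_token(url: str) -> str:
    """Dynamically generated per-resource token (P1/P2): derived from the URL only,
    so anyone who sees a link carrying it has everything needed to reuse it."""
    return hmac.new(RESOURCE_TOKEN_KEY, url.encode(), hashlib.sha256).hexdigest()[:16]

@dataclass
class Request:
    url: str
    cookies: Dict[str, str]                          # attached automatically by the browser
    query: Dict[str, str]                            # chosen by whoever built the link
    form: Dict[str, str] = field(default_factory=dict)  # typed by the user at the keyboard

def browser_follow(link: str, victim_cookies: Dict[str, str],
                   typed: Optional[Dict[str, str]] = None) -> Request:
    """Model of a victim's browser following a link it was handed: the URL and
    query string come from the link; the session cookie is added automatically."""
    url, _, qs = link.partition("?")
    query = dict(p.split("=", 1) for p in qs.split("&") if "=" in p)
    return Request(url, dict(victim_cookies), query, dict(typed or {}))

def authorize(req: Request, require_user_secret: bool) -> Tuple[bool, str]:
    """Server-side check: primary session + per-resource token (P1/P2), and,
    when require_user_secret is set, the user-supplied secret of mitigation (4b)."""
    user = PRIMARY_SESSION.get(req.cookies.get("session", ""))
    if user is None:
        return False, "no primary session"
    if not hmac.compare_digest(req.query.get("rtoken", ""), resource_token(req.url)):
        return False, "bad resource token"
    if require_user_secret and req.form.get("secret") != USER_SECRET[user]:
        return False, "user secret missing or wrong"
    return True, "action executed as " + user

if __name__ == "__main__":
    harvested = resource_token("/transfer")              # token seen in a leaked URL
    link = "/transfer?rtoken=" + harvested + "&to=mallory"
    victim = {"session": "sess-abc"}                     # victim is logged in
    print(authorize(browser_follow(link, victim), require_user_secret=False))
    print(authorize(browser_follow(link, victim), require_user_secret=True))
```

With only the URL token the crafted link is accepted because the victim's browser supplies the cookie; with (4b) it is refused until the user types the secret, which no link can carry for them.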

Background:

My esteemed appsec colleague Ed Welsh brought to my attention a paper entitled "Session Riding" published by
SecureNet GmbH.

Overall the SecureNet paper is well written and well organized. It facilitates an intelligent discussion of:

-State Management general issues
-Session Management particulars
-Authentication

However, this paper suffers from overzealous marketing statements. Paragraph one: this is clearly covered by
the OWASP Top 10 (how does this not fall under A3?); a separate discussion is the alleged 'Top-10' document's
illogical mixing of Category, Class, and Particulars.

While 'Session Riding' is an interesting read, I assumed this was common knowledge. There is *nothing* new in
this paper especially about so-called 'session riding'. Am I very wrong about this being common knowledge (in
the appsec community)?

This paper essentially explains the concept of using dual-factor authentication, and specifically a
dynamically-generated token, for per-resource access in a web application to prevent access to default or
static URL strings. Not a bad design idea, though the solution has more options than this paper suggests.
Additionally, SecureNet's primary solution can introduce other issues.

I would have liked this paper a lot better if it weren't positioned with MarketingMyth(tm) jargon.

For a more detailed analysis of this issue:

Session Riding Analysis: more webappsec hype & confusion just in time for Christmas!
http://www.anachronic.com/modules.php?op=modload&name=News&file=article&sid=10&mode=thread&order=0&thold=0

Note: anachronic.com is vulnerable to 'Session Riding' but not to
'Cross X Double-Free Session Riding Turbo Champion Gold'. Yet.
So, like, watch how you get there.

Watch your back. Trust no one. Keep your Lynx handy.

Arian J. Evans
