Using Foundstone CookieDigger to Analyze Web Session Management

Foundstone Professional Services
May 2005
Web Session Management

Managing web sessions has become a critical component of secure coding techniques. Malicious intruders, e-shoplifters, and hackers are increasingly targeting poorly designed applications that do not properly manage web sessions.

Web session management encompasses the techniques used by web applications to transparently authenticate users over HTTP without having them repeatedly log in. The HTTP protocol is inherently stateless, so the application needs some way of performing session management. Session management entails the server sending a token of identity to the client (e.g. a web browser) after successful authentication. The most common way of performing session management is via the Set-Cookie header of HTTP, which stores a token on the client. Every subsequent request made by the client includes that token as a means to prove its identity. The application server keeps a database of user information corresponding to every token issued. Upon receiving a request that includes a token, the application server correlates the user state with the token received. If the token is recognized, the request is processed; if it is not recognized, the request is rejected. Therefore, the token set on the client is the most critical piece of information providing a user access to his or her resources. This token is popularly called a cookie.

Foundstone CookieDigger

CookieDigger, designed by Foundstone, is a free tool to help identify weak cookie generation and insecure implementations of session management by web applications. The tool works by collecting and analyzing cookies issued by a web application for multiple users. The tool's functionality can be divided into three broad categories:

1. Cookie Collection
2. Cookie Analyses
3. Results

www.foundstone.com 2005 Foundstone, Inc. All Rights Reserved - 1
To use CookieDigger, the user needs to point the tool at the web application being analyzed. When the tool is launched, a scaled-down version of a web browser is presented.

1. Browse to the website using this browser.

2. Log in as a regular user on the web site with valid credentials.

3. Log out of the web site. This is required because some websites do not allow multiple simultaneous logins.

4. Click on Replay URLs. This shows all the URLs that have been visited.

5. The Visited URLs panel displays a tree view of all the URLs visited along with the associated parameter names and values.

6. Identify the request that carries the credentials used to log on to the website. The application tries to make a best guess of the User ID and Password parameters, but that guess may not be accurate in all cases. Select the right User ID and Password parameters using the drop-down box.
7. Enter a set of credentials that the tool can use to log on to the web application and collect the cookies. The tool does not reuse the initially entered credentials unless they are re-entered during this phase. At least one set of credentials must be entered, and a maximum of 20 sets can be entered.

8. Select the number of times you want to repeat the login process for each set of credentials. The tool collects the cookies set for each login attempt. The minimum is 2 and the maximum is 100. Press Done after having selected the number of attempts.

9. Depending on the number of credentials and the number of login attempts, the tool can take from a few seconds to a few minutes to collect the cookies.

10. After the cookie collection is complete, you can choose to save the cookies in XML files for more extensive testing, manually analyze the results with the options provided, display the report with the default analyses performed on the collected cookies, or simply discard the collected cookies and the analyses.

11. Save the cookies as an XML file.

12. The user can choose to manually test the collected cookies for commonly known mistakes.

13. The user can choose the instance of the cookie to analyze. The tool provides the ability to choose the user and the instance number of the cookie to view.

14. The user can hash strings using the MD5 and SHA1 algorithms and compare them with the collected cookies to check whether the web application is using hashes of predictable strings or timestamps as cookies. The string value entered is hashed and compared to all the cookie values collected. The results are included in the report generated at the end of manual testing.
15. The user can decode the cookie values to check for useful information passed in the cookies. The user currently has the option to perform Base64 and URL decoding on the collected cookies. Choose the cookie name/value pair that you want to decode, select the type of decoding and click OK. The decoded value will appear under Covert Value.
16. The tool provides the user with the ability to search for particular strings and/or substrings across all the collected cookie values. This is particularly useful if the user is aware of the encryption algorithm and key used but is not sure of the plain text being encrypted.

17. The user has the option to go directly to the Manual Testing panel from the main window to continue performing the manual analyses on the cookies. The user needs to use Load Cookies to access the stored XML files.

18. The results of the analyses performed on the collected cookies can be seen through the Show Report tab.
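As an added example that is not part of CookieDigger or this paper, the following Python reproduces the manual checks of steps 14 and 15 over constructed sample cookies: each collected value is compared against the MD5 and SHA1 digests of candidate strings (usernames, timestamps), and values are decoded as Base64 or URL encoding. The cookie names and values are constructed for illustration.

```python
import base64
import binascii
import hashlib
import urllib.parse

# Constructed sample: cookies as the tool would collect them, one value per
# login. "auth" is deliberately md5(username) so the check produces a hit.
SAMPLE_COOKIES = {
    "JSESSIONID": ["9F2C7A1B3E4D", "A61B9C0D2E7F"],
    "auth": [hashlib.md5(b"alice").hexdigest(), hashlib.md5(b"bob").hexdigest()],
    "info": [base64.b64encode(b"user=alice;role=admin").decode()],
}


def hash_candidates(candidates):
    """Map MD5 and SHA1 hex digests of each candidate string back to (algorithm, text)."""
    table = {}
    for text in candidates:
        data = text.encode()
        table[hashlib.md5(data).hexdigest()] = ("md5", text)
        table[hashlib.sha1(data).hexdigest()] = ("sha1", text)
    return table


def find_hash_matches(cookies, candidates):
    """Return (cookie name, algorithm, plaintext) for every cookie value that is
    the hex digest of a candidate string (usernames, timestamps, etc.)."""
    table = hash_candidates(candidates)
    hits = []
    for name, values in cookies.items():
        for value in values:
            key = value.strip().lower()
            if key in table:
                algo, text = table[key]
                hits.append((name, algo, text))
    return hits


def decode_value(value, scheme):
    """Decode a cookie value as 'url' or 'base64'. For base64, return None when the
    value is not valid base64 or does not decode to printable text."""
    if scheme == "url":
        return urllib.parse.unquote_plus(value)
    if scheme == "base64":
        try:
            text = base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, ValueError):
            return None
        return text if text.isprintable() else None
    raise ValueError("unknown scheme: " + scheme)
```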
Analyses

CookieDigger performs the following analyses on the collected cookies:

Average Length of the Cookie: If the average length of the cookie used as an authenticator is small, it would take fewer brute-force attempts to hijack another user's session. On a popular site we can assume many users are logged in at the same time, so the chances of a successful brute-force attempt might be high.

Character Set of the Cookie: The character set employed in generating the cookie value plays an important role in the entropy of the cookie. For any given cookie length, a larger character set increases the strength of the authenticator. If an attacker can determine the character set employed by the application, brute-force attempts can be crafted more efficiently. The combination of the length of the cookie and the character set used determines the strength of the authenticator.

Critical Information: The tool checks the cookie values set by the application to see whether any of the cookies contains the username or password values. The check is performed on both the plain text value of the cookie and on the base64-decoded value of the cookie. Other common useful information passed in cookie values includes account numbers, names, privilege levels, etc.

Entropy of the Cookies: The tool compares the different cookie values to check how many characters change on every subsequent login. If the cookie value remains the same on subsequent logins, it shows that the algorithm used for generating the cookies is vulnerable to chosen plaintext attacks. Furthermore, if the cookie values remain the same on subsequent logins, it gives an attacker a longer period of time to perform brute-force attempts.
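As an added example (not the tool's own code), the following Python computes the four baseline analyses just described over two constructed cookie samples: a weak cookie that is identical on every login and embeds the username in Base64, and a strong one that changes completely on each login. The keyspace_bits figure is an assumed strength estimate (average length times log2 of the alphabet size), not a value the tool itself reports.

```python
import base64
import binascii
import math
import statistics

# Constructed samples: one session cookie's values over three logins.
# WEAK is identical every login and embeds the username in base64;
# STRONG is a fresh 128-bit hex token each time.
WEAK = [base64.b64encode(b"user=alice").decode()] * 3
STRONG = [
    "8c1e7a2f5b9d4e6a0c3f7b2d9e1a5c4f",
    "2b7d9f3e1a5c8e0b4d6f1a9c3e5b7d2f",
    "e4a6c8f1b3d5e7a9c0b2d4f6a8c1e3b5",
]

def average_length(values):
    return statistics.fmean(len(v) for v in values)

def character_set(values):
    return sorted(set("".join(values)))

def keyspace_bits(values):
    """Assumed strength estimate: average length * log2(alphabet size)."""
    alphabet = len(character_set(values))
    return average_length(values) * math.log2(alphabet) if alphabet > 1 else 0.0

def changing_fraction(values):
    """Share of character positions that change between logins (0.0 = same cookie every time)."""
    width = max(len(v) for v in values)
    padded = [v.ljust(width) for v in values]
    changing = sum(1 for i in range(width) if len({p[i] for p in padded}) > 1)
    return changing / width

def critical_information(values, secrets):
    """Labels of secrets (e.g. username, password) found in the plain or base64-decoded value."""
    found = set()
    for value in values:
        views = [value]
        try:
            views.append(base64.b64decode(value, validate=True).decode("latin-1"))
        except (binascii.Error, ValueError):
            pass  # not valid base64: only the plain value is checked
        found.update(label for label, s in secrets.items() if any(s in v for v in views))
    return found
```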
The screenshots below show a sample report output collected from www.threatsandcountermeasures.com. The report provides a summary of the findings and generates a predictability index based upon the cookie values collected. The analyses results are displayed in the report. The baseline analyses performed on the cookies give the user a good indication of how strong the session identifiers are.

The report shows all the collected cookie values for the user to view and analyze. The findings of the manual analyses are displayed at the end of the report. If there was any positive finding during the manual testing, the report displays the cookie values for the user's reference.
Known Issues

1. The tool does not work on websites that require scripting on parameter values before they are sent back to the application.
2. The tool fails in cases where the website sends and expects a nonce for every new login.

About Foundstone Professional Services

Foundstone Professional Services, a division of McAfee, offers a unique combination of services and education to help organizations continuously and measurably protect their most important assets from the most critical threats. Through a strategic approach to security, Foundstone identifies, recommends, and implements the right balance of technology, people, and process to manage digital risk and leverage security investments more effectively.

Foundstone's Secure Software Security Initiative (S3i) services help organizations design and engineer secure software. By building in security throughout the Software Development Lifecycle, organizations can significantly reduce their risk of malicious attacks and minimize costly remediation efforts. Services include:

Source Code Audits
Software Design and Architecture Reviews
Threat Modeling
Web Application Penetration Testing
Software Security Metrics and Measurement

For more information about Foundstone S3i services, go to www.foundstone.com/s3i.

Foundstone S3i training is designed to teach programmers and application developers how to build secure software and to write secure code. Classes include:

Building Secure Software
Writing Secure Code Java (J2EE)
Writing Secure Code ASP.NET (C#)
Ultimate Web Hacking

For the latest course schedule, go to www.foundstone.com/education.