Detection of Session Fixation Vulnerabilities with Session ID Monitoring

Masataka Utsumi (1), Yuji Kosuga (1) and Kenji Kono (1, 2)

Abstract. In recent years, session fixation has become one of the most critical security flaws in web applications. Session fixation is an attack technique that forces a visitor of a web application to use a session identifier (SID) that the attacker prepared. After the visitor's login, the attacker can masquerade as the visitor by accessing the web application with that SID. A well-known and effective technique for preventing session fixation is to assign a new SID each time a user logs in. However, many web applications in the real world do not implement this prevention technique properly. In this paper, we propose a technique to detect session fixation vulnerabilities in web applications by monitoring the change of SIDs before and after a user's login. Since our technique checks web applications without requiring their source code, it is useful for checking legacy web applications that are already running. In our experiment, our system successfully detected vulnerabilities in our original test cases and in a real-world web application.

1. [section heading lost in extraction]
[Body text of Section 1 lost in extraction. Recoverable terms: session ID, Session Fixation, Cross-Site Request Forgery (CSRF), Session Hijack.]

(1) Keio University
(2) JST CREST

c 2010 Information Processing Society of Japan
[Section 1 continued; text lost in extraction. Recoverable fragments: WhiteHat Security (1), 12%, Session Fixation; MBSD (2), Session Fixation; session ID. Paper outline: Section 2, Section 3 (Session Fixation), Sections 4 to 7.]

2. [section heading lost in extraction]

2.1 [subsection heading lost in extraction; related work on Session Fixation]
[Text lost in extraction. Recoverable fragments: acros (3); MBSD (2); BASS (4); Session Fixation; Cross-Site Request Forgery (CSRF), Referer header, URL; NoForge (5), session ID, CSRF, Referer; Origin header (6).]
[Section 2.1 continued; text lost in extraction. Recoverable fragments: Google Chrome 4 (7), CSRF, Session Fixation.]

2.2 [subsection heading lost in extraction; related work on web vulnerability scanners]
[Text lost in extraction. Recoverable fragments: SecuBat (8), WAVES (9), SQL, HTML, JavaScript.]

3. Session Fixation

3.1 [subsection heading lost in extraction; Session Fixation]
[Figure 1: residue of a Session Fixation sequence diagram with steps 1 to 5 involving the session ID; figure text not recoverable.]
[Section 3.1 body text lost in extraction. Recoverable fragments: Session Fixation, session ID, steps 1 to 5.]

3.2 [subsection heading lost in extraction; Session Fixation, session ID]
[Section 3.2 continued, referring back to Section 3.1; text lost in extraction. Recoverable fragments: Session Fixation, session ID.]

3.3 [subsection heading lost in extraction]
[Text lost in extraction. Recoverable fragments: WhiteHat Security (1), 12%, Session Fixation; MBSD (2), Session Fixation.]

4. [section heading lost in extraction]

4.1 [subsection heading lost in extraction; Session Fixation]

4.2 [subsection heading lost in extraction; session ID, Session Fixation]
[Figure 2: residue of a system overview diagram; figure text not recoverable.]
[Section 4.2 body text lost in extraction; refers to Figure 2 and to Sections 4.3 and 4.4.]

4.3 [subsection heading lost in extraction]
[Text lost in extraction. Recoverable fragments: session ID, Figures 2 and 3, HTML.]
[Figure 3: residue; figure text not recoverable.]

4.4 [subsection heading lost in extraction; session ID extraction from URL and Cookie]

4.4.1 [URL rewriting] Recoverable example: after_login.php?sid=abcdef. Recoverable fragments: URL, "?", session ID, "=".

4.4.2 [Cookie] Recoverable example: Cookie: sid=abcdef. Recoverable fragments: session ID, Cookie, URL, "=".

4.4.3 [heading lost in extraction; session ID]
[Figure 4: residue; figure text not recoverable.]
[Section 4.4.3 body text lost in extraction. Recoverable fragments: session ID, Session Fixation.]
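The check described in the abstract and in Sections 4.4.1 and 4.4.2 (extract the SID from the URL query string or the Cookie header of the request before login and of the request after login, and flag the application if the SID did not change) can be written compactly. The following is an added example in Python, not the paper's own Java implementation; the SID names in SID_NAMES, the two-request record format, the host name app.example and the in-process ToyApp that stands in for the application under test are all constructed for this example.

```python
"""Session-ID monitoring check for session fixation (added example, not the paper's tool).

Constructed assumptions: the SID names in SID_NAMES, the request record format
{"url": str, "headers": [(name, value), ...]}, and ToyApp as a stand-in for the
web application under test.
"""
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlparse

# Parameter / cookie names treated as session identifiers. "sid" is the name
# used in the paper's examples; PHPSESSID and phpbb2mysql_sid are the cookie
# names that appear in its phpbb experiment.
SID_NAMES = ("sid", "PHPSESSID", "phpbb2mysql_sid")


def sids_from_url(url):
    """SIDs carried by URL rewriting, e.g. after_login.php?sid=abcdef (Section 4.4.1)."""
    query = parse_qs(urlparse(url).query)
    return {name: vals[0] for name, vals in query.items() if name in SID_NAMES}


def sids_from_cookie_header(value):
    """SIDs carried in a Cookie header value, e.g. 'sid=abcdef' (Section 4.4.2)."""
    jar = SimpleCookie()
    jar.load(value)
    return {name: morsel.value for name, morsel in jar.items() if name in SID_NAMES}


def collect_sids(request):
    """Gather every SID a request carries, from its URL and from its Cookie headers."""
    found = sids_from_url(request.get("url", ""))
    for name, value in request.get("headers", []):
        if name.lower() == "cookie":
            found.update(sids_from_cookie_header(value))
    return found


def check_session_fixation(before_login, after_login):
    """Core check: an SID that is identical before and after login was not
    regenerated, so the application is exposed to session fixation.
    Returns the (name, value) pairs that survived login unchanged."""
    before = collect_sids(before_login)
    after = collect_sids(after_login)
    return [(n, v) for n, v in before.items() if after.get(n) == v]


class ToyApp:
    """Constructed in-process stand-in for the application under test.
    regenerate=False keeps the pre-login SID (the vulnerable behaviour);
    regenerate=True issues a fresh SID at login (the countermeasure checked for)."""

    def __init__(self, regenerate):
        self.regenerate = regenerate
        self.sessions = {}  # sid -> session state

    def visit(self):
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        if sid not in self.sessions:        # unknown SID: start a new session
            sid = self.visit()
        if self.regenerate:                 # drop the old SID, keep the state
            state = self.sessions.pop(sid)
            sid = secrets.token_hex(8)
            self.sessions[sid] = state
        self.sessions[sid]["user"] = user
        return sid


def run_check(app, user="alice"):
    """Drive one visit and one login against app, recording the SID both as a
    cookie and through URL rewriting, then apply the before/after comparison."""
    sid0 = app.visit()
    before = {"url": "http://app.example/login.php",
              "headers": [("Cookie", f"sid={sid0}")]}
    sid1 = app.login(sid0, user)
    after = {"url": f"http://app.example/after_login.php?sid={sid1}",
             "headers": [("Cookie", f"sid={sid1}")]}
    return check_session_fixation(before, after)


if __name__ == "__main__":
    for regenerate in (False, True):
        hits = run_check(ToyApp(regenerate))
        verdict = f"VULNERABLE, unchanged SIDs: {hits}" if hits else "SID changed at login: OK"
        print(f"regenerate={regenerate}: {verdict}")
```

The comparison is keyed on the SID name rather than on the carrier, so an SID that is set as a cookie before login and echoed through URL rewriting after login is still caught; with a real application the two request records would be captured from the browser instead of produced by ToyApp.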
[Figure 5: residue of a flowchart with steps 1 to 6 involving the session ID and URL; figure text not recoverable.]
[Section 4.4 continued, referring to Section 4.3 and Figure 5; text lost in extraction.]

5. [section heading lost in extraction; implementation]
[Text lost in extraction. Recoverable fragments: session ID, Java.]

6. [section heading lost in extraction; evaluation]

6.1 [subsection heading lost in extraction]
[Text lost in extraction. Recoverable fragments: phpbb, Session Fixation, Firefox 3.5.7, session ID.]

6.2 [subsection heading lost in extraction]

6.2.1 [heading lost in extraction]
[Text lost in extraction. Recoverable fragments: Table 1, session ID.]
[Table 2: residue of test-case results for cases 1 to 6; table text not recoverable.]
[Section 6.2.1 continued. Recoverable fragments: session ID; test environment Apache 2.2.13 (Unix), MySQL 5.1.39.]

6.2.2 [heading lost in extraction]
[Text lost in extraction. Recoverable fragments: test cases 1, 2, 4, 5, 6; session ID.]

6.3 [subsection heading lost in extraction]

6.3.1 [heading lost in extraction; phpbb]
[Text lost in extraction. Recoverable fragments: phpbb, SourceForge (10), 410,449; NoForge (5), CSRF, Session Fixation; environment Apache 2.0.63 (Unix), MySQL 5.1.37; phpbb 2.0.12 from SourceForge (10).]

6.3.2 [heading lost in extraction; phpbb, Session Fixation]
[Text lost in extraction; refers to Figure 6. Recoverable output fragments: CookieAnalyze beforeset: phpbb2mysql_data, phpbb2mysql_sid, PHPSESSID; CookieAnalyze afterset; URLRewritingAnalyze beforeset: logout, sid; phpbb2mysql_sid, session ID, Session Fixation; phpbb 3.0.6, Session Fixation.]

7. [section heading lost in extraction; Session Fixation]
IPSJ SIG Technical Report

... aims to notify developers that a web application running with insufficient countermeasures has a vulnerability, and makes it possible to detect vulnerabilities more easily than doing everything by hand. The proposed technique obtains the session ID from the request before login and from the request after login, and checks whether the countermeasure has been applied by comparing the two. In the experiment, we showed that a web application actually in operation has a session fixation vulnerability. As future work, to make the proposed technique applicable to more web applications, we plan to improve the identification of login pages and the accuracy of session ID extraction. In addition, since page navigation and the entry of user names and passwords are currently done by hand, we intend to automate the inspection so that it can be performed more easily.

References

1) WhiteHat Security, Inc.: Website Security Statistics Report, 8th Edition, Fall 2009, http://www.whitehatsec.com/home/resource/stats.html.
2) Mitsui Bussan Secure Directions (MBSD), Inc.: 2008 Web Application Vulnerability Assessment Report, http://www.mbsd.jp/news/pressrelease_img/20090717/websec2008report.pdf.
3) acros: Session Fixation Vulnerability in Web-based Applications, http://www.acrossecurity.com/papers/session_fixation.pdf.
4) Yu, D., Chander, A., Inamura, H. and Serikov, I.: Better abstractions for secure server-side scripting, WWW '08: Proceedings of the 17th International Conference on World Wide Web, pp. 507-516 (2008).
5) Jovanovic, N., Kirda, E. and Kruegel, C.: Preventing Cross Site Request Forgery Attacks, Securecomm '06: Second International Conference on Security and Privacy in Communication Networks, pp. 1-10 (2006).
6) Barth, A., Jackson, C. and Mitchell, J. C.: Robust Defenses for Cross-Site Request Forgery, CCS '08: Proceedings of the 15th ACM Conference on Computer and Communications Security, pp. 75-88 (2008).
7) Google, Inc.: Google Chrome, http://www.google.com/chrome.
8) Kals, S., Kirda, E., Kruegel, C. and Jovanovic, N.: SecuBat: a web vulnerability scanner, WWW '06: Proceedings of the 15th International Conference on World Wide Web, pp. 247-256 (2006).
9) Huang, Y.-W., Huang, S.-K., Lin, T.-P. and Tsai, C.-H.: Web application security assessment by fault injection and behavior monitoring, WWW '03: Proceedings of the 12th International Conference on World Wide Web, pp. 148-159 (2003).
10) SourceForge, Inc.: phpbb, http://sourceforge.net/projects/phpbb/.
[Figure 6: Inspection results for phpbb; figure residue not recoverable.]