Saturday, 15 October 2016

HOW TO SECURE COOKIES FROM ATTACKERS

In the previous blog, we discuss the requirement of the session because of statelessness of HTTP Protocol and Session ID Structure and Security at Generation Time in that blog we conclude that cookies are the best method for passing session id.

COOKIES:

Cookies are simply a file which contains small data e.g. what the language used by the client, visiting time to the website, it contains all the links to click on, most importantly the items to be added to the shopping baskets while doing online shopping on the client side.
we are using cookies for exchanging the session id data because cookies provide several security features in terms of its attributes.

COOKIES ATTRIBUTES:

1. Secure Attribute
2. HttpOnly Attribute
3. Expire Attribute
4. Domain and Path Attribute

SECURE ATTRIBUTE:

Secure attribute sends the cookie data through encrypted channel because it informs the web browser.
if the secure attribute is not used then the attacker can intercept the packet by Burpsuite, Paros Proxy, Owasp Zap tools to do the MITM(Man In The Middle) attack.

HTTPONLY ATTRIBUTE:

If the HttpOnly attribute is not on then attacker can steal your session id by accessing the document.cookie object through Cross-Site Scripting attack. so, HttpOnly object informs the browsers to not allowed the scripts(e.g. JavaScript, VBScript).
EXPIRE ATTRIBUTE:

The Attacker can hijack your session because Expire Attribute is not set for active sessions, so, it is mandatory to set expiration time it depends on the purpose of web applications to balance the usability and security for each session.it will decrease the time for attackers to hijack your session.

DOMAIN AND PATH ATTRIBUTE:

DOMAIN: In a simple way this attribute determines those hosts to which the cookies will be sentto set this attribute is a major concern to developers but it should not be set to loose.The domain is set for that server where the client wants to send cookies.
For Example: Important for Tester to check this

PATH: This attribute signifies the path for which the cookies are valid.Just like DOMAIN attribute this will not set loosely because it may leads to active attacks by other vulnerable applications on the same server.Important part is that if path attribute is set to "/" then cookies is sent to each applications within the same domain.
For Example, Important for Tester to check this
                          

Cookies attributes are perfectly set by GMAIL specially DOMAIN and PATH attribute:


Example of GMAIL


TESTING TOOLS:

INTERCEPTING PROXY:

  
TESTING BY OWASP ZAP

BROWSER EXTENSION:

Firebug in Mozilla Firefox to check the cookies attributes set properly or not
FIREBUG

SUMMARY:

In this post i highly focused on cookies Secure, HttpOnly, Expire, Domain and Path attributes which are important to prevent session hijacking attack.

Saturday, 27 August 2016

SESSION ID STRUCTURE AND SECURITY AT GENERATION TIME

                                             
In a previous blog, we discuss Statelessness of HTTP Protocol due to which we implement session. once authenticated session is established then SESSION ID is temporarily equivalent to
strongest authentication methods such as Username and Password, OTP, Smartcards, Biometrics etc


SESSION ID STRUCTURE:

Session ID sturcture is like "name=value"                       example: JSESSIONID=21D9189EF4375A7D820B90B3B050500B
our basic goal is to secure session ID

FOR DEVELOPERS:
 Developers must remember these points in the generation of Session ID:

  SESSION ID NAME:

  It should not be descriptive, session ID name like 
  1. PHPSESSID(PHP), 
  2. ASP.NET_Sessionid(ASP.NET),
  3. JSESSIONID(J2EE) etc 
  can disclose the technologies and programming languages. Best thing is that if we replace the default session ID  name to  Generic Name like "id".

 SESSION ID LENGTH:

 To prevent the BRUTE FORCE attacks length of the Session ID must be long enough.  Session ID length must be 128 bits.

 SESSION ID UNPREDICTABLE OR RANDOM ENOUGH:

 That the attacker can't predict it easily if Session ID  has 64 bits entropy (randomness)  then it will take at least 292 years to successfully guess a valid session ID, assuming the attacker can try 10,000 guesses per second with 100,000 valid simultaneous session available  at any given time.


TIME TAKEN FOR SUCCESSFUL BRUTE FORCE ATTACK
We can use good PRNG(Pseudo Random Number Generatorto increase the  Entropy

SESSION ID CONTENT:


This content must be meaningless to prevent information disclosure attacks.

Session ID simply an identifier at Client Side
                 

METHODS OF PASSING SESSION ID:
    There are basically three methods for passing Session ID:
 
     1.In the URL (avoid it)
     2.HIDDEN FIELD
     3.COOKIES (preferred it)


  • Among these three COOKIES is preferred because in that we can set the EXPIRATION date and time of Session ID and some other advance things.
  • URL is not used because ID is included in URL and ID can disclose in web browser history, bookmarks etc. which can lead to SESSION FIXATION attack.

Tuesday, 2 August 2016

REQUIREMENT OF SESSION

HTTP PROTOCOL:
    HTTP is a HYPER TEXT TRANSFER PROTOCOL . It is used to deliver data on the world wide web (www),data may be HTML files,image files,query results, etc but HTTP is the STATELESS protocol because each command we request is executed separately, without any knowledge of the requests that were executed before it IN SHORT HTTP protocol don't have brain .


DEMONSTRATION OF STATELESSNESS OF HTTP


EFFECT OF THAT :
for example-
  •  if we login to any social n/w site like facebook or any other sites
  • we put our username and password and hit enter if we authentic then we login 
  • if we rely only on HTTP protocol if we send same request then we have to again enter the user name and password for authentication purpose



HOW TO REMOVE THAT PROBLEM:

by introducing the SESSION ID



DEMONSTRATION OF SESSION ID





Sunday, 24 July 2016

HOW SSL WORKS AND IMPORTANCE OF SSL


SSL:


  SSL abbreviate Secure Socket Layer Protocol this protocol provides secure 
communication between web server and client machine.

In short it create a encrypted(secure) link between web server and client.

It ensures the INTEGRITY of data i.e.data remains unchanged during communication.


Without SSL enforcement what happens:


GENERAL FIGURE



PACKETS ARE CAPTURES BY WIRESHARKFOR THAT WEBSITE WHICH DOESN'T ENFORCE SSL


Types of SSL certificate:

1.Extended validation:

       In that certificate authority checks the Domain ownership,organisational information and legal existence of organization.its trust level is very high.


2.Organization Validation:

        In that certificate authority checks the Domain ownership,organisational information.

3.Domain Validation:

   In that certificate authority only checks the Domain name.its trust level is low.

HOW SSL WORKS:

STEPS:

  1. Client sends "Hello message" to server.
  2. Client sends some details to server like which TLS/SSL version it is running and what cipher suites it can used and what type of encryption it want to used.
  3. Sever checks highest version of TLS/SSL client can support,picks the cipher suite and encryption method.
  4. After all these negotiation completed between client and server.
  5. Sever sends the certificate and symmetric key exchange.
  6. Handshake finished.
Now data is send and receive in encrypted form

Note: client can be browser

example: capture the packets through Wireshark. click on image for better view.

COMMUNICATION BETWEEN CLIENT AND SERVER
WHILE ENFORCING SSL 



After proper enforcement of SSL: