Version: 2.6

Session Fixation Security Feature

Overview

HTTP Session Fixation is an exploit that permits an attacker to hijack a valid user session. It is a common attack in web applications and Java frameworks. An application is vulnerable to session fixation attacks when:

  • The web application authenticates a user without first invalidating the existing session, so the session (and its identifier) that existed before login is carried over unchanged into the authenticated state.

  • An attacker is able to force a known session identifier on a user so that, once the user authenticates, the attacker has access to the authenticated session.

It must be noted that:

  • Session fixation is a subcategory of Session Hijacking attacks.

  • The session fixation threat model assumes that the attacker has no session ID theft capabilities (for example, by means of a Man-In-The-Middle or an XSS attack).

    • Waratek recommend that the ARMR XSS security feature is enabled together with the ARMR Session Fixation security feature.

Session fixation vulnerabilities are covered by CWE-384.

The ARMR Session Fixation security feature protects against session fixation attacks by regenerating the session ID when the user authenticates. This rule only supports applications whose Authentication Management system sets authentication and identity information on every HTTP request and, as such, will not regenerate the session ID of requests that do not carry such identity information.

In the very rare case that the target web application depends on having the same HTTP session ID both before and after user authentication, then enabling this security rule may break normal application functionality.
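The following is an added example, not Waratek or ARMR code: a minimal in-memory session store with a vulnerable login handler beside a hardened one that regenerates the session ID at authentication, which is the behaviour the ARMR rule enforces. It also shows the caveat above: the hardened handler leaves the ID alone on requests that carry no identity information. The store, the handler names and the sample session ID are constructed for illustration; in a real Java application the equivalent container call is `HttpServletRequest.changeSessionId()` (Servlet 3.1+) or `session.invalidate()` followed by `request.getSession(true)`.

```python
"""Constructed model of session fixation and its mitigation (added example,
not part of the ARMR product). Every name below is hypothetical."""
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    """Stand-in for a servlet container's session registry."""
    sessions: dict = field(default_factory=dict)

    def get_or_create(self, session_id):
        # Accepting any client-supplied ID is what makes fixation possible:
        # an identifier chosen before login becomes a live session.
        if session_id not in self.sessions:
            self.sessions[session_id] = {}
        return session_id

    def regenerate(self, old_id):
        """Move the session attributes to a fresh, unpredictable ID and
        drop the old one (what changeSessionId() does in a container)."""
        attrs = self.sessions.pop(old_id, {})
        new_id = secrets.token_urlsafe(24)
        self.sessions[new_id] = attrs
        return new_id


def login_vulnerable(store, session_id, user):
    """Authenticates without touching the session ID: the CWE-384 pattern."""
    sid = store.get_or_create(session_id)
    store.sessions[sid]["user"] = user
    return sid


def login_hardened(store, session_id, user):
    """Regenerates the session ID only when the request carries identity
    information, mirroring the rule's authenticate(user) condition."""
    sid = store.get_or_create(session_id)
    if user is None:
        # No identity on this request: nothing to protect, ID unchanged.
        return sid
    sid = store.regenerate(sid)
    store.sessions[sid]["user"] = user
    return sid


def fixation_succeeds(login, store=None):
    """Self-check for the vulnerable condition from the overview: does a
    session ID that existed before login still identify the authenticated
    user afterwards? True means the handler is vulnerable."""
    if store is None:
        store = SessionStore()
    known_id = "FIXED-SESSION-ID"       # constructed pre-login identifier
    store.get_or_create(known_id)       # session exists before authentication
    login(store, known_id, "alice")
    return store.sessions.get(known_id, {}).get("user") == "alice"


if __name__ == "__main__":
    print("vulnerable handler fixable:", fixation_succeeds(login_vulnerable))
    print("hardened handler fixable:  ", fixation_succeeds(login_hardened))
```

`fixation_succeeds` is the kind of assertion worth keeping in a login handler's test suite: it fails the build if a refactor ever drops the regeneration step, which is also the behaviour the ARMR rule provides at runtime without an application change.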

Given (Condition)

The ARMR Session Fixation security feature is enabled using the ARMR http rule. With this rule the user can specify a single condition - request.

request: This declaration allows the user to define an ARMR http rule that acts upon receiving a user request.

When (Event)

authenticate: This condition allows the user to specify that the ARMR http rule should authenticate a user at login. The following parameter is supported: user

Then (Action)

protect: This is the only available action for the ARMR Session Fixation security feature and, in addition to the standard log message and severity parameters, must also be specified with the following parameter: http-session: regenerate-id

Example

The following ARMR http rule switches on the ARMR Session Fixation security feature. For an application that is vulnerable to session fixation attacks, the user's session ID is regenerated at login.

app("Session Fixation mod"):
    requires(version: ARMR/2.6)
    http("Enable protection from Session Fixation attacks"):
        request()
        authenticate(user)
        protect(http-session: regenerate-id, message: "HTTP Session ID regenerated", severity: 6)
    endhttp
endapp

Logging

In general, all ARMR security features generate a log entry when the agent detects an attack. The ARMR Session Fixation security feature is different in that it provides a pro-active protection, acting before an attack occurs. This removes the attack vector, preventing the possibility of performing a session fixation attack, and therefore no log entry is generated.