Session Puzzling : Solving the puzzle!

Session puzzling is an application level vulnerability that occurs when the application session variable is using more than one purpose. The other name of session puzzling is session variable overloading.

The attacker tries to access application entry points. The session objects creation can be indirectly initiated while exploiting session puzzles, and later exploited, by accessing an entry point such as web services, web pages, remote procedure calls, etc.

Session puzzle enables the attackers to bypass authentication, Impersonate legitimate users, elevate privileges, bypass flow restrictions, and even execute additional attacks.

Session puzzle vulnerability that can enable an attacker to impersonate valid users, by accessing a public entry point that stores the input in a temporary session variable named username the password recovery page, and then directly accessing internal application pages that rely on the username session variable for authentication enforcement or privileges validation.

The following schema describes a simple session puzzle vulnerability that can enable an attacker to impersonate valid users, by accessing a public entry point that stores input in a temporary session variable named "username" (the password recovery page), and then directly accessing internal application pages that rely on the "username" session variable for authentication enforcement / privileges validation:

How does it happen?

Session puzzles can be detected and exploited by enumerating all of the session variables used by the application and in which context they are valid. And even though it’s much easier to detect instances in source code reviews.

Attack Vectors:

The Attacker can perform some application-level attacks they are:
•    Gather sensitive information (user data, system data)
•    Flood the application with Requests (Dos, DDos)
•    send malicious input to the application (injections, memory attacks, parameter manipulation)
•    Redirect users to entry points (csrf, clickjacking, and phishing via redirection)
•    Privilege Escalation (permissions,flags)
•    Authentication Bypass (password recovery modules, registration modules)

In Authentication Bypass, the attacker can find the victim information in the password recovery options, and registration modules. The attackers steal the user information and doing some malicious activities.
The attacker can steal the information from the session id like sometimes sensitive information like username such as the attacker steal that and doing the authentication bypass malicious activity.
Example: Forgot password functionality

In the entry point request the user to provide some identifying information such as the username or the e-mail address.

Steps:
1. Open the application login page. 
2. In that login page set URL to view profile.
3. Now in another tab open forgot password page, enter a necessary username and proceed forward.
4. Now refresh the profile page (as in step 2), it will show profile details for that username.

Remediation:
•    Store objects instead of variables
•    Use different objects for authenticated / unauthenticated zones
•    The login module should populate the identity and privilege values
•    Only populate the session with values after validations
•    Do not store unnecessary values in the session.

Authored By - Saheli Mitra
TCS Cyber Security Practice

References:
http://www.triadsquare.com/session-puzzling/
https://www.owasp.org/index.php/Testing_for_Session_puzzling_(OTG-SESS-008) 
 

Rate this article: 
Average: 5 (5 votes)
Article category: