Web Applications Attacks: Attacking Session Management


The session management mechanism is a major security element in the majority of web applications. It is what allows the application to uniquely recognize a given user across a number of various requests and to handle the data that it accumulates about the state of that user’s interaction with the application. Where an application implements login functionality, session management is of particular importance, because it is what allows the application to persist its assurance of any given user’s identity beyond the request in which he provides his credentials.

Because of the important role played by session management mechanisms, they are a prime target for attacks against an application. If an attacker can break the session management, he can completely bypass the authentication controls and masquerade as other users without knowing their credentials. If he compromises an administrative user's session in this way, he effectively owns the whole application.

As with authentication mechanisms, many kinds of defects are commonly found in session management functions. In the most vulnerable cases, an attacker simply needs to increment the value of the token the application assigned to him in order to switch his session to a different user; an application like this is wide open, and anyone can reach every area of it. At the other end of the spectrum, an attacker may have to work very hard, deciphering several layers of obfuscation and devising a complex automated attack, before finding an exploitable flaw in how the application handles sessions.
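As an added example (not code from the original post), the following Python models the two ends of the spectrum described above: a session store that issues sequential numeric tokens, which an attacker hijacks simply by incrementing his own, beside one that draws its tokens from a cryptographically secure random generator. The store classes, the user names and the `hijack_by_increment` routine are constructed for illustration and do not come from any real application.

```python
import secrets


# Constructed sample users for the demonstration (not from the original page).
USERS = ["alice", "bob", "admin"]


class WeakSessionStore:
    """Issues sequential session tokens: the 'increment the token' flaw."""

    def __init__(self):
        self._next = 1000          # predictable counter, hypothetical start value
        self._sessions = {}        # token -> username

    def login(self, user):
        token = str(self._next)    # token is just the current counter value
        self._next += 1
        self._sessions[token] = user
        return token

    def whoami(self, token):
        """Resolve a presented token to a user, or None if unknown."""
        return self._sessions.get(token)


class StrongSessionStore:
    """Issues tokens from a CSPRNG: 32 random bytes, i.e. 256 bits of entropy."""

    def __init__(self):
        self._sessions = {}

    def login(self, user):
        token = secrets.token_urlsafe(32)   # unguessable, no relation between tokens
        self._sessions[token] = user
        return token

    def whoami(self, token):
        return self._sessions.get(token)


def hijack_by_increment(store, attacker_token, window=5):
    """The attacker's move from the text: start from his own legitimate token and
    try the neighbouring values. Returns (token, user) pairs that resolved to
    someone else's session."""
    hijacked = []
    try:
        base = int(attacker_token)
    except ValueError:
        # Token is not a number, so 'incrementing' it is meaningless: the attack
        # degenerates to guessing a 256-bit value, which is infeasible.
        return hijacked
    for delta in range(-window, window + 1):
        if delta == 0:
            continue                        # skip the attacker's own token
        candidate = str(base + delta)
        user = store.whoami(candidate)
        if user is not None:
            hijacked.append((candidate, user))
    return hijacked


def demo(store_cls):
    """Log every sample user in, then attack from bob's legitimate session."""
    store = store_cls()
    tokens = {user: store.login(user) for user in USERS}
    return hijack_by_increment(store, tokens["bob"])


if __name__ == "__main__":
    print("weak store  :", demo(WeakSessionStore))    # alice and admin hijacked
    print("strong store:", demo(StrongSessionStore))  # nothing hijacked
```

Against the weak store, bob's token `1001` sits between alice's `1000` and admin's `1002`, so two increments hand the attacker an administrative session. The point of the comparison is not the counter itself but the fact that a token with any meaningful relationship to other tokens lets an attacker derive sessions he was never issued; the check to apply when reviewing a real application is whether the token's value is unpredictable and whether knowing one token tells you anything at all about another.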


Eslam Medhat

is a professional pen-tester with over 9 years of IT experience and a strong background in programming languages and application security, ranging from network and system administration to exploit research and development. He has reported various vulnerabilities to high-profile companies and vendors and has been acknowledged by them.
