Broken Session Management is a type of authentication vulnerability that arises when session persistence is not implemented correctly. It belongs to the Broken Authentication category of web application security risk and, like the other entries on the OWASP Top 10, is neither a new nor an overly complex method of attack.
Web sessions provide persistence across consecutive HTTP requests and responses, so that every request the application receives from the same user can be tied together. This, in turn, supports subsequent requests, access control decisions, access to private data, and both pre- and post-authentication state. Once established, the session ID is effectively the highest-level authentication credential the application uses, and a very attractive target for any interested malicious actor.
Successful Broken Session Management attacks can result in a malicious actor gaining complete access to all data in the web application, assuming administrator rights, and compromising the confidentiality, integrity, and availability of the application. This could result in user impersonation, loss of sensitive data, and fraud.
Session Fixation and Improperly Invalidated Session Logouts are two primary attack vectors in the Broken Session Management category that can lead to the compromise of application sessions.
Session Fixation exploits a weakness in the way a vulnerable web application manages the session ID. The application does not assign a new session ID when authenticating a user; rather, it reuses the ID supplied by the user, so an existing session ID carries over across authentication. An attacker can obtain a session ID by sending an unauthenticated HTTP request to the application and then inducing a user to authenticate using that session ID. Knowing the session ID in use, the attacker can then browse the victim's session.
Broken Session Management vulnerabilities also arise when web applications improperly invalidate sessions at logout. An all too common mistake is to invalidate only the client-side cookie value. An attacker who has already intercepted the session cookie (for example through access to logs or physical access to the browser's cache) will then be able to reuse it after the logout.
Developers can prevent Broken Session Management issues from arising by strictly adhering to authentication, session control, and validation processes.
When dealing specifically with Session Fixation, developers must ignore any session ID supplied by the user's browser at login and generate a new session for the user once authentication succeeds.
Developers must also ensure that upon logout, the user’s server-side session is invalidated.
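The two fixes above, as an added example that is not part of the original article: a minimal in-memory session store (all names here are constructed for illustration, not from any framework) with the fixation-prone login beside the ID-regenerating one, and a cookie-only logout beside one that destroys the server-side session.

```python
import secrets


class SessionStore:
    """Constructed server-side store: session_id -> session data."""

    def __init__(self):
        self.sessions = {}

    def create(self):
        # Unpredictable ID from a CSPRNG, so it cannot be guessed.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {}
        return sid

    def get(self, sid):
        return self.sessions.get(sid)

    def destroy(self, sid):
        self.sessions.pop(sid, None)


def login_fixable(store, client_sid, user):
    """Vulnerable: keeps whatever ID the client presented, creating it if unknown.
    An ID obtained before login by someone else therefore becomes the victim's."""
    if client_sid not in store.sessions:
        store.sessions[client_sid] = {}
    store.sessions[client_sid]["user"] = user
    return client_sid


def login_hardened(store, client_sid, user):
    """Fixed: drop the pre-authentication session and issue a fresh ID."""
    store.destroy(client_sid)
    new_sid = store.create()
    store.sessions[new_sid]["user"] = user
    return new_sid


def logout_cookie_only(store, sid):
    """Vulnerable: only tells the browser to forget the cookie; server state survives."""
    return "Set-Cookie: sid=; Max-Age=0"


def logout_hardened(store, sid):
    """Fixed: invalidate the server-side session, then clear the cookie."""
    store.destroy(sid)
    return "Set-Cookie: sid=; Max-Age=0"


def current_user(store, sid):
    """Who the server believes is behind this ID, or None if no live session."""
    session = store.get(sid)
    return session.get("user") if session else None
```

With the hardened login, an ID handed out before authentication never maps to the logged-in user; with the hardened logout, a cookie captured earlier stops resolving to a user as soon as the user logs out.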
Ensure that a verified application satisfies the following high-level session management requirements:
- Sessions are unique to each individual and cannot be guessed or shared.
- Sessions are invalidated when no longer required and timed out during periods of inactivity.
- OWASP ASVS: 3
- OWASP Testing Guide: Testing for Session Management Schema