Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-16785 | APP3405 | SV-17785r1_rule | ECTM-2 | High |
Description |
---|
Session tokens can be compromised by various methods. Using predictable session tokens can allow an attacker to hijack a session in progress. Session sniffing can be used to capture a valid session token or session id, and the attacker uses this session information to gain immediate unauthorized access to the server, which is a loss of confidentiality and potentially a loss of integrity. Also, the Man-in-the-Middle (MITM) attack can be accomplished over a TLS connection with a session in progress. Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confidentiality, Availability or Integrity of the system associated data. |
STIG | Date |
---|---|
Application Security and Development Checklist | 2014-12-22 |
Check Text ( C-17769r1_chk ) |
---|
Ask the application representative for the threat model. Review the threat model for threats regarding session hijacking and for common session hijacking attacks. Examples of session hijacking vulnerabilities can be obtained from the OWASP website:

- Predictable session token
- Session sniffing
- Client-side attacks (addressed in APP3580)
- MITM attack
- Man-in-the-browser attack

1) If the threat model documentation does not address predictable session tokens and provide details regarding the countermeasures taken within the application to mitigate this risk, or if the application representative cannot demonstrate how this risk is mitigated within the application itself, this is a CAT I finding.

- The application should use a random method of generating session tokens so as to avoid predictable patterns or sequential numbering of session token values. Session identifiers should also use the largest character set available to assist randomization.
- The application should expire and destroy session identifiers upon logout.
- Session identifiers should never be logged.

2) If the threat model documentation does not address session sniffing and provide details regarding the countermeasures taken within the application to mitigate this risk, or if the application representative cannot demonstrate how the risk is mitigated within the application itself, this is a CAT I finding.

- The application should set the Secure flag when generating cookies that store or transmit session identifiers, to ensure values are transmitted only via SSL. If the application uses URLs with embedded session ids, these URLs can be forwarded in e-mails and the e-mail recipients gain access to the system without authentication. Example URL with embedded session id: https://10.10.10.10:443/login.do;jsessionid=F2EE8C97B24635C9995A9D08E69D7B44

3) If URLs containing embedded session ids can be forwarded and used to gain access to the application without authentication, this is a CAT I finding.

4) If the threat model documentation does not address MITM attack, this is a CAT II finding. |
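The countermeasures the check text asks the application representative to demonstrate (random, large-alphabet session tokens; expiry and destruction on logout; the Secure flag on the session cookie; no session ids in URLs; no session ids in logs) fit in one small module. The following is an added example written for this page, not code from the STIG or from any assessed application; the cookie name `SESSIONID`, the in-memory `SessionStore`, the list of URL parameter names and the helper names are assumptions chosen for illustration.

```python
"""Session-token countermeasures from the check text, as an added example.
Not part of the STIG; the cookie name, store and helper names are assumed."""
import re
import secrets
import time
from typing import Dict, Optional
from urllib.parse import urlsplit

SESSION_COOKIE = "SESSIONID"  # assumed cookie name
TOKEN_BYTES = 32              # 256 bits drawn from the OS CSPRNG


def new_session_token() -> str:
    # secrets.token_urlsafe reads os.urandom and base64url-encodes it, so the
    # identifier uses a 64-symbol alphabet and has no sequential structure.
    return secrets.token_urlsafe(TOKEN_BYTES)


class SessionStore:
    """In-memory store keyed by token (a real deployment would use a
    server-side backing store; the lifecycle rules are the same)."""

    def __init__(self, ttl_seconds: int = 900) -> None:
        self._sessions: Dict[str, dict] = {}
        self.ttl = ttl_seconds

    def create(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = new_session_token()
        self._sessions[token] = {"user": user, "expires": now + self.ttl}
        return token

    def lookup(self, token: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if entry["expires"] <= now:
            del self._sessions[token]   # expired ids must not be replayable
            return None
        return entry["user"]

    def destroy(self, token: str) -> None:
        # Logout removes the identifier server-side, not only in the browser,
        # so a copy captured by sniffing is worthless afterwards.
        self._sessions.pop(token, None)


def session_set_cookie(token: str, max_age: int) -> str:
    # Secure keeps the cookie off plaintext HTTP; HttpOnly keeps it away from
    # script (the client-side attacks APP3580 covers); SameSite=Strict stops
    # cross-site requests from carrying it.
    return (f"{SESSION_COOKIE}={token}; Max-Age={max_age}; Path=/; "
            "Secure; HttpOnly; SameSite=Strict")


# Parameter names commonly used to carry a session id in a URL (assumed list).
URL_SESSION_PARAMS = ("jsessionid", "phpsessid", "sessionid", "sid")


def url_carries_session_id(url: str) -> bool:
    """True when a session id rides in the URL path (';jsessionid=...') or
    query string, the pattern the check flags as a CAT I finding."""
    parts = urlsplit(url)
    path_params = parts.path.split(";")[1:]
    candidates = path_params + parts.query.split("&")
    return any(item.split("=", 1)[0].strip().lower() in URL_SESSION_PARAMS
               for item in candidates)


# Matches '<sep>name=value' where sep is start of string, ';', '?', '&' or
# whitespace, so request lines and Cookie headers can be scrubbed before logging.
_SESSION_ID_RE = re.compile(
    r"((?:^|[;?&\s])(?:" + "|".join(URL_SESSION_PARAMS) + r"|"
    + SESSION_COOKIE + r")=)[^&;\s]+", re.IGNORECASE)


def redact_session_ids(text: str) -> str:
    """Replace session id values with [REDACTED]; session ids are never logged."""
    return _SESSION_ID_RE.sub(r"\1[REDACTED]", text)


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice")
    print(session_set_cookie(tok, store.ttl))
    # Constructed log line using the check text's example URL.
    print(redact_session_ids(
        "GET https://10.10.10.10:443/login.do;jsessionid=F2EE8C97B24635C9995A9D08E69D7B44"))
```

During a review, `url_carries_session_id` and `redact_session_ids` can be run over a sample of the application's access logs to confirm that finding 3 does not apply and that session identifiers are not being written to logs; `SessionStore.destroy` is the behaviour to look for behind the logout handler.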
Fix Text (F-16991r1_fix) |
---|
Use TLS encryption to protect session information. Do not use predictable session tokens. Implement protection from client-side attacks. |