Web Security : Automating with LibWWWPerl - Testing Session Fixation

5/16/2013 7:03:17 PM

1. Problem

Session fixation is a problem where the server receives a session token from the web browser that does not correspond to any valid session. Rather than issue a new session token of its own making, the server accepts the browser-provided token and uses it. Attackers can leverage this to steal session information and credentials. The Perl script in Example 1 checks for an application server that behaves badly in this way.

2. Solution

See Example 1.

Example 1. Testing for session fixation with Perl
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Request::Common;

my $URL       = "https://www.example.com/w/signup.php";
my $UA        = LWP::UserAgent->new();
my $myCookies = HTTP::Cookies->new(
    file           => "cookies.txt",
    autosave       => 1,
    ignore_discard => 1,
);
$UA->cookie_jar($myCookies);

# Find a particular cookie from a particular domain. Uses an external
# namespace ($find::) to get the key, path, and domain to search for.
# Puts found cookie into array @find::cookie. The argument list is the
# one HTTP::Cookies::scan() passes to its callback.
sub findCookie {
    my (
        $version,   $key,    $val,     $path,    $domain, $port,
        $path_spec, $secure, $expires, $discard, $rest
    ) = @_;

    if (    ( $domain eq $find::domain )
        and ( $path eq $find::path )
        and ( $key  eq $find::key ) )
    {
        print "$version, $key, $val, $path, $domain, $expires\n";
        @find::cookie = @_;
    }
}

# Our Malicious Cookie: Contains a known session ID.
my $version = 0;
my $key     = "session_id";
my $val     = "1234567890abcdef";
my $path    = "/";
my $domain  = "example.com";
my $maxage  = "123412345";    # set_cookie() takes a max-age in seconds here, not an absolute expiry

# Add the malicious cookie to our jar. Fields we don't care
# about are undefined.
$myCookies->set_cookie(
    $version, $key,  $val,    $path, $domain, undef,
    undef,    undef, $maxage, undef, undef
);

# request() prepares the request itself, which is where the jar adds
# the Cookie header carrying our known session ID.
my $req  = HTTP::Request->new( GET => $URL );
my $resp = $UA->request($req);
die "Test script failure: request failed: ", $resp->status_line, "\n"
    unless $resp->is_success;

$find::domain = "example.com";
$find::path   = "/";
$find::key    = "session_id";

# See if we have any cookies for that site, path, and key. The domain and
# path must match how the application sets its cookie: a Set-Cookie without
# a Domain attribute is stored under the request host (www.example.com)
# rather than example.com, in which case only our injected cookie would be
# found here. Adjust $find::domain to the target application accordingly.
$myCookies->scan( \&findCookie );
if (    @find::cookie
    and ( $domain eq $find::cookie[4] )
    and ( $path   eq $find::cookie[3] )
    and ( $key    eq $find::cookie[1] ) )
{
    # We have one. See if it contains our value.
    if ( $val eq $find::cookie[2] ) {
        print "Test failed: cookie returned was ours.\n";
    } else {
        print "Test passed: cookie returned was new.\n";
    }
} else {
    print "Test script failure: no matching cookie found.\n";
}


3. Discussion

In this example we know something about the target application, so our call to set_cookie() sets only the fields of the cookie that matter. You might need a slightly different script for testing your application if different cookie fields matter to it.

The goal of a session fixation attack is to send a cookie to a victim (e.g., in a URL) and have the victim use it. When the victim uses that cookie, they are vulnerable to various session-stealing attacks because the attacker knows their cookie—he created it in the first place. To find out more about session fixation attacks, search for “session fixation attack pattern” on Google.

Our test creates a bogus cookie that is easy to recognize, sends the contrived cookie to the server, and then checks what cookie the server sends back. If the server returns our malicious cookie unchanged, the application fails the test.
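As an added example, not code from the recipe or its author, the following toy Perl session handler shows the server-side behaviour the test script is hunting for: a fixable handler that adopts whatever session_id the client presents, beside a hardened one that honours only IDs it issued itself and rotates the ID on authentication. The session stores, the handler names and the use of /dev/urandom as the token source are assumptions of this example; nothing here touches the network.

```perl
#!/usr/bin/perl
# Added example, not from the recipe: a toy server-side session handler
# showing the behaviour the test script probes for. Session stores and the
# attacker-chosen ID are constructed inline so the script runs offline.
use strict;
use warnings;

# Session IDs must come from the OS CSPRNG; rand() is not acceptable.
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    read $fh, my $bytes, 16;
    close $fh;
    return unpack 'H*', $bytes;
}

# Vulnerable: an unknown session_id arriving in the Cookie header is adopted
# as-is, so an ID chosen by an attacker becomes the victim's session.
sub session_fixable {
    my ($store, $client_sid) = @_;
    $store->{$client_sid} ||= { created => time };
    return $client_sid;
}

# Hardened: only IDs this server issued are honoured, and the ID is rotated
# on authentication so a pre-login ID cannot be carried into the logged-in
# session (the standard fix, independent of how the ID reached the client).
sub session_hardened {
    my ($store, $client_sid, $authenticating) = @_;
    my $known = defined $client_sid && exists $store->{$client_sid};
    return $client_sid if $known && !$authenticating;
    my $state = $known ? delete $store->{$client_sid} : { created => time };
    my $sid = new_session_id();
    $store->{$sid} = $state;
    return $sid;
}

# Same verdict the test script prints: the server must not echo our ID back.
sub verdict {
    my ($sent, $returned) = @_;
    return $returned eq $sent ? "Test failed: cookie returned was ours."
                              : "Test passed: cookie returned was new.";
}

my (%fixable_store, %hardened_store);
my $evil = "1234567890abcdef";    # the known ID the test script injects
print "fixable : ", verdict($evil, session_fixable(\%fixable_store, $evil)), "\n";
print "hardened: ", verdict($evil, session_hardened(\%hardened_store, $evil, 0)), "\n";
my $pre  = session_hardened(\%hardened_store, undef, 0);   # genuine pre-login ID
my $post = session_hardened(\%hardened_store, $pre, 1);    # user logs in
print "login rotates the ID: ", ($pre ne $post ? "yes" : "no"), "\n";
```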