Tuesday, July 26, 2011

OWASP Session Management Cheat Sheet

The results and conclusions obtained from dozens of web application penetration tests completed during the last few years confirm that session management is still today one of those web application critical components prone to suffer multiple and critical vulnerabilities.

Session management is a core and very complex module in modern web application architectures, and has to integrate smoothly and securely with other critical components, such as the authentication and access control modules:
Sessions, represented by a session ID or token, bind the user authentication credentials to the user HTTP traffic and the appropriate access controls enforced by the web application. The stateless nature of the HTTP protocol, the complexity of these three components (authentication, session management, and access control) in modern web applications, plus the fact that its implementation and binding resides on the web developer’s hands (as web development framework do not provide strict relationships between these modules), makes the implementation of a secure session management module very challenging.

Unfortunately most people put the focus on the top two or three risks or vulnerabilities, injection (being SQL injection the top one), Cross-Site Scripting (XSS) and (if lucky) Cross-Site Request Forgery (CSRF), but the OWASP Top 10 already reflected the importance of session management flaws on its 2007 version (7th position - A7), and highlighted this fact even more in the 2010 version, raising authentication and session management risks ("A3: Broken Authentication and Session Management") to the 3rd position.

Although the emphasis goes to authentication, due to all the weaknesses of the current authentication mechanisms (mainly based on username and password), session management tends to suffer serious vulnerabilities even for the most secure web applications. Do not forget that, once an authenticated session has been established, the session ID (or token) is temporarily equivalent to the strongest authentication method used by the web application, such as username and password, passphrase, one-time password (OTP), client-based digital certificate, smartcard, or biometrics (such as fingerprint or eye retina).

For all these reasons, the OWASP Session Management Cheat Sheet has been released, with the goal of providing guidance and best practices to web application architects, developers, and information security professionals when building or auditing the session management module of web applications.

The whitepaper with the original content that has inspired and has been used for the creation of the first version of this OWASP cheatsheet is available in PDF format for easy download, distribution, and usage at Taddong's lab.

I encourage anyone involved in web application security to provide comments, feedback, and improvements to the OWASP Session Management Cheat Sheet, for the benefit of the whole web application community.

Saturday, July 16, 2011

Our latest Security Challenge

In the past few years, some of us have had the opportunity to participate in some security challenges organized by different teams in different events. It has always been an experience where we have had a lot of fun and where we have learned a very useful knowledge. The way the sponsor have created the challenges it is always different and this point of view make you acquire another perspective. Also, the way that other participants or people in your team approach a problem is also extremely interesting and didactic. When the challenge finishes you always have this feeling of a very good job by everyone, and a very rich experience in the technical and personal area.

Other times, we have been in charge of designing and prepare one or more security challenges in the context of a particular event. In this case, it is also a very interesting experience, because preparing a challenge makes your kwnowledge go deeper and wider. You also have a lot of fun trying to guess how the participant will behave when he is in front of the problems you are creating for him and, after that, you have the opportunity to check whether you were right or wrong, watching the participants make their way to the solution. Also, participants usually provide solutions that are different from those that you designed.

For all these reasons we always encourage any person that likes computer security to participate in such activities.

At present, we are involved in a security challenge of the second flavour: Movistar Mexico, sponsor of Campus Party Mexico 2011, has asked us to prepare a set of security challenges in the context of the event. The challenge has been named "Retos Movistar - Security Geek" and this is the official website.

We have designed seven security challenges, grouped into two main categories:
  • offline challenges, accessible by everyone that can be solved using only your own PC
  • online challenges, that are online accessible through internet if you have registered into the challenge
The tests that we have prepared cover different areas of security: from malware analysis to web security, from forensics to pen testing, and more... Tests are absolutely independent, so that participants can solve one test without even starting other.

The challenge has just started and will last until Saturday 23th of July. We hope that the experience will be fun and motivating for all participants. All the information can be found in the web page of the challenge and news and notifications can be followed through the official twitter account @SecurityGeekCP3 (hashtag #secgeekcpmx3)

Sunday, July 10, 2011

TLSSLed v1.1

A few weeks ago we released TLSSLed v1.0 with the goal of helping organizations to test their SSL/TLS (HTTPS) implementation for common flaws and misconfigurations. Today, we release an updated version, v1.1, that includes some additional tests.

The new tests check the certificate public key length, the certificate subject and issuer (CA), as well as the validity period, but besides that, they focus on the existence of HTTP secure headers on the target website main page (by using the HTTP/1.0 HEAD method), such as Strict-Transport-Security and cookies with and without the "secure" flag set.

TLSSLed v1.1 can be downloaded from Taddong's lab.

Future versions of the tool are open to improvements and new tests. Do not hesitate to contact me with ideas!