Idea ID: 1652394

Application assessment - HPOM adminUI session fixation

Status : Archived
over 3 years ago

Description:
It is possible to set the session ID to a previously issued value when accessing unauthenticated parts of the website. Upon successful authentication, the session ID is not invalidated and continues being used. This vulnerability is known as 'session fixation'.

Impact / Technical Details:
Failing to regenerate the session ID after authentication renders the application vulnerable to session fixation attacks. This attack consists in a user being coerced into using a chosen session ID determined by an attacker. Once the victim logs in to the system, the attacker can hijack this authenticated session by re-using the fixed session ID attached to the victim. Particularly, the tested application fails to reissue a new JSESSIONID cookie.

Recommendation:
To prevent session fixation attacks, it is recommended that the application issues a new randomly generated session identifier when the user moves into the authenticated part of the website. For more information, please see article http://www.owasp.org/index.php/Top_10_2007-A7

Troubleshooting:
We tried to set the parameter "token.per.request=true" what are described in Administration Manuals, but afterwe unable to use AdminUI. After login if we click to some button in menu, any page can not be opened.
QCCR1A116412 Security Compliancy in OMU Admin GUI(CSRF-protection)

we change parameter in security.properties from false to true:

token.per.request=true

            and executed the

adminui start –clean


Original setting:
synchronization.token.name=SYNC_TOKEN
token.per.request=false
number.generator=SHA1PRNG
token.session.key=TOKEN_SESSION_KEY
protect.ajax.requests=true
number.generator.provider=SUN
ignore.TokenServlet=/midas/TokenServlet

Labels:

OM(L-U-W)
Parents
  • Dear Submitter,

    regarding this request, the mentioned QCCR1A116412 should be able to address that. If the AdminUI does not work with “token.per.request=true”, then that is a defect, and you can raise a support case.

     Please be aware of the following:

    Using “token.per.request=true” is tricky. Since a new token is created for every request, several things will not work:

    - Using browser back button

    - Using multiple tabs (an “old” tab will have an old ID and thus going back to that tab and trying to use it again will fail)

    So, if there are security requirements that need this, you can use AdminUI only with one tab at a time and only forward navigation (using links and menues within the adminUI web page, no brower navigation). If even that doesn’t work, then that is a defect.

    Please confirm the above.

    Thanks,

    Moderator, OpsBridge Idea Exchange

Comment
  • Dear Submitter,

    regarding this request, the mentioned QCCR1A116412 should be able to address that. If the AdminUI does not work with “token.per.request=true”, then that is a defect, and you can raise a support case.

     Please be aware of the following:

    Using “token.per.request=true” is tricky. Since a new token is created for every request, several things will not work:

    - Using browser back button

    - Using multiple tabs (an “old” tab will have an old ID and thus going back to that tab and trying to use it again will fail)

    So, if there are security requirements that need this, you can use AdminUI only with one tab at a time and only forward navigation (using links and menues within the adminUI web page, no brower navigation). If even that doesn’t work, then that is a defect.

    Please confirm the above.

    Thanks,

    Moderator, OpsBridge Idea Exchange

Children
No Data