Application assessment - HPOM adminUI session fixation

Description:
It is possible to set the session ID to a previously issued value when accessing unauthenticated parts of the website. Upon successful authentication, the session ID is not invalidated and continues being used. This vulnerability is known as 'session fixation'.

Impact / Technical Details:
Failing to regenerate the session ID after authentication renders the application vulnerable to session fixation attacks. This attack consists of a user being coerced into using a chosen session ID determined by an attacker. Once the victim logs in to the system, the attacker can hijack this authenticated session by re-using the fixed session ID attached to the victim. In particular, the tested application fails to reissue a new JSESSIONID cookie.

Recommendation:
To prevent session fixation attacks, it is recommended that the application issues a new randomly generated session identifier when the user moves into the authenticated part of the website. For more information, please see article http://www.owasp.org/index.php/Top_10_2007-A7

Troubleshooting:
We tried to set the parameter "token.per.request=true" as described in the Administration Manuals, but afterwards we were unable to use AdminUI. After login, if we click any button in the menu, no page can be opened.
QCCR1A116412 Security Compliancy in OMU Admin GUI(CSRF-protection)

We changed the parameter in security.properties from false to true:

token.per.request=true

and executed the command:

adminui start –clean


Original setting:
synchronization.token.name=SYNC_TOKEN
token.per.request=false
number.generator=SHA1PRNG
token.session.key=TOKEN_SESSION_KEY
protect.ajax.requests=true
number.generator.provider=SUN
ignore.TokenServlet=/midas/TokenServlet
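Session fixation and the regeneration the recommendation asks for, as an added example that is not code from the original post or from HPOM: a toy session store modelled on a servlet container shows the vulnerable login beside the hardened one, and a small check mirrors what the tester compared (the JSESSIONID before and after login). SessionStore, the function names and the sample user are assumptions made for this example.

```python
import re
import secrets

class SessionStore:
    """Toy in-memory session store modelled on a servlet container: a visitor
    is issued a session id (the JSESSIONID cookie) before authenticating."""

    def __init__(self):
        self.sessions = {}  # session id -> attributes; "user" is None until login

    def new_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def login_vulnerable(self, sid, user):
        # Authenticates in place: the pre-login id keeps working, so whoever
        # planted that id now holds an authenticated session (session fixation).
        self.sessions[sid]["user"] = user
        return sid

    def login_hardened(self, sid, user):
        # Recommended fix: issue a fresh id on authentication, carry over any
        # attributes and retire the old id. In the Servlet API this is
        # HttpServletRequest.changeSessionId() (3.1+) or invalidate() + getSession(true).
        old_attrs = self.sessions.pop(sid, {})
        new_sid = self.new_session()
        self.sessions[new_sid].update(old_attrs, user=user)
        return new_sid

    def user_for(self, sid):
        s = self.sessions.get(sid)
        return s["user"] if s else None

def fixation_possible(store, login):
    """Replays the finding: take an id issued before login, authenticate with
    it, and check whether that same id now resolves to the logged-in user."""
    pre_login_sid = store.new_session()
    login(pre_login_sid, "alice")  # "alice" is a constructed test user
    return store.user_for(pre_login_sid) == "alice"

def jsessionid_value(set_cookie_header):
    # Extracts the JSESSIONID value from a Set-Cookie header value, or None.
    m = re.search(r"(?:^|;\s*)JSESSIONID=([^;\s]+)", set_cookie_header)
    return m.group(1) if m else None

def cookie_regenerated(before_login, after_login):
    # The check the tester performs: did JSESSIONID change across authentication?
    before, after = jsessionid_value(before_login), jsessionid_value(after_login)
    return before is not None and after is not None and before != after
```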

Micro Focus Expert
Status changed to: Waiting for Votes

Micro Focus Expert

Dear Submitter,

regarding this request, the mentioned QCCR1A116412 should be able to address that. If the AdminUI does not work with “token.per.request=true”, then that is a defect, and you can raise a support case.

Please be aware of the following:

Using “token.per.request=true” is tricky. Since a new token is created for every request, several things will not work:

- Using browser back button

- Using multiple tabs (an “old” tab will have an old ID and thus going back to that tab and trying to use it again will fail)

So, if there are security requirements that need this, you can use AdminUI only with one tab at a time and only forward navigation (using links and menus within the adminUI web page, no browser navigation). If even that doesn't work, then that is a defect.

Please confirm the above.

Thanks,

Moderator, OpsBridge Idea Exchange

Michal Szekely, Frequent Contributor.

Hello,

If we use token.per.request=true we are able to log in to Admin UI, but navigation is not possible. Any of the Admin UI menu buttons causes "This page can't be displayed".
See the attached picture:

1. Login to AdminUI
2. Click to HPOM button on top menu
3. Page can't be displayed

adminui_session.png

Micro Focus Contributor
Status changed to: Archived

Moving this Idea to “Archived” status as it has been open for > 1 year and has not gathered broad customer interest.

NOTE: Archived ideas may be commented upon but cannot receive votes. Archived ideas may be re-opened based on community input.
