Session Puzzles are application-level vulnerabilities that can be exploited by overriding session attributes. The “Session Puzzling” exploitation process is referred to as “Session Variable Overloading” by OWASP.
Possible Attacks with Session Puzzling:
► Bypass authentication and authorization enforcement
► Elevate privileges
► Impersonate legitimate users
► Avoid flow enforcement restrictions
► Execute “traditional attacks” in “safe” locations
► Affect content delivery destination
► Cause unexpected application behaviors
Auth Bypassing with Session Puzzling:
Authentication mechanisms that enforce authentication by validating the existence of identity-related session variables can be bypassed by accessing public entry points that might populate the session with identical values (registration modules, password recovery modules, contact-us forms, question challenges, etc.).
Elevating Privileges:
Attackers might be able to elevate their privileges in the application by accessing entry points that populate their session memory with additional values, permissions and flags, which might be required by other modules that were previously inaccessible.
Bypassing Flow Enforcement Restrictions:
Flow enforcement mechanisms (in processes such as password recovery, registration and transactions) that rely on identical session flags can be bypassed by activating the processes simultaneously (for example, performing the registration process in parallel to the password recovery or transaction, to enable “skipping” phases).
User Impersonation:
Applications that rely on the session for storing user identities can be misled by malicious users that “overrun” their own identifying values with those of other users, through the use of modules that temporarily populate the session with client-originating identity values.
Content Theft via Session Puzzling:
Applications use a variety of content delivery methods to keep in touch with their consumers (SMS, email, etc.). Attackers can use session puzzles to initiate content delivery processes and affect their destination (for example, affect the destination of an SMS password recovery by simultaneously registering with a new number).
Indirect Traditional Attacks:
The same “indirect” method used in the previous instances can also be used to execute injections, reflections, manipulations and other “traditional” attacks in locations that were previously considered safe, simply by affecting session values which are used in entry points that treat their origin as trusted (and thus avoid validation).
Potential Entry Points
► Login modules with premature session value population.
► Registration, password recovery and recovery challenge
modules.
► Multiphase processes.
► Contact forms.
► Test pages and obsolete content.
► Security mechanisms.
► Any module that stores values in the session.
► Etc.
Session Puzzling Walkthrough
Mitigations:
► Avoid storing unnecessary values in the session.
► Avoid using session variables with identical names in different modules, multiphase processes, and particularly in public vs. private entry points.
► Store objects in the session instead of variables. The name of the objects should include the origin process / module.
► Don’t use the session as a temporary container for values.
► Perform validations on session originating values before using them in the application code.
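As an added illustration (not code from the original slides), the authentication-bypass puzzle described earlier, where a public registration module populates the same session variable that the private area treats as proof of identity, shown beside a hardened version that follows the mitigations above: session values namespaced by their origin module and an explicit flag that only the verified login path sets. The handler names, the in-memory session and the credential check are constructed for the example.

```python
# Constructed example: an in-memory dict stands in for the server-side
# session. Handler names and the credential check are made up here.

def login_vulnerable(session, username, password):
    """Login module: sets the identity value only on valid credentials."""
    if password == "correct-horse":            # constructed credential check
        session["username"] = username

def register_step1_vulnerable(session, username):
    """Public registration module that parks the chosen name in the
    session for a later step, using the SAME key the login module uses."""
    session["username"] = username             # premature session population

def is_authenticated_vulnerable(session):
    """Private area check: existence of the identity variable == logged in."""
    return "username" in session

# Hardened variant: each module writes into its own named object, and the
# private check requires a flag that only the verified login path sets.

def login_hardened(session, username, password):
    if password == "correct-horse":
        session["auth"] = {"username": username, "authenticated": True}

def register_step1_hardened(session, username):
    session["registration"] = {"username": username, "step": 1}

def is_authenticated_hardened(session):
    auth = session.get("auth")
    return isinstance(auth, dict) and auth.get("authenticated") is True

def anonymous_visits_registration_then_private_page(vulnerable):
    """Simulate a visitor with a fresh session who only touches the public
    registration entry point and then requests a private page. Returns
    whether the private page would treat that visitor as logged in."""
    session = {}
    if vulnerable:
        register_step1_vulnerable(session, "anyone")
        return is_authenticated_vulnerable(session)
    register_step1_hardened(session, "anyone")
    return is_authenticated_hardened(session)

if __name__ == "__main__":
    print("vulnerable check grants access:",
          anonymous_visits_registration_then_private_page(True))   # True
    print("hardened check grants access:",
          anonymous_visits_registration_then_private_page(False))  # False
```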
A Couple of Prominent Examples:
► Oracle E-Business Suite
  Authentication Bypass
  Privilege Escalation and Admin Takeover
► Sony Network Account Service System
  Reset passwords of Sony Playstation users
► Undisclosed Vulnerabilities in Banks
  Skip verification phases in multiphase transactions