Tech Phreaks

4n6h4k3r.blogspot.in

Human Stupidity. That's Why Hackers Always Win. Isn't It..??

23:17:00

Can We Puzzle Sessions...??

Session Puzzles are application-level vulnerabilities that can be exploited by overriding session attributes. The "Session Puzzling" exploitation process is referred to as "Session Variable Overloading" by OWASP.

Possible Attacks with Session Puzzling:

► Bypass authentication and authorization enforcement
► Elevate privileges
► Impersonate legitimate users
► Avoid flow enforcement restrictions
► Execute “traditional attacks” in “safe” locations
► Affect content delivery destination
► Cause unexpected application behaviors

Auth Bypassing with Session Puzzling:

Authentication mechanisms that enforce authentication by validating the existence of identity-related session variables can be bypassed by accessing public entry points that might populate the session with identical values (registration modules, password recovery modules, contact-us forms, question challenges, etc.).

Bypassing Flow Enforcement Restrictions:

Flow enforcement mechanisms (in processes such as password recovery, registration and transactions) that rely on identical session flags can be bypassed by activating the processes simultaneously (for example, performing the registration process in parallel to the password recovery or transaction, to enable "skipping" phases).


Elevating Privileges:

Attackers might be able to elevate their privileges in the application by accessing entry points that populate their session memory with additional values, permissions and flags, which might be required by other modules that were previously inaccessible.

User Impersonation:

Applications that rely on the session for storing user identities can be misled by malicious users that "overrun" their own identifying values with those of other users, through the use of modules that temporarily populate the session with client-originating identity values.

Content Theft via Session Puzzling:

Applications use a variety of content delivery methods to keep in touch with their consumers (SMS, email, etc.). Attackers can use session puzzles to initiate content delivery processes and affect their destination (for example, affecting the destination of an SMS password recovery by simultaneously registering with a new number).

Indirect Traditional Attacks:

The same “indirect” method used in the previous instances can also be used to execute injections, reflections, manipulations and other “traditional” attacks in locations that were previously considered safe, simply by affecting session values which are used in entry points that treat their origin as trusted (and thus avoid validation).

Potential Entry Points

► Login modules with premature session value population. 
► Registration, password recovery and recovery challenge modules. 
► Multiphase processes. 
► Contact forms. 
► Test pages and obsolete content. 
► Security mechanisms. 
► Any module that stores values in the session. 
► Etc. 

Session Puzzling Walkthrough


Mitigations:

► Avoid storing unnecessary values in the session. 
► Avoid using session variables with identical names in different modules, multiphase processes, and particularly in public vs. private entry points. 
► Store objects in the session instead of variables. The name of the objects should include the origin process / module. 
► Don’t use the session as a temporary container for values. 
► Perform validations on session originating values before using them in the application code. 
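The authentication-bypass case described above and the mitigations listed here, as an added example that is not code from the original post. It simulates a web application's session store with a plain dict; the account store, the module names and the session keys are constructed for illustration.

```python
# Added example (not code from the original post): a minimal in-memory
# simulation of the auth-bypass session puzzle and the mitigated design.
# The account store, session dicts and module names are all constructed.

USERS = {"alice": "correct horse"}  # constructed sample credential store

def login_vulnerable(session, username, password):
    """Login module: sets session['user'] only after the password check."""
    if USERS.get(username) == password:
        session["user"] = username
        return True
    return False

def recovery_start_vulnerable(session, username):
    """Public password-recovery step 1. Bug: reuses the login module's key,
    so any visitor who knows a valid username gets session['user'] set."""
    if username in USERS:
        session["user"] = username
        return True
    return False

def is_authenticated_vulnerable(session):
    """Enforcement that only tests for the existence of the key."""
    return "user" in session

# Mitigated: one object per origin module plus an explicit flag that only
# the login module can set, and a check that validates the flag's value.
def login_fixed(session, username, password):
    if USERS.get(username) == password:
        session["auth"] = {"user": username, "authenticated": True}
        return True
    return False

def recovery_start_fixed(session, username):
    if username in USERS:
        session["recovery"] = {"user": username, "step": 1}  # no collision
        return True
    return False

def is_authenticated_fixed(session):
    auth = session.get("auth")
    return isinstance(auth, dict) and auth.get("authenticated") is True

def demo():
    # Returns (bypass works on vulnerable app, bypass works on fixed app)
    s_vuln, s_fixed = {}, {}
    recovery_start_vulnerable(s_vuln, "alice")
    recovery_start_fixed(s_fixed, "alice")
    return is_authenticated_vulnerable(s_vuln), is_authenticated_fixed(s_fixed)
```

Running `demo()` returns `(True, False)`: the recovery module alone satisfies the existence-only check, while the per-module objects and validated flag defeat the same request.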

A Couple of Prominent Examples:

► Oracle E-Business Suite
          Authentication Bypass
          Privilege Escalation and Admin Takeover
► Sony Network Account Service System
          Reset passwords of Sony Playstation users
► Undisclosed Vulnerabilities in Banks
          Skip verification phases in multiphase transactions


09:18:00

Introduction to Forensics

What is Forensics?

Etymologically, forensics is derived from the Latin word forensis, which basically means public discussion. Technically, by which I mean in the modern context, forensics means the application of scientific procedures and techniques for the conviction of suspects.

Applications of Forensics:

Forensics is not a new branch; it started in the early 16th century. With the evolution of time, forensics also spread its roots across various departments of science and technology. Some of the common applications of forensics are as follows:

Digital Forensics: The application of proven scientific methods and techniques in order to recover data from electronic / digital media. Digital forensic specialists work in the field as well as in the lab.

Computational Forensics: Concerns the development of algorithms and software to assist forensic examination.

Criminalistics: The application of various sciences to answer questions relating to the examination and comparison of biological evidence, trace evidence, impression evidence (such as fingerprints, footwear impressions and tire tracks), controlled substances, ballistics, firearm and toolmark examination, and other evidence in criminal investigations. In typical circumstances evidence is processed in a crime lab.

Forensic Chemistry: The study of the detection and identification of illicit drugs, accelerants used in arson cases, explosives and gunshot residue.

Forensic DNA Analysis: Takes advantage of the uniqueness of an individual's DNA to answer forensic questions such as paternity/maternity testing and placing a suspect at a crime scene, e.g. in a rape investigation.

There are many more applications of forensics; the ones listed above are only a few. With that being said, let's now focus on the buzzwords of forensics.

Forensic Buzzwords:

The first term that comes to my mind when I think of forensic terminology is evidence, which basically refers to information or an object that can be submitted to the judge in support of your argument against the suspect or towards proving the innocence of the suspect. We will focus on the types of evidence and the admissibility of evidence in court in subsequent articles.

The next term I want to emphasize is chain of custody, which is nothing but a piece of paper telling us who handled the evidence before. The chain of custody is mostly created by the incident response team that visits the crime scene in the first place. The chain of custody mainly does two things: 1) keeps track of the evidence; 2) maintains the integrity of the evidence.

One more term I want to emphasize is forensically sound methods, which means nothing but the procedures/best practices that have to be followed while gathering evidence, so that there is no loss of integrity or of potential evidence from the crime scene, which could lead to an improper judgement in the case.

Another term in the forensic world is suspect, which means a person who is likely to be found guilty of a crime.

One more term is first responder, a person who visits the crime scene in the first place to gather the evidence.

That's it for today, guys. In future articles I will be focusing on digital forensics and the procedures followed in digital forensics.