Case of Session Identifier not Updated

Background

Rational AppScan is an automated web testing tool that can be used to produce reports of web application vulnerabilities. So we usually use it to ensure our apps well protected before releasing them to the wild internet.

The problem

The problem with detection tools is that it sometimes raises a false alarm - such as when it declared that session identifier not updated :

[1 of 2]  Session Identifier Not Updated
Severity: High
Test Type:  Application
Vulnerable URL:  https://myinternalapp.com/application name/  
Remediation Tasks: Do not accept externally created session identifiers
Variant 1 of 1  [ID=26]
The following may require user attention:
 My normal reaction, because the app is a Yii framework-based PHP application, is that I should add Yii::()-app->session->regenerateID() call during login action.

Imagine my surprise that upon retesting using Rational AppScan, it spits errors like these :
Stopping scan due to out of session detection
I vaguely recall that the reason for errors like this is that the session ID in the HTTP header are unlike what the tool expected.

Analysis

So I opened Firefox, and started to check for the HTTP Header anomalies. Examining Firebug's output, it seems that during each login there are two session ID header issued in the HTTP Response by the PHP application. Both of them are different from the session ID sent in the HTTP Request. So the Rational AppScan is confused when there are two session ID header issued.
Further search reveals that Yii framework's login mechanism already issue regenerateID calls, doubling my effort in the actionLogin function.
If the application already regenerate the session ID, why on earth it reports that session ID not changed ?
Then I realize.. the application is being tested twice, first without logging in and second with a login. So during the first phase the tool don't know what user/password should be tried to login, and it naively apply blank username and blank password. And naively expecting that session ID be regenerated. Which doesn't happen because the login is not successful...

The Cure ..(Updated)

For now, I will add a regenerateID call IF the login _failed_. Lets see tomorrow whether it could shut up the testing tool. UPDATE : Seems that it is not the case. It still complains that the session ID is not regenerated. Debugging alternative flow paths in the controller shows that blank username and password makes $_POST['LoginForm'] empty.
So I add another regenerateID call even if the $_POST['LoginForm'] is empty. This do the trick.

Comments

Post a Comment

Popular posts from this blog

Long running process in Linux using PHP

Background To do stuff, I usually create web-based applications written in PHP. Sometimes we need to run something that takes a long time, far longer than the 10 second psychological limit for web pages. A bit of googling in stack overflow found us this  http://stackoverflow.com/questions/2212635/best-way-to-manage-long-running-php-script , but I will tell the similar story with a different solution. One of the long running tasks that need to be run is a Pentaho data integration transformation. Difficulties in long running PHP scripts I encountered some problems when trying to make PHP do long running tasks : PHP script timeout. This could be solved by running set_time_limit(0); before the long running tasks. Memory leaks. The framework I normally use have a bit of memory issues, this can be solved either by patching the framework (ok, it is a bit difficult to do, but I did something similar in the past ) or splitting the data to process into several batches. And if you
Read more

Reverse Engineering Reptile Kernel module to Extract Authentication code

Image
 This time I will show how to (partially) reverse engineer a linux kernel module. The linux kernel module is larger than usual kernel module because it is actually a Reptile-based rootkit dropped by some hacker.  Part 1. Get basic module information First we gather basic module info by using modinfo : [root@lb lkrg-0.9.1]# modinfo falc0n filename:       /lib/modules/3.10.0-1127.10.1.el7.x86_64/kernel/sdc/falc0n.ko intree:         Y license:         GPL retpoline:       Y rhelversion:     7.8 srcversion:     81F508029A53F7490CCDB44 depends:         vermagic:       3.10.0-1127.10.1.el7.x86_64 SMP mod_unload modversions   We could also refer to the kernel module file not yet installed in the OS : [root@lb lkrg-0.9.1]# file falc0n.ko falc0n.ko: ELF 64-bit LSB relocatable, x86-64, version 1 (SYSV), BuildID[sha1]=1bde6abf4732eb620983032a47fbcf07689ece11, not stripped [root@lb lkrg-0.9.1]# modinfo falc0n.ko filename:       /root/lkrg-0.9.1/falc0n.ko intree:         Y license:         GPL retp
Read more

SAP System Copy Lessons Learned

Image
Background Earlier this year I was part of a team that does System Copy for a 20 terabyte plus SAP ERP RM-CA System. And just now I am involved in doing two system copy in just over one week, for much lesser amount of data. I think I would note some lessons learned from the experience in this blog. For the record, we are migrating from HP/UX and AIX to Linux x86 platform. Things that go wrong First, following the System Copy guide carefully is quite a lot of work - mainly because some important stuff are hidden in references in the guide. And reading a SAP note that are referenced in another SAP note, that are referenced in Installation Guide.. is a bit too much. Let me describe what thing goes wrong. VM Time drift The Oracle RAC Cluster have time drift problem, killing one instance when the other is shutting down. The cure for our VMWare-based Linux database server is hidden in SAP Note 989963 "Linux VMWARE Timing", which is basically add a tinker panic 0 in the
Read more