[ SOURCE: http://www.secureroot.com/security/advisories/9755050620.html ]

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
MIS Corporate Defence Solutions - NST Advisory (001)

Possible session hijacking with website implementations using middleware products.

Written:  13/11/00
Revised:  20/11/00
Released: 21/11/00
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Systems affected:
-----------------
Any web systems / farms utilising middleware software to help run all or parts of their website, using some form of session ID tokens that are stored within the URL.

Affected:
---------
Users that visit websites that are affected (see above).

Vendor status:
--------------
N/A - no single vendor. However, BroadVision was contacted about this issue and they are aware of this problem. They are currently implementing changes and recommendations for their customers as you read.

Overview:
---------
There are a number of companies that utilise middleware software within their websites / farms, due to the "all-in-one" nature of the packages on offer. Some of the features (not naming all of them) allow a company to track users' browsing and buying habits throughout their site, tailor content depending on the visitor, and produce real-time analytic reports.

This issue seems not to be publicised, and from conversations we have had with people at the software houses, they seem to be sweeping this under the carpet and changing their systems on the quiet.

Issue:
------
BroadVision will be used as our example middleware product because it is the one we have been using for testing. An example site, www.site.com, utilising BroadVision software passes the parameters required for identification into JavaScript Pages (.jsp) that display site content and run any back-end commands / applications that may be required. We assume from here on that www.site.com is an e-commerce site and a service provider of some sort.
When a user views a site that uses BroadVision, Session IDs and Engine IDs are used to display content, and both IDs are present within the URL. From the limited experience we have had with BroadVision, it seems that the session ID is a random 20 digit number (xxxxxxxxxx.xxxxxxxxxx) and the Engine ID represents which server is serving the content. Therefore it can be determined how many servers are presenting the content.

The first part (10 digits) of the BV_SessionID is a random number. The second part (10 digits), however, seems to be an incremental counter that could be used as a primary key in a database or as a reference.

An example where the engine IDs are constant (taken from a sample of 100 hits):

  BV_SessionID           BV_EngineID
             2nd part
             ^^^^^^^^^^
  0857833937.0974830784  caljgjejmdfbekfcflcfhfcggl.0
  2030451565.0974830918  caljgjejmdfbekfcflcfhfcggl.0
  0013750567.0974830947  caljgjejmdfbekfcflcfhfcggl.0
  1966354090.0974830997  caljgjejmdfbekfcflcfhfcggl.0

An example where the engine IDs are different (sequential hits from a sample of 100 hits):

  BV_SessionID           BV_EngineID
             2nd part
             ^^^^^^^^^^
  0303470036.0974831433  kaljgjejmfmbekfcflcfhfcggm.0
  1662867632.0974831449  ialjgjejmfkbekfcflcfhfcggm.0
  0534620068.0974831462  faljgjejmfhbekfcflcfhfcggm.0
  0325859633.0974831480  haljgjejmfjbekfcflcfhfcggm.0
  1626080627.0974831494  galjgjejmfibekfcflcfhfcggm.0
  0654920185.0974831506  ealjgjejmehbekfcflcfhfcggm.0
  1323165012.0974831517  laljgjejmgebekfcflcfhfcggm.0

For example, visit www.site.com, which is running BroadVision software. You will notice that your address bar will read something like this:

  http://www.site.com/cgi-bin/iminst2-1/dev/globalframe.jsp?browser=4&plugin=no&startcat=/Main&startloc=%2fdev%2fsinglecontent.jsp%3fid%3dpage_home%26type%3dEDITORIAL%26property%3dCONTENT_TXT%26fullimage%3dtrue%26crmb%3dcrumb_home&lit=cre&titl=THE+Site+-+price+lists&BV_SessionID=@@@@0265483420.0974078984@@@@&BV_EngineID=haljfclmegjbekfcflcfhfcggm.0

(this will be wrapped :( )

The important part of this URL is:

  ...&BV_SessionID=@@@@0265483420.0974078984@@@@&BV_EngineID=haljfclmegjbekfcflcfhfcggm.0

For other middleware applications, the parameter name might be &IdKey or &SessionID.

It is possible to derive the number of engines or servers that serve pages for www.site.com. This is derived from the way the engine IDs are structured.

The problem exists when a user is viewing www.site.com in normal HTTP mode and decides to move into the secure area of the site (HTTPS), such as logging in to check their bill / account details for the service being provided by www.site.com. The session ID that the user has remains the same, so in essence it follows him/her into the secure zone.

Therefore, if you were able to sniff the BV_SessionID and BV_EngineID parameters whilst the user is still browsing the "unsecure" area of the site, it is possible to "hijack" or "join" the session by replacing the ID strings within any of the URLs displayed in the address bar, providing the session timeout hasn't expired. The "hijack" or "join" is possible from either the same IP address or from a different IP address.

By registering yourself as a valid customer of www.site.com, it is possible to determine the full URL for accessing, say, a user's billing details, billing address, etc. This will enable a malicious user to insert a stolen set of IDs into the URL to gain unauthorised access to another customer's data.

Please note that retrieving a list of valid BV_EngineIDs is trivial. Just repeatedly close and open a browser and take a note of the value. Both the session and engine IDs would be trivial to pick up if you knew users were visiting www.site.com on a LAN, for example. Set up a sniffer, retrieve the IDs and hey presto!

Although this is not as widespread as a number of other website / middleware vulnerabilities, we still deem this a large security issue that is largely undocumented.
In theory, it is possible to brute force the BV_SessionID if there are no restrictions on the server side and the client side has enough bandwidth available. Although it would take some time to brute force a randomly generated 20 digit number, it may be possible for an evil cracker to get lucky.

If you specify an invalid session ID / engine ID, or your session has timed out, an error is displayed (applicable to this example; may differ from implementation to implementation).

Workaround / Fix / Solution:
----------------------------
There is no silver bullet solution, but a number of workarounds can be applied to prevent this type of session hijacking.

1) Send all HTTP communication containing the session and engine IDs over HTTPS to help prevent them from being "stolen".

2) Utilise a session cookie, i.e. a cookie that is linked to the middleware's session management system. The cookie will contain the session ID details. Each time a user visits the page, the middleware application should check for the existence of this cookie and verify the values held within the cookie against the ones held within its own internal system. If they are the same, it is a valid request. However, if they are not the same or the cookie does not exist, this is not a valid request and should be declined.

   Please note that with some middleware software, it may be the responsibility of the web application running on top of the middleware software to utilise a library that enables session cookies to be used. Please check with the vendor regarding this.

3) Utilise URL re-writing to prevent the contents of the query string from appearing in the URL that is displayed in the address bar of a browser.

4) When a user is directed into the secure area of www.site.com to view their account details, site.com should generate a new session ID within the HTTPS request and reply. This prevents a user being followed into the secure area.
5) Request further documentation from the vendor on how to implement a higher level of security whilst using their middleware products. The reasoning behind this is that BroadVision have further documentation available, but we understand clients need to request it.

Disclaimer:
-----------
Nothing is 100% secure; the risk of being hacked / cracked is always improbable, never impossible.

Thanks:
-------
NST @ MIS.
Eric Golin, Kevin Wharton @ BroadVision
Steve Fagg.

Thanks for taking the time to read this advisory.

WWW:
----
http://www.mis-cds.com/news/corporate/20001121bv.html

Network Security Team.
MIS Corporate Defence Solutions Limited
Tel: +44 (0)1622 723400 (Switchboard)
Fax: +44 (0)1622 728580
Website: http://www.mis-cds.com/
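Workarounds 2 and 4 from the advisory, as an added Python sketch that is not part of the advisory or of any BroadVision product: a URL session ID is accepted only when the accompanying cookie value matches the server-side record, and the move into the secure area retires the ID that was visible over plain HTTP and issues a fresh pair. The class and method names, the in-memory store, and the use of a separate random cookie token (rather than a copy of the session ID) are assumptions of this example.

```python
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed, in-memory stand-in for the middleware's session table.
@dataclass
class Session:
    cookie_token: str            # random value set in a Secure, HttpOnly cookie
    user: Optional[str] = None   # filled in once the visitor logs in

class SessionManager:               # hypothetical name, not a BroadVision API
    def __init__(self) -> None:
        self.sessions: dict = {}    # URL session id -> Session

    def start(self) -> Tuple[str, str]:
        """Issue a new URL session id plus the cookie token that must accompany it."""
        sid = secrets.token_hex(10)
        cookie = secrets.token_hex(16)
        self.sessions[sid] = Session(cookie_token=cookie)
        return sid, cookie

    def validate(self, sid: str, cookie: Optional[str]) -> Optional[Session]:
        """Workaround 2: a URL id replayed without its matching cookie is declined."""
        s = self.sessions.get(sid)
        if s is None or cookie is None:
            return None
        if not secrets.compare_digest(s.cookie_token, cookie):
            return None
        return s

    def enter_secure_area(self, sid: str, cookie: Optional[str], user: str):
        """Workaround 4: on the move to HTTPS, retire the HTTP-visible id and issue a fresh pair."""
        if self.validate(sid, cookie) is None:
            return None
        del self.sessions[sid]
        new_sid, new_cookie = self.start()
        self.sessions[new_sid].user = user
        return new_sid, new_cookie

def demo() -> Tuple[bool, bool, Optional[str]]:
    """Walk through the advisory's scenario: a sniffed URL id replayed without the
    cookie fails, and the pre-login id stops working once the user goes secure."""
    mgr = SessionManager()
    sid, cookie = mgr.start()                     # visitor browsing over HTTP
    replay_declined = mgr.validate(sid, None) is None
    new_sid, new_cookie = mgr.enter_secure_area(sid, cookie, "alice")
    old_id_dead = mgr.validate(sid, cookie) is None
    return replay_declined, old_id_dead, mgr.validate(new_sid, new_cookie).user
```

The same regeneration step belongs at any privilege boundary, not only the HTTP to HTTPS transition, and the cookie must be marked Secure so it is never itself exposed on the plain-HTTP side.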