界: Time and State

分散式運算與時間和狀態相關。也就是說,為了使多個元件進行通訊,必須共用狀態,並且這一切都需要時間。

大多數的程式設計師將他們的工作擬人化。他們想採用一種控制執行緒來執行整個程式,就像他們必須自己完成這項工作一樣。但是,現代的電腦可以非常快速地切換工作,並且在多核心多 CPU 或分散式系統中,兩個事件可能恰好同時發生。瑕疵急於填補程式設計師在程式執行模型與實際情況之間的差距。這些瑕疵與執行緒、處理序、時間和資訊之間的意外互動有關。這些互動透過共用狀態發生:信號、變數、檔案系統,以及基本上任何可以儲存資訊的項目。

Session Fixation

Abstract
在未使任何現有階段作業識別碼無效的情況下驗證使用者,會讓攻擊者有機會竊取通過驗證的階段作業
Explanation
Session Fixation 弱點會在以下情況中出現:

1.Web 應用程式驗證一個使用者時,事先沒有使現有階段作業失效,而繼續使用已經與使用者相關聯的階段作業。
2.攻擊者可奪取使用者的階段作業識別碼,所以,在使用者驗證之後,攻擊者就可以存取驗證的階段作業。

在一般情況下,攻擊者會利用 Session Fixation 弱點,在 Web 應用程式中建立一個新的階段作業,並記錄關聯的階段作業識別碼。接著,攻擊者會讓受害者使用該階段作業識別碼驗證伺服器,這樣一來,會讓攻擊者透過作用中的階段作業取得存取使用者帳戶的權限。

有些架構 (例如 Spring Security) 在建立新的階段作業時,會自動使現有階段作業無效。若不採取此行為,應用程式會容易遭受此類攻擊。

範例 1:以下範例顯示受 Spring Security 保護之應用程式的片段,其中 Session Fixation 保護已停用。


<http auto-config="true">
...
<session-management session-fixation-protection="none"/>
</http>


即使是易受攻擊的應用程式,此處說明的特定攻擊是否會成功取決於數個受攻擊者青睞的因素:存取未受監視的公用終端機、讓已受攻擊的網路連線保持繼續運作的能力、被吸引登入公用終端機上易受攻擊應用程式的受害者。在大多數情況下,只要肯花時間,前面兩個因素是可以克服的。只要網站有趣,不難找到使用公用終端機、也有興趣登入到易受攻擊的應用程式的受害者。網站越不受歡迎,那麼使用這個公用終端機的人就會越少,這樣一來,前述攻擊成功的可能性也越低。

攻擊者攻擊 Session Fixation 弱點所面臨的最大挑戰是:誘導受害者使用攻擊者已知的階段作業識別碼來驗證易受攻擊的應用程式。在 Example 1 中,攻擊者使用直接明顯的方法並不高明,對於攻擊知名度較低的網站並不適用。但是,千萬不要過於大意,攻擊者有許多手段來突破上述攻擊的限制。攻擊者最常採用的技術包括:利用目標網站中的 Cross-Site Scripting 或 HTTP Response Splitting 弱點 [1]。透過誘使受害者向一個易受攻擊的應用程式提交惡意要求,讓應用程式將 JavaScript 或者其他程式碼反映到受害者的瀏覽器,這樣一來,攻擊者就可以建立 Cookie,使受害者重新使用受攻擊者控制的階段作業識別碼。

要特別注意的是,通常 Cookie 會與某個已知 URL 相關聯的上層網域繫結在一起。如果多個應用程式位於同一個上層網域 (例如 bank.example.comrecipes.example.com),其中一個應用程式存在弱點,那麼攻擊者便可以透過此弱點設定一個 Cookie,並在其中包含已修改的階段作業識別碼,且該階段作業識別碼可以在 example.com [2] 網域上的所有應用程式中交互使用。

其他攻擊方向還包括 DNS Poisoning 和其他以網路為基礎的攻擊,攻擊者會透過重新指向對有效網站的要求,誘使攻擊者存取惡意網站。一般來說,以網路為基礎的攻擊包括:實際出現在受害者的網路上,或是控制網路上已受攻擊的機器。雖然透過遠端方式發動攻擊比較困難,但是這類攻擊不容忽視。安全性較差的階段作業管理機制 (例如在 Apache Tomcat 中的預設實作),可以將通常儲存在 Cookie 中的階段作業識別碼也指定給 URL。這可讓攻擊者只要透過電子郵件發送惡意 URL,就可以誘使受害者使用修改過的階段作業識別碼。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 384
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001664, CCI-001941, CCI-001942
[3] Standards Mapping - FIPS200 IA
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-10 Concurrent Session Control (P3), IA-2 Identification and Authentication (Organizational Users) (P1), SC-23 Session Authenticity (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-10 Concurrent Session Control, IA-2 Identification and Authentication (Organizational Users), SC-23 Session Authenticity
[7] Standards Mapping - OWASP API 2023 API2 Broken Authentication
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.2.1 Session Binding Requirements (L1 L2 L3), 3.2.3 Session Binding Requirements (L1 L2 L3), 3.3.1 Session Logout and Timeout Requirements (L1 L2 L3)
[9] Standards Mapping - OWASP Mobile 2014 M9 Improper Session Handling
[10] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[11] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[12] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[13] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[14] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[15] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[16] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3405 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3405 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3405 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3405 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3405 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3405 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3405 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000010 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000010 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Session Fixation (WASC-37)
[51] Standards Mapping - Web Application Security Consortium 24 + 2 Session Fixation
desc.config.java.session_fixation
Abstract
在未使任何現有階段作業識別碼失效的情況下驗證使用者,會讓攻擊者有機會竊取通過驗證的階段作業。
Explanation
Session Fixation 弱點會在以下情況中出現:

1.Web 應用程式驗證一個使用者時,事先沒有使現有階段作業失效,而繼續使用已經與使用者相關聯的階段作業。

2.攻擊者能夠奪取使用者的階段作業識別碼,所以在使用者驗證後,攻擊者就可以存取驗證的階段作業。

在一般情況下,攻擊者會利用 Session Fixation 弱點,在 Web 應用程式中建立一個新的階段作業,並記錄關聯的階段作業識別碼。接著,攻擊者會讓受害者使用該階段作業識別碼驗證伺服器,這樣一來,會讓攻擊者透過作用中的階段作業取得存取使用者帳戶的權限。

範例 1:以下程式碼停用階段作業 Cookie 的 use_strict_mode 屬性。

ini_set("session.use_strict_mode", "0");
References
[1] D. Whalen The Unofficial Cookie FAQ
[2] The PHP Group PHP Use Strict Mode Documentation
[3] Standards Mapping - Common Weakness Enumeration CWE ID 384
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001664, CCI-001941, CCI-001942
[5] Standards Mapping - FIPS200 IA
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-10 Concurrent Session Control (P3), IA-2 Identification and Authentication (Organizational Users) (P1), SC-23 Session Authenticity (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-10 Concurrent Session Control, IA-2 Identification and Authentication (Organizational Users), SC-23 Session Authenticity
[9] Standards Mapping - OWASP API 2023 API2 Broken Authentication
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.2.1 Session Binding Requirements (L1 L2 L3), 3.2.3 Session Binding Requirements (L1 L2 L3), 3.3.1 Session Logout and Timeout Requirements (L1 L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M9 Improper Session Handling
[12] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[13] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[14] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[15] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[16] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[17] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[18] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3405 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3405 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3405 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3405 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3405 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3405 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3405 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000010 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000010 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Session Fixation (WASC-37)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Session Fixation
desc.structural.php.session_fixation