Friday, October 9, 2009

ColdFusion Session Fixation

I usually see session fixation vulnerabilities in Java web applications. Just recently I found a ColdFusion application vulnerable to session fixation. In a fixation attack the attacker chooses the session identifier ahead of time, gets the victim to log in under it, and then presents that same identifier to take over the authenticated session, so this nasty security hole greatly increases the risk that legitimate sessions will be hijacked. Both HP WebInspect and Burp Pro's active scanner failed to find this vulnerability. Testing for session fixation is quite easy to do, so I ran a quick test for it manually, and I'm very glad I did.

When testing for session fixation, I like to use two different browsers: IE and Firefox. Two separate browsers guarantee that the second one starts with no cookies for the site, so any session it ends up with came either from the crafted URL or from the server's response to it. If the login page for an application is https://someapp.com/login, my test for session fixation consists of the following steps:

    1. Launch Firefox and navigate directly to the login page.

    2. Inspect the cookie(s) assigned by the application. For a Java web app, a JSESSIONID cookie is normally set. In the case of ColdFusion, CFID and CFTOKEN cookies are typically set.

    3. Copy the session ID from the cookie.

    4. Construct a special URL that contains the session ID.
    For Java, it looks like this:
    https://someapp.com/login.jsp;jsessionid=[sessid]
    For CF, it looks like this:
    https://someapp.com/login.cfm?cfid=[cfid]&cftoken=[cftoken]

    5. Open IE and configure it to run through a proxy (Burp, Paros, Fiddler2, etc.).

    6. Paste the special URL into the IE address bar and hit Enter (this step simulates a victim clicking on a link in an email or Internet post).

    7. Observe the HTTP response from the server. Is there a "Set-Cookie" header? If so, what session ID is being set? You have a problem if it's the same value that appears in the URL: the server has adopted an identifier the attacker chose. You're probably okay if the value is different, since the server discarded the supplied ID and issued its own. If there is no Set-Cookie header at all, treat the result as inconclusive rather than a pass; log in through the special URL and check whether the session you land in is still the one named in the URL (servlet containers in particular can keep honouring a ;jsessionid path parameter without ever setting a cookie).

The ColdFusion site I tested was handling the situation even more poorly than usual. It was not necessary to visit the site first to obtain legitimate session IDs from the server, so steps 1-3 above weren't required. An attacker could make up *any* 6-digit value for "cfid" and *any* 8-digit value for "cftoken", embed the made-up values in the malicious URL, and the application happily accepted them. The server responded by assigning CFID and CFTOKEN cookies based on the made-up values, as illustrated below. That removes the one practical hurdle in a fixation attack: the attacker never has to obtain a real session from the server, or keep it alive until the victim clicks.

The URL of the request was:
https://someapp.com/login.cfm?cfid=999555&cftoken=29292929

The HTTP response contained the following headers:
Set-Cookie: CFID=999555; path=/; Secure
Set-Cookie: CFTOKEN=29292929; path=/; Secure
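
The seven-step manual test above, together with the made-up-ID variant just shown, written up as a small Python probe. This is an added example and not code from the original post: the function names, the verdict strings, the "fixation-probe" User-Agent and the helper that refuses redirects are my own choices, and the only data it is run on here are the URL and Set-Cookie headers quoted above (constructed input, not a live response). Steps 1-3 are done by a cookie-less client standing in for Firefox, steps 6-7 by a second cookie-less client standing in for IE, and `classify` is the step 7 comparison.

```python
"""Session-fixation probe, following the seven-step manual test above.

Steps 1-3 (browser A): fetch the login page with a fresh, cookie-less client
and read the session cookie(s) the server sets.
Step 4:   build the "special URL" that carries those IDs.
Steps 6-7 (browser B): request that URL from a second fresh client and compare
the IDs in its Set-Cookie headers with the ones carried in the URL.
The `fabricated` option reproduces the second finding: skip steps 1-3 and
supply made-up IDs to see whether the server adopts them anyway.

All names below (SESSION_COOKIES, parse_set_cookie, build_fixation_url,
classify, probe) are assumptions made for this illustration.
"""
import urllib.error
import urllib.request
from urllib.parse import urlencode, urlsplit, urlunsplit

# Session cookie names per platform, as named in the post.
SESSION_COOKIES = {
    "java": ("JSESSIONID",),
    "coldfusion": ("CFID", "CFTOKEN"),
}


def parse_set_cookie(headers):
    """Map cookie name -> value for a list of Set-Cookie header values.

    Accepts raw header values ("CFID=1; path=/") and lines pasted from a proxy
    ("Set-Cookie: CFID=1; path=/"). Attributes after the first ';' are ignored.
    """
    jar = {}
    for header in headers:
        if header.lower().startswith("set-cookie:"):
            header = header.split(":", 1)[1]
        name, _, value = header.split(";", 1)[0].partition("=")
        if name.strip():
            jar[name.strip()] = value.strip()
    return jar


def build_fixation_url(login_url, platform, ids):
    """Step 4: embed the session ID(s) in the login URL the way each platform reads them."""
    parts = urlsplit(login_url)
    if platform == "java":
        # Servlet containers read the ID from a ';jsessionid=' path parameter.
        path = f"{parts.path};jsessionid={ids['JSESSIONID']}"
        return urlunsplit((parts.scheme, parts.netloc, path, parts.query, ""))
    # ColdFusion reads CFID/CFTOKEN from the query string.
    query = urlencode({"cfid": ids["CFID"], "cftoken": ids["CFTOKEN"]})
    if parts.query:
        query = f"{parts.query}&{query}"
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def classify(platform, supplied, set_cookie_headers):
    """Step 7: compare what the server set against what the URL supplied."""
    issued = parse_set_cookie(set_cookie_headers)
    names = [n for n in SESSION_COOKIES[platform] if n in issued]
    if not names:
        # No session cookie on this response: inconclusive, not a pass. Log in
        # through the special URL and see which session you end up in.
        return "inconclusive-no-session-cookie"
    if all(issued[n] == supplied.get(n) for n in names):
        return "FIXATION"            # server adopted the attacker-chosen ID(s)
    return "ok-server-issued-new-id"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: the Set-Cookie we care about is on the first response."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def _fresh_get(url):
    """One request from a client with no cookie jar, so nothing carries over."""
    opener = urllib.request.build_opener(_NoRedirect)
    request = urllib.request.Request(url, headers={"User-Agent": "fixation-probe"})
    try:
        with opener.open(request, timeout=15) as response:
            return response.headers.get_all("Set-Cookie") or []
    except urllib.error.HTTPError as err:      # 3xx/4xx responses still carry headers
        return err.headers.get_all("Set-Cookie") or []


def probe(login_url, platform, fabricated=None):
    """Run the whole test against a live login page. Returns (special_url, verdict).

    With fabricated={"CFID": "999555", "CFTOKEN": "29292929"} steps 1-3 are
    skipped and the made-up IDs are sent, reproducing the post's second finding.
    """
    supplied = fabricated or parse_set_cookie(_fresh_get(login_url))          # steps 1-3
    special_url = build_fixation_url(login_url, platform, supplied)           # step 4
    return special_url, classify(platform, supplied, _fresh_get(special_url))  # steps 6-7


if __name__ == "__main__":
    # Offline walk-through on the headers quoted in the post (constructed input).
    made_up = {"CFID": "999555", "CFTOKEN": "29292929"}
    url = build_fixation_url("https://someapp.com/login.cfm", "coldfusion", made_up)
    response_headers = [
        "Set-Cookie: CFID=999555; path=/; Secure",
        "Set-Cookie: CFTOKEN=29292929; path=/; Secure",
    ]
    print(url, "->", classify("coldfusion", made_up, response_headers))
    # Live target (only with permission):
    # probe("https://someapp.com/login.cfm", "coldfusion", fabricated=made_up)
```

Redirects are deliberately not followed because a login page that bounces to another URL usually sets its session cookie on the first hop, which `urlopen` would otherwise swallow. Running `probe` twice, once without `fabricated` and once with it, distinguishes the ordinary fixation case (a real ID is echoed back) from the worse one found here, where the server adopts values that never came from it.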

2 comments:

jackob 9/10/2010 5:17 AM  

Wow this is AWESOME, soooo cool! I didn't even think this was possible! Definitely donate!!!!
Thank You
ColdFusion Developer

Troy 10/07/2010 1:07 PM  

Hi,

I just wanted to say that I really enjoyed your blog and this post. You make some very informative points. Keep up the great work!

-
Delphi development
