
Bad session management? #67

Closed
janssen-bart opened this issue Dec 28, 2020 · 1 comment
Labels: pinned, wontfix (This will not be worked on)

Comments

@janssen-bart

Background
The sessions used in this web app are reused, and there is no logout button although a logout function is implemented in the backend. This means that if a user signs in on a device to administer the web application, he or she has no easy way to leave the session. This allows someone to hijack the session by using the same machine. On top of that, we noted that a logout functionality is implemented in the backend but that it does not kill the session, which allows an attacker to force a user to sign in with a session id already known by the attacker.

Remediation
Make sure the session expires client-side and server-side when a user signs out or when a user is inactive for a reasonable amount of time, and that a new session is generated when a user signs in.
More information on secure session management can be found here:
https://www.owasp.org/index.php/Session_Management_Cheat_Sheet

Evidence
There was no logout functionality in the application, so it was not possible to log out. This allows someone to hijack the session by using the same machine.

Authentication used/tested:

Integrated Windows Authentication
Negotiate.

Extra, ;-)
Negotiate not working in Firefox

@janssen-bart janssen-bart added the bug Something isn't working label Dec 28, 2020
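The remediation described in the issue, as an added example that is not part of the original report or the project's own code: a minimal server-side session table in Python that issues a fresh id at sign-in (so an id known before login is worthless afterwards), deletes the entry at sign-out rather than only clearing the cookie, and drops idle sessions. The class name, IDLE_TIMEOUT value and the demo are assumptions for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session is dropped (assumed value)


class SessionStore:
    """Server-side session table: session id -> {user, last_seen}."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable so the demo can advance time

    def create_anonymous(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, old_sid, user):
        # Discard the pre-login id (it may already be known to someone else)
        # and issue a fresh one bound to the authenticated user.
        self._sessions.pop(old_sid, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def logout(self, sid):
        # Delete server-side; clearing only the browser cookie would leave the id valid.
        self._sessions.pop(sid, None)

    def current_user(self, sid):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]  # idle timeout: expire server-side
            return None
        entry["last_seen"] = now
        return entry["user"]


def demo():
    """Constructed scenario: id known before login, idle expiry, and logout."""
    clock = [1000.0]
    store = SessionStore(clock=lambda: clock[0])
    known = store.create_anonymous()          # id observed before sign-in
    admin = store.login(known, "admin")
    results = {"old_id_dead_after_login": store.current_user(known) is None,
               "new_id_differs": admin != known,
               "live_after_login": store.current_user(admin) == "admin"}
    clock[0] += IDLE_TIMEOUT + 1
    results["idle_expired"] = store.current_user(admin) is None
    sid = store.login(store.create_anonymous(), "admin")
    store.logout(sid)
    results["dead_after_logout"] = store.current_user(sid) is None
    return results
```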
@ryannewington (Member)

@janssen-bart

Logout functionality is only available in the application when using OpenID Connect or WS-Federation authentication.

'Logging out' with integrated windows auth isn't implemented, because it's managed by the browser, rather than the app. There are no session cookies to clear, as the user identity is coupled to the browser session established by the client. Even if there were a session cookie to clear on our side, as soon as you refresh a page, the browser would automatically re-authenticate the user.

We really don't recommend using IWA in production scenarios. The whole point of AMS is to help prevent lateral movement across your organization. IWA is the primary cause of lateral movement. MFA protected OIDC and smart-card based auth are where we are investing our efforts.

Happy to discuss further if you have anything else to add.

@ryannewington ryannewington self-assigned this Jan 26, 2021
@ryannewington ryannewington added wontfix This will not be worked on and removed bug Something isn't working labels Jan 26, 2021