Your company sells toys on a web site. A hacker hijacked a victim customer’s session by replaying the HTTP cookie as the access token. The system administrator disabled the compromised user account immediately, but the hacker’s toy orders keep coming in. Which of the following is the best solution to suppress this attack?
A. Resolve the race condition between HTTP requests
B. Ensure the time of use (TOU) is ahead of the time of check (TOC)
C. Conduct complete mediation
D. Validate user inputs
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Conduct complete mediation.
In this question, the administrator has already disabled the compromised account, yet the replayed cookie still works: the webserver is trusting the remembered result of an earlier authority check instead of re-checking each request. Conducting complete mediation, that is, validating the token and the account's current status on every request, makes the disabled account take effect immediately and rejects the hijacked session's orders.
Session, Session ID, and Access Token
In the web context, a user session is established after the user has authenticated to the webserver. The session id and/or related information, typically called an access token (or token for short), is then transmitted to the browser through the header, cookie, content, or redirection URL in an HTTP response.
The webserver authorizes requests based on the access token, which represents the authenticated user. A bearer token is a form of access token that any party in possession of it can use to access the associated resources without re-authenticating; the token itself is the only credential presented, which is exactly why a replayed cookie works.
Session hijacking is the situation in which an attacker captures a user's access token, through cross-site scripting (XSS), traffic sniffing, or other means, and then impersonates the user and exercises the user's privileges on the system.
- Validating user inputs can effectively prevent XSS, but it cannot mitigate a session that has already been hijacked. The question states that the hijack has succeeded and the attacker keeps placing orders, so input validation is too late to help.
- HTTP requests that compete for the same resource can cause a race condition, which may lead to deadlock (affecting availability) or to a time-sequence problem (TOC/TOU). Resolving race conditions between HTTP requests therefore does not stop the fake orders: the attacker's replayed cookie passes the server's check like any legitimate request.
- TOC/TOU is a time-sequence problem in which a resource is used (time of use) before, or without, validation (time of check); the correct sequence is check first, then use. "Ensure the time of use (TOU) is ahead of the time of check (TOC)" describes an implementation bug, not a fix; the correct statement would be "ensure the time of use (TOU) comes after the time of check (TOC)." Even when the program logic runs the steps in the right order, a race condition between concurrent requests can still undermine it if the check and the use are not atomic.
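To make the last point concrete, here is an added example (not code from the original post) that simulates two concurrent order requests against a toy stock of one unit. `order_check_then_use` runs the check before the use, i.e. in the correct TOC-then-TOU order, yet both requests pass the check before either one decrements the stock; `order_atomic` puts the check and the use in one critical section. The `Inventory` class, the `pause` hook used to force the interleaving, and the stock figures are constructed for the example. Note that neither version does anything about a hijacked session: a replayed cookie passes the check like any other request.

```python
import threading


class Inventory:
    """Constructed example stock record for the toy being ordered."""

    def __init__(self, stock):
        self.stock = stock
        self.lock = threading.Lock()


def order_check_then_use(inv, pause):
    """Correct TOC-then-TOU order, but the two steps are not atomic."""
    if inv.stock >= 1:          # time of check
        pause()                 # window in which another request can run
        inv.stock -= 1          # time of use
        return True
    return False


def order_atomic(inv, pause):
    """Same sequence, but check and use happen inside one critical section."""
    with inv.lock:
        if inv.stock >= 1:
            pause()
            inv.stock -= 1
            return True
        return False


def run_two_concurrent_orders(handler, stock=1):
    """Run two order requests so that both reach the window before either uses.

    Each request signals that it passed the check and waits (briefly) for the
    other to do the same.  With the atomic handler the second request blocks on
    the lock and never passes the check, so the first request's wait simply
    times out and it proceeds alone.  Returns (final stock, accepted orders).
    """
    inv = Inventory(stock)
    passed_check = [threading.Event(), threading.Event()]
    results = [False, False]

    def request(i):
        def pause():
            passed_check[i].set()
            passed_check[1 - i].wait(timeout=1.0)
        results[i] = handler(inv, pause)

    threads = [threading.Thread(target=request, args=(i,)) for i in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return inv.stock, sum(results)


if __name__ == "__main__":
    # Non-atomic: stock goes negative and both orders are accepted.
    print("check-then-use:", run_two_concurrent_orders(order_check_then_use))
    # Atomic: one order accepted, stock ends at zero.
    print("atomic:        ", run_two_concurrent_orders(order_atomic))
```

The non-atomic handler oversells even though every line of it performs the check before the use; the fix is making the pair atomic, not reordering them. Either way the handler has nothing to say about who presented the cookie, which is why option A does not answer the question.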
Saltzer and Schroeder introduced the principle of complete mediation in their 1975 paper, “The Protection of Information in Computer Systems” (Section I, “Basic Principles of Information Protection”):
Complete mediation: Every access to every object must be checked for authority. This principle, when systematically applied, is the primary underpinning of the protection system. It forces a system-wide view of access control, which in addition to normal operation includes initialization, recovery, shutdown, and maintenance. It implies that a foolproof method of identifying the source of every request must be devised. It also requires that proposals to gain performance by remembering the result of an authority check be examined skeptically. If a change in authority occurs, such remembered results must be systematically updated.
If a session is hijacked, complete mediation limits the damage rather than preventing the theft of the token itself. Issuing short-lived, limited-scope tokens and checking the expiration time, scope, and authenticity of the access token, together with the account's current status, on every request narrows what the attacker can do and invalidates the hijacked token sooner.
Because the administrator has disabled the compromised account, a webserver that re-checks the account's status on every request will reject the hijacked session's orders immediately; one that trusts the cookie on the strength of an earlier, remembered check will keep accepting them.
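The following added example (it is not code from the original post) contrasts the two server designs in a small simulation in which, as in the question, the cookie carries the access token. `CachedAuthorityServer` validates a cookie the first time it sees it and remembers the verdict, which is the “remembered result” Saltzer and Schroeder warn about; `CompleteMediationServer` re-checks authenticity, expiry, scope, and the account's current status on every request. The signed token format, the signing key, the user directory, the `order:write` scope name, and the timestamps are all assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Assumed, constructed values: a server-side signing key and a fixed "now"
# (seconds) so that the scenario is reproducible.
SIGNING_KEY = b"example-signing-key-not-for-production"
T0 = 1_700_000_000


def issue_token(user, scope, issued_at, ttl):
    """Mint a signed, short-lived, scoped access token that will ride in the cookie."""
    claims = {"sub": user, "scope": scope, "exp": issued_at + ttl}
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token):
    """Return the claims if the signature is genuine, otherwise None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def check_authority(users, cookie, now):
    """The full check: genuine, unexpired, in scope, and the account still enabled."""
    claims = verify_token(cookie)
    if claims is None:
        return None, "bad token"
    if claims["exp"] <= now:
        return None, "token expired"
    if "order:write" not in claims["scope"]:
        return None, "insufficient scope"
    account = users.get(claims["sub"])
    if account is None or account["disabled"]:
        return None, "account disabled"
    return claims["sub"], "ok"


class CachedAuthorityServer:
    """Checks authority once per cookie and remembers the result thereafter."""

    def __init__(self, users):
        self.users = users
        self.remembered = {}  # cookie -> user, filled by the first successful check

    def place_order(self, cookie, now):
        user = self.remembered.get(cookie)
        if user is None:
            user, reason = check_authority(self.users, cookie, now)
            if user is None:
                return f"rejected: {reason}"
            self.remembered[cookie] = user  # the check is never repeated
        return f"accepted: order for {user}"


class CompleteMediationServer:
    """Runs the full check on every single request."""

    def __init__(self, users):
        self.users = users

    def place_order(self, cookie, now):
        user, reason = check_authority(self.users, cookie, now)
        if user is None:
            return f"rejected: {reason}"
        return f"accepted: order for {user}"


def run_scenario(server_cls):
    """Replay the incident from the question against one server design."""
    users = {"alice": {"disabled": False}}          # constructed user directory
    server = server_cls(users)
    cookie = issue_token("alice", ["order:write"], T0, ttl=300)  # 5-minute token
    log = [
        server.place_order(cookie, now=T0 + 1),      # Alice's own order
        server.place_order(cookie, now=T0 + 2),      # attacker replays the cookie
    ]
    users["alice"]["disabled"] = True                # administrator disables the account
    log.append(server.place_order(cookie, now=T0 + 3))    # attacker replays again
    log.append(server.place_order(cookie, now=T0 + 600))  # ...and after the token expired
    return log


if __name__ == "__main__":
    for cls in (CachedAuthorityServer, CompleteMediationServer):
        print(cls.__name__)
        for line in run_scenario(cls):
            print("   ", line)
```

Both servers accept the attacker's first replay: complete mediation does not stop the theft of a bearer credential. The difference appears once authority changes. The cached design keeps accepting the replayed cookie after the account is disabled and even after the token has expired, because it never looks again; the mediating design rejects the very next request, and the short lifetime bounds the damage even if nobody had noticed.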
The following is a summary of the security recommendations in RFC 6750 (Section 5.3):
- Safeguard bearer tokens
- Validate TLS certificate chains
- Always use TLS (https)
- Don’t store bearer tokens in cookies
- Issue short-lived bearer tokens
- Issue scoped bearer tokens
- Don’t pass bearer tokens in page URLs
References
- Access token
- Race conditions and deadlocks
- Race Conditions and Critical Sections
- Cookies vs. Tokens: The Definitive Guide
- RFC 6750, The OAuth 2.0 Authorization Framework: Bearer Token Usage
- HTTP authentication
- The Protection of Information in Computer Systems
- Complete Mediation
- Time-of-check to time-of-use
- How Secure Are Query Strings Over HTTPS?
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get their copy from the author’s web site.
Your company sells toys on a website. A hacker hijacked a victim customer’s session by replaying the HTTP cookie as the access token. The system administrator immediately disabled that customer’s user account, but the hacker’s toy orders keep pouring in. Which of the following is the best solution to suppress this attack?
A. Resolve the race condition between HTTP requests