Session Layer

links: SPA TOC - Layered Security - Index


Session Layer

  • Establishes and terminates communication sessions between host processes
  • Provides synchronization and translation between name and address databases
    • Synchronization: Keeping client and server in sync
    • Translation: URL to IP (DNS)
  • Relevant topics: TLS, TCP

Vulnerabilities

  • Weak authentication mechanisms
  • Passing of session credentials such as user ID and password in the clear, allowing intercept and unauthorized use
  • Session identification may be subject to spoofing and hijacking
    • If session IDs are predictable, an attacker might be able to guess another user's session ID and hijack the session
  • Leakage of information based on failed authentication attempts
    • Login form returns "Username is correct but the password is incorrect"
  • Unlimited failed sessions allow brute-force attacks on access credentials
    • Can be mitigated with lockouts after a given amount of failed tries or CAPTCHAs

Attacks

  • TCP session hijacking
    • Possible if the attacker can predict the sequence number
    • Server will accept the packet if the sequence number matches
    • Requirement: IP spoofing, so that the injected packets carry the victim's source IP address
  • (TLS / SSL) Man-in-the-middle
    • Attacker intercepts unencrypted connections, reads the data and then forwards it to the intended recipient without either party noticing
    • With TLS the attacker also needs a forged certificate that the client accepts in order to intercept and decrypt the communication
  • Session ID / Cookie attack
    • Attacker steals or predicts the session identifier to impersonate a user
  • Downgrade attack
    • Attacker forces the use of an older, less secure version of the protocol
  • SSH brute-force attack
    • Attacker repeatedly attempts to log in to an SSH server with different username / password combinations
  • TCP connection hijacking / MITM
    • Host A and host B go through the TCP handshake to establish a connection
    • Attacker can exploit a "desynchronized state" in TCP communication, where the sequence numbers between host A and host B no longer match up
    • Attacker can trigger this state by sending packets to one or both hosts
    • Once the sequence numbers are out of sync, host A and host B ignore each other's packets
    • Attacker can then inject forged packets with the correct sequence numbers
    • Requirement: IP spoofing, so that the injected packets carry the victim's source IP address

Controls

  • Encrypted password exchange and storage
    • Using HTTPS and hashing / salting passwords
    • Mitigates eavesdropping attacks
  • Accounts have specific expirations for credentials and authorization
    • Mitigates against unauthorized access from stolen credentials
    • Reduces window of opportunity
  • Protect session identification information via random/cryptographic means
    • Use secure RNG to generate session IDs
    • Mitigates against session hijacking
    • Attackers can't guess / predict session IDs
  • Limit failed session attempts via a timing mechanism (delays between attempts), not a lockout
    • Mitigates against brute-force attacks without letting an attacker lock legitimate users out
  • Use correct certificates on servers and clients
    • Mitigates against MITM attacks
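The following Python example is added here to tie the Controls list together; it is not part of the original notes. It shows salted password hashing, session IDs drawn from a cryptographic RNG, credential expiry, a uniform error message for every failure cause, and a doubling delay after failed logins instead of a lockout. The constants (SESSION_TTL, BASE_DELAY, the PBKDF2 iteration count) are illustrative choices, not values from the page.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 15 * 60     # seconds a session ID stays valid (illustrative value)
BASE_DELAY = 1.0          # seconds to wait after the first failed login; doubles each failure
GENERIC_ERROR = "invalid username or password"   # one message for every failure cause

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) so only hashes are ever stored."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class SessionStore:
    def __init__(self, users, clock=time.time):
        self.users = users      # username -> (salt, digest); never plaintext passwords
        self.clock = clock      # injectable clock, so expiry can be tested without sleeping
        self.sessions = {}      # session_id -> (username, expires_at)
        self.failures = {}      # username -> (consecutive_failures, next_allowed_at)

    def login(self, username, password):
        """Return (session_id, None) on success, (None, GENERIC_ERROR) otherwise."""
        now = self.clock()
        count, next_allowed = self.failures.get(username, (0, 0.0))
        if now < next_allowed:
            return None, GENERIC_ERROR   # throttled: brute force is slowed, not locked out
        # Unknown usernames are hashed against a dummy record so response time does not
        # reveal whether the account exists (the "username is correct" leak, in timing form).
        salt, stored = self.users.get(username, (b"\x00" * 16, b"\x00" * 32))
        _, candidate = hash_password(password, salt)
        if username in self.users and hmac.compare_digest(candidate, stored):
            self.failures.pop(username, None)
            sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: not predictable
            self.sessions[sid] = (username, now + SESSION_TTL)
            return sid, None
        delay = min(BASE_DELAY * 2 ** count, 60.0)   # cap so a real user is slowed, not locked out
        self.failures[username] = (count + 1, now + delay)
        return None, GENERIC_ERROR

    def user_for(self, sid):
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        username, expires_at = entry
        if self.clock() >= expires_at:
            del self.sessions[sid]   # expiry limits the window in which a stolen ID is useful
            return None
        return username
```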