On Sun, Jul 16, 2023 at 7:39 PM Jens Timmerman <j...@caret.be> wrote:
>
> On 03/07/2023 16:59, i...@esec-service.de wrote:
> > Document Title:
> > ===============
> > Citrix Gateway&Cloud MFA - Insufficient Session Validation Vulnerability
> >
> >
> > Technical Details & Description:
> > ================================
> > An insufficient session validation web vulnerability was discovered in
> > the Citrix Gateway (ADC/NetScaler) 13.0 & 13.1 web-application, Cloud
> > and AAA Feature.
> > The security vulnerability allows remote attackers to bypass the MFA
> > function by hijacking the session data of an active user (non-expired
> > session) to follow up with further compromising attacks.
>
> I've been working with a lot of products I believe are vulnerable
> to a very similar exploit, and I was wondering how one should fix
> this/protect against this attack?
>
> I looked at
> https://owasp.org/www-community/attacks/Session_hijacking_attack
> but the page linking to the related controls doesn't seem to exist.
>
> On
> https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
> I can read:
>
> With the goal of detecting (and, in some scenarios, protecting against)
> user misbehaviors and session hijacking, it is highly recommended to
> bind the session ID to other user or client properties, such as the
> client IP address, User-Agent, or client-based digital certificate. If
> the web application detects any change or anomaly between these
> different properties in the middle of an established session, this is a
> very good indicator of session manipulation and hijacking attempts, and
> this simple fact can be used to alert and/or terminate the suspicious
> session.
>
> So binding a session server side to an IP address and browser
> fingerprint can detect if this is ongoing, but a sophisticated attacker
> could still pull this off.
>
> Can someone point me to some information on what the industry best
> practices are to protect against this type of attack?

There's also https://en.wikipedia.org/wiki/Session_hijacking#Prevention

One thing Jim Manico of OWASP recommends is to (re)prompt the user for
their password on occasion, like when performing a high value operation.
That will effectively re-authenticate a user before a high value
operation. Attackers with a cookie but without the user's password should
fail the re-authentication challenge.

Jeff

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
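An added example (not from this thread, OWASP, or any of the products named in it) of the two controls discussed above: a server-side session bound to the client IP and User-Agent that is terminated on mismatch, plus a re-authentication window that a high-value operation must fall inside. The in-memory store, the window length and the function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory session store (assumption); a real deployment
# would keep the same records in a server-side database or cache.
SESSIONS = {}
REAUTH_WINDOW = 300  # seconds a password re-prompt stays valid (assumption)

def client_fingerprint(ip, user_agent):
    """Hash of the client properties the session is bound to."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()

def create_session(user, ip, user_agent, now=None):
    """Issue a fresh random session id bound to this client."""
    sid = secrets.token_urlsafe(32)
    now = time.time() if now is None else now
    SESSIONS[sid] = {"user": user,
                     "fp": client_fingerprint(ip, user_agent),
                     "last_auth": now}  # login counts as a fresh authentication
    return sid

def validate_session(sid, ip, user_agent):
    """Return the user if the session is live and bound to this client.
    A changed IP/User-Agent is treated as a hijacking indicator: the
    session is terminated so the presented cookie cannot be reused."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    if not hmac.compare_digest(sess["fp"], client_fingerprint(ip, user_agent)):
        del SESSIONS[sid]
        return None
    return sess["user"]

def reauthenticate(sid, password_ok, now=None):
    """Record a successful password re-prompt on the session."""
    if password_ok and sid in SESSIONS:
        SESSIONS[sid]["last_auth"] = time.time() if now is None else now
        return True
    return False

def high_value_allowed(sid, now=None):
    """Step-up check: a stolen cookie alone carries no recent re-auth."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return False
    now = time.time() if now is None else now
    return now - sess["last_auth"] <= REAUTH_WINDOW
```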