Chapter 7. Attacking Session Management
The session management mechanism is a fundamental security component in the majority of web applications. It is what enables the application to uniquely identify a given user across a number of different requests, and to handle the data that it accumulates about the state of that user's interaction with the application. Where an application implements login functionality, session management is of particular importance, as it is what enables the application to persist its assurance of any given user's identity beyond the request in which they supply their credentials.
Because of the key role played by session management mechanisms, they are a prime target for malicious attacks against the application. If an attacker can break an application's session management, then she can effectively bypass its authentication controls and masquerade as other application users without knowing their credentials. If an attacker compromises an administrative user in this way, then the attacker can own the entire application.
As with authentication mechanisms, there is a wide variety of defects that can commonly be found in session management functions. In the most vulnerable cases, an attacker simply needs to increment the value of a token issued to them by the application in order to switch their context to that of a different user. In this situation, the application is wide open for anyone to access all areas. At the other end of the spectrum, an attacker may ...