CWE-6 J2EE误配置：会话ID长度不充分

J2EE Misconfiguration: Insufficient Session-ID Length

结构: Simple

Abstraction: Variant

状态: Incomplete

被利用可能性: unkown

基本描述

The J2EE application is configured to use an insufficient session ID length.

扩展描述

If an attacker can guess or steal a session ID, then they may be able to take over the user's session (called session hijacking). The number of possible session IDs increases with increased session ID length, making it more difficult to guess or steal a session ID.

相关缺陷

• cwe_Nature: ChildOf cwe_CWE_ID: 334 cwe_View_ID: 1000 cwe_Ordinal: Primary

适用平台

Language: {'cwe_Name': 'Java', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围	影响	注释
Access Control	Gain Privileges or Assume Identity	If an attacker can guess an authenticated user's session identifier, they can take over the user's session.

可能的缓解方案

Implementation

策略:

Session identifiers should be at least 128 bits long to prevent brute-force session guessing. A shorter session identifier leaves the application open to brute-force session guessing attacks.

Implementation

策略:

A lower bound on the number of valid session identifiers that are available to be guessed is the number of users that are active on a site at any given moment. However, any users that abandon their sessions without logging out will increase this number. (This is one of many good reasons to have a short inactive session timeout.) With a 64 bit session identifier, assume 32 bits of entropy. For a large web site, assume that the attacker can try 1,000 guesses per second and that there are 10,000 valid session identifiers at any given moment. Given these assumptions, the expected time for an attacker to successfully guess a valid session identifier is less than 4 minutes. Now assume a 128 bit session identifier that provides 64 bits of entropy. With a very large web site, an attacker might try 10,000 guesses per second with 100,000 valid session identifiers available to be guessed. Given these assumptions, the expected time for an attacker to successfully guess a valid session identifier is greater than 292 years.

示例代码

例

The following XML example code is a deployment descriptor for a Java web application deployed on a Sun Java Application Server. This deployment descriptor includes a session configuration property for configuring the session ID length.

bad XML

This deployment descriptor has set the session ID length for this Java web application to 8 bytes (or 64 bits). The session ID length for Java web applications should be set to 16 bytes (128 bits) to prevent attackers from guessing and/or stealing a session ID and taking over a user's session.

Note for most application servers including the Sun Java Application Server the session ID length is by default set to 128 bits and should not be changed. And for many application servers the session ID length cannot be changed from this default setting. Check your application server documentation for the session ID length default setting and configuration options to ensure that the session ID length is set to 128 bits.

分类映射

映射的分类名	ImNode ID	Fit	Mapped Node Name
7 Pernicious Kingdoms			J2EE Misconfiguration: Insufficient Session-ID Length

相关攻击模式

• CAPEC-21
• CAPEC-59

引用

• REF-482 Hold Your Sessions: An Attack on Java Session-id Generation

文章来源于互联网:scap中文网