How to prevent tomcat session hijacking?

后端 未结 3 697
既然无缘
既然无缘 2021-01-31 21:00

In my web.xml I\'ve defined a user-data-constraint for some resources:


    
        

        
相关标签:
3条回答
  • 2021-01-31 21:24

    If it's a recent version of Tomcat, you may not have a problem. However, this depends on your checking the SSL ID associated with the session. This is available using code such as

    String sslId = (String) req.getAttribute("javax.servlet.request.ssl_session");
    

    (Note that the attribute key may change in the future to javax.servlet.request.ssl_session_id - as part of the Servlet 3.0 spec).

    I set up a servlet with the following doGet method:

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
                        throws ServletException, IOException {
        HttpSession session = request.getSession(true);
        String sid = session.getId();
        String sslId = (String) request.getAttribute(
                    "javax.servlet.request.ssl_session");
        String uri = request.getRequestURI();
        OutputStream out = response.getOutputStream();
        PrintWriter pw = new PrintWriter(out);
        HashMap<String, Object> secrets;
        Object secret = null;
        Object notSecret;
        Date d = new Date();
    
        notSecret = session.getAttribute("unprotected");
        if (notSecret == null) {
            notSecret = "unprotected: " + d.getTime();
            session.setAttribute("unprotected", notSecret);
        }
        secrets = (HashMap<String, Object>) session.getAttribute("protected");
        if (secrets == null) {
            secrets = new HashMap<String, Object>();
            session.setAttribute("protected", secrets);
        }
        if (sslId != null) {
            if (secrets.containsKey(sslId))
                secret = secrets.get(sslId);
            else {
                secret = "protected: " + d.getTime();
                secrets.put(sslId, secret);
            }
        }
        response.setContentType("text/plain");
        pw.println(MessageFormat.format("URI: {0}", new Object[] { uri }));
        pw.println(MessageFormat.format("SID: {0}", new Object[] { sid }));
        pw.println(MessageFormat.format("SSLID: {0}", new Object[] { sslId }));
        pw.println(MessageFormat.format("Info: {0}", new Object[] { notSecret }));
        pw.println(MessageFormat.format("Secret: {0}", new Object[] { secret }));
        pw.println(MessageFormat.format("Date: {0}", new Object[] { d }));
        pw.close();
    }
    

    I then invoked a suitable unprotected URL using Firefox and the Live HTTP Headers extension, to get the session cookie. This was the response sent when I navigated to

    http://localhost:8080/EchoWeb/unprotected
    

    (my web.xml, like yours, only protects /user/* and /personal/*):

    URI: /EchoWeb/unprotected
    SID: 9ACCD06B69CA365EFD8C10816ADD8D71
    SSLID: null
    Info: unprotected: 1254034761932
    Secret: null
    Date: 27/09/09 07:59
    

    Next, I tried to access a protected URL

    http://localhost:8080/EchoWeb/personal/protected
    

    and, as expected, I got redirected to

    https://localhost:8443/EchoWeb/personal/protected
    

    and the response was

    URI: /EchoWeb/personal/protected
    SID: 9ACCD06B69CA365EFD8C10816ADD8D71
    SSLID: 4abf0d67549489648e7a3cd9292b671ddb9dd844b9dba682ab3f381b462d1ad1
    Info: unprotected: 1254034761932
    Secret: protected: 1254034791333
    Date: 27/09/09 07:59
    

    Notice that the cookie/session ID is the same, but we now have a new SSLID. Now, let's try to spoof the server using the session cookie.

    I set up a Python script, spoof.py:

    import urllib2
    
    url = "https://localhost:8443/EchoWeb/personal/protected"
    headers = {
        'Host': 'localhost:8080',
        'User-Agent': 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Accept-Language': 'en-gb,en;q=0.5',
        'Accept-Charset': 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
        'Cookie' : 'JSESSIONID=9ACCD06B69CA365EFD8C10816ADD8D71'
    }
    req = urllib2.Request(url, None, headers)
    response = urllib2.urlopen(req)
    print response.read()
    

    Now, you don't need to know Python, particularly - I'm just trying to send an HTTP request to a (different) protected resource with the same session ID in the Cookie. Here's the response when I ran my spoof script twice:

    C:\temp>spoof
    URI: /EchoWeb/personal/protected
    SID: 9ACCD06B69CA365EFD8C10816ADD8D71
    SSLID: 4abf0eafb4ffa30b6579cf189c402a8411294201e2df94b33a48ae7484f22854
    Info: unprotected: 1254034761932
    Secret: protected: 1254035119303
    Date: 27/09/09 08:05
    
    
    C:\temp>spoof
    URI: /EchoWeb/personal/protected
    SID: 9ACCD06B69CA365EFD8C10816ADD8D71
    SSLID: 4abf0eb184cb380ce69cce28beb01665724c016903650539d095c671d98f1de3
    Info: unprotected: 1254034761932
    Secret: protected: 1254035122004
    Date: 27/09/09 08:05
    

    Notice in the above responses that the session data (a value with a timestamp of 1254034761932) which was set in the first, unprotected request, has been sent throughout, because Tomcat is using the same session because the session ID is the same. This is of course not secure. However, note that the SSL IDs were different each time and if you use those to key into your session data (e.g. as shown), you should be safe. If I refresh my Firefox tab, here's the response:

    URI: /EchoWeb/personal/protected
    SID: 9ACCD06B69CA365EFD8C10816ADD8D71
    SSLID: 4abf0d67549489648e7a3cd9292b671ddb9dd844b9dba682ab3f381b462d1ad1
    Info: unprotected: 1254034761932
    Secret: protected: 1254034791333
    Date: 27/09/09 08:05
    

    Notice that the SSLID is the same as for the earlier Firefox request. So, the server can tell the sessions apart using the SSL ID value. Notice particularly that the "protected data" is the same for each request made from the Firefox session, but different for each of the spoofed sessions and also different from the Firefox session.

    0 讨论(0)
  • 2021-01-31 21:31

    I think it works like this by design. You can't base your access control on session. You need to use other parameters. You need to add authentication and use role-based control.

    In Tomcat, there is protection but exactly opposite. If you get a session in secure area, that session is not transfered to unprotected area. Tomcat achieves this by setting "secure" flag on the cookie so the cookie is not sent to the HTTP connections.

    0 讨论(0)
  • 2021-01-31 21:35

    I suggest to change the sessionId when you authenticate the session.
    In this way the old sessionId becomes useless and session hijacking is impossible.
    To change the sessionId in a servlet container:

    • copy all the attributes of the current session on a temp collection
    • session.invalidate()
    • session = req.getSession(true)
    • fill the new session with the attributes from the temp collection

    About SSLID, please note that both client and server are free to close the connection at any time. When closed a new SSL handshake will happen and a new SSID generated. So, IMO SSLID is not a reliable way to track (or help to track) sessions.

    0 讨论(0)
提交回复
热议问题