Session Puzzling

What is Session Puzzling?
Session Puzzling, also known as Session Variable Overloading, arises when an application uses the same session variable name for multiple, unrelated purposes.
How does Session Puzzling work?
A Session Puzzling attack abuses a design-level weakness in which the application reuses the same session variable name for different purposes (for example, one feature sets the variable and another, unrelated feature trusts it). An attacker who can get the variable set through one path can then reach features and information that a different path was supposed to protect.
What can an attacker do by exploiting Session Puzzling?
  • An attacker can exploit the weakness to access unauthorized information or features and to perform privilege escalation and IDOR.
  • An attacker may reach the admin console and access or manipulate data, which can also lead to DoS.
  • An attacker can bypass the authentication mechanism.
  • An attacker can skip required verification phases (for example, a step in a multi-step flow).
  • An attacker can manipulate server-side state in a way that affects multiple users.
  • An attacker can access otherwise unreachable features and areas and use them to mount further attacks.

Example:
  1. Consider a university application with multiple roles such as students, professors and administrators.
  2. Assume that the student role uses a session variable named is_qualified_for_exam to record whether the student is allowed to sit the exam.
  3. Assume that the teacher role uses the same variable name, is_qualified_for_exam, to record whether the teacher is allowed to use the "Exam Management" module.
  4. This scenario is vulnerable to Session Variable Overloading: once the student's flow has set is_qualified_for_exam, the student can open the "Exam Management" module if that module performs no further authorization check of its own.
  5. The student then gains access to a great deal of sensitive information about the examinations.

How to prevent Session Puzzling?
The application must use distinct session variable names for distinct purposes. For authorization decisions, the application must verify the user's role on the server side rather than relying on session values alone, since those values can be influenced by the user through other parts of the application. For 2FA, the application must verify details such as the OTP on the server side and must not treat a session variable as proof that the step was completed.
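The following Python model, added here as an example and not part of the original post, reproduces the university scenario above: the vulnerable gate trusts the overloaded is_qualified_for_exam flag, while the hardened gate uses role-scoped variable names and checks the role held in the server-side session record. The Session class and function names are hypothetical; no web framework is involved.

```python
# Added example (not from the original post). In-memory stand-in for a
# server-side session store; names below are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    role: str                          # set once at login, server-side only
    data: dict = field(default_factory=dict)


# --- Vulnerable: one variable name serves two unrelated purposes -----------

def student_checks_eligibility(s: Session) -> None:
    """Student flow: records that the student may sit the exam."""
    s.data["is_qualified_for_exam"] = True


def can_open_exam_management_vuln(s: Session) -> bool:
    """Teacher module gated on the same overloaded flag, with no role check."""
    return s.data.get("is_qualified_for_exam", False)


# --- Hardened: distinct, role-scoped keys plus a server-side role check ----

def student_checks_eligibility_safe(s: Session) -> None:
    s.data["student.exam_eligible"] = True


def teacher_is_granted_exam_module(s: Session) -> None:
    if s.role != "teacher":            # role comes from the server record
        raise PermissionError("only teachers can be granted this module")
    s.data["teacher.exam_management_allowed"] = True


def can_open_exam_management_safe(s: Session) -> bool:
    # Role check first; the flag alone is never sufficient.
    return s.role == "teacher" and s.data.get("teacher.exam_management_allowed", False)


def demo() -> dict:
    """Constructed users: a student and a teacher walking through both gates."""
    student = Session(user="alice", role="student")
    student_checks_eligibility(student)
    student_checks_eligibility_safe(student)
    teacher = Session(user="bob", role="teacher")
    teacher_is_granted_exam_module(teacher)
    return {
        "student_vuln": can_open_exam_management_vuln(student),  # True: overloaded flag leaks access
        "student_safe": can_open_exam_management_safe(student),  # False
        "teacher_safe": can_open_exam_management_safe(teacher),  # True
    }


if __name__ == "__main__":
    print(demo())
```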
