J2EE Misconfiguration: Insufficient Session-ID Length| ID: 6 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: INCOMPLETE |
| Abstraction Type: Variant |
Description
The J2EE application is configured to use an insufficient
session ID length.
Extended DescriptionIf an attacker can guess or steal a session ID, then he/she may be able to
take over the user's session (called session hijacking). The number of
possible session IDs increases with increased session ID length, making it
more difficult to guess or steal a session ID.
Enabling Factors for ExploitationIf attackers use a botnet with hundreds or thousands of drone computers,
it is reasonable to assume that they could attempt tens of thousands of
guesses per second. If the web site in question is large and popular, a high
volume of guessing might go unnoticed for some time.
Applicable PlatformsLanguage: Java
Time Of Introduction
- Architecture and Design
- Implementation
Related Attack Patterns
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Access_Control | Gain privileges / assume
identity | If an attacker can guess an authenticated user's session identifier,
they can take over the user's session. |
| | | |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Implementation | | Session identifiers should be at least 128 bits long to prevent
brute-force session guessing. A shorter session identifier leaves the
application open to brute-force session guessing attacks. | | |
| Implementation | | A lower bound on the number of valid session identifiers that are
available to be guessed is the number of users that are active on a site
at any given moment. However, any users that abandon their sessions
without logging out will increase this number. (This is one of many good
reasons to have a short inactive session timeout.) With a 64 bit session
identifier, assume 32 bits of entropy. For a large web site, assume that
the attacker can try 1,000 guesses per second and that there are 10,000
valid session identifiers at any given moment. Given these assumptions,
the expected time for an attacker to successfully guess a valid session
identifier is less than 4 minutes. Now assume a 128 bit session
identifier that provides 64 bits of entropy. With a very large web site,
an attacker might try 10,000 guesses per second with 100,000 valid
session identifiers available to be guessed. Given these assumptions,
the expected time for an attacker to successfully guess a valid session
identifier is greater than 292 years. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-6 ChildOf CWE-895 | Category | CWE-888 | |
Demonstrative Examples (Details)
- The following XML example code is a deployment descriptor for a Java
web application deployed on a Sun Java Application Server. This deployment
descriptor includes a session configuration property for configuring the
session ID length. (Demonstrative Example Id DX-47)
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| 7 Pernicious Kingdoms | | J2EE Misconfiguration: Insufficient Session-ID
Length | |
References:
- ..
