Session Management / Session Puzzling
Description
Session Puzzling is a session management vulnerability that occurs in web and API applications and is categorized in the Common Weakness Enumeration (CWE) as CWE-384. In this attack, an attacker guesses a valid session ID and hijacks the active session, gaining access to another user's data and services. The vulnerability can be identified through several methods, including manual testing, dynamic application security testing (DAST), and static application security testing (SAST). It is also listed in the OWASP Testing Guide under Session Management Testing.
Risk
Session Puzzling can have serious implications for an application and its users. An attacker who guesses a session ID correctly can use the application with the full privileges of that session's owner. This can lead to the theft of sensitive data or to malicious modification of the application. It should therefore be rated as critical on the risk scale.
Solution
The way to prevent Session Puzzling is to ensure that session IDs are generated from an unpredictable random source and are hard to guess. An application can also implement additional measures, such as encryption and authentication, to ensure that session IDs are not exposed. Additionally, session IDs should be regenerated at regular intervals so that a guessed value is only useful for a limited time.
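The following Python example is added here to illustrate the solution above; it is not code from the original page or from any project it mentions. It contrasts a constructed counter-based generator (the kind of predictable ID the page warns about) with an ID drawn from the operating system's CSPRNG, adds a small review heuristic that flags samples of issued IDs that look predictable, and shows a server-side store that rotates an ID after it has aged. The names SESSION_ID_BYTES, ROTATE_AFTER, looks_predictable and SessionStore, and the 32-byte / 15-minute values, are assumptions chosen for the example, not values from the page.

```python
import re
import secrets
import time


class WeakSessionIdGenerator:
    """Constructed illustration of the flaw: a counter-based ID.
    Observing one value is enough to predict every neighbouring one."""

    def __init__(self, start=1000):
        self._counter = start

    def new_id(self):
        self._counter += 1
        return f"sess{self._counter}"


SESSION_ID_BYTES = 32  # assumed policy: 256 bits of OS randomness per ID


def new_session_id():
    """Hardened generator: secrets draws from the OS CSPRNG, so IDs are
    unrelated to each other, to the clock, or to any counter."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


def looks_predictable(ids):
    """Heuristic review check over a sample of issued IDs. Returns True when
    the sample shows any of: short IDs, a long shared prefix, or trailing
    digit runs that step by a constant amount (counter or timestamp)."""
    if len(ids) < 3:
        raise ValueError("need at least three IDs to judge")
    shortest = min(len(s) for s in ids)
    if shortest < 16:
        return True
    # Longest prefix shared by every ID in the sample.
    prefix_len = 0
    for chars in zip(*ids):
        if len(set(chars)) != 1:
            break
        prefix_len += 1
    if prefix_len * 2 >= shortest:
        return True
    # Trailing digit runs forming an arithmetic progression.
    suffixes = [re.search(r"\d+$", s) for s in ids]
    if all(suffixes):
        nums = [int(m.group()) for m in suffixes]
        steps = {b - a for a, b in zip(nums, nums[1:])}
        if len(steps) == 1:
            return True
    return False


class SessionStore:
    """Server-side session store; the client only ever holds the opaque ID.
    IDs older than ROTATE_AFTER seconds are replaced on their next use."""

    ROTATE_AFTER = 900  # assumed policy: rotate every 15 minutes

    def __init__(self, clock=time.time):
        self._sessions = {}  # session ID -> {"data": ..., "issued": timestamp}
        self._clock = clock  # injectable clock so rotation can be tested

    def create(self, data):
        sid = new_session_id()
        self._sessions[sid] = {"data": data, "issued": self._clock()}
        return sid

    def rotate(self, sid):
        """Bind the same session data to a fresh ID and retire the old one.
        Call this on login or privilege change as well as on the timer."""
        entry = self._sessions.pop(sid)
        new_sid = new_session_id()
        self._sessions[new_sid] = {"data": entry["data"], "issued": self._clock()}
        return new_sid

    def lookup(self, sid):
        """Return (current_id, data), or None for an unknown or retired ID."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._clock() - entry["issued"] >= self.ROTATE_AFTER:
            sid = self.rotate(sid)
        return sid, entry["data"]


if __name__ == "__main__":
    weak = WeakSessionIdGenerator()
    print("weak sample predictable:", looks_predictable([weak.new_id() for _ in range(5)]))
    print("strong sample predictable:", looks_predictable([new_session_id() for _ in range(5)]))
```

The heuristic in looks_predictable is a cheap sanity check for a code review or test suite, not a substitute for using a CSPRNG: a generator that passes it can still be weak, but one that fails it is certainly broken. The store keeps all session state server-side, so a rotated ID carries no information the old one did not, and the old value stops working immediately.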
Example
The following example is taken from CVE-2017-11673, a vulnerability in the LiveZilla Chat Server:
GET /chat.php?acid=<session_id> HTTP/1.1
In this example, the application uses a predictable value in the acid session parameter, so an attacker can guess a valid session ID.