摘要:序本文主要講一下以及對它的防范。會話固定攻擊,是利用那些登錄前和登錄之后沒有變化的漏洞來獲取登錄態,進而獲取用戶的相關信息等。
序
本文主要講一下session fixation attacks以及spring security對它的防范。
session fixation attacks會話固定攻擊,是利用那些登錄前和登錄之后sessionId沒有變化的漏洞來獲取登錄態,進而獲取用戶的相關信息等。
servlet3.1規范servlet3.1規范中,HttpServletRequest.java明確規定了一個changeSessionId的方法
tomcat-embed-core-8.5.23-sources.jar!/javax/servlet/http/HttpServletRequest.java
/** * Changes the session ID of the session associated with this request. This * method does not create a new session object it only changes the ID of the * current session. * * @return the new session ID allocated to the session * @see HttpSessionIdListener * @since Servlet 3.1 */ public String changeSessionId();SessionAuthenticationStrategy
spring-security-web-4.2.3.RELEASE-sources.jar!/org/springframework/security/web/authentication/session/SessionAuthenticationStrategy.java
/** * Allows pluggable support for HttpSession-related behaviour when an authentication * occurs. ** Typical use would be to make sure a session exists or to change the session Id to guard * against session-fixation attacks. * * @author Luke Taylor * @since */ public interface SessionAuthenticationStrategy { /** * Performs Http session-related functionality when a new authentication occurs. * * @throws SessionAuthenticationException if it is decided that the authentication is * not allowed for the session. This will typically be because the user has too many * sessions open at once. */ void onAuthentication(Authentication authentication, HttpServletRequest request, HttpServletResponse response) throws SessionAuthenticationException; }
spring security 提供了SessionAuthenticationStrategy接口,用來在登陸成功之后的處理session相關邏輯,它有個抽象類AbstractSessionFixationProtectionStrategyAbstractSessionFixationProtectionStrategy
spring-security-web-4.2.3.RELEASE-sources.jar!/org/springframework/security/web/authentication/session/AbstractSessionFixationProtectionStrategy.java
/** * Called when a user is newly authenticated. ** If a session already exists, and matches the session Id from the client, a new * session will be created, and the session attributes copied to it (if * {@code migrateSessionAttributes} is set). If the client"s requested session Id is * invalid, nothing will be done, since there is no need to change the session Id if * it doesn"t match the current session. *
* If there is no session, no action is taken unless the {@code alwaysCreateSession} * property is set, in which case a session will be created if one doesn"t already * exist. */ public void onAuthentication(Authentication authentication, HttpServletRequest request, HttpServletResponse response) { boolean hadSessionAlready = request.getSession(false) != null; if (!hadSessionAlready && !alwaysCreateSession) { // Session fixation isn"t a problem if there"s no session return; } // Create new session if necessary HttpSession session = request.getSession(); if (hadSessionAlready && request.isRequestedSessionIdValid()) { String originalSessionId; String newSessionId; Object mutex = WebUtils.getSessionMutex(session); synchronized (mutex) { // We need to migrate to a new session originalSessionId = session.getId(); session = applySessionFixation(request); newSessionId = session.getId(); } if (originalSessionId.equals(newSessionId)) { logger.warn("Your servlet container did not change the session ID when a new session was created. You will" + " not be adequately protected against session-fixation attacks"); } onSessionChange(originalSessionId, session, authentication); } }
如果是servlet3.1的話,則spring security默認的SessionAuthenticationStrategy就是ChangeSessionIdAuthenticationStrategySessionManagementConfigurer
spring-security-config-4.2.3.RELEASE-sources.jar!/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java
/** * Creates the default {@link SessionAuthenticationStrategy} for session fixation * @return the default {@link SessionAuthenticationStrategy} for session fixation */ private static SessionAuthenticationStrategy createDefaultSessionFixationProtectionStrategy() { try { return new ChangeSessionIdAuthenticationStrategy(); } catch (IllegalStateException e) { return new SessionFixationProtectionStrategy(); } }ChangeSessionIdAuthenticationStrategy
spring-security-web-4.2.3.RELEASE-sources.jar!/org/springframework/security/web/authentication/session/ChangeSessionIdAuthenticationStrategy.java
/** * Uses {@code HttpServletRequest.changeSessionId()} to protect against session fixation * attacks. This is the default implementation for Servlet 3.1+. * * @author Rob Winch * @since 3.2 */ public final class ChangeSessionIdAuthenticationStrategy extends AbstractSessionFixationProtectionStrategy { private final Method changeSessionIdMethod; public ChangeSessionIdAuthenticationStrategy() { Method changeSessionIdMethod = ReflectionUtils .findMethod(HttpServletRequest.class, "changeSessionId"); if (changeSessionIdMethod == null) { throw new IllegalStateException( "HttpServletRequest.changeSessionId is undefined. Are you using a Servlet 3.1+ environment?"); } this.changeSessionIdMethod = changeSessionIdMethod; } /* * (non-Javadoc) * * @see org.springframework.security.web.authentication.session. * AbstractSessionFixationProtectionStrategy * #applySessionFixation(javax.servlet.http.HttpServletRequest) */ @Override HttpSession applySessionFixation(HttpServletRequest request) { ReflectionUtils.invokeMethod(this.changeSessionIdMethod, request); return request.getSession(); } }
通過反射調用changeSessionId方法,具體是調用Request#changeSessionIdRequest#changeSessionId
tomcat-embed-core-8.5.23-sources.jar!/org/apache/catalina/connector/Request.java
/** * Changes the session ID of the session associated with this request. * * @return the old session ID before it was changed * @see javax.servlet.http.HttpSessionIdListener * @since Servlet 3.1 */ @Override public String changeSessionId() { Session session = this.getSessionInternal(false); if (session == null) { throw new IllegalStateException( sm.getString("coyoteRequest.changeSessionId")); } Manager manager = this.getContext().getManager(); manager.changeSessionId(session); String newSessionId = session.getId(); this.changeSessionId(newSessionId); return newSessionId; }
這里調用了manager.changeSessionId(session)ManagerBase#changeSessionId(session)
tomcat-embed-core-8.5.23-sources.jar!/org/apache/catalina/session/ManagerBase.java
@Override public void changeSessionId(Session session) { String newId = generateSessionId(); changeSessionId(session, newId, true, true); } protected void changeSessionId(Session session, String newId, boolean notifySessionListeners, boolean notifyContainerListeners) { String oldId = session.getIdInternal(); session.setId(newId, false); session.tellChangedSessionId(newId, oldId, notifySessionListeners, notifyContainerListeners); } /** * Generate and return a new session identifier. * @return a new session id */ protected String generateSessionId() { String result = null; do { if (result != null) { // Not thread-safe but if one of multiple increments is lost // that is not a big deal since the fact that there was any // duplicate is a much bigger issue. duplicates++; } result = sessionIdGenerator.generateSessionId(); } while (sessions.containsKey(result)); return result; }StandardSessionIdGenerator#generateSessionId
tomcat-embed-core-8.5.23-sources.jar!/org/apache/catalina/util/StandardSessionIdGenerator.java
public class StandardSessionIdGenerator extends SessionIdGeneratorBase { @Override public String generateSessionId(String route) { byte random[] = new byte[16]; int sessionIdLength = getSessionIdLength(); // Render the result as a String of hexadecimal digits // Start with enough space for sessionIdLength and medium route size StringBuilder buffer = new StringBuilder(2 * sessionIdLength + 20); int resultLenBytes = 0; while (resultLenBytes < sessionIdLength) { getRandomBytes(random); for (int j = 0; j < random.length && resultLenBytes < sessionIdLength; j++) { byte b1 = (byte) ((random[j] & 0xf0) >> 4); byte b2 = (byte) (random[j] & 0x0f); if (b1 < 10) buffer.append((char) ("0" + b1)); else buffer.append((char) ("A" + (b1 - 10))); if (b2 < 10) buffer.append((char) ("0" + b2)); else buffer.append((char) ("A" + (b2 - 10))); resultLenBytes++; } } if (route != null && route.length() > 0) { buffer.append(".").append(route); } else { String jvmRoute = getJvmRoute(); if (jvmRoute != null && jvmRoute.length() > 0) { buffer.append(".").append(jvmRoute); } } return buffer.toString(); } }
這段是tomcat生成sessionId的邏輯小結
spring security通過SessionAuthenticationStrategy,在登錄成功之后進行相關session處理,如果servlet3.1+,則使用ChangeSessionIdAuthenticationStrategy來更換sessionId,以防范session fixation attacks。
docSession fixation
會話固定攻擊
文章版權歸作者所有,未經允許請勿轉載,若此文章存在違規行為,您可以聯系管理員刪除。
轉載請注明本文地址:http://specialneedsforspecialkids.com/yun/11322.html
摘要:前提條件在源碼中可以看到,部署命令的操作是將模塊文件上傳在運行中的執行安裝操作。從幫助上看,部署命令的使用為模塊路徑網站用戶名密碼使用示例注意點閱讀源碼可以發現該命令只是安裝或者升級模塊的文件,并不會更新已經在運行的代碼。閱讀源碼的cli模塊發現一個遠程部署模塊的命令,在官方文檔并沒有說,發現隱藏功能! 解決的問題 在odoo里面寫界面是很煩人的,每次寫完需要重啟服務器并且到app界面點擊升...
摘要:學開發半年多,之前一直有個疑問為什么要用,好好的用不好嗎其實就是新技術與老技術,但是還是想弄懂這個問題之前一直疑惑,今天搞懂了,整合了一下學習過程,先對比一下與一簡述的生成方式與的生成方式的生成方式瀏覽器第一次訪問服務器時,服務器創建一個, 學開發半年多,之前一直有個疑問:為什么要用token,好好的用sessionID不好嗎(其實就是新技術與老技術,但是還是想弄懂)這個問題之前一直疑...
摘要:反序列化安全問題一這一段時間使用做開發,使用了存儲,閱讀了源碼,發現在存儲到過程中,利用了模塊進行序列化以及反序列化正好根據該樣例學習一波反序列化相關的安全問題,不足之處請各位表哥指出。 Python 反序列化安全問題(一) 這一段時間使用flask做web開發,使用了redis存儲session,閱讀了flask_session源碼,發現在存儲session到redis過程中,利用了...
摘要:,意為跨網站請求偽造,也有寫為。攻擊者偽造目標用戶的請求,然后此請求發送到有漏洞的網站,網站執行此請求后,引發跨站請求偽造攻擊。 CSRF(Cross Site Request Forgeries),意為跨網站請求偽造,也有寫為XSRF。攻擊者偽造目標用戶的HTTP請求,然后此請求發送到有CSRF漏洞的網站,網站執行此請 求后,引發跨站請求偽造攻擊。攻擊者利用隱蔽的HTTP連接,讓目標...
閱讀 1599·2021-11-02 14:48
閱讀 3651·2019-08-30 15:56
閱讀 2767·2019-08-30 15:53
閱讀 3208·2019-08-30 14:09
閱讀 3094·2019-08-30 12:59
閱讀 2853·2019-08-29 18:38
閱讀 2693·2019-08-26 11:41
閱讀 2209·2019-08-23 16:45