So you can grok the title of this post: anyone remember that awful '50s documentary that tried to scare everyone into not smoking marijuana? Reefer Madness! What I am getting at is this: back in early 2004 I reported a vulnerability in PHP and got ridiculed by a developer for even pointing out the issue. He said, in a roundabout way, that I was suffering from Reefer Madness Syndrome, that is to say, that I was hyping an essentially benign issue and trying to scare everybody with it. Well, I was really busy back then and didn't feel like debating the issue, so I let it drop. The flaw was later silently fixed in some 5-dot-something release in 2006.
But still, the idea interests me because I am curious about the degree to which it's a localized problem in older versions of PHP or a broader issue. The root cause of what I called Session ID Pollution during my talk at OWASP AppSec 2007 is a failure to sanitize the session ID of a web application, allowing an attacker to append junk to it which then gets passed around by the web application. The appended junk is essentially ignored by the application itself, but as it's passed between content brokers like proxies or content portals, it has the potential to do harm. One specific example that I cited was appending <script>foo</script> to a valid session ID token; as that information is passed around, it can become cached or directly execute within a web portal when a user follows a link. Wrapping your head around this issue is really a two-part process:
1. A web application allows a user to append arbitrary data to a session ID token, and this data is not filtered or sanitized but is transmitted as if it were part of the valid session ID, like so:
SessionID=24378923479<script>malicious code</script>
The script gets more or less tacked on to the end of the session ID. It doesn't affect or disrupt the session, but it's not stripped away or sanitized either, so it effectively becomes part of the session ID as it's passed around; it's just not the part of the session ID that the application cares about. This is the benign aspect of the vulnerability. But don't read "benign" too literally, because, in the same way a person or animal can carry a disease, manifest no outward symptoms, and yet spread it around (just like the monkey in the movie Outbreak with Dustin Hoffman), the application carries the payload without itself being harmed.
2. The polluted session ID is then passed around various applications, and thus has the potential to be executed when one of these other applications parses the URI in question while presenting data to the user. This is the part of the movie where the monkey gives the disease to everybody in the village and the UN has to drop a fuel-air bomb on it. The original application hands off its polluted session ID to a content broker, content portal, proxy, or web logging server. So a user follows a link to a web application; the application does not filter the session ID, and the malicious content contained in the link is preserved. In fact, the application goes so far as to assign the user a new session ID but preserves the data appended onto the session ID in the original request. But when the user receives the response from the application, the malicious code executes in their browser as the polluted session ID is parsed by the proxy sitting between the user and the application.
OK... so what? (The "so what" test is a venerable tradition of college debaters. Subjecting an argument to the rigors of the "so what" test requires asking whether anybody gives a damn.) Evidently, when I reported this issue back in 2004, it didn't pass the so-what test of the developer to whom I reported it. Objections to the significance of so-called "Session ID Pollution" were as follows:
1. It's not the fault of the application, or a bug in the application; it's the proxy's problem. I.e., the content portal, proxy, or broker should filter hazardous characters from input, not pass potentially harmful data off to the user.
2. The issue is not new; it's just lame old boring cross-site scripting.
3. You're a lamer for bringing this issue to my inbox.
My rejoinder: applications and servers should ensure that the session ID doesn't contain harmful or dangerous characters and that it has not been modified. Failure to do so means increased risk that some other application will receive dangerous input from the application. One simple example is WebTrends-like software that logs browsed URLs and does so in an insecure fashion. When someone views the log, the script executes in their browser. Yes, it's a problem of the logging software, but the application, which transmits the information unsanitized, is being abused by the attacker to get their exploit into the proper attack vector where it can have its impact. Now, we shouldn't go about blunting our scissors because it's unsafe to run with them, but in the case of sanitizing the session ID there really is no good reason for someone to be able to append arbitrary data onto it, and failure to check for and prevent its modification is, I suggest, a vulnerability.
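Both halves of the problem described in points 1 and 2 above, together with the two checks argued over in the rejoinder (the application's strict session ID check, and the escaping a downstream log viewer or portal must do anyway), as an added example that is not code from the original post. It is written in Python as a language-neutral sketch (the flaw discussed was in PHP's session handling); the parameter name "SessionID", the digits-only ID format and the request URL are constructed for the example.

```python
import html
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Added example, not code from the original post. It models both halves of
# "Session ID Pollution": an application that accepts a session token with
# junk appended, and a downstream consumer (log viewer, portal) that renders
# the URL it was handed. The parameter name "SessionID", the digits-only ID
# format and the sample URL below are constructed for this example.
SESSION_PARAM = "SessionID"
VALID_SESSION_ID = re.compile(r"[0-9]{8,32}")

# Constructed request: '<' and '>' sent unencoded, as many clients once did;
# the '+' decodes to a space when the query string is parsed.
POLLUTED_URL = ("https://app.example/account?SessionID="
                "24378923479<script>malicious+code</script>")


def session_token_from_url(url: str) -> Optional[str]:
    """Return the raw session token from the query string, or None."""
    values = parse_qs(urlsplit(url).query).get(SESSION_PARAM)
    return values[0] if values else None


def polluted_tail(token: str) -> str:
    """Whatever follows the leading digits: the part a lax application
    ignores when looking up the session yet still carries around."""
    match = re.match(r"[0-9]+", token)
    return token[match.end():] if match else token


def accept_session_id(token: str) -> Optional[str]:
    """The check the application should make: the whole token must match
    the expected format. None means 'discard it and mint a fresh ID'."""
    return token if VALID_SESSION_ID.fullmatch(token) else None


def render_log_line(url: str) -> str:
    """What a log viewer or portal must do regardless of what upstream did:
    HTML-escape the URL before embedding it in a page."""
    return "<li>" + html.escape(url, quote=True) + "</li>"


if __name__ == "__main__":
    token = session_token_from_url(POLLUTED_URL)
    print("polluted tail:", polluted_tail(token))
    print("strict accept:", accept_session_id(token))
    print("escaped log:  ", render_log_line(POLLUTED_URL))
```

A lax application would key its session store on the leading digits and forward the whole token; the strict check rejects the token outright, and the escaped log line stays inert even if an upstream application forwarded it unchecked.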
At OWASP AppSec 2007 I called this vulnerability "Session ID Pollution." Because I'm interested in the topic and have been for a few years, you will be hearing more about this from me as I continue to research the issue. Also, at the conference where I recently presented on this topic I was challenged that the problem is only a PHP problem, and for that, at present, I have no answer. More to follow.
-Tom S.