Re: Citrix Gateway & Cloud MFA - Insufficient Session Validation Vulnerability

[Jeffrey Walton <noloader () gmail com>]

On Sun, Jul 16, 2023 at 7:39 PM Jens Timmerman <jens () caret be> wrote:
> On 03/07/2023 16:59, info () esec-service de wrote:
> > Document Title:
> > ===============
> > Citrix Gateway&Cloud MFA - Insufficient Session Validation Vulnerability
> >
> >
> > Technical Details & Description:
> > ================================
> > An insufficient session validation web vulnerability was discovered in
> > the Citrix Gateway (ADC/NetScaler) 13.0 & 13.1 web-application, Cloud
> > and AAA Feature.
> > The security vulnerability allows remote attackers to bypass the mfa
> > function by hijacking the session data of an active user (non expired
> > session) to followup
> > with further compromising attacks.
>
>
> I've been working with a lot of products I believe that are vulnerable
> to a very similar exploit, and I was wondering how one should fix
> this/protect against this attack?
>
> I looked at
> https://owasp.org/www-community/attacks/Session_hijacking_attack
> <https://owasp.org/www-community/attacks/Session_hijacking_attack> but
> the page linking to the related controls doesn't seem to exist.
>
> On
> https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
> I can read.
>
> With the goal of detecting (and, in some scenarios, protecting against)
> user misbehaviors and session hijacking, it is highly recommended to
> bind the session ID to other user or client properties, such as the
> client IP address, User-Agent, or client-based digital certificate. If
> the web application detects any change or anomaly between these
> different properties in the middle of an established session, this is a
> very good indicator of session manipulation and hijacking attempts, and
> this simple fact can be used to alert and/or terminate the suspicious
> session.
>
> So binding a session server side to an ip address and browser
> fingerprint can detect if this is ongoing, but a sophisticated attacker
> could still pull this off.
>
> Can someone point me to some information on what the industry best
> practices are to protect against this type of attack?

There's also https://en.wikipedia.org/wiki/Session_hijacking#Prevention

One thing Jim Manico of OWASP recommends is to (re)prompt the user for
their password on occasion, like when performing a high value
operation. That will effectively re-authenticate a user before a high
value operation. Attackers with a cookie but without the user's
password should fail the re-authentication challenge.

Jeff
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/