If someone wants to make life difficult for a mORMot user, it is possible to close a session by using an already used session_signature:
(1) http://localhost:8888/root/Person?session_signature=0008277fd9e786aded76b248
first captured URL
(2) http://localhost:8888/root/auth?UserName=Admin&Session=534399&session_signature=0008277fd9e786aded76b248
new prepared URL with the same signature
best regards,
Maciej Izak
If you know the last session_signature, it is possible to close the session by using the same session_signature that was used before in another context (for example for viewing some data). IMO this behavior should be blocked.
Maybe it would be good to somehow store the last used session_signature generated by TSQLRestServerAuthenticationDefault, for blocking purposes?
best regards,
Maciej Izak
How do you know the last session_signature of another user?
@hnb
Which authentication are you using?
Are you using the latest framework version, including ticket http://synopse.info/fossil/tktview?name=7723fa7ebd ?
AFAIK
http://localhost:8888/root/auth?UserName=Admin&Session=534399&session_signature=0008277fd9e786aded76b248
should be rejected in TSQLRestServerAuthentication*.RetrieveSession() so Ctxt.Session=0, and therefore TSQLRestServerAuthentication.AuthSessionRelease should not release the session.
@danielkuettner By using a web sniffer?
@ab
1. tested with fresh rev. 2fbeef2825
2. the authentication used is TSQLRestServerAuthenticationDefault
3. tested with the modified RESTserver demo - Sample 28 with authentication:
...
aRestServer := TSQLRestServerDB.Create(aModel,':memory:',true); // authentication=true
...
4. for testing the modified Sample 28 I have created a small tool:
program SessionSignatureTool; // program header added so the snippet compiles as a Delphi console project

{$APPTYPE CONSOLE}
{$R *.res}

uses
  System.SysUtils,
  SynCrossPlatformJSON,
  SynCrossPlatformSpecific,
  SynCrossPlatformCrypto,
  SynCrossPlatformREST;

var
  Login, Passwd, nonce: string;
  aServerNonce, aClientNonce: string;
  PasswordHashHexa, aPassHash, IdAndKey, fSessionIDHexa8, aSessionID: string;
  fSessionPrivateKey: Cardinal;
  i: integer;
  c: char;

begin
  Login := 'Admin';
  Passwd := 'synopse';
  // step 1: the server nonce returned by /root/Person/auth?UserName=Admin
  WriteLn('Server nonce:');
  ReadLn(aServerNonce);
  aClientNonce := SHA256Compute([Copy(NowToIso8601,1,16)]);
  PasswordHashHexa := SHA256Compute(['salt',Passwd]);
  // PassWord parameter = SHA256(root + ServerNonce + ClientNonce + UserName + SHA256('salt'+password))
  aPassHash := SHA256Compute(['root',aServerNonce,aClientNonce,
    Login,PasswordHashHexa]);
  WriteLn('Client nonce = ', aClientNonce);
  WriteLn('Pass = ', aPassHash);
  // step 2: the "SessionID+PrivateKey" answer of /root/Person/auth?UserName=Admin&PassWord=..&ClientNonce=..
  WriteLn('SessionID+PrivateKey:');
  ReadLn(IdAndKey);
  i := 1;
  GetNextCSV(IdAndKey,i,aSessionID,'+');
  fSessionIDHexa8 := LowerCase(IntToHex(StrToInt(aSessionID),8));
  // the session private key depends only on the server answer and the password hash,
  // so it is computed once instead of on every loop iteration
  fSessionPrivateKey := crc32ascii(crc32ascii(0,IdAndKey),PasswordHashHexa);
  repeat
    // session_signature = SessionID (hex8) + nonce (hex8) + crc32(crc32(key,nonce),'root/Person') (hex8)
    nonce := LowerCase(IntToHex(trunc(Now*(24*60*60)),8));
    WriteLn(fSessionIDHexa8+nonce+LowerCase(IntToHex(
      crc32ascii(crc32ascii(fSessionPrivateKey,nonce),'root/Person'),8)));
    ReadLn(c); // Enter = next signature, 'q' = quit
  until c = 'q';
end.
As the first parameter for the attached tool, pass the "Server nonce": the result of http://localhost:8888/root/Person/auth?UserName=Admin
You will receive "Pass" and "Client nonce" from the tool.
As the second parameter for the attached tool, pass the result of http://localhost:8888/root/Person/auth?UserName=Admin&PassWord={Pass}&ClientNonce={Client nonce}
You will receive a session_signature for testing purposes. By pressing Enter in the tool you will get the next session_signature.
Last edited by hnb (2015-11-05 19:48:16)
best regards,
Maciej Izak
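The server-side check ab describes above (RetrieveSession() leaving Ctxt.Session at 0) together with the signature construction from the tool, modelled in Python as an added example that is not mORMot's Delphi code: because the MAC part of session_signature covers the requested URL, a signature captured on root/Person must not be accepted on root/auth to release the session. Assumptions: crc32ascii is the standard zlib-compatible CRC-32, and the "SessionID+PrivateKey" answer is a constructed value.

```python
import hashlib
import hmac
import string
import zlib

def crc32ascii(crc, s):
    # mORMot's crc32ascii is assumed here to be the standard zlib-compatible CRC-32
    return zlib.crc32(s.encode("ascii"), crc) & 0xFFFFFFFF

def sign(session_id, private_key, nonce, url):
    # session_signature = SessionID hex8 + nonce hex8 + crc32(crc32(key, nonce), url) hex8
    return f"{session_id:08x}{nonce}{crc32ascii(crc32ascii(private_key, nonce), url):08x}"

def retrieve_session(full_url, sessions):
    # Server-side check modelled on RetrieveSession(): the signed part of the URL is
    # everything before the session_signature parameter; returns the session ID, or 0
    for sep in ("&session_signature=", "?session_signature="):
        idx = full_url.find(sep)
        if idx >= 0:
            signed_url, sig = full_url[:idx], full_url[idx + len(sep):]
            break
    else:
        return 0
    if len(sig) != 24 or not all(ch in string.hexdigits for ch in sig):
        return 0
    session_id, nonce = int(sig[:8], 16), sig[8:16]
    key = sessions.get(session_id)
    if key is None:
        return 0
    # the MAC covers the URL actually requested, so a signature captured on
    # root/Person must not validate on root/auth?...: Ctxt.Session stays 0
    if not hmac.compare_digest(sign(session_id, key, nonce, signed_url), sig.lower()):
        return 0
    return session_id

def auth_session_release(full_url, sessions):
    # release only if the signature validates for this exact URL and Session= matches it
    session_id = retrieve_session(full_url, sessions)
    params = dict(p.split("=", 1) for p in full_url.partition("?")[2].split("&") if "=" in p)
    if session_id == 0 or params.get("Session") != str(session_id):
        return False
    del sessions[session_id]
    return True

# Constructed sample values: Sample 28 defaults (Admin/synopse); the "SessionID+PrivateKey"
# answer is made up, the session ID 534399 and the nonce come from the captured URL above
PASSWORD_HASH_HEXA = hashlib.sha256(b"saltsynopse").hexdigest()  # SHA256Compute(['salt',Passwd])
SESSION_ID, NONCE = 534399, "d9e786ad"
PRIVATE_KEY = crc32ascii(crc32ascii(0, "534399+0123456789abcdef"), PASSWORD_HASH_HEXA)
SESSIONS = {SESSION_ID: PRIVATE_KEY}
```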
@hnb
Why don't you use SSL and basic auth when you want a secure solution? If you sniff this you won't find a session_signature.
Perhaps you have found a "bug" when using http+session, but even if you "close" it, you won't have a secure solution.
If you can sniff a session_signature you can also sniff the whole communication. Sure, you can encrypt it, but you have the unencrypted initialization part (you can read the URI) and then you will come to SSL.
@danielkuettner
This is only a bug report. I want mORMot to be as perfect a framework as possible. I want to see mORMot as an alternative to Java EE.
best regards,
Maciej Izak
@ab Yes, you are right. It was created for fun, to see how the session_signature is created "step-by-step" without using a debugger to track the code inside the mORMot framework, just minimal code to create a new session for the modified "Sample 28". Unexpectedly useful for finding bugs in the authorization scheme (like the problem mentioned in this topic, or like http://synopse.info/forum/viewtopic.php?id=2977 ).
best regards,
Maciej Izak