#1 2015-11-04 19:38:03

hnb
Member
Registered: 2015-06-15
Posts: 290

Session can be closed by already used signature

if someone wants to make life difficult for mORMot user, there is possible to close session by already used session_signature

(1) http://localhost:8888/root/Person?session_signature=0008277fd9e786aded76b248

first captured URL

(2) http://localhost:8888/root/auth?UserName=Admin&Session=534399&session_signature=0008277fd9e786aded76b248

new prepared URL with the same signature


best regards,
Maciej Izak

Offline

#2 2015-11-04 23:43:31

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,664
Website

Re: Session can be closed by already used signature

In which context?

Offline

#3 2015-11-05 07:22:20

hnb
Member
Registered: 2015-06-15
Posts: 290

Re: Session can be closed by already used signature

If you know last session_signature is possible to close session by using the same session_signature used before in other context (for example for viewing some data). IMO this behavior should be blocked.

Maybe is good to store somehow last used session_signature generated by TSQLRestServerAuthenticationDefault for blocking purpose?


best regards,
Maciej Izak

Offline

#4 2015-11-05 17:12:09

danielkuettner
Member
From: Germany
Registered: 2014-08-06
Posts: 357

Re: Session can be closed by already used signature

How do you know the last session_signature of an other user?

Offline

#5 2015-11-05 17:26:25

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,664
Website

Re: Session can be closed by already used signature

@hnb

Which authentication are you using?
Are you using the latest framework version, including ticket http://synopse.info/fossil/tktview?name=7723fa7ebd ?

AFAIK
http://localhost:8888/root/auth?UserName=Admin&Session=534399&session_signature=0008277fd9e786aded76b248
should be rejected in TSQLRestServerAuthentication*.RetrieveSession() so Ctxt.Session=0, and therefore TSQLRestServerAuthentication.AuthSessionRelease should not release the session.

Offline

#6 2015-11-05 19:35:37

hnb
Member
Registered: 2015-06-15
Posts: 290

Re: Session can be closed by already used signature

@danielkuettner by using websniffer?

@ab

1. tested with fresh rev. 2fbeef2825
2. used authentication is TSQLRestServerAuthenticationDefault
3. tested with modified RESTserver demo - Sample 28 with authentication:

...
aRestServer := TSQLRestServerDB.Create(aModel,':memory:',true); // authentication=true
...

4. for testing modified Sample 28 I have created small tool:

{$APPTYPE CONSOLE}

{$R *.res}

uses
  System.SysUtils,
  SynCrossPlatformJSON,
  SynCrossPlatformSpecific,
  SynCrossPlatformCrypto,
  SynCrossPlatformREST;

var
  Login, Passwd, nonce: string;
  aServerNonce, aClientNonce: string;
  PasswordHashHexa, aPassHash, IdAndKey, fSessionIDHexa8, aSessionID: string;
  fSessionPrivateKey: Cardinal;
  i: integer;
  c: char;
begin
  Login := 'Admin';
  Passwd := 'synopse';

  WriteLn('Server nonce:');
  ReadLn(aServerNonce);

  aClientNonce := SHA256Compute([Copy(NowToIso8601,1,16)]);
  PasswordHashHexa := SHA256Compute(['salt',Passwd]);
  aPassHash := Sha256Compute(['root',aServerNonce,aClientNonce,
    Login,PasswordHashHexa]);
  WriteLn('Client nonce = ', aClientNonce);
  WriteLn('Pass = ', aPassHash);
  WriteLn('SessionID+PrivateKey:');
  ReadLn(IdAndKey);

  i := 1;
  GetNextCSV(IdAndKey,i,aSessionID,'+');

  fSessionIDHexa8 := LowerCase(IntToHex(StrToInt(aSessionID),8));

  repeat
  fSessionPrivateKey := crc32ascii(crc32ascii(0,IdAndKey),PasswordHashHexa);
  nonce := LowerCase(IntToHex(trunc(Now*(24*60*60)),8));

  WriteLn(fSessionIDHexa8+nonce+LowerCase(IntToHex(
    crc32ascii(crc32ascii(fSessionPrivateKey,nonce),'root/Person'),8)));
    readln(c);
  until c = 'q';
end.

as first parameter for attached tool pass "Server nonce" - result of http://localhost:8888/root/Person/auth?UserName=Admin
you will receive "Pass" and "Client nonce" from tool
as second parameter for attached tool pass result of http://localhost:8888/root/Person/auth?UserName=Admin&PassWord={Pass}&ClientNonce={Client nonce}
you will receive session_signature for testing purpose. by pressing enter in tool you will get next session_signature.

Last edited by hnb (2015-11-05 19:48:16)


best regards,
Maciej Izak

Offline

#7 2015-11-05 20:01:42

danielkuettner
Member
From: Germany
Registered: 2014-08-06
Posts: 357

Re: Session can be closed by already used signature

@hnb
Why don't you use SSL and basic auth when you want a secure solution? If you sniff this you won't find a session_signature.
Perhaps you have find a "bug" under using http+session, but even if you "close" it, you won't have a secure solution.

If you can sniff a session_signature you can also sniff the whole communication. Sure, you can encrypt it, but you have the unencrypted initialization part (you can read the URI) and than you will come to SSL.

Offline

#8 2015-11-05 20:34:07

hnb
Member
Registered: 2015-06-15
Posts: 290

Re: Session can be closed by already used signature

@danielkuettner

This is only bug report. I want perfect mORMot framework as possible. I want to see mORMot as alternative for Java EE smile.


best regards,
Maciej Izak

Offline

#9 2015-11-05 20:48:12

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,664
Website

Re: Session can be closed by already used signature

@hnb
I do not understand what your sample shows: it is a way to create a new session when you know the user and password, right?

Offline

#10 2015-11-05 21:16:51

hnb
Member
Registered: 2015-06-15
Posts: 290

Re: Session can be closed by already used signature

@ab Yes, you are right. It was created for fun to see how is created session_signature "step-by-step", without using debugger to track code inside mORMot framework, just minimal code usage to create new session for modified "Sample 28". Unexpectedly useful to finding bugs in authorization scheme (like mentioned problem in this topic or like http://synopse.info/forum/viewtopic.php?id=2977 ).


best regards,
Maciej Izak

Offline

Board footer

Powered by FluxBB