sun access manager, session not cleaned issue. Identity theft and impersonisation.

A high-security risk, leading to identity theft and impersonation. This security issue is mostly caused by lack of knowledge of security aspects on part of application developers/ architects.

PROBLEM

One person signs into a sun access manager policy-enabled application from a web browser.
After completing his task, he signs out and goes home relieved of his/ her work. But this machine is in public access, say some kiosk or cyber cafe.
Another user comes in and signs into the same application which the previous user used.

Viola....he logs into an application as the first person instead.

CAUSE

Sun access manager is responsible for deleting cookies of the application, which stores session and may store some other credentials too. Now one can only delete the cookies that belong to it. So in case, Sun access manager agent resides in www.xyz.com domain (see the site URL in the address bar for respective sites), it cannot delete cookies from another application from www.abc.com


Sun access manager sits on top of other applications and just behaves like a filter, it intercepts all incoming requests to the underlying application and if not authenticated for particular URI it redirects the requests to sign in a page or whatsoever configured. Authentication/ authorization and logout function should be left to Sun Access Manager.


The security risk arises when SAM (Sun Access Manager) is used either without proper preparation or lack of knowledge.

Now let us take the following use case:

  • Suppose the underlying application's URL is  www.abc.com and access manager's URL is www.xyz.com. That means both applications are in a separate domain.
  • www.abc.com writes cookies with some session related information.
  • SAM writes it's own cookies with domain www.xyz.com
  • User logs out of www.xyz.com in a good sense.
  • Application developers assume (and rightly so), that all session data will be cleared by their friend SAM.
  • SAM also do its duty and clear all the cookies that it created. It can delete cookies from its domain, but as its hands are tied it cannot delete cookies of www.abc.com.
  • Cookie from www.abc.com had some session information and that session is still alive on the application.
  • A new user logs in with his/ her credentials, but something strange happens. The new user logs into the system as an old user who just logged out a few moments before.


RESOLUTION

Go and get your system admin and ask to change the domain of either access manager or application.

Other programmatic solutions too are possible but don't use them. The best practice is to use boilerplate code from SAM and beware of wrong practices that can expose your users to security risks and hidden impersonation.

Comments

Post a Comment

Popular posts from this blog

Caused by: java.sql.SQLTimeoutException: ORA-01013: user requested cancel of current operation

Many times we encounter this error and think that there might be some JPA issue or network issue. However, the error is pretty explicit in its nature, but still not clear to ring the bell very first time. As the error says there is a timeout, and since Oracle is saying, we shall accept it. Another clue is "user requested cancel of current operation". This means that the connection was closed by the application server not the database server, hence it can be safely concluded that application has configured timeouts on transactions at its end. However, if you feel that this transaction should have been concluded within the application server limits, your doubt might be true. This problem can arise in case there is a lock on the record being updated by JPA or lock on the table in which JPA is attempting to insert. The lock is most probably being held by some other application, and since application server configuration is on aggressive SLA, the transaction is waiting its
Read more

HashiCorp Vault Integration with Ansible Etower using approle

Image
HashiCorp Vault is  a secrets management tool specifically designed to control access to sensitive credentials in a low-trust environment . It can be used to store sensitive values and at the same time dynamically generate access for specific services/applications on lease.  Integrating the vault with Ansible Etower provides robust and secure automation. Following is the step-by-step guide for the integration. Enable key-value secret engine in Hashi Vault (also known as "kv" engine). Let's call the engine, the "kv" engine. Create a secret inside "kv". A secret can be a collection of key-value pairs or a JSON for nested structure.            Lets assume that secrets are stored as JSON  in the format   { "my_app":{ "service_account_name": "some_service", "service_account_password": "some_password" } } Create a secret policy defining what can be done with the above-defined secret. Create an
Read more

utility to extract date from text with java

Image
A date pattern recognition algorithm to not only identify date pattern but also fetches probable date in Java date format. This algorithm is very fast and lightweight. The processing time is linear and all dates are identified in a single pass. Algorithm resolves date using tree traverse mechanism. Tree data structures are custom created to build supported date, time and month patterns. Following Trees are used (Note: ^ sign denotes complete pattern) DATE PATTERN TREE Month Pattern Tree (Jan and January both are valid, identified using ^ sign) Time pattern (Identified as suffix to Date, $ sign indicates SPACE character) Tree structures are used in the following algorithm.  Date Part Identification algorithm flowchart Time part identification algorithm flowchart These flow charts are self-explanatory in most part. --> sign is used to denote next match in respective tree structures. The algorithm also acknowledges multipl
Read more