Sunday, September 18, 2011

Session Puzzling and Session Race Conditions

Is It Really That Complicated?

Session Puzzling – An Indirect Application Attack Vector – Now Simplified

A couple of months ago, I published a paper on an under-emphasized application level attack vector nicknamed "Session Puzzling" – an attack pattern that can abuse improper usage of session variables (a.k.a "Session Puzzles") in order to impersonate users, elevate privileges, bypass security restrictions and even execute "traditional" attack vectors against applications, while bypassing any existing security mechanisms by attacking the application using a trusted input source.

Even though the paper was published alongside a training kit that was meant to demonstrate the various attack vectors (a vulnerable application called "puzzlemall"), the vast majority of responses I got have made me realize that most of the 2000 security professionals that were exposed to this attack did not manage to understand it.

Some of the responses associated the paper to unrelated attacks, some didn't understand the impact or the mechanics, and some responses even claimed that the attacks is too complicated to perform (!?!).
Although I know that the attack is not simple, and that several session puzzling vectors require 10+ requests, I refuse to believe it's that complicated.

Over the last couple of years, I have seen many commercial applications that were vulnerable to this attack (Oracle E-Business Suite Included), so I'm giving it one more shot before I'll let the attack fall into the "too complicated to explain" category, and keep it all to myself.

The original whitepaper/presentation can be downloaded from the following addresses (contains background, additional attack vectors and mitigations):

The project homepage: 

The following short movies demonstrate a few simple session puzzling sequences:
Authentication Bypass via Session Puzzling (Abusing common session variables):
User Impersonation via Session Puzzling (Abusing common session variables):
Session Puzzling via Redirection Prevention (Abusing Premature Session Population):
Bypassing Restrictions in Multiphase Processes via Session Puzzling (Abusing Common Session Flags)
The following POC movie demonstrates the attack against Oracle E-Business Suite (exception scenario - not relying on input):
The training kit can be downloaded from the following address:

Temporal Session Race Conditions and Layer Targeted ADoS

Although the original attack relied on the existence of persistent session values, an extended attack was presented last week (15th of September), in a local OWASP chapter meeting.
The extended method (nicknamed "Temporal Session Race Conditions") enables detecting & exploiting session puzzles even if the session variables have a lifespan of milliseconds (session-level race conditions), by increasing the latency of certain lines of code through the use of layer targeted denial of service attacks.

The original OWASP presentation:

The following movies demonstrate a few simple TSRC attacks:
Exploiting Temporal Session Race Conditions via Connection Pool Consumption:
Exploiting Temporal Session Race Conditions via RegEx DoS:
An extended version of "puzzlemall" which includes TSRC vulnerabilities (premium login page, requires MySQL):
A simple tool that can assist in the detection of TSRC connection pool consumption scenarios:

The following individuals contributed to the Session Puzzling / TSRC research in various ways, and helped me turn a bunch of ideas into a consistent methodology:
Oren Ofer, Oren Hafif, Alex Ganelis, Liran Sheinbox and Zafrir Grossman.

Additional Resources
An attack similar to session puzzling is mentioned under the name "session poisoning", but the session puzzling/TSRC sequences differ from this attack mainly by the lack of direct input dependency (see the multiphase restriction bypass scenario and the e-business suite exploit for the exception scenario), and expand the attack tool-set in the aspect of methodology, predefined sequencesscope of modules, complementary methods and usage of denial of service for extending the lifespan of temporary session variables.


  1. Shay-Chen, you've done some excellent security research here. Thank you for taking the time to explain it so well (I know that's a *lot* of time) and for setting up a demo application.

    BTW, if this concept alone seems hard to understand for some, imagine combining it with session fixation or session donation, and setting session variables in another user's session :)

    Thanks again, really well done!

  2. 10x man,
    It feels great to know that the effort was not in vain.

    Still curious about additional uses for the fascinating attack you presented in your latest lecture at the Source conference at Barcelona ("advanced binary planting")...
    Will let you know if I find anything interesting.

  3. Not in vain at all, Shay-Chen. When most eyes are on XSS, SQLi and CSRF, it's things like this, HTTP parameter pollution and, say, Insecure object mapping ( that fail to get enough attention and only few care to really think about. Such flaws are my favorite kind though: not really trivial to find but with potentially spectacular impact.