Threat Modeling Session Hijacking
OpenAI. (2024). ChatGPT (4) [Large language model]. https://chat.openai.com

Session hijacking, also known as cookie hijacking, involves an attacker taking over a user's session by obtaining or manipulating their session token (cookie) to impersonate the user on a web application. While multifactor authentication (MFA) adds a significant layer of security, it's primarily effective at the point of initial login and might not always protect against session hijacking after authentication has occurred.

Session Cookies

Once the user has successfully authenticated (with or without MFA) and a session is established, the session token becomes the authentication for subsequent requests. As the diagram below shows, this cookie is then presented on every subsequent request for as long as the cookie remains valid. Cookies are usually classified as session cookies or persistent cookies. Session cookies only last as long as the current browsing session (thereby limiting the total risk of compromise). Persistent cookies outlive the browsing session and are used by websites to remember a user and their preferences on that website.

https://dev.to/dennis1001/understanding-cookies-and-sessions-in-php-35k5

Creating the same model inside of IriusRisk produces the following diagram:

IriusRisk Session Hijacking Threat Model

This produced a total of 43 threats within IriusRisk over a range of different threat scenarios.

Session Hijacking Threat Model

Threat - The attacker acquires a session token (of an authenticated user) through techniques like XSS, malware, or token sniffing and uses that token to access unauthorized resources

Threat Types - Spoofing > Information Disclosure > Lateral Movement

Lack of Secure Connection (HTTPS)

Weakness: Communication is not secured with HTTPS, allowing data to be transmitted in plain text. CWE-319: Cleartext Transmission of Sensitive Information

Mitigation: Enforce HTTPS for all communications between clients and the server to ensure all data, including session cookies, is encrypted during transmission. Use HSTS (HTTP Strict Transport Security) to prevent SSL stripping attacks. (NIST SP 800-53 Ref - SC-8 Transmission Confidentiality and Integrity)

Vulnerabilities to Cross-Site Scripting (XSS)

Weakness: XSS vulnerabilities arise when a web application includes unvalidated or unescaped user input in its output. CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Mitigation: Implement robust input validation, output encoding, and use Content Security Policy (CSP) headers to prevent the browser from executing unauthorized scripts. Regularly review and update these measures to cover new types of XSS attacks. (NIST SP 800-53 Ref - SI-10 Information Input Validation & SC-7 Boundary Protection)
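The two halves of this mitigation, output encoding and a Content-Security-Policy header, as an added example that is not part of the original article. The comment-rendering functions, the policy string and the sample input are assumptions made for illustration, not code from any project the article describes.

```python
"""Added example (not from the original article): output encoding beside the
vulnerable form it replaces, plus a Content-Security-Policy header.
The rendering functions, the CSP value and the sample input are assumptions."""
import html
from typing import Dict

# Assumed policy: only same-origin scripts, no plugins, no <base> hijacking;
# inline <script> blocks are refused by the browser even if they slip into the page.
CSP_VALUE = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"
TEMPLATE_OPEN = "<p class='comment'>"
TEMPLATE_CLOSE = "</p>"


def render_comment_vulnerable(comment: str) -> str:
    # CWE-79: user input placed into HTML without neutralisation.
    return f"{TEMPLATE_OPEN}{comment}{TEMPLATE_CLOSE}"


def render_comment(comment: str) -> str:
    # Output encoding: <, >, &, and quotes become entities, so the browser
    # treats the entire value as text, never as markup.
    return f"{TEMPLATE_OPEN}{html.escape(comment, quote=True)}{TEMPLATE_CLOSE}"


def security_headers() -> Dict[str, str]:
    """Response headers a handler should add alongside the encoded output."""
    return {"Content-Security-Policy": CSP_VALUE}


def introduces_markup(rendered: str) -> bool:
    """Crude review check: does the fragment contain any tag beyond the template's own?"""
    body = rendered[len(TEMPLATE_OPEN):len(rendered) - len(TEMPLATE_CLOSE)]
    return "<" in body


# Constructed sample input: the kind of string a reviewer uses to test a comment field.
SAMPLE_INPUT = "<script>alert('xss')</script>"
```

Run `introduces_markup(render_comment_vulnerable(SAMPLE_INPUT))` against `introduces_markup(render_comment(SAMPLE_INPUT))` to see the difference encoding makes; the CSP header is the second line of defence for the case where some other handler forgets to encode.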

Insecure Cookie Attributes

Weakness: Cookies not configured with secure attributes such as HttpOnly, Secure, and SameSite. CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute & CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag

Mitigations:

  • HttpOnly: Set cookies with the HttpOnly attribute to prevent access via JavaScript. (NIST SP 800-53 Ref - SC-23 Session Authenticity)
  • Secure: Use the Secure attribute to ensure cookies are only sent over HTTPS connections. (NIST SP 800-53 Ref - SC-23 Session Authenticity)
  • SameSite: Use the SameSite attribute to prevent the browser from sending cookies in cross-origin requests, mitigating CSRF attacks. (NIST SP 800-53 Ref - SC-23 Session Authenticity)
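The transport and cookie hardening called for in the HTTPS section and in the cookie-attribute section above, as one added example that is not part of the original article: it emits an HSTS header and a session cookie carrying HttpOnly, Secure and SameSite, and audits an arbitrary Set-Cookie value for the attributes that are missing. The header values, cookie name and constructed weak header are assumptions.

```python
"""Added example (not from the original article): emit the HSTS header and a
hardened session cookie, and audit a Set-Cookie value for missing attributes.
Header values and the cookie name are assumptions."""
from http.cookies import SimpleCookie
from typing import Dict, List

# HSTS: one year, including subdomains, so the browser refuses plain HTTP after the first visit.
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def session_cookie_header(name: str, token: str, max_age: int = 1800) -> str:
    """Build a Set-Cookie value with the three attributes the threat model requires."""
    cookie = SimpleCookie()
    cookie[name] = token
    morsel = cookie[name]
    morsel["httponly"] = True       # CWE-1004: not readable from JavaScript
    morsel["secure"] = True         # CWE-614: only sent over HTTPS
    morsel["samesite"] = "Strict"   # not attached to cross-site requests (CSRF)
    morsel["path"] = "/"
    morsel["max-age"] = max_age     # short-lived (assumed 30 minutes)
    return morsel.OutputString()


def hardened_response_headers(cookie_name: str, token: str) -> Dict[str, str]:
    """Headers a login handler returns once authentication succeeded."""
    return {
        "Strict-Transport-Security": HSTS_VALUE,
        "Set-Cookie": session_cookie_header(cookie_name, token),
    }


def audit_set_cookie(header_value: str) -> List[str]:
    """Return findings for a Set-Cookie value; an empty list means it passes."""
    parts = [p.strip() for p in header_value.split(";")]
    attrs: Dict[str, str] = {}
    for part in parts[1:]:                      # parts[0] is name=value
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    findings: List[str] = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly (CWE-1004)")
    if "secure" not in attrs:
        findings.append("missing Secure (CWE-614)")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite absent or None")
    return findings


# Constructed weak header for illustration; compare with session_cookie_header("sid", "...").
WEAK_HEADER = "sid=abc123; Path=/; SameSite=None"
```

`audit_set_cookie` is the kind of check worth running over a proxy capture of your own application's responses during review: the weak constructed header yields three findings, the helper-built one yields none.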

Insufficient Session Management

Weakness: Poor session management practices like predictable session tokens, long session durations, and lack of session validation. CWE-384: Session Fixation, CWE-331: Insufficient Entropy, CWE-613: Insufficient Session Expiration

Mitigations:

  • Use strong, unpredictable session tokens with high entropy to prevent brute-force and guessing attacks. (NIST SP 800-53 AC-12: Session Control)
  • Set short session timeouts and prompt for re-authentication for sensitive operations or after periods of inactivity. (NIST SP 800-53 Ref - AC-12 Session Termination)
  • Implement regular session validation checks to detect anomalies that may indicate session hijacking. (NIST SP 800-53 Ref - AC-2 Account Management)
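A minimal server-side session store that applies the three mitigations listed above, as an added example that is not part of the original article: high-entropy tokens, idle and absolute timeouts, token rotation at login (against session fixation) and a per-request validation check that treats a changed client fingerprint as an anomaly. The timeout values, the fingerprint (for instance a hash of the User-Agent) and the fake clock are assumptions made so the example runs offline.

```python
"""Added example (not from the original article): a session store with
high-entropy tokens, idle/absolute expiry, rotation at login and a
per-request validation check. Policy values and the fingerprint are assumptions."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

IDLE_TIMEOUT = 15 * 60        # assumed policy: re-authenticate after 15 minutes of inactivity
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed policy: hard cap on session lifetime regardless of activity


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float
    fingerprint: str  # assumption: e.g. hash of User-Agent; a change is flagged as an anomaly


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, Session] = {}
        self._clock = clock  # injectable so expiry logic can be exercised deterministically

    def create(self, user_id: str, fingerprint: str) -> str:
        # CWE-331 mitigation: 32 bytes (256 bits) from the OS CSPRNG, never a counter or timestamp.
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user_id, now, now, fingerprint)
        return token

    def rotate(self, old_token: str, user_id: str, fingerprint: str) -> str:
        # CWE-384 mitigation: whatever token the client arrived with is discarded at login
        # and the authenticated identity is bound to a brand-new token.
        self._sessions.pop(old_token, None)
        return self.create(user_id, fingerprint)

    def destroy(self, token: str) -> None:
        self._sessions.pop(token, None)

    def validate(self, token: str, fingerprint: str) -> Tuple[Optional[str], str]:
        """Return (user_id, "ok") for a live session, else (None, reason)."""
        session = self._sessions.get(token)
        if session is None:
            return None, "unknown-token"
        now = self._clock()
        if now - session.last_seen > IDLE_TIMEOUT:        # CWE-613 mitigation
            self.destroy(token)
            return None, "idle-timeout"
        if now - session.created_at > ABSOLUTE_TIMEOUT:   # CWE-613 mitigation
            self.destroy(token)
            return None, "absolute-timeout"
        if fingerprint != session.fingerprint:            # anomaly check: force re-authentication
            self.destroy(token)
            return None, "client-mismatch"
        session.last_seen = now
        return session.user_id, "ok"


class FakeClock:
    """Constructed clock so the example runs offline and deterministically."""
    def __init__(self, start: float = 1_700_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> Dict[str, str]:
    """Walk one session through login rotation, idle timeout and a client mismatch."""
    clock = FakeClock()
    store = SessionStore(clock)
    pre_auth = store.create("anonymous", "ua-hash-1")            # token issued before login
    token = store.rotate(pre_auth, "alice", "ua-hash-1")          # rotated when alice logs in
    results = {
        "old_token": store.validate(pre_auth, "ua-hash-1")[1],
        "fresh": store.validate(token, "ua-hash-1")[1],
    }
    clock.advance(IDLE_TIMEOUT + 1)
    results["after_idle"] = store.validate(token, "ua-hash-1")[1]
    token2 = store.create("alice", "ua-hash-1")
    results["mismatch"] = store.validate(token2, "ua-hash-2")[1]
    return results
```

The absolute timeout is what stops a stolen token from being kept alive indefinitely by regular use; the idle timeout limits the window after the legitimate user walks away. Which reasons should trigger an alert versus a silent re-login prompt is a policy decision the store leaves to the caller.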

Malware on Client Devices

Weakness: Client devices compromised by malware can undermine the security of applications, including web browsers. CWE-506: Embedded Malicious Code

Mitigations:

  • Install reputable anti-malware software and keep it updated. (NIST SP 800-53 Ref - SI-3 Malicious Code Protection)
  • Educate users about safe browsing habits and the importance of regular system updates. (NIST SP 800-53 Ref - PL-8 Security and Privacy Awareness and Training)
  • Implement endpoint security measures and monitor network activity for signs of malicious behavior. (NIST SP 800-53 Ref - SI-3 Malicious Code Protection)

Insufficient Network Security

Weakness: Networks, especially public or unsecured Wi-Fi networks, lack robust security measures. CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Mitigations:

  • Use VPNs (Virtual Private Networks) to secure network traffic when accessing the web application from insecure locations. (NIST SP 800-53 Ref - AC-17 Remote Access & SC-7 Boundary Protection)
  • Implement network segmentation and strong encryption on organizational networks. (NIST SP 800-53 Ref - SC-7 Boundary Protection)
  • Educate users about the risks of using public Wi-Fi for accessing sensitive applications and guide them on using secure networks.

Conclusion

The continuous evolution of cyber threats necessitates vigilant security practices. While MFA provides a strong initial defense, comprehensive session management and proactive security measures are crucial to safeguard against the persistent threat of session hijacking. It is not just about securing a session token; it is about ensuring a holistic security posture that adapts to emerging threats and secures all facets of user interaction on the web.


omer kose

Senior Security Architect

10 months

Good write-up!

Vien P.

Cloud Security Architect

10 months

Do you have a video for this or just the post? What great material!
