Spot the Bug! : Spot the Bug

Saturday, July 23, 2005 12:37 PM rsamona

Spot the Bug - July 23, 2005

The first bug was just a warm-up and people were asking for a more difficult bug. What's wrong with this chunk of code, and better yet, how do you fix it?
Courtesy of Shanit Gupta, Consultant, Foundstone

private HttpCookie SessionIdentifier ()
{
   HttpCookie myCookie = new HttpCookie("SessionId");
   Random objRand = new Random (DateTime.Now.Millisecond);
   myCookie.Value(“SessionId”) = random(objRand.Next()) ;
   return myCookie;
}

Solution:

There was a good chat around this one. Here's one good way to implement it:

byte[] randomCharacters = new Byte[64];

//RNGCryptoServiceProvider is an implementation of a random number generator.

RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();

private HttpCookie SessionIdentifier (RNGCryptoServiceProvider cryptoRNG)
{
HttpCookie myCookie = new HttpCookie("SessionId")
crptoRNG.GetBytes(randomCharacters); // The array is now filled with cryptographically strong random bytes.
myCookie.Value(“SessionId”) = randomCharacters.toString(); return myCookie;
}

Description: Many developers think that a function/class such as “random” or likes is capable of generating random numbers that are not predictable. Some of them go on to believe that that time in seconds or even milliseconds can server as a good random number or at least a good seed for the random number. Further the deterministic nature of computers makes it extremely simple to calculate the seed of PRNG and the following pseudo random numbers provided a good sample of inputs are available. We recommend the use of cryptographically secure PRNGs which do not generate the same set of random numbers even when seeded with the same string. More information can be found here.

Filed under: Bug Squashed

Comments

# re: Spot the Bug - July 23, 2005

Saturday, July 23, 2005 4:19 PM by Kirk Marple

Millisecond will only range from 0-999, so there are only 1000 choices for SessionId.

DateTime.Now.Ticks would be a better choice for a random value.

# re: Spot the Bug - July 23, 2005

Saturday, July 23, 2005 4:31 PM by Ron

Big threading issue :)

# re: Spot the Bug - July 23, 2005

Saturday, July 23, 2005 4:32 PM by Steven

What's even worse is that, if two requests come in on the same millisecond, they will have the same session ID.

objRand should not be local to the SessionIdentifier function.

# re: Spot the Bug - July 23, 2005

Saturday, July 23, 2005 4:38 PM by mihailik

1. If 2 indentifiers are requested at same time on different threads, it will result in same session ids.

2. Of couse, Kirk are right (partially). Random class have parameterless constructor, that randomize by time and (possible) by processor-suplied randomization.

3. System.Random instance should be static, and it will solve problem (1). However, static instance require thread synchronization (locks), because Random class is not thread-safe.

4. Random class is inapropriate for highest level of security. There is right class in System.Security.Cryptography. However, cookie authorization is not pure way for high-secure sites.

# re: Spot the Bug - July 23, 2005

Saturday, July 23, 2005 4:44 PM by Nat

I would say
1. the random is not equally distributed. Make it easier to hack into a session that use lower value as a cookie session id
2. the range is too limited. the possible range is only from 0 to 999. If there are more than 1000 people visiting the website, there will be more than one person using the same cookie
3. I don't what function random (with small cap) does though :) convert number into string?
4. session id is not encrypted :P

# re: Spot the Bug - July 23, 2005

Saturday, July 23, 2005 4:57 PM by Nat

Oops my bad... didn't mean to send it. Here is the actual one.

1. There will be only 1000 possible value. Since after you construct Random object. It will give you the first value from the seed. So as the seed can be only from 0 to 999, the possible values are 1000 values. The Next method will return int which range from 0 to 2,147,483,647 and get generated from seed. So it can be precalculated.
2. As mihailik identified, 2 requests that request at the same time may end up with the same session id
3. The class called " RandomNumberGenerator" should be used instead. But the easiest way is to use
myCookie.Value(“SessionId”) = Guid.NewGuid().ToString() :)

# re: Spot the Bug - July 23, 2005

Sunday, July 24, 2005 6:56 AM by Mike Bright

First time here, not entirely sure on the Spot the Bug thing, but:

myCookie.Value

Is a collection and therefore can’t be accessed using parenthesis i.e.

myCookie.Value(“SessionId”)

And must in fact use square brackets when providing the key:

myCookie.Value[“SessionId”] = random(objRand.Next()) ;

But I may have missed the point of the exercise. hehe

# re: Spot the Bug - July 23, 2005

Sunday, July 24, 2005 6:59 AM by TAG

In addition to issues above:

a) There are typo in "myCookie.Value(“SessionId”)" line.
It must be Values or (preffered) simply "myCookie.Value = " statement. There is no needs to specify multi-value for SessionId.

As well all this code can be simplified up to:
private HttpCookie SessionIdentifier()
{
return new HttpCookie("SessionId", Guid.NewGuid().ToString());
}

b) Do you realy need new sessionId everytime ? Or it will be good to check for already started session ?

c) What's a reason to reinvent ASP.NET sessions ? Is this a system-level code ?

d) This cookie become a site-wide - i.e. by allowed path is "/". As well it will be allowed to trasfer on both HTTP and HTTPS - this can be a security-risk.

# re: Spot the Bug - July 23, 2005

Sunday, July 24, 2005 6:43 PM by Andreas Wiegenstein

In addition to the addition to issues above:

It's not a good idea to place a session ID in a cookie that is not HTTPONLY, since this will make XSS attacks that steal the session more easy. (Defense in Depth)

# re: Spot the Bug - July 23, 2005

Monday, July 25, 2005 7:36 AM by saint

1. Usage of Random function to get sessionID is incorrect since it is not random enough,.
2. As mentioned earlier Not using HTTPOnly cookie allows XSS attacks

# re: Spot the Bug - July 23, 2005

Monday, July 25, 2005 10:06 AM by karthikeyan

1. Cookie.value is a property and it should not be assigned like this.
instead it should be cookie.value = "";
2. Random(objRand.Next()) is a constructor which will return the reference to an object and cookie.value will expect a string, not reference.
3. If we want to have it unique using the same logic then the follwing code will do
private HttpCookie SessionIdentifier ()
{
HttpCookie myCookie = new HttpCookie("SessionId");
Random objRand = new Random (DateTime.Now.Millisecond);
myCookie.Value = objrand.Next().ToString();
return myCookie;
}

New Comments to this post are disabled

Spot the Bug!

Search

Tags

News

Archives

Spot the Bug - July 23, 2005

Comments

# re: Spot the Bug - July 23, 2005

# re: Spot the Bug - July 23, 2005

# re: Spot the Bug - July 23, 2005

# re: Spot the Bug - July 23, 2005

# re: Spot the Bug - July 23, 2005

# re: Spot the Bug - July 23, 2005

# re: Spot the Bug - July 23, 2005

# re: Spot the Bug - July 23, 2005

# re: Spot the Bug - July 23, 2005

# re: Spot the Bug - July 23, 2005

# re: Spot the Bug - July 23, 2005