An error occurred:

Check: SRG-APP-000224-WSR-000139

Web Server SRG: SRG-APP-000224-WSR-000139 (in versions v4 r2 through v2 r2)

Title

The web server must generate unique session identifiers with definable entropy. (Cat II impact)

Discussion

Generating a session identifier (ID) that is not easily guessed through brute force is essential to deter several types of session attacks. By knowing the session ID, an attacker can hijack a user session that has already been user authenticated by the hosted application. The attacker does not need to guess user identifiers and passwords or have a secure token since the user session has already been authenticated. Random and unique session IDs are the opposite of sequentially generated session IDs, which can be easily guessed by an attacker. Random session identifiers help to reduce predictability of said identifiers. The session ID must be unpredictable (random enough) to prevent guessing attacks, where an attacker is able to guess or predict the ID of a valid session through statistical analysis techniques. For this purpose, a good PRNG (Pseudo Random Number Generator) must be used. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions. At least half of a session ID must be created using a definable source of entropy (PRNG).

Check Content

Review the web server documentation and deployed configuration to verify that the web server is generating random session IDs with entropy equal to at least half the session ID length. If the web server is not configured to generate random session IDs with the proper amount of entropy, this is a finding.

Fix Text

Configure the web server to generate random session IDs with minimum entropy equal to half the session ID length.

Additional Identifiers

Rule ID: SV-206403r961119_rule

Vulnerability ID: V-206403

Group Title: SRG-APP-000224

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001188

Generate a unique session identifier for each session with organization-defined randomness requirements.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SC-23(3)

Unique Session Identifiers with Randomization