4

Not sure if what I'm saying makes sense... but is it possible for me to alter a $_SESSION variable from outside the target PHP script?

One of our scripts uses a $_SESSION variable and I'm not sure if that is vulnerable to manipulation from outside as a $_POST variable is...

AviD
Steve
  • Are you sure you didn't ask the same question? http://security.stackexchange.com/questions/2087/how-to-hijack-a-session – Incognito Feb 17 '11 at 21:59

3 Answers

8

The answer to this depends on whether or not your application uses GET or POST data to populate SESSION data.

Say for example that the $_SESSION['username'] is populated when the user logs in like this:

$_SESSION['username'] = $_GET['login-username'];

As the XSS owns your client, he can also modify the content of the login-username variable, and thus control the session variables.

However it is important to know that the $_SESSION global variable array can only be modified server side.

Mark Davidson
Chris Dale
  • @Mark Davidson - what is the interaction between $_SESSION and cookies? Can I alter the value of $_SESSION by altering a cookie variable? Currently my site only seems to be storing PHPSESSID on the user's machine. – Steve Feb 10 '11 at 12:09
  • @Mark Davidson - Can I alter "my session" by altering the cookie variable (PHPSESSID)? – Steve Feb 22 '11 at 11:41
  • @Steve, Yes you can alter your cookie and by doing this also take over someone's session (if you know their PHPSESSID). – Chris Dale Feb 22 '11 at 12:45
  • @Steve, You can also try to guess someone's session ID, but given enough entropy in the ID it can be a very hard task. This http://www.securitytube.net/How-I-Met-Your-Girlfriend-at-Defcon-18-video.aspx gives a good rundown on the entropy of PHP's session ID. – Chris Dale Feb 22 '11 at 21:55
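The comments above turn on the fact that the client holds nothing but the PHPSESSID cookie, so the practical question for a defender is how little an attacker gains from reading, guessing or planting that one value. The following session bootstrap is an added example and is not code from this thread; it assumes PHP 7.3 or later (for the array form of session_set_cookie_params with a samesite key) and uses a constructed user id and timeout value.

```php
<?php
// Added example, not from the original answers: session bootstrap that limits
// what an attacker gains from a leaked, guessed or planted PHPSESSID cookie.
// The user id and timeout below are constructed values for illustration.

declare(strict_types=1);

function secure_session_start(): void
{
    // Reject session IDs the server never issued: a PHPSESSID planted by a
    // third party (session fixation) is discarded instead of being adopted.
    ini_set('session.use_strict_mode', '1');
    // Accept the ID only from the cookie, never from a URL parameter.
    ini_set('session.use_only_cookies', '1');

    session_set_cookie_params([
        'lifetime' => 0,          // cookie expires with the browser session
        'path'     => '/',
        'secure'   => true,       // never transmit the ID over plain HTTP
        'httponly' => true,       // page script cannot read it via document.cookie
        'samesite' => 'Strict',   // not attached to cross-site requests
    ]);
    session_start();
}

// Call on every privilege change (login, role change) so an ID that was known
// to anyone before authentication is worthless afterwards.
function on_login(int $userId): void
{
    session_regenerate_id(true);   // issue a fresh ID and delete the old store
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

// Absolute timeout: bounds how long a stolen ID stays usable, independent of
// activity. $maxAge is a constructed default; tune it to the application.
function session_is_fresh(array $session, int $now, int $maxAge = 3600): bool
{
    return isset($session['login_at']) && ($now - $session['login_at']) <= $maxAge;
}

secure_session_start();
if (isset($_SESSION['user_id']) && !session_is_fresh($_SESSION, time())) {
    session_unset();
    session_destroy();             // force re-authentication
}
```

The httponly flag addresses the XSS angle raised in the question (script cannot simply read the cookie), use_strict_mode addresses the "alter my cookie" angle (a made-up ID is never accepted as a live session), and regenerating the ID on login means that even an ID observed before authentication does not carry over into the authenticated session.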
1

The $_SESSION variable is never sent to the client. It is stored exclusively on the server. The user only gets an ID, which PHP uses to load up the corresponding $_SESSION variable.

So no, by exclusively using XSS, you cannot change the $_SESSION variable.

Clarification

If a line like $_SESSION['password'] = $var is nowhere to be found in your code, XSS cannot change the value of $_SESSION['password'].

Mike
  • 1
    If XSS changes values on the client which are then used in the session variable, you have successfully changed the $_SESSION by using XSS. For example $_SESSION['username'] = $_GET['login-username'] where XSS has changed the login-username field to the attacker's liking? – Chris Dale Feb 09 '11 at 13:01
  • 1
    Your example is not a threat from XSS but rather just bad programming. The server would have changed the $_SESSION variable either way, so I don't understand your point. – Mike Feb 09 '11 at 13:05
  • XSS can change the params which are used in SESSION, right? His answer depends on the logic of the PHP script and how it works. Your statement that XSS *cannot* change $_SESSION is wrong. – Chris Dale Feb 09 '11 at 13:12
  • 1
    In which case, it is the script that alters the session variable which it would have changed anyway. I'm sorry, but IMO, simply changing a parameter does not qualify as XSS but is rather to be considered bad programming. – Mike Feb 09 '11 at 13:24
  • 2
    Why do you not consider XSS as "bad programming"? Of course it's bad programming, and of course the effects of the XSS very much depend on internal implementation. Bottom line, XSS *can* affect the session variables, *in certain situations* and depending on implementation. – AviD Feb 10 '11 at 11:09
1

Mike has a good answer. I don't know why he was voted down (so I voted him back up). I just joined so I can't comment, but I would like to try to explain Mike's reasoning, because he is making a good point.

The original question was:

One of our scripts uses a $_SESSION variable and I'm not sure if that is vulnerable to manipulation from outside as a $_POST variable is...

I interpret this as asking, "is the user able to manipulate $_SESSION directly from the HTTP request, as he can do with $_COOKIE, $_POST, and $_GET?"

In other words, PHP will literally take user data from the request headers or body and stash it into those three superglobals. But will it do the same thing for $_SESSION?

The answer is (in most cases) definitely no. The default session storage in PHP is "file", meaning that sessions are serialized and written to a file on the local filesystem. The user has no way to manipulate the contents of a session directly.

Now then, as others pointed out above, if you do something like this:

$_SESSION['foo'] = $_POST['bar'];

Then the user can now affect $_SESSION indirectly by affecting $_POST! Of course this is true, but I didn't see this as being the point of the question. The user can affect anything if you don't sanitize user inputs. The point is to know what inputs are not sanitized and know how to sanitize them before using them.

Karrax's criticism above was:

If XSS changes values on the client which are then used in the session variable you have successfully changed the $_SESSION by using XSS.

Of course this is true, but it's not the point of the question. By your logic, we can also say that, "malicious user input can launch a rocket to the moon." This is a true statement if somebody at NASA forgot to sanitize their user inputs in the rocket control application, but that's a problem with NASA's software, not an inherent risk in PHP.

Unfortunately, PHP doesn't make it obvious which superglobals are untainted and which are tainted. Understanding the distinction requires an intermediate-level understanding of the HTTP protocol and of how the PHP runtime processes the HTTP request and response cycle.

Mark E. Haase
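The pattern criticised in the first answer ($_SESSION['username'] = $_GET['login-username']) and in this one ($_SESSION['foo'] = $_POST['bar']) is the same mistake: a tainted superglobal is copied straight into the untainted one. The following login handler is an added example, not code from any of the answers; it places the vulnerable assignment beside a version where the request only names a candidate and the server decides what goes into the session. The user table and credentials are constructed for illustration, and the session is assumed to have been started with appropriate cookie settings.

```php
<?php
// Added example, not code from the thread: tainted request data copied into
// $_SESSION versus a session populated only from server-side facts.
declare(strict_types=1);

// Constructed user store standing in for a database lookup. The hash is
// generated at runtime so the example runs without external fixtures.
$users = [
    'alice' => ['id' => 42, 'hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)],
];

// VULNERABLE: the client-supplied string becomes the session identity.
// No credential was checked, so the session's "user" is whatever was submitted.
function login_untrusted(array $request): void
{
    $_SESSION['username'] = $request['login-username'] ?? '';   // tainted -> session
}

// HARDENED: the request supplies a candidate name and password; only a
// value the server itself established (the record's id) enters the session.
function login_verified(array $users, array $request): bool
{
    $name = (string)($request['login-username'] ?? '');
    $pass = (string)($request['login-password'] ?? '');

    if (!isset($users[$name]) || !password_verify($pass, $users[$name]['hash'])) {
        return false;                       // unknown user or wrong password
    }
    session_regenerate_id(true);            // fresh ID on privilege change
    $_SESSION['user_id'] = $users[$name]['id'];   // server-side fact, not client input
    return true;
}

// Anything that identifies the user from the session should read the
// server-assigned id, never re-trust a client-supplied name.
function current_user_id(array $session): ?int
{
    return isset($session['user_id']) ? (int)$session['user_id'] : null;
}

session_start();
// $_GET, $_POST and $_COOKIE are filled from the request and are tainted;
// $_SESSION is filled from the server's store and is not.
if (login_verified($users, $_POST)) {
    $uid = current_user_id($_SESSION);      // 42 for alice with the right password
}
```

The distinction the answer draws is visible in the two functions: login_untrusted makes $_SESSION exactly as trustworthy as $_GET, whereas login_verified keeps the request on one side of an authentication check and the session on the other, so the session holds only what the server verified.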