A Cucumber Scenario for Session Fixation Attacks
When working on a Spring project I was alerted via the logs that my login handling was susceptible to Session Fixation Attacks. It was nice of Spring to alert me of this, and it seems like the problem is due to the Apache httpd connection via mod_jk. But before diving into a solution I decided to write a simple acceptance test using Cucumber. This allows me to first prove the security hole is present, easily tell when I have fixed it and has the additional benefit of being able to add the check to a set of automated regression tests to ensure it never happens again.
The countermeasure built into Spring uses the Identity Confirmation technique. This basically involves invalidating a user’s session when they login and creating a new session with a different JSESSIONID. It turns out to be fairly easy to write a test for this in Cucumber. Firstly I wrote the plain text scenario:
Scenario: Avoiding Session Fixation Attacks through Identity Confirmation Given I have a session ID When I sign in Then I should have a different session ID
The next step is to write the step definitions. Cuke4Duke provides Cucumber support for JVM languages and makes it easy to write reusable step definitions. As I’m a fan of the expressiveness of Groovy I chose to write the step definitions using the GroovyDsl.
import static org.junit.Assert.*
import static org.junit.matchers.JUnitMatchers.*
import static org.hamcrest.CoreMatchers.*
this.metaClass.mixin(cuke4duke.GroovyDsl)
def sessionId
Given(~'I have a session ID') {
browser.get("$host/signin")
sessionId = getSessionId()
}
When(~'I sign in') {
def signinForm = browser.findElement(By.name('signin'))
signinForm.findElement(By.name('j_username')).sendKeys('testing@example.com')
signinForm.findElement(By.name('j_password')).sendKeys('123456')
signinForm.submit()
}
Then(~'I should have a different session ID') {
assertThat(getSessionId(), is(not(sessionId)));
}
def getSessionId() {
browser.manage().cookies.find() { it.name == 'JSESSIONID' }.value
}
The browser variable is injected via env.groovy as an instance of WebDriver which provides the methods to find elements and manage cookies.
def sessionId simply declares a variable allowing sharing of state between the steps so we can check the session ID has been changed.
No comments yet.
Leave a comment
Subscribe
Recent Posts
Tags
- "Sorry, no matches found for “tdd” near Auckland, New Zealand" http://t.co/Ahc736MX #auckland #whowantstostartonewithme 2 weeks ago
- Great series on the SOLID design principles for JavaScript http://t.co/ELoPuOH2 2 weeks ago
- Auckland devs, what meetups should I be attending? #java #groovy #ruby #javascript #bdd #tdd 2 weeks ago
- More updates...