Implementation of proper session invalidation mechanisms
import play.api.mvc._

def getUserMain(sessionCode: String) = Action { request =>
  // Leftover debug shortcut: any code containing "auto" is accepted without
  // consulting the session at all. This is the vulnerability discussed below.
  if (sessionCode.contains("auto")) {
    Ok("Access granted")
  } else {
    // Normal path: look the code up in the signed session cookie
    val userMain = request.session.get(sessionCode)
    userMain.map { main =>
      Ok("Main: " + main)
    }.getOrElse {
      Unauthorized("Oops, you are not connected")
    }
  }
}
The Scala code above is a controller action in a Play Framework application that retrieves a user's Main from their session code. The function getUserMain takes a sessionCode as a parameter. This sessionCode is first checked to see whether it contains the string "auto". If it does, the function immediately returns an HTTP 200 response with the message "Access granted". This is debug code that was left in, and it is the vulnerability.
If the sessionCode does not contain "auto", the action attempts to retrieve the user's Main from the session using the sessionCode as the key. If that succeeds, it returns an HTTP 200 response with the Main. If no Main is associated with the sessionCode, it returns an HTTP 401 response with the message "Oops, you are not connected".
The vulnerability is that whenever a session code containing the word "auto" is presented, access is granted regardless of whether the session code is valid, because the debug check runs before any session lookup. An attacker could therefore bypass the session check and gain unauthorized access simply by supplying a session code that contains "auto". This is a clear example of a Security Controls Bypass or Absence - Session Invalidation vulnerability.
import play.api.mvc._

def getUserMain(sessionCode: String) = Action { request =>
  // The session cookie is the only source of truth: no debug shortcut
  val userMain = request.session.get(sessionCode)
  userMain.map { main =>
    Ok("Main: " + main)
  }.getOrElse {
    Unauthorized("Oops, you are not connected")
  }
}
The updated code removes the debugging shortcut that granted access to any session code containing the word 'auto'. That shortcut was a security vulnerability because it allowed unauthorized access while bypassing the normal session validation process.
The function now only retrieves the user's Main from the session code. If the session code is valid, it returns the Main. If the session code is not valid or does not exist, it returns an Unauthorized error.
This code assumes that session codes are securely generated and not guessable. It is also important to implement a proper session invalidation mechanism, so that expired or explicitly invalidated session codes are rejected and cannot be used to gain unauthorized access.
Regularly reviewing and updating the session management implementation is also recommended, to address new vulnerabilities as they arise.
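The paragraph above asks for session codes that are unguessable and can actually be invalidated. The following is an added example, not code from the original page: a small server-side session store with expiry and explicit revocation, wired into a Play 2.6+ controller. The store, the "sid" cookie key, the 15-minute TTL and the controller names are assumptions for illustration; a real deployment would use a shared store rather than an in-process map.

```scala
import java.time.Instant
import java.util.concurrent.ConcurrentHashMap
import javax.inject.Inject
import play.api.mvc._

// Assumed server-side record: which user a token belongs to and when it expires.
case class ServerSession(userMain: String, expiresAt: Instant)

object SessionStore {
  private val sessions = new ConcurrentHashMap[String, ServerSession]()
  private val ttlSeconds = 15 * 60 // assumed idle lifetime

  // Issue a 256-bit random token from SecureRandom so session codes are not guessable.
  def create(userMain: String): String = {
    val bytes = new Array[Byte](32)
    new java.security.SecureRandom().nextBytes(bytes)
    val token = java.util.Base64.getUrlEncoder.withoutPadding.encodeToString(bytes)
    sessions.put(token, ServerSession(userMain, Instant.now.plusSeconds(ttlSeconds)))
    token
  }

  // Resolve a token only if it exists and has not expired; expired entries are dropped.
  def lookup(token: String): Option[String] =
    Option(sessions.get(token)).flatMap { s =>
      if (s.expiresAt.isAfter(Instant.now)) Some(s.userMain)
      else { sessions.remove(token); None }
    }

  // Explicit invalidation (logout, password change, administrative revoke).
  def invalidate(token: String): Unit = sessions.remove(token)
}

class SessionController @Inject() (cc: ControllerComponents) extends AbstractController(cc) {
  // The token comes from the signed session cookie, never from the URL, and the
  // only way to be granted access is a live entry in the store: no "auto" shortcut.
  def getUserMain = Action { request =>
    request.session.get("sid").flatMap(SessionStore.lookup) match {
      case Some(main) => Ok("Main: " + main)
      case None       => Unauthorized("Oops, you are not connected").withNewSession
    }
  }

  // Logout revokes the server-side entry and clears the cookie, so the old code is dead.
  def logout = Action { request =>
    request.session.get("sid").foreach(SessionStore.invalidate)
    Ok("Logged out").withNewSession
  }
}
```

After logout or expiry the same cookie value is refused by lookup, which is the invalidation property the page's fixed code still lacks on its own.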