CWE-6: J2EE Misconfiguration: Insufficient Session-ID Length

Description

The J2EE application is configured to use an insufficient session ID length.

If an attacker can guess or steal a session ID, then they may be able to take over the user's session (called session hijacking). The number of possible session IDs increases with increased session ID length, making it more difficult to guess or steal a session ID.

Potential Impact

Access Control

Gain Privileges or Assume Identity

Demonstrative Examples

The following XML example code is a deployment descriptor for a Java web application deployed on a Sun Java Application Server. This deployment descriptor includes a session configuration property for configuring the session ID length.

Bad

<sun-web-app>
                        ...<session-config>
                              <session-properties><property name="idLengthBytes" value="8"><description>The number of bytes in this web module's session ID.</description></property></session-properties>
                           </session-config>...
                     </sun-web-app>

This deployment descriptor has set the session ID length for this Java web application to 8 bytes (or 64 bits). The session ID length for Java web applications should be set to 16 bytes (128 bits) to prevent attackers from guessing and/or stealing a session ID and taking over a user's session.

Note for most application servers including the Sun Java Application Server the session ID length is by default set to 128 bits and should not be changed. And for many application servers the session ID length cannot be changed from this default setting. Check your application server documentation for the session ID length default setting and configuration options to ensure that the session ID length is set to 128 bits.

Mitigations & Prevention

Implementation

Session identifiers should be at least 128 bits long to prevent brute-force session guessing. A shorter session identifier leaves the application open to brute-force session guessing attacks.

Implementation

A lower bound on the number of valid session identifiers that are available to be guessed is the number of users that are active on a site at any given moment. However, any users that abandon their sessions without logging out will increase this number. (This is one of many good reasons to have a short inactive session timeout.) With a 64 bit session identifier, assume 32 bits of entropy. For a large web site, assume that the attacker can try 1,000 guesses per second and that there are 10,000 va

Taxonomy Mappings

7 Pernicious Kingdoms: — J2EE Misconfiguration: Insufficient Session-ID Length

Frequently Asked Questions

What is CWE-6?

CWE-6 (J2EE Misconfiguration: Insufficient Session-ID Length) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The J2EE application is configured to use an insufficient session ID length.

How can CWE-6 be exploited?

Attackers can exploit CWE-6 (J2EE Misconfiguration: Insufficient Session-ID Length) to gain privileges or assume identity. This weakness is typically introduced during the Architecture and Design, Implementation phase of software development.

How do I prevent CWE-6?

Key mitigations include: Session identifiers should be at least 128 bits long to prevent brute-force session guessing. A shorter session identifier leaves the application open to brute-force session guessing attacks.

What is the severity of CWE-6?

CWE-6 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.