PuzzleMall

A vulnerable web application for practicing session puzzling

Developed by Hacktics ASC (http://www.hacktics.com)
PuzzleMall is a vulnerable web application designed for training purposes.

It is prone to a variety of session puzzle exposures, which can be detected and exploited using different session puzzling sequences.

About Session Puzzles
Session puzzles are application-level vulnerabilities that were explained in a white paper released on May 17, 2011, by Hacktics ASC, the Ernst & Young Security Excellence Center.
These attack vectors enable attackers to execute a new breed of logical attacks, as well as to enhance the capabilities of "traditional" attacks, by constructing attack payloads in a server-side memory store that the application implicitly trusts (the session) and then abusing these payloads to execute attacks in locations that were previously unreachable or considered safe.
The white paper and presentation can be downloaded from the downloads section, alongside the PuzzleMall application in "war" and source code distributions.
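As an added example (not PuzzleMall's own code), the "common session variable" puzzle described above, modelled as two Python flows that share a dict session, beside a hardened form that keys authorization on state only the login flow can set; the flow names and the sample account are hypothetical.

```python
# Added example, not PuzzleMall's own code: a dict stands in for the
# HTTP session and the flow/variable names are hypothetical.

USERS = {"alice": "s3cret"}  # constructed sample account

# --- vulnerable pattern: several flows write the same session key ---
def vuln_recovery_step1(session, username):
    # Password recovery stores the username before any proof of identity
    # (premature session population).
    session["username"] = username
    return "answer your secret question"

def vuln_login(session, username, password):
    if USERS.get(username) == password:
        session["username"] = username  # same key the recovery flow used
        return True
    return False

def vuln_profile(session):
    # Authorization keyed on a variable that any flow can populate.
    user = session.get("username")
    return None if user is None else f"profile of {user}"

# --- hardened pattern: flow-specific keys, explicit auth state ---
def safe_recovery_step1(session, username):
    # Recovery state lives under its own key and carries its own phase.
    session["recovery"] = {"username": username, "phase": "question"}
    return "answer your secret question"

def safe_login(session, username, password):
    if USERS.get(username) == password:
        session.clear()  # in a real app: invalidate and issue a new session id
        session["auth"] = {"user": username, "authenticated": True}
        return True
    return False

def safe_profile(session):
    # Only the login flow can set this flag.
    auth = session.get("auth") or {}
    return f"profile of {auth['user']}" if auth.get("authenticated") else None

def run_sequence(recovery_step, profile):
    # The puzzling sequence: start password recovery, then request the
    # profile page with the same session and no login at all.
    session = {}
    recovery_step(session, "alice")
    return profile(session)
```

Running the same sequence against both variants shows the vulnerable profile page served without a login, while the hardened one refuses until `safe_login` succeeds.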

About Temporal Session Race Conditions (TSRC) and Layer Targeted ADoS
Although the original session puzzling attack vector relied on the existence of persistent session values, an extended attack was presented on September 15, 2011, at a local OWASP chapter meeting.
The extended attack (nicknamed "Temporal Session Race Conditions") enables detecting and exploiting session puzzles even if the session variables have a lifespan of milliseconds (session-level race conditions), by increasing the latency of certain lines of code through layer-targeted denial of service attacks.

Demo
The following short movies demonstrate a few simple session puzzling sequences:
Authentication Bypass via Session Puzzling (Abusing common session variables): http://www.youtube.com/watch?v=-DackF8HsIE
User Impersonation via Session Puzzling (Abusing common session variables): http://www.youtube.com/watch?v=ikIyInm0wAg
Session Puzzling via Redirection Prevention (Abusing Premature Session Population): http://www.youtube.com/watch?v=iTcOooHbgog
Bypassing Restrictions in Multiphase Processes via Session Puzzling (Abusing Common Session Flags): http://www.youtube.com/watch?v=HeP54b52IeQ

The following movies demonstrate a few simple TSRC attacks:
Exploiting Temporal Session Race Conditions via Connection Pool Consumption: http://www.youtube.com/watch?v=woWECWwrsSk
Exploiting Temporal Session Race Conditions via RegEx DoS: http://www.youtube.com/watch?v=3k_eJ1bcCro

Developers
PuzzleMall is developed and maintained by Shay Chen (http://twitter.com/sectooladdict/).

Implementation
PuzzleMall is implemented in Java/JSP and uses Apache Derby as its data repository
(and thus requires no database installation).

Requirements
JDK 1.6.x+
Tomcat 6.x+ (should work on any JEE compliant application server / servlet container)

Potential Issue: Because the default Derby DB location is used, the Tomcat user may need admin/root permissions under Linux/Win7. This will be fixed ASAP.

Installation (Derby Version - Session Puzzling)

(1) Download & install Apache Tomcat 6.x (http://tomcat.apache.org/download-60.cgi)

(2) Copy the application war file into the Tomcat webapps directory

(Usually "C:\Program Files\Apache Software Foundation\Tomcat 6.0\webapps" with the Windows 32/64 installer)

(3) Restart the application server

(4) On WinXP, as long as you are using a high-privileged user, you can skip this phase. On Win7, make sure you run the Tomcat server with administrative privileges (right click on and execute), and on Ubuntu Linux, run the following commands:

sudo mkdir /var/lib/tomcat6/db
sudo chown tomcat6:tomcat6 /var/lib/tomcat6/db/

(5) Initiate the install script at: http://localhost:8080/puzzlemall/install/initialize.jsp

(6) Access the application at: http://localhost:8080/puzzlemall/

Installation (MySQL Version - Temporal Session Race Conditions)

(1) Download & install Apache Tomcat 6.x (http://tomcat.apache.org/download-60.cgi)

(2) Download & install MySQL Community Server 5.5.x (http://dev.mysql.com/downloads/mysql/), and make sure remote root access is enabled (at least for the installation)

(3) Copy the application war file into the Tomcat webapps directory

(Usually "C:\Program Files\Apache Software Foundation\Tomcat 6.0\webapps" with the Windows 32/64 installer)

(4) Restart the application server

(5) On WinXP, as long as you are using a high-privileged user, you can skip this phase. On Win7, make sure you run the Tomcat server with administrative privileges (right click on and execute), and on Ubuntu Linux, run the following commands:

sudo mkdir /var/lib/tomcat6/db
sudo chown tomcat6:tomcat6 /var/lib/tomcat6/db/

(6) Initiate the install script at: http://localhost:8080/puzzlemall/install/initialize.jsp

(7) Provide the database host, port and root credentials to the installation script.

(8) Access the application at: http://localhost:8080/puzzlemall/

Project Information

The project was created on May 13, 2011.

  • License: GNU GPL v3
  • 21 stars
  • svn-based source control

Labels:
Vulnerability SessionPuzzle SessionPuzzling VulnerableApplication Training Hacking Pentesting