# Session Farming

Category: Account Protection. Created: 2015-08-31.

A Session Farming attack is when an attacker creates many sessions in order to cryptographically deduce the secret token used to sign or encrypt session tokens. The attacker performs the attack by logging in many times as quickly as possible. If the attack succeeds and the attacker is able to determine the secret token, the attacker may be able to forge sessions. A forged session allows an attacker to impersonate other users of a web app.

Session farming simply means that a new session is being repeatedly obtained by an attacker, in the hope of finding an anomaly in the session-generating algorithm. Typically this requires hundreds of session tokens for analysis. An attacker may detect a pattern in the session tokens and use it to generate their own, impersonating another user of the system.

IMMUNIO protects apps by detecting when an unreasonable number of login attempts have succeeded for an individual account.

The most common authentication frameworks are protected by the IMMUNIO agents automatically. If your app uses an authentication framework that is not supported automatically, an API may be used to inform the agent of login attempts.

# Mitigation

When a Session Farming attack has been identified, any further login attempts from the IP address will be presented with a captcha, specifically a [Google ReCaptcha](https://www.google.com/recaptcha/intro/index.html), for a period of time.

# FAQ

## What authentication frameworks are supported automatically?
The Ruby agent supports [Devise](https://github.com/plataformatec/devise) and [Authlogic](https://github.com/binarylogic/authlogic) automatically.

## Do I need to configure anything for the captcha service?
No, IMMUNIO handles presenting the captcha to your users transparently.

## Will I be required to solve a captcha every time I log in?
Once a user has solved a captcha, further requests from the same browser session will pass through without any mitigation. For example, if a user logs in, solves a captcha, logs out, then attempts to log in again, the user will not see a captcha because he or she will have already solved one. However, if the user performs a Session Farming attack after solving a captcha, their captcha bypass will be revoked, and they will need to solve another captcha.