Grafana Session Hijacking, CSRF vulnerability

Hi All,

We have come across two high and one low vulnerability in a VAPT assessment. Please help us to close the issues.

Grafana Version: 6.7.4

Findings (Title): Session Hijacking
Description: It was observed that the application’s session token can be hijacked and used to gain elevated access to the application. An attacker can hijack a legitimate user’s session to perform malicious activities.
Recommendation / Solutions: It is recommended to implement server-side mapping of user to accessibility, and the user should be logged out if the same user is logged in more than once. The features applicable to different privilege levels should be accessible strictly to users of those levels only. Any other user should not be granted access to them.

Findings (Title): Cross Site Request Forgery (CSRF) Token Not Implemented
Description: It was observed that the web application is vulnerable to CSRF attack. This occurs as the application does not implement a unique CSRF token for each of the forms submitted to the application. An attacker can force any end user to execute unwanted actions, such as unauthorised user creation on the web application, while they still have a valid session.
Recommendation / Solutions: It is recommended to implement the following few methods of preventing CSRF attacks:
• Enforce re-authentication of the user when another session is established
• Implement a CSRF token on the session cookie

Findings (Title): Concurrent Login
Description: The web application is configured to allow multiple simultaneous logons from the same user account via the same or a different browser. When a web application allows simultaneous session logons, this allows remote authenticated users to establish undetected concurrent logins. An attacker may use one of the sessions to make changes to the data or values available in the web application. If the web application does not have sufficient logging capabilities, it will be difficult to pinpoint the origin of an attack, as multiple sessions are initiated using the same user credentials. This may cause accountability and non-repudiation issues.
Recommendation / Solutions: If the web application does not want to allow simultaneous session logons, it must take effective actions after each new authentication event, implicitly terminating the previously available session, or asking the user (through the old, new or both sessions) about the session that must remain active.

Thanks for your help!


Session Hijacking:
This issue can be addressed through the auth proxy in Grafana. An Nginx or Apache HTTP server will act as the authentication layer, so the Grafana session doesn't get stored in the session cache.

CSRF token:
Enable the option "cookie_samesite = strict" in the defaults.ini file.

Concurrent session:
There is no option for restricting concurrent sessions.
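As an added illustration (not from either post), this is how the reply's two suggestions, the SameSite cookie setting and the auth proxy, look in a Grafana 6.x configuration fragment, placed in the custom configuration file Grafana layers over defaults.ini. The hostname, header name, proxy IP and lifetimes are assumed values for illustration.

```ini
# Added example, not from the thread: Grafana 6.x configuration fragment.
# Values marked "assumed" are placeholders chosen for illustration.

[server]
# Assumed hostname. Grafana should be reachable only through the reverse
# proxy; otherwise the auth proxy header can be sent to Grafana directly.
root_url = https://grafana.example.com/

[security]
# Weak (default): cookie_samesite = lax and cookie_secure = false.
# Hardened: the session cookie is sent only over TLS and never on
# cross-site requests, which is the CSRF mitigation from the reply.
# Strict can interfere with OAuth callbacks that arrive through a
# cross-site redirect, so test those login flows after enabling it.
cookie_secure = true
cookie_samesite = strict

[auth]
# Shorter token lifetimes limit how long a leaked grafana_session cookie
# stays usable (assumed values; tune to the organisation's policy).
login_maximum_inactive_lifetime_days = 1
login_maximum_lifetime_days = 7
token_rotation_interval_minutes = 10

[auth.proxy]
# The reverse proxy (Nginx or Apache) authenticates the user and forwards
# the identity in a header; Grafana creates no session of its own here.
enabled = true
# Assumed header name (Grafana's documented default for the auth proxy).
header_name = X-WEBAUTH-USER
header_property = username
# Do not create accounts for unknown names the proxy forwards.
auto_sign_up = false
# Grafana trusts the header without further checks, so only the proxy
# host may send it. Assumed proxy IP; an empty whitelist would let any
# client spoof a user simply by setting the header.
whitelist = 10.0.0.5
```

Concurrent logins are not restricted by any of these settings, matching the reply; the lifetime and rotation values only shorten the window in which a second, unnoticed session remains valid.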