In late 2022, a vulnerability was found in Drogon, a popular C++ HTTP application framework. This flaw, tracked as CVE-2022-3959 and also listed under VDB-213464, affects Drogon versions up to 1.8.1. The bug is related to weak randomness in session management, which could let remote attackers guess session IDs. In this article, we’ll break down what happened, show relevant code snippets, and explain how you can protect your applications.
What’s the Problem?
Drogon lets developers handle user sessions conveniently, using a "Session Hash Handler." In versions up to 1.8.1, the session IDs (or session hashes) generated by this handler suffer from a small random value space. In simple words, there aren't enough unique session IDs possible, making it easier for hackers to guess and take over legitimate sessions.
Why Does This Matter?
Session IDs act like secret keys for websites. If an attacker can guess a session ID, they can impersonate a user and possibly steal information or perform actions as that user. Ideally, session IDs should be unpredictable and unique for every user and every session.
Exploit Details
If session IDs come from a small pool of possible values, an attacker can automate guessing attempts. Modern tools and cloud computing make it practical to scan large numbers of possible session IDs quickly.
Identify the vulnerable session handler (by inspecting cookies and responses).
2. Predict/Brute-force session IDs using scripts.
Example: How an Attacker Could Exploit Weak Session IDs
Assume session IDs are based on a non-cryptographically secure random number generator, sometimes called rand(). Here’s a conceptual example (not the actual Drogon code):
// Example of insecure session ID generation
std::string generateSessionId() {
// NOT secure, just for demonstration!
int randomValue = rand() % 100000; // Only 100,000 possibilities!
return std::to_string(randomValue);
}
An attacker could easily enumerate all 100,000 possibilities
# Python code to simulate brute-forcing weak session IDs
import requests
for session_id in range(100000):
cookies = {"sessionid": str(session_id)}
r = requests.get("https://target.site/profile";, cookies=cookies)
if "Welcome, User" in r.text:
print(f"Valid session ID found: {session_id}")
break
Patch and Resolution
The Drogon maintainers addressed this issue in version 1.8.2 by increasing the session hash’s random value space, likely using a stronger random number generator or longer session IDs. The relevant patch is commit cd48da99f66aaada17bcd28b07741cac8697647.
Key fix:
Instead of using weak randomness like rand(), the patch introduced a more cryptographically secure approach, possibly using std::random_device or similar:
// Secure example using C++
#include <random>
std::string generateSecureSessionId() {
std::random_device rd;
std::mt19937 gen(rd());
std::uniform_int_distribution<> dist(, 999999999);
return std::to_string(dist(gen));
}
Upgrade immediately to Drogon 1.8.2 or newer.
Never rely on default session handlers for production unless you have reviewed their security.
- Check that your session IDs are at least 128 bits of randomness and are generated with a cryptographically secure random number generator.
References
- CVE-2022-3959 on cve.org
- VDB-213464 Detail
- Original Drogon Patch Commit
- Drogon Releases
Summary
CVE-2022-3959 highlights the importance of using strong, unpredictable randomness for session IDs. If you’re running Drogon up to v1.8.1, upgrade immediately to 1.8.2+ to protect your users from session hijacking risks. Always check for security advisories from your framework maintainers—and never trust simple random numbers for security purposes!
Timeline
Published on: 11/11/2022 16:15:00 UTC
Last modified on: 11/16/2022 16:06:00 UTC