Session Hijacking

What is Session Hijacking?

Session hijacking is the act of taking control of a user session after successfully obtaining or generating an authentication session ID. Session hijacking involves an attacker using captured, brute forced or reverse-engineered session IDs to seize control of a legitimate user's Web application session while that session is still in progress.

Detailed Description

HTTP is stateless, so application designers had to develop a way to track the state between multiple connections from the same user, instead of requesting the user to authenticate upon each click in a Web application. A session is a series of interactions between two communication end points that occurs during the span of a single connection. When a user logs into an application a session is created on the server in order to maintain the state for other requests originating from the same user.
Applications use sessions to store parameters which are relevant to the user. The session is kept "alive" on the server as long as the user is logged on to the system. The session is destroyed when the user logs out of the system or after a predefined period of inactivity. When the session is destroyed, the user's data should also be deleted from the allocated memory space.
A session ID is an identification string (usually a long, random, alpha-numeric string) that is transmitted between the client and the server. Session IDs are commonly stored in cookies, URLs and hidden fields of Web pages. A URL containing the session ID might look something like:
http://www.123somesite.com/view/7AD30725122120803
In an HTML page, a session ID may be stored as a hidden field:

Sometimes, cookies are set to expire (be deleted) upon closing the browser. These are termed "session cookies" or "non-persistent" cookies. Cookies that last beyond a user's session (e.g., when a "Remember Me" option is used) are termed "persistent" cookies. Persistent cookies are usually stored on the user's hard drive. Their location is determined by the particular operating system and browser (e.g., C:\Documents and Settings\username\Cookies for Internet Explorer on Windows 2000).
There are several problems with session IDs. Many popular websites generate their session IDs with algorithms based on easily predictable variables, such as time or IP address, which makes those session IDs predictable. If encryption is not used (typically SSL), session IDs are transmitted in the clear and are susceptible to eavesdropping.
Session hijacking involves an attacker using captured, brute forced or reverse-engineered session IDs to seize control of a legitimate user's session while that session is still in progress. In most applications, after successfully hijacking a session, the attacker gains complete access to all of the user's data, and is permitted to perform operations instead of the user whose session was hijacked.
There are three primary techniques for hijacking sessions:
1. Brute Force - the attacker tries multiple IDs until successful.
2. Calculate - in many cases, IDs are generated in a non-random manner and can be calculated.
3. Steal - using different types of techniques, the attacker can acquire the Session ID.
In Brute Force attacks, the attacker can try many IDs. For example, take a look at the following list of URLs, in which an attacker is trying to guess the session ID:
http://www.somesite.com/view/VW30422101518909
http://www.somesite.com/view/VW30422101520803
http://www.somesite.com/view/VW30422101522507
Session IDs can be stolen using a variety of techniques: sniffing network traffic, using trojans on client PCs, using the HTTP referrer header where the ID is stored in the query string parameters, and using Cross-Site Scripting attacks.
In a "referrer" attack, the attacker entices a user to click on a link to another site (a hostile link, say www.hostile.com). The browser's request to that site carries the address of the page the user came from in the Referer header (that is the header's spelling in the HTTP specification):
GET /index.html HTTP/1.0
Host: www.hostile.com
Referer: www.mywebmail.com/viewmsg.asp?msgid=438933&SID=2343X32VA92
The browser sends the referrer URL containing the session ID to the attacker's site, www.hostile.com, and the attacker now has the session ID of the user.
Session IDs can also be stolen using script injections, such as Cross-Site Scripting. The user executes a malicious script that redirects the private user's information to the attacker.
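The following is an added example, not code from the original post, that turns the three problems above (guessable IDs, IDs carried in URLs and leaked through the Referer header, IDs readable by injected script) into checks and mitigations a defender can run. The observed IDs are constructed to follow the pattern of the brute-force URLs shown above, and the cookie name SESSIONID and the list of query-parameter names are assumptions.

```python
import secrets
import time
from urllib.parse import urlparse, parse_qs

# Constructed sample: digit-only IDs following the pattern of the page's brute-force URLs.
OBSERVED_IDS = ["VW30422101518909", "VW30422101520803", "VW30422101522507"]

def weak_session_id(prefix="VW"):
    """Time-derived ID of the kind the text warns about; shown only for comparison."""
    return prefix + str(int(time.time() * 1_000_000))

def strong_session_id(nbytes=32):
    """CSPRNG-backed ID: 256 bits of entropy, URL-safe, not derivable from time or IP."""
    return secrets.token_urlsafe(nbytes)

def numeric_tail(sid, prefix_len=2):
    """Integer part after a fixed prefix, or None when the tail is not all digits."""
    tail = sid[prefix_len:]
    return int(tail) if tail.isdigit() else None

def looks_predictable(ids, max_step=10_000_000):
    """True when every consecutive pair of IDs is a small positive numeric step apart,
    i.e. the generator is probably a counter or timestamp and the ID space is guessable."""
    tails = [numeric_tail(s) for s in ids]
    if len(tails) < 2 or any(t is None for t in tails):
        return False
    steps = [b - a for a, b in zip(tails, tails[1:])]
    return all(0 < s <= max_step for s in steps)

def url_carries_session_id(url, param_names=("sid", "sessionid", "jsessionid", "phpsessid")):
    """True when the query string holds a session token, which a Referer header would leak."""
    query = parse_qs(urlparse(url).query)
    return any(name.lower() in param_names for name in query)

def session_cookie_header(sid, max_age=1800):
    """Set-Cookie value that keeps the ID out of URLs and out of script reach:
    Secure blocks cleartext transmission, HttpOnly blocks document.cookie reads,
    SameSite limits cross-site sending, Max-Age bounds the idle lifetime."""
    return f"SESSIONID={sid}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"

def referrer_policy_header():
    """Response header that strips path and query from cross-origin referrers."""
    return ("Referrer-Policy", "strict-origin-when-cross-origin")

if __name__ == "__main__":
    print("page IDs predictable:", looks_predictable(OBSERVED_IDS))
    print("strong IDs predictable:", looks_predictable([strong_session_id() for _ in range(3)]))
    print("webmail URL leaks via Referer:", url_carries_session_id(
        "http://www.mywebmail.com/viewmsg.asp?msgid=438933&SID=2343X32VA92"))
    print(session_cookie_header(strong_session_id()))
```

Running the checks against the page's own sample IDs flags them as a small increasing sequence, while three freshly generated tokens do not trigger the check.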