Session hijacking is the takeover of a valid session between two parties, most often a user's web session with a server. The attacker obtains or guesses the session identifier that the server uses to recognise the logged-in user and presents it as their own, gaining the victim's access to the application and its data without ever knowing the password. In TCP session hijacking the target is the TCP connection itself: the attacker observes or predicts the sequence numbers and injects packets into an established connection between two hosts.
Why does it succeed?
- No lockout or rate limiting on invalid session IDs, so guessing attempts go unnoticed.
- Insecure handling of session IDs, for example placing them in the URL, where they end up in browser history, proxy logs and the Referer header.
- Short or low-entropy session IDs that can be guessed in a feasible number of attempts.
- Cleartext transmission over HTTP (or Telnet, FTP and similar protocols), where anyone on the network path can read the ID.
- Sessions that never expire, so a stolen ID stays valid indefinitely.
Techniques of session hijacking
- Brute force: the attacker tries different IDs until one is accepted.
- Stealing: the attacker obtains a real user's session ID through one of the methods listed below.
- Calculating: when IDs are generated non-randomly (a counter, a timestamp, a hash of predictable values), the attacker works out a valid ID from the ones already observed.
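To make the brute-force and calculating items concrete, here is an added example (it is not code from the original post). It takes a list of session IDs observed across successive logins and checks whether they follow an arithmetic pattern that lets the next ID be predicted, and it estimates how long blind guessing of a short ID takes when the server applies no lockout. The sample IDs are constructed for this example, not captured from any real application, and the 100 active sessions and 1000 guesses per second used in the estimate are assumptions.

```python
"""Check a sample of observed session IDs for predictability.

Added example, not from the original post. Two questions are answered:
are the IDs *calculable* (they follow a pattern), and are they
*brute-forceable* (the space of possible values is small)?
"""
import math
import re
import secrets

HEX_TOKEN = re.compile(r"[0-9a-fA-F]+")


def decode_ids(ids):
    """Decode all IDs in one base: hex if any token has a hex letter, else decimal.
    Returns (base, values) or None if some token is not numeric at all."""
    if not ids or not all(HEX_TOKEN.fullmatch(t) for t in ids):
        return None
    base = 16 if any(re.search(r"[a-fA-F]", t) for t in ids) else 10
    return base, [int(t, base) for t in ids]


def predict_next(ids):
    """If the observed IDs form an arithmetic progression (a counter or a
    fixed-step timestamp), return the predicted next ID in the same format;
    otherwise return None."""
    if len(ids) < 3:
        return None
    decoded = decode_ids(ids)
    if decoded is None:
        return None
    base, values = decoded
    deltas = {b - a for a, b in zip(values, values[1:])}
    if len(deltas) != 1:          # not a constant step: no simple prediction
        return None
    nxt = values[-1] + deltas.pop()
    text = format(nxt, "d" if base == 10 else "x").zfill(len(ids[-1]))
    return text.upper() if base == 16 and ids[-1].isupper() else text


def entropy_bits(id_length, alphabet_size):
    """Bits of entropy if every position were uniformly random (an upper bound)."""
    return id_length * math.log2(alphabet_size)


def expected_brute_force_seconds(id_length, alphabet_size, active_sessions, guesses_per_second):
    """Expected time until a blind guess hits any one of the active sessions,
    assuming uniformly random IDs and no rate limiting or lockout on bad guesses.
    Drawing without replacement, the expected number of draws to hit the first
    of k targets among N values is (N + 1) / (k + 1)."""
    space = alphabet_size ** id_length
    expected_guesses = (space + 1) / (active_sessions + 1)
    return expected_guesses / guesses_per_second


# Constructed sample data for this example (not captured from any real site).
WEAK_IDS = ["00a1f3", "00a1f4", "00a1f5", "00a1f6"]          # hex counter
TIMESTAMP_IDS = ["1700000000", "1700000010", "1700000020"]   # login time, 10 s apart
STRONG_IDS = [secrets.token_hex(16) for _ in range(4)]       # 128-bit random: what a server should issue

if __name__ == "__main__":
    for name, ids in [("counter", WEAK_IDS), ("timestamp", TIMESTAMP_IDS), ("random", STRONG_IDS)]:
        print(f"{name}: predicted next = {predict_next(ids)}")
    print(f"6 hex chars: {entropy_bits(6, 16):.0f} bits, "
          f"expected blind guessing time ~{expected_brute_force_seconds(6, 16, 100, 1000):.0f} s")
    print(f"32 hex chars: {entropy_bits(32, 16):.0f} bits, "
          f"expected blind guessing time ~{expected_brute_force_seconds(32, 16, 100, 1000):.3g} s")
```

The counter and timestamp samples are predicted exactly; the random sample is not, and the time estimate shows that a six-character ID with 100 live sessions falls in minutes at a modest guess rate, while a 128-bit one is out of reach regardless of lockout.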
Session IDs can be stolen using techniques such as:
- The HTTP Referer header: if the session ID is carried in the URL, the attacker lures the user into clicking a link to an attacker-controlled site, and the browser sends the full URL of the previous page, session ID included, in the Referer header of that request.
- Sniffing network traffic on a shared or compromised network segment when the session is carried in cleartext.
- Cross-site scripting, which lets injected script read the session cookie and send it to the attacker (explained in a later post).
- Trojans or other malware installed on the client PC, which can read cookies or browser memory directly.
Types of session hijacking
Active: the attacker finds an active session and takes it over, sending requests as the user; the legitimate user is typically cut off.
Passive: the attacker hijacks the session but sits back, watching and recording all the traffic without interfering with it.
Countermeasures
- Use Secure Shell (SSH) instead of Telnet or rlogin so that remote sessions run over an encrypted channel.
- Send authentication cookies only over HTTPS, and mark them with the Secure attribute so the browser never sends them in cleartext.
- Implement logout functionality that terminates the session on the server, not only in the browser.
- Regenerate the session ID after a successful login, so an ID the attacker knew beforehand (session fixation) becomes useless.
- Use long random strings from a cryptographically secure generator as session keys.
- Encrypt all data between user and server, not just the login form.
- User education: do not click unexpected links, and avoid untrusted networks for sensitive sessions.
To be followed by web developers:
- Expire the session on the server as soon as the user logs out.
- Keep the life span of a session or cookie short: an idle timeout plus an absolute maximum lifetime.
- Create session IDs from long random strings or numbers so they cannot be guessed or calculated.
- Encrypt session IDs in transit between user and server (HTTPS), and set HttpOnly on the cookie so script cannot read it.
- Regenerate the session ID after a successful login.
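The developer list above reads as one procedure, so here is an added example that implements all five points in a single server-side session store (it is not code from the original post, and it is framework-agnostic: it returns the Set-Cookie header value and leaves sending it to the web framework). The 15-minute idle timeout, the 8-hour absolute lifetime, the cookie name SID and the in-memory table are assumptions chosen for illustration.

```python
"""Minimal server-side session store applying the developer countermeasures above.

Added example, not code from the original post. The timeouts and cookie name
are assumptions; the store is in memory for illustration only.
"""
import secrets
import time

IDLE_TIMEOUT = 15 * 60           # assumption: 15 minutes without a request ends the session
ABSOLUTE_LIFETIME = 8 * 60 * 60  # assumption: no session outlives 8 hours, however active
COOKIE_NAME = "SID"              # assumption: cookie name used by this example


class SessionStore:
    """In-memory session table. Keys are session IDs, values hold the user
    and the timestamps needed for idle and absolute expiry."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock    # injectable so expiry can be exercised without waiting

    @staticmethod
    def new_id():
        # 32 bytes from the OS CSPRNG: 256 bits, neither guessable nor calculable
        return secrets.token_urlsafe(32)

    def create(self, user=None):
        """Start a session; with user=None it is an anonymous pre-login session."""
        sid = self.new_id()
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def login(self, old_sid, user):
        """Bind the user to a fresh ID and destroy the pre-login one, so an ID the
        attacker planted or observed before authentication is worthless."""
        self._sessions.pop(old_sid, None)
        return self.create(user)

    def lookup(self, sid):
        """Return the session record, or None if the ID is unknown or expired.
        Expired sessions are deleted server-side, not merely ignored."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        now = self._clock()
        if now - record["last_seen"] > IDLE_TIMEOUT or now - record["created"] > ABSOLUTE_LIFETIME:
            del self._sessions[sid]
            return None
        record["last_seen"] = now
        return record

    def logout(self, sid):
        """Destroy the session on the server; clearing the browser cookie alone leaves the ID valid."""
        return self._sessions.pop(sid, None) is not None


def set_cookie_header(sid):
    """Value for a Set-Cookie header. Secure: only sent over HTTPS. HttpOnly: not
    readable by script, which blunts cookie theft via XSS. SameSite=Lax: not sent
    on most cross-site requests. Max-Age bounds the cookie to the idle timeout."""
    return f"{COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age={IDLE_TIMEOUT}"


def clear_cookie_header():
    """Sent on logout so the browser drops the cookie too."""
    return f"{COOKIE_NAME}=; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=0"


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()               # visitor browsing before login
    sid = store.login(anon, "alice")    # fresh ID issued on login
    print("old ID still valid?", store.lookup(anon) is not None)
    print("Set-Cookie:", set_cookie_header(sid))
    store.logout(sid)
    print("valid after logout?", store.lookup(sid) is not None)
```

Because the ID is never placed in a URL, the Referer leak described earlier does not apply, and because expiry is enforced by the server on every lookup, a stolen ID stops working even if the browser keeps the cookie.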