Session Hijacking

Asanka Fernandopulle and I conducted a corporate-level workshop on Application Security. This workshop covered areas such as application security threats, secure coding practices, application penetration testing and web application exploitation. The workshop mainly consisted of practical sessions and demonstrations. You can find all the presentations here.

Published in: Technology

  1. SESSION HIJACKING: How vulnerable is my web application, from a developer's angle…
     Dilan Warnakulasooriya, Information Security Engineer, 99X Technology
     Asanka Fernandopulle, Senior Software Engineer, 99X Technology
  2. Overview
     Many details about the session, including:
       • Session.Id lifecycle
       • Session.Abandon
       • The session cookie
       • Attacking the session
       • Fixes
     January 1, 2013, 99X Technology (c)
  3. ASP.NET Session Background
       • Session.Id is established when? If ASP.NET receives any session Id, it will USE IT.
       • Does Session.Abandon remove this cookie? NO. Why? This session could be shared across sites.
       • Session.IsNewSession is true when:
           - ASP.NET has no record of the current session
           - the first new request to a web server generally means IsNewSession = true
           - if a session Id is provided by the client, IsNewSession = true for the first request, false for subsequent requests
       • Session cookies are HttpOnly, which means JavaScript cannot read the session cookie, but it can still SET the cookie.
  4. ASP.NET Session Background: DEMO
  5. The client wants a NEW Session Id of 12345678? No problem.
     Cookie sent to server: SessionId = 12345678
  6. How can sessions be attacked?
     Session Ids can be attacked:
       • Network traffic can be sniffed
       • Man in the middle attack (easy to test via proxy configuration)
       • Session fixation
     DEMO
  7. Preventing session attacks
       • Force SSL for the entire site.
       • Ensure authentication and session timeouts are in sync! The session could time out before the forms auth timeout, thus allowing takeover of the session.
       • Remove the session cookie and kill the session upon logout AND page load:
           Session.Abandon(); // Expires the session
           Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddYears(-30);
       • Avoid cookieless sessions (where the Id is on the URL).
       • EXTRA EXTRA secure… (kind of an advanced topic):
           - Create your own Session Id Provider to generate and validate ids. Note these are called for EVERY request (images, etc…) in Integrated Pipeline Mode.
           - Store the Session Id in the Auth cookie.
  8. Session timeouts / Forms Auth timeouts
     Scenario:
       • Session timeout 20 minutes, forms auth timeout 20 minutes.
       • The session can also expire when the app pool is reset; the forms auth token is still valid.

     Time    Session timeout                                  Forms Auth Token Expires
     12:02   12:22                                            Still 12:20
     12:04   12:24                                            Still 12:20
     12:06   12:26                                            Still 12:20
     12:15   12:35                                            12:35
     12:30   App pool shuts down, reset, etc.: NO SESSION     12:35
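Slides 3, 5 and 7 together give the problem (ASP.NET uses whatever session Id it is handed, so an attacker-chosen Id such as 12345678 is accepted) and the fix (issue a fresh Id at login, store that Id in the auth cookie, and kill both cookies at logout). The following is an added C# example, not code from the slides or from 99X Technology. It assumes a classic ASP.NET Web Forms application with Forms Authentication, Membership and cookie-based (not cookieless) session state; the page, control and handler names (Login, UserName, Password, FailureText, LoginButton_Click, LogoutButton_Click) are hypothetical, and the controls are assumed to be declared in the usual designer file.

```csharp
// Added example (not from the slides): regenerate the session Id at login, bind it
// into the forms-auth ticket, and reject any request whose session cookie and auth
// cookie do not belong together. Names of pages/controls are hypothetical.
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;
using System.Web.UI;

public partial class Login : Page
{
    private static readonly TimeSpan AuthLifetime = TimeSpan.FromMinutes(20);

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (!Membership.ValidateUser(UserName.Text, Password.Text))
        {
            FailureText.Text = "Login failed.";
            return;
        }

        // Never keep the Id the client arrived with: slide 5 shows ASP.NET will use
        // any Id it is given, which is exactly what session fixation relies on.
        Session.Abandon();
        var idManager = new SessionIDManager();
        string freshId = idManager.CreateSessionID(Context);
        bool redirected, cookieAdded;
        idManager.SaveSessionID(Context, freshId, out redirected, out cookieAdded);

        // "Store Session Id in Auth cookie": the fresh Id goes into the ticket's
        // UserData, so the two cookies only work as a pair.
        var ticket = new FormsAuthenticationTicket(
            1, UserName.Text, DateTime.Now, DateTime.Now.Add(AuthLifetime),
            false, freshId);
        var authCookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                        FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = true   // the whole site is forced to SSL (slide 7)
        };
        Response.Cookies.Add(authCookie);
        Response.Redirect(FormsAuthentication.GetRedirectUrl(UserName.Text, false), false);
    }

    protected void LogoutButton_Click(object sender, EventArgs e)
    {
        // The two lines from slide 7, plus removal of the auth cookie.
        Session.Abandon();
        Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddYears(-30);
        FormsAuthentication.SignOut();
        Response.Redirect(FormsAuthentication.LoginUrl, false);
    }
}

// Global.asax.cs: check the binding on every request once session state is loaded.
public class Global : HttpApplication
{
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = Context;
        if (ctx.Session == null || !ctx.Request.IsAuthenticated) return;

        var identity = ctx.User.Identity as FormsIdentity;
        if (identity == null) return;

        // The Id issued at login must match the Id presented now.
        string boundId = identity.Ticket.UserData;
        if (!string.Equals(boundId, ctx.Session.SessionID, StringComparison.Ordinal))
        {
            // A foreign (fixed or guessed) session Id is being used with a valid
            // auth cookie: drop both and force a new login.
            ctx.Session.Abandon();
            FormsAuthentication.SignOut();
            ctx.Response.Redirect(FormsAuthentication.LoginUrl, false);
            ctx.ApplicationInstance.CompleteRequest();
        }
    }
}
```

The check in Global.asax relies on the behaviour slide 3 describes: on the request after login ASP.NET adopts the Id written by SaveSessionID (no store record yet, so IsNewSession is true) and Session.SessionID equals the value stored in the ticket. An attacker who has only planted a session Id cannot pass the check, because the ticket they lack names a different Id; the check does not help if both cookies are stolen together, which is why the slide also insists on SSL for the whole site.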
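The table on slide 8 is easier to follow once the two expiry rules behind it are made explicit: session state slides on every request, while a forms-auth ticket with sliding expiration is only renewed when more than half of its lifetime has already elapsed, and an app-pool recycle wipes InProc session state but not the auth cookie. The following C# replay of the slide's scenario is an added example, not code from the slides or from 99X Technology; the event times and the login time of 12:00 are constructed to match the table, and the class and method names are hypothetical.

```csharp
// Added example (not from the slides): replay slide 8's timeline to show why two
// "20 minute" timeouts still drift apart and leave a window with a valid auth
// cookie but no session. Times are constructed; names are hypothetical.
using System;
using System.Collections.Generic;

public sealed class TimelineRow
{
    public DateTime At;
    public string Event;
    public string SessionState;   // session expiry "HH:mm", or "NO SESSION"
    public string TicketExpires;  // "HH:mm"
    public bool Exposed;          // ticket still valid while the session is gone
}

public static class TimeoutTimeline
{
    public static List<TimelineRow> Replay(DateTime login, TimeSpan sessionTimeout,
        TimeSpan ticketTimeout, DateTime[] requests, DateTime? recycle)
    {
        // Merge requests and the optional app-pool recycle into one ordered event list.
        var events = new List<Tuple<DateTime, string>>();
        foreach (DateTime r in requests) events.Add(Tuple.Create(r, "request"));
        if (recycle.HasValue) events.Add(Tuple.Create(recycle.Value, "app pool recycle"));
        events.Sort((a, b) => a.Item1.CompareTo(b.Item1));

        bool sessionAlive = true;
        DateTime sessionExpires = login + sessionTimeout;
        DateTime ticketIssued = login;
        DateTime ticketExpires = login + ticketTimeout;
        // Forms auth renews a sliding ticket only after more than half its life is used.
        TimeSpan renewAfter = TimeSpan.FromTicks(ticketTimeout.Ticks / 2);

        var rows = new List<TimelineRow>();
        foreach (var ev in events)
        {
            DateTime now = ev.Item1;
            bool ticketValid = now <= ticketExpires;

            // InProc session state is lost on recycle or once the idle timeout passes.
            if (ev.Item2 == "app pool recycle" || now > sessionExpires)
                sessionAlive = false;

            if (ev.Item2 == "request")
            {
                sessionExpires = now + sessionTimeout;          // slides on every hit
                if (ticketValid && now - ticketIssued > renewAfter)
                {
                    ticketIssued = now;                         // ticket renewed
                    ticketExpires = now + ticketTimeout;
                }
            }

            rows.Add(new TimelineRow
            {
                At = now,
                Event = ev.Item2,
                SessionState = sessionAlive ? sessionExpires.ToString("HH:mm")
                             : ev.Item2 == "request" ? "new empty session" : "NO SESSION",
                TicketExpires = ticketExpires.ToString("HH:mm"),
                Exposed = ticketValid && !sessionAlive
            });

            // A request that found no session has started a fresh (empty) one.
            if (ev.Item2 == "request") sessionAlive = true;
        }
        return rows;
    }

    public static void Main()
    {
        DateTime login = new DateTime(2013, 1, 1, 12, 0, 0);   // constructed login time
        List<TimelineRow> rows = Replay(login,
            TimeSpan.FromMinutes(20), TimeSpan.FromMinutes(20),
            new[] { login.AddMinutes(2), login.AddMinutes(4), login.AddMinutes(6), login.AddMinutes(15) },
            login.AddMinutes(30));

        Console.WriteLine("Time   Event              Session           Ticket expires  Exposed");
        foreach (TimelineRow r in rows)
            Console.WriteLine("{0:HH:mm}  {1,-18} {2,-17} {3,-15} {4}",
                r.At, r.Event, r.SessionState, r.TicketExpires, r.Exposed);
    }
}
```

Running it reproduces the slide's rows: the requests at 12:02, 12:04 and 12:06 push the session expiry to 12:22, 12:24 and 12:26 while the ticket stays at 12:20 (less than ten of its twenty minutes have elapsed), the request at 12:15 renews the ticket to 12:35, and the recycle at 12:30 leaves a valid ticket until 12:35 with no session behind it, which is the window slide 7 warns about when it asks for the two timeouts to be kept in sync.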