This presentation is taken from Kamal, Parves. State of the Art Survey on Session Hijacking. Global Journal of Computer Science and Technology, [S.l.], Mar. 2016. ISSN 0975-4172.
The presenters were Seyyed Ali Ayati and Mohammad AminTaheri.
4. What Is a Session?
▸ A session is a sequence of network request-response transactions.
▸ It provides identity information for stateless services like HTTP.
14. Hybrid Session Hijacking
▸ The attacker uses both passive and active modes to complete the attack.
▸ This type of session hijacking relies on spoofing.
17. Spoofing Types
▸ Spoofing can be categorized into two types:
▹ Blind Spoofing Attack
▹ Non-Blind Spoofing Attack
18. Blind Spoofing Attack
▸ Problems:
▹ It’s very hard to guess the TCP sequence number.
▹ The attacker might need to wait a long time to succeed with this type of attack.
21. Obtaining Session IDs
▸ Session IDs can be found in places like:
▹ The HTTP GET request that is made when clicking an embedded link on the web page.
▹ An HTTP POST command, typically issued with a form that posts data from the client to the server; the session ID is carried inside the form in a hidden field.
▹ Cookies, which are also used to hold session IDs.
22. Obtaining Session IDs
Misdirected Trust
This way the attacker can steal the session ID as the data is sent back from the server to the host. This sort of attack relies heavily on a vulnerability in the web application.
Sniffing
Unencrypted traffic often carries the session ID inside it, so the attacker can easily get the session ID.
Brute Forcing
Guessing the session ID, or trying different session IDs until the right one is found.
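A defender's view of the brute-forcing case above, as an added example that is not part of the presentation or the paper: detection logic that flags a source presenting many distinct rejected session IDs in a short window. It assumes the web application logs the outcome of each session-cookie lookup; the log format, addresses and IDs are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log sample (not from the paper). The app logs the outcome of
# its session-cookie lookup as the last field, so rejected IDs are visible.
LOG_LINES = """\
203.0.113.7 [2016-03-01T10:00:01] GET /account session=ab12 INVALID_SESSION
203.0.113.7 [2016-03-01T10:00:02] GET /account session=ab13 INVALID_SESSION
203.0.113.7 [2016-03-01T10:00:02] GET /account session=ab14 INVALID_SESSION
203.0.113.7 [2016-03-01T10:00:03] GET /account session=ab15 INVALID_SESSION
203.0.113.7 [2016-03-01T10:00:04] GET /account session=ab16 INVALID_SESSION
198.51.100.4 [2016-03-01T10:00:05] GET /account session=valid01 OK
198.51.100.4 [2016-03-01T10:03:09] GET /account session=stale01 INVALID_SESSION
203.0.113.7 [2016-03-01T10:00:05] GET /account session=ab17 INVALID_SESSION
203.0.113.7 [2016-03-01T10:00:05] GET /account session=ab17 INVALID_SESSION
"""

LINE_RE = re.compile(r"^(\S+) \[(\S+)\] \S+ \S+ session=(\S+) (\S+)$")

def parse(line):
    """Split one log line into (ip, timestamp, session id, lookup result)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, sid, result = m.groups()
    return ip, datetime.fromisoformat(ts), sid, result

def find_session_guessing(lines, window=timedelta(seconds=60), threshold=5):
    """Return {ip: peak count} for sources presenting >= threshold *distinct*
    rejected session IDs inside any `window`; repeats of one stale ID do not count."""
    rejected = defaultdict(list)  # ip -> [(timestamp, sid)]
    for line in lines.splitlines():
        rec = parse(line)
        if rec and rec[3] == "INVALID_SESSION":
            rejected[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, events in rejected.items():
        events.sort()  # log lines may arrive out of order
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {sid for _, sid in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged
```

A single expired cookie being retried (198.51.100.4) stays below the threshold, while the guessing source is reported with the number of distinct IDs it tried.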
24. Tools
Some of the most common tools used for session hijacking are:
▸ NetHunter
▸ T-Sight
▸ Juggernaut
▸ TTY Watcher
▸ Hamster
▸ Ferret
▸ Wireshark
▸ Ethereal
▸ Burp Suite
28. Countermeasures
▸ Network Layer:
▹ Use SSL at all times
▹ Use SSH for remote connections
▹ HTTPS connections only
▸ Application Layer:
▹ Strong session IDs
▹ Encrypt the session IDs
▹ Forced log-out
▹ Time-out
▹ CAPTCHA prevention technique
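The application-layer items above (strong session ID, time-out, forced log-out) together with the HTTPS-only rule, as an added example that is not part of the presentation or the paper: a minimal session store in Python. The timeout values, the `SessionStore` class and the cookie attributes are assumptions chosen for this example.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Policy values are constructed for this example, not taken from the slides.
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before the session times out
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap on a session's age, whatever the activity
ID_BYTES = 32                 # 256 bits from a CSPRNG: the "strong session ID"

@dataclass
class Session:
    user: str
    created: float
    last_seen: float

@dataclass
class SessionStore:
    sessions: Dict[str, Session] = field(default_factory=dict)

    def create(self, user: str, now: Optional[float] = None) -> str:
        """Issue a fresh, unguessable session ID bound to `user`."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(ID_BYTES)  # not a counter, not a hash of the username
        self.sessions[sid] = Session(user, now, now)
        return sid

    def validate(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        """Return the owner of a live session; expire it and return None otherwise."""
        now = time.time() if now is None else now
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_LIFETIME:
            del self.sessions[sid]  # time-out: a sniffed or replayed ID stops working
            return None
        s.last_seen = now
        return s.user

    def force_logout(self, user: str) -> int:
        """Forced log-out: revoke every session of `user`; returns how many were revoked."""
        dead = [sid for sid, s in self.sessions.items() if s.user == user]
        for sid in dead:
            del self.sessions[sid]
        return len(dead)

def session_cookie(sid: str) -> str:
    """Set-Cookie value: Secure = HTTPS only; HttpOnly = unreadable by injected script."""
    return f"SESSIONID={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"
```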
29. Conclusion
▸ In this presentation, we got familiar with:
▹ Session
▹ Session Hijacking
▹ Spoofing
▹ How to simulate
▹ How to prevent
30. References
▸ Kamal, Parves. State of the Art Survey on Session Hijacking. Global Journal of Computer Science and Technology, [S.l.], Mar. 2016. ISSN 0975-4172.
31. Credits
Special thanks to all the people who helped us to prepare this presentation:
▸ Dr. Zeinab Movahedi
▸ Helia Baradaran
A session is an instance of a user's interactions with a web application, but stressing this point here does not help much in understanding the matter. For now, it is better to approach a web session from this angle: "A session is a data structure that the web application uses to hold information temporarily. This temporary information is only meaningful while the user is interacting with the web application, and it describes the user's attributes."
Various security threats lurk around the Internet, and in this age everything is connected to it. Online e-commerce relies heavily on online transactions; for example, banks give users an easy way of managing their accounts online. As sensitive information passes around the Internet, the confidentiality, integrity, and availability of that information become increasingly hard to protect.
One needs to develop a capable defensive mechanism to keep out all the threats to the CIA (Confidentiality, Integrity, and Availability) of the information. Security threats like man-in-the-middle attacks, sniffing, denial-of-service attacks, ARP spoofing, and session hijacking are some of the most common attacks performed daily by numerous attackers around the world on the Internet.
A recent study performed by Stake™ has shown that 31% of E-commerce applications are vulnerable to session hijacking.
In active session hijacking the attacker tries to take over an active session between the user and the server by knocking the valid user off the connection and then connecting to the server while masquerading as the valid user. The attacker knocks the valid user off by pushing the active user out of the connection with a denial-of-service attack. Before forcing the valid user out of the active session, he/she captures the data sent back and forth between the user and the server by placing himself between the two ends of the connection and sniffing the data with a packet-capturing tool like Wireshark.
In passive session hijacking, the attacker captures all the packets between the user and the server, sends valid packets to the user while masquerading as the server, and in the same way sends packets to the server while masquerading as the user. It is also referred to as a session replay attack, where the attacker replays packets captured from the user and sends them to the server. The disadvantage of such an attack is that it only works as long as a valid session is still in progress: if for some reason the server resets the connection or the user logs off from the server, the session is terminated.
In hybrid session hijacking the attacker uses both passive and active mode to complete the attack.
The attacker monitors the traffic pattern between the user and the server and waits for the right session to take over.
Spoofing is the act of disguising a communication from an unknown source as being from a known, trusted source.
TCP three-way handshake
In a blind spoofing attack the attacker attacks the target machine without tampering with the connection. It simply captures all the packets between the client and the server and tries to guess the TCP sequence number so that it can authenticate with the server.
In a non-blind spoofing attack the attacker can actually monitor the traffic between the user and the target server. This makes it easy for the attacker to guess the TCP sequence number of the next packet.
Misdirected trust: HTML injection or a cross-site scripting (XSS) attack is used to misdirect valid traffic to the attacker.