Recommended
More Related Content
What's hot
What's hot (20)
Similar to A survey on Session Hijacking
Similar to A survey on Session Hijacking (20)
Recently uploaded
Recently uploaded (20)
A survey on Session Hijacking
- 2. Mohammad Amin Taheri Email: taheri_m96@comp.iust.ac.ir 2 Seyyed Ali Ayati Email: ayati_a@comp.iust.ac.ir
- 3. Agenda ▸ What Is Session? ▸ Introduction ▸ Session Hijacking Types ▸ Spoofing Types ▸ Obtaining Session IDs ▸ Tools ▸ Simulation ▸ Countermeasures 3
- 4. What Is Session? ▸ A session is a sequence of network request-response transactions. ▸ Provides identity information for stateless services like HTTP. 4
- 6. Agenda ▸ What Is Session? ▸ Introduction ▸ Session Hijacking Types ▸ Spoofing Types ▸ Obtaining Session IDs ▸ Tools ▸ Simulation ▸ Countermeasures 6
- 8. 8
- 9. Introduction 9 E-commerce applications that are vulnerable to session hijacking! 31%
- 10. Agenda ▸ What Is Session? ▸ Introduction ▸ Session Hijacking Types ▸ Spoofing Types ▸ Obtaining Session IDs ▸ Tools ▸ Simulation ▸ Countermeasures 10
- 11. Session Hijacking Types Passive Session Hijacking02 Active Session Hijacking01 Hybrid Session Hijacking03 11
- 14. Hybrid Session Hijacking ▸ The attacker uses both passive and active mode to complete the attack. ▸ This type of session hijacking relies on spoofing. 14
- 15. Agenda ▸ What Is Session? ▸ Introduction ▸ Session Hijacking Types ▸ Spoofing Types ▸ Obtaining Session IDs ▸ Tools ▸ Simulation ▸ Countermeasures 15
- 16. 16
- 17. Spoofing Types ▸ Spoofing can be categorized to two types: ▹ Blind Spoofing Attack ▹ Non-Blind Spoofing Attack 17
- 18. Blind Spoofing Attack ▸ Problems: ▹ It’s very hard to guess the TCP sequence number ▹ The attacker might need to wait a long time to get success with this type of attack. 18
- 19. Non-Blind Spoofing Attack ▸ Problems: ▹ It’s hard to implement in today’s network. 19
- 20. Agenda ▸ What Is Session? ▸ Introduction ▸ Session Hijacking Types ▸ Spoofing Types ▸ Obtaining Session IDs ▸ Tools ▸ Simulation ▸ Countermeasures 20
- 21. Obtaining Session IDs ▸ The session IDs can be found in place like: ▹ In the HTTP GET request that is made when clicking on the embedded link on the web page. ▹ When any HTTP POST command is issued typically with a form that posts data from client to the server. The session ID is hidden inside the form in the hidden field. ▹ Also the cookies are used to hold session IDs. 21
- 22. Obtaining Session IDs Misdirected Trust This way attacker can steal the session ID as the data is sent back from server to the host. This sort of attack relies heavily on the vulnerability of the web application. Sniffing Unencrypted traffic often has session ID inside and attacker can easily get the session ID. Brute Forcing Guessing the session ID’s or by attempting different session ID until it gets the right one. 22
- 23. Agenda ▸ What Is Session? ▸ Introduction ▸ Session Hijacking Types ▸ Spoofing Types ▸ Obtaining Session IDs ▸ Tools ▸ Simulation ▸ Countermeasures 23
- 24. Tools Some of the most common tools used for session hijacking are: ▸ NetHunter ▸ T-Sight ▸ Juggernaut ▸ TTY Watcher ▸ Hamster ▸ Ferret ▸ Wireshark ▸ Ethereal ▸ Burp Suite 24
- 25. Agenda ▸ What Is Session? ▸ Introduction ▸ Session Hijacking Types ▸ Spoofing Types ▸ Obtaining Session IDs ▸ Tools ▸ Simulation ▸ Countermeasures 25
- 26. Simulation 26
- 27. Agenda ▸ What Is Session? ▸ Introduction ▸ Session Hijacking Types ▸ Spoofing Types ▸ Obtaining Session IDs ▸ Tools ▸ Simulation ▸ Countermeasures 27
- 28. Countermeasures ▸ Network Layer: ▹ Use of SSL at all time ▹ Use SSH for Remote Connection ▹ HTTPS Connection Only ▸ Application Layer: ▹ Strong Session ID ▹ Encrypt The Session IDs ▹ Forced Log Out ▹ Time-Out ▹ Captcha Prevention Technique 28
- 29. Conclusion ▸ In this presentaion, we got familiar with: ▹ Session ▹ Session Hijacking ▹ Spoofing ▹ How to simulate ▹ How to prevent 29
- 30. References ▸ Kamal, Parves. State of the Art Survey on Session Hijacking. Global Journal of Computer Science and Technology, [S.l.], Mar. 2016. ISSN 0975-4172. 30
- 31. Credits Special thanks to all the people who helped us to prepare this presentation: ▸ Dr. Zeinab Movahedi ▸ Helia Baradaran 31
- 32. 32 THANKS! Any questions? You can find us at: ▸ ayati_a@comp.iust.ac.ir ▸ taheri_m96@comp.iust.ac.ir
Editor's Notes
- یک session نمونه ای از کنش های متقابل یک یوزر با یک وب اپلیکیشن است اما تاکید بر این موضوع در اینجا نمیتواند کمک زیادی در فهم قضیه نماید. در حال حاضر برای یک web session بهتر است از این باب وارد شویم: " session ساختاری از داده است که وب اپلیکیشن از آن برای نگهداری موقتی اطلاعات استفاده میکند. این اطلاعات موقتی فقط در زمانی که یوزر با وب اپلیکیشن در ارتباط است کارایی دارد و خصوصیات یوزر را بیان میکنند.
- Various security threats lurk around the internet. Especially in this age of the Internet, everything is connected to the Internet. Online E-commerce heavily relies on online transactions for example banks provide users an easy way of managing their accounts online. As the sensitive information passes around the internet the confidentiality, integrity, and availability of such information become increasingly hard to protect.
- One needs to develop a capable defensive mechanism to keep all the threats that pose threats to the CIA (Confidentiality, Integrity, and availability) of the information. Security threats like man-in-the-middle attack, sniffing, Denial-of-service attack, ARP spoofing, session hijacking are some of the most common attacks performed daily by numerous attackers around the world on the Internet.
- A recent study performed by Stake™ has shown that 31% of E-commerce applications are vulnerable to session hijacking.
- zsdf
- In active session hijacking the attacker tries take over active session between the user and the server by either putting off the valid user from the connection and start making connection to the server masquerading as the valid user. The way an attacker puts off the valid user is by putting the active user out of the connection via the denial of service attack. Before making the valid user out of the valid active session he/she captures data that is sent back and forth between the user and the server by putting himself in between the connection between the connections and sniffing the data by packet capturing tool like Wireshark.
- In passive session hijacking, the attacker captures all the packets between the user and the server and it sends out a valid packet to the user masquerading as the server and same way sending a packet to the server masquerading as a user. It’s also referred to as a session replay attack where the attacker replays packets captured from the user and sends them to the server. The disadvantage of such an attack is that the attack is valid until there is a valid session still in continuation. If for some reason the server resets the connection or the user logs off from the server the session will be terminated.
- In hybrid session hijacking the attacker uses both passive and active mode to complete the attack. The attacker monitors the traffic pattern between the user and the server and waits for the right session to take over.
- Spoofing is the act of disguising a communication from an unknown source as being from a known, trusted source. TCP three-way handshake
- In blind spoofing attack the attacker attacks the target machine without tempering with the connection. It simply captures all the packets between the client and the server and it tries to guess the TCP packet sequence number so that it can authenticate with the server.
- In non-blind spoofing attack the attacker can actually monitor the traffic between the user and the target server. This way it’s easy for the attacker to guess the next packet in case it wants to guess the TCP sequence number of the next packet.
- HTML injection or CSS (Cross Site Scripting) attack to misdirect valid traffic to the attacker.