Pushpinder Singh Joshi, profile picture
Uploaded byPushpinder Singh Joshi
PPTX, PDF2,752 views

Session hijacking

The document discusses the importance of Transport Layer Security (TLS) in protecting web communications from attacks such as session hijacking, where an attacker can impersonate a user by stealing their session ID. It emphasizes that TLS should be enforced across the entire site to ensure security, as reverting to HTTP after authentication exposes vulnerabilities. The conclusion stresses that while a stolen session ID doesn't reveal user credentials, it still allows attackers to access accounts, highlighting the need for constant HTTPS usage.

Embed presentation

Downloaded 111 times
Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Pushpinder Joshi – http://www.Pushpindersinghjoshi.wix.com/pushpi-it-soluti
Introduction Transport Layer Security (TLS), and its predecessor Secure Sockets Layer (SSL) as many will know it, are cryptographic protocols used to offer communication security over the Internet. Hypertext Transfer Protocol Secure (HTTPS) is not actually a protocol in and of itself. It is actually the use of Hypertext Transfer Protocol (HTTP) on top of TLS which affords the standard HTTP communications protocol the protection of TLS. Session Hijacking (a.k.a. Session Sidejacking) is a form of Man In The Middle (MITM) attack in which a malicious attacker has access to the transport layer and can eavesdrop on communications. When communications are not protected they can steal the unique session ID and impersonate the victim on the target site. This grants the attacker access to your account and data.
• To verify the website you are connecting to is the genuine website. • To ensure the privacy of your data during transit. • To ensure the integrity of your data during transit. Why do we use TLS?
Example When first visiting the site you are using HTTP. The sensitive login form is loaded over HTTPS.
Example The login form is loaded over HTTPS to ensure the integrity of the form in transit. This prevents a man in the middle from altering the form. The login form then submits the user credentials over HTTPS to ensure the same man in the middles can’t read the credentials in transit. The TLS certificate also allows us to be confident that the website we are viewing is actually the website it claims to be. The fact that TLS has been utilised is an acknowledgement that a man in the middle could access or modify data during transit.
Example The problem arises when the site reverts back to loading content over HTTP once the user has authenticated. The assumption is that now the sensitive user credentials have been exchanged we no longer need to protect the traffic during transit.
Why does this matter? • Once you have logged in on the secure login page, your session ID lets the server remember you have logged in without having to keep sending your username and password to prove your identity. • Once the website reverts back to HTTP your session ID still has to be sent but is no longer afforded the protection offered by TLS. • HTTP and HTTPS are stateless protocols. This means each time you request some new content from the site (a page, image or any form of media) the server does not know who you are, it does not remember you. • To combat this, when you first visit a site you are issued a unique session ID. With each request you send to the site, your session ID is sent with it. This is how the site identifies you.
Summary TLS (HTTPS) was used to protect your username and password during the logon process to prevent a man in the middle viewing the content of your traffic and stealing your credentials. The session ID is not being afforded the same level of protection but an attacker could use it to impersonate you on the target website. All they need to do is substitute their own session ID with your session ID and the server will believe the attacker is you. Once your session ID has been obtained this is a trivial task. The attacker is then logged in to your account and can do anything that you could do.
Conclusion • Whilst obtaining your session ID does not generally reveal your username or password the attacker can still access your account as if they were logged in as you. • This attack is possible because TLS is not used across the entire site. • We accept an attacker could access our traffic, which is why we need TLS in the first instance. • Sites regularly fail to protect the session ID which can be considered an equivalent to your user credentials on the target website. • Forcing all traffic to the site over HTTPS would completely mitigate a session hijacking attack.
Thanks You can find more info covering this and other forms of attack on my blog: http://www.pushpindersinghjoshi.wix.com/pushpin-it-solution Please feel free to share this information generously but do provide attribution back to my site.

More Related Content

PPTX
Man in the middle
byAhmadThaqifAimanAhma
 
PPTX
Session Hijacking
byn|u - The Open Security Community
 
PPTX
Session Hijacking ppt
byHarsh Kevadia
 
PPT
Module 6 Session Hijacking
byleminhvuong
 
PDF
Session hijacking by rahul tyagi
byamansyal
 
PDF
Module 10 (session hijacking)
byWail Hassan
 
PPTX
Man in The Middle Attack
byDeepak Upadhyay
 
PPTX
Man in the middle attack (mitm)
byHemal Joshi
 
Man in the middle
byAhmadThaqifAimanAhma
 
Session Hijacking
byn|u - The Open Security Community
 
Session Hijacking ppt
byHarsh Kevadia
 
Module 6 Session Hijacking
byleminhvuong
 
Session hijacking by rahul tyagi
byamansyal
 
Module 10 (session hijacking)
byWail Hassan
 
Man in The Middle Attack
byDeepak Upadhyay
 
Man in the middle attack (mitm)
byHemal Joshi
 

What's hot

PPTX
Man in-the-middle attack(http)
byTogis UAB Ltd
 
PPTX
Man in-the-middle attack(http)
byTogis UAB Ltd
 
PPT
Unauthorized access, Men in the Middle (MITM)
byBalvinder Singh
 
PPT
Web spoofing
bykondalarao7
 
PPTX
Web spoofing hacking
byjignesh khunt
 
PPT
Net Sec
bybackdoor
 
PDF
Avoiding Man in the Middle Attack Based on ARP Spoofing in the LAN
byEditor IJCATR
 
PPTX
Threshold cryptography
byMohibullah Saail
 
PPTX
Information and network security 37 hash functions and message authentication
byVaibhav Khanna
 
PDF
Enhancement in network security with security
byeSAT Publishing House
 
PDF
Enhancement in network security with security protocols
byeSAT Journals
 
PDF
Network security & cryptography full notes
bygangadhar9989166446
 
PPT
SSL MITM Attack Over Wireless
bySecurityTube.Net
 
PDF
Mattias eriksson
byHai Nguyen
 
PPTX
Bao cao vpn
bytuaninfo88
 
PPTX
Using OTP prevent Phishing attacks
byriteshsarode1995
 
Man in-the-middle attack(http)
byTogis UAB Ltd
 
Man in-the-middle attack(http)
byTogis UAB Ltd
 
Unauthorized access, Men in the Middle (MITM)
byBalvinder Singh
 
Web spoofing
bykondalarao7
 
Web spoofing hacking
byjignesh khunt
 
Net Sec
bybackdoor
 
Avoiding Man in the Middle Attack Based on ARP Spoofing in the LAN
byEditor IJCATR
 
Threshold cryptography
byMohibullah Saail
 
Information and network security 37 hash functions and message authentication
byVaibhav Khanna
 
Enhancement in network security with security
byeSAT Publishing House
 
Enhancement in network security with security protocols
byeSAT Journals
 
Network security & cryptography full notes
bygangadhar9989166446
 
SSL MITM Attack Over Wireless
bySecurityTube.Net
 
Mattias eriksson
byHai Nguyen
 
Bao cao vpn
bytuaninfo88
 
Using OTP prevent Phishing attacks
byriteshsarode1995
 

Similar to Session hijacking

PPTX
Web security
bytruong nguyen
 
PPTX
HTTPS
byJustin Denton
 
PDF
Ssl attacks
byn|u - The Open Security Community
 
PDF
OWASP London 16 Jan-2017 - Identities Exposed by David Johansson
byDavid Johansson
 
PPTX
Understanding-Web-Communication-HTTP-vs-HTTPS.pptx
bydevilkiller2311
 
PPT
CTO-CybersecurityForum-2010-RonWilliams
bysegughana
 
PPTX
Transport Layer Security.pptx network se
byrehmankhansa9
 
PPTX
Client sidesec 2013 - non js
byTal Be'ery
 
PPTX
Study and Analysis of some Known attacks on Transport Layer Security
byNazmul Hossain Rakib
 
PPTX
HTTPS @Scale
byArvind Mani
 
PPTX
Secure Socket Layer
byInstitut Teknologi Sepuluh Nopember Surabaya
 
PPTX
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
byMonodip Singha Roy
 
PPTX
SECURE SOCKET LAYER ( WEB SECURITY )
byMonodip Singha Roy
 
PDF
Network Security_Module_2.pdf
byDr. Shivashankar
 
PDF
Network Security_Module_2_Dr Shivashankar
byDr. Shivashankar
 
PPTX
Web Security and SSL - Secure Socket Layer
byAkhil Nadh PC
 
PDF
Network Security Unit 4.pdf for BCA BBA.
bySerpent6
 
PPT
Phpnw security-20111009
byPaul Lemon
 
PPTX
Keynote - Closing the TLS Authentication Gap
bySecurityTube.Net
 
PPTX
Web Security
byDipika Bambhaniya
 
Web security
bytruong nguyen
 
HTTPS
byJustin Denton
 
Ssl attacks
byn|u - The Open Security Community
 
OWASP London 16 Jan-2017 - Identities Exposed by David Johansson
byDavid Johansson
 
Understanding-Web-Communication-HTTP-vs-HTTPS.pptx
bydevilkiller2311
 
CTO-CybersecurityForum-2010-RonWilliams
bysegughana
 
Transport Layer Security.pptx network se
byrehmankhansa9
 
Client sidesec 2013 - non js
byTal Be'ery
 
Study and Analysis of some Known attacks on Transport Layer Security
byNazmul Hossain Rakib
 
HTTPS @Scale
byArvind Mani
 
Secure Socket Layer
byInstitut Teknologi Sepuluh Nopember Surabaya
 
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
byMonodip Singha Roy
 
SECURE SOCKET LAYER ( WEB SECURITY )
byMonodip Singha Roy
 
Network Security_Module_2.pdf
byDr. Shivashankar
 
Network Security_Module_2_Dr Shivashankar
byDr. Shivashankar
 
Web Security and SSL - Secure Socket Layer
byAkhil Nadh PC
 
Network Security Unit 4.pdf for BCA BBA.
bySerpent6
 
Phpnw security-20111009
byPaul Lemon
 
Keynote - Closing the TLS Authentication Gap
bySecurityTube.Net
 
Web Security
byDipika Bambhaniya
 

Session hijacking

  • 1.
    Session Hijacking Why websecurity depends on communications security and how TLS everywhere is the only solution. Pushpinder Joshi – http://www.Pushpindersinghjoshi.wix.com/pushpi-it-soluti
  • 2.
    Introduction Transport Layer Security(TLS), and its predecessor Secure Sockets Layer (SSL) as many will know it, are cryptographic protocols used to offer communication security over the Internet. Hypertext Transfer Protocol Secure (HTTPS) is not actually a protocol in and of itself. It is actually the use of Hypertext Transfer Protocol (HTTP) on top of TLS which affords the standard HTTP communications protocol the protection of TLS. Session Hijacking (a.k.a. Session Sidejacking) is a form of Man In The Middle (MITM) attack in which a malicious attacker has access to the transport layer and can eavesdrop on communications. When communications are not protected they can steal the unique session ID and impersonate the victim on the target site. This grants the attacker access to your account and data.
  • 3.
    • To verifythe website you are connecting to is the genuine website. • To ensure the privacy of your data during transit. • To ensure the integrity of your data during transit. Why do we use TLS?
  • 4.
    Example When first visitingthe site you are using HTTP. The sensitive login form is loaded over HTTPS.
  • 5.
    Example The login formis loaded over HTTPS to ensure the integrity of the form in transit. This prevents a man in the middle from altering the form. The login form then submits the user credentials over HTTPS to ensure the same man in the middles can’t read the credentials in transit. The TLS certificate also allows us to be confident that the website we are viewing is actually the website it claims to be. The fact that TLS has been utilised is an acknowledgement that a man in the middle could access or modify data during transit.
  • 6.
    Example The problem ariseswhen the site reverts back to loading content over HTTP once the user has authenticated. The assumption is that now the sensitive user credentials have been exchanged we no longer need to protect the traffic during transit.
  • 7.
    Why does this matter? •Once you have logged in on the secure login page, your session ID lets the server remember you have logged in without having to keep sending your username and password to prove your identity. • Once the website reverts back to HTTP your session ID still has to be sent but is no longer afforded the protection offered by TLS. • HTTP and HTTPS are stateless protocols. This means each time you request some new content from the site (a page, image or any form of media) the server does not know who you are, it does not remember you. • To combat this, when you first visit a site you are issued a unique session ID. With each request you send to the site, your session ID is sent with it. This is how the site identifies you.
  • 8.
    Summary TLS (HTTPS) wasused to protect your username and password during the logon process to prevent a man in the middle viewing the content of your traffic and stealing your credentials. The session ID is not being afforded the same level of protection but an attacker could use it to impersonate you on the target website. All they need to do is substitute their own session ID with your session ID and the server will believe the attacker is you. Once your session ID has been obtained this is a trivial task. The attacker is then logged in to your account and can do anything that you could do.
  • 9.
    Conclusion • Whilst obtainingyour session ID does not generally reveal your username or password the attacker can still access your account as if they were logged in as you. • This attack is possible because TLS is not used across the entire site. • We accept an attacker could access our traffic, which is why we need TLS in the first instance. • Sites regularly fail to protect the session ID which can be considered an equivalent to your user credentials on the target website. • Forcing all traffic to the site over HTTPS would completely mitigate a session hijacking attack.
  • 10.
    Thanks You can findmore info covering this and other forms of attack on my blog: http://www.pushpindersinghjoshi.wix.com/pushpin-it-solution Please feel free to share this information generously but do provide attribution back to my site.