Session Hijacking

Session Hijacking Concepts

• Refers to an attack were an attacker takes over a valid TCP communication session between two computers
• Can be used to perform identity theft and fraud
• Steals a valid session ID and uses it for themselves
• Why Successful
  • No lockout for invalid session ids
  • Weak generation algorithm
  • Insecure handling of IDs
  • Indefinite session
  • Most computers are vulnerable
  • Most countermeasures do not work unless you use encryption
• Process
  • Sniff
  • Monitor
  • Session Desync
  • Session ID prediction
  • Command injection
• Types of session hijacking
  • Active - attack is when an attacker takes over an active session
  • Passive - attack is when an attack hijacks a session but just watches the information sent
• Network level hijacking - is the interception of the packets

• Application level hijacking - is gaining control of a user’s http session by getting a session ID

• Spoofing vs Hijacking
  • Spoofing
    • Attacker pretends to be another user or machine
    • Attacker does not take over an existing session uses stolen creds to start new session
  • Hijacking
    • Taking over an existing session
    • Relies on a legitimate user to start the session and authenticate

Application level session Hijacking

• Token Compromised by
  • Session sniffing
  • Man in the middle attack
  • Cross site scripting
  • Session replay attack
  • CRIME attack
  • Predictable session token
  • Man in the browser attack
  • Cross site request forgery attack
  • Session fixation attack
  • Forbidden attack
• Compromising session ID using sniffing
  • Capture valid session token or ID using sniffer
  • Uses session ID to gain unauthorized access
• Compromising session ID by predicting session token
  • Predict session ID generated by weak algorithm and impersonate a web site user
  • Attack studies the session variables to determine common patterns
  • Can be done manually or by using crypto analytic tools
  • Involves collecting a high number of simultaneous session IDs in order to keep the variables constant
  • Most web servers use custom algorithms or predefined patterns to generate session IDs
  • Attacker is then able to figure out the algorithm to guess the session IDs
• Compromising sessions using Man in the middle
  • Get into the middle of the communication between the user and the server
  • Involves splitting the TCP connection into two connections
    • Client to attacker
    • Attacker to server
  • Attackers can then add fraudulent data into the intercepted communications
  • In the case of http the connection between the client and the server becomes the connection between the client and the attacker
• Compromising IDs using man in the browser
  • Man in the browser attacks use trojans to intercept the connection between the browser and its security libraries
  • Steps to perform a man in the browser attack
    1. Trojan infects the computer software
    2. Trojan saves malicious code to the browser config
    3. Browser is restarted and the malicious code loads as an extension
    4. Extension file registers a handler for every site visited
    5. When a page is loading the extension checks it to a list of target sites
    6. User logs into the site
    7. Registers a button event handler
    8. Extension uses the DOM interface to extract all the info entered into fields on a site
    9. The browser sends the form and modified values to the server
    10. The server can not tell the values were modified
    11. Server performs the transaction and a receipt is generated
    12. The browser then displays the receipt with the original info from the user
    13. The user thinks the original transaction was received
• Compromising ID using client-side attacks
  • XSS enables attackers to inject malicious client-side scripts into webpages
  • Malicious JavaScript can be embedded into a webpage and capture session IDs
  • Trojans change the proxy server to send all sessions to the attacker
• Cross site request forgery attack (CSRF) attack exploits a victim’s active session with a trusted site in order to perform malicious activities
  • Attacker makes site with malicious link or image on website
  • Users gets legitimate session with legitimate website
  • User clicks malicious link and gets the users session ID to gain access to the legitimate website

• Session replay – Attack listens to the conversation between the user and the server and captures the session token the attacker then replays the request to the server with the captured token and gains access to the server

• Session Fixation
  • Allows an attacker to hijack a valid user session
  • Attacker gets a users to authenticate with a know session ID and then Hijacks the session with the known session ID
  • The attack has to provide a legitimate session ID and then get the user to use it
  • Techniques
    • Session token in URL argument
    • Session Token in a hidden form field
    • Session ID in a cookie
• Session hijacking using proxy servers
  • Proxy servers act as an intermediary for the session and due all the interaction for the session for the users
  • Therefor the proxy server has control over the session

Network Level Session Hijacking

• Network level hijacking relies on hijacking the transport and internet protocols used by the web application in the application layer
• Type of attacks
  • Blind hijacking
  • UDP hijacking
  • TCP/IP hijacking
  • RST hijacking
  • Man in the middle packet sniffers
  • IP spoofing of source routed packets
• TCP/IP hijacking - uses spoofed packets to take over the connection between the victim and target
  • Attacker must be on the same network at the victim
• IP Spoofing source routed packets
  • Used to gain access to a computer with the help of a trusted host
  • The attacker spoofs the hosts ip address so that the server managing the session with the host accepts the packet
  • When the session is established the attacker injects forged packets before the host responds to the server
  • The original packets are lost since the attacker has already used the sequence numbers of those packets
  • The packets from the attacker are source routed through the hist with the destination ip specified by the attacker
• RST Hijacking
  • Involves injecting an authentic looking reset packet using spoofed addresses
  • The attacker can reset the session if he uses an accurate acknowledgment number
  • The victim believes the source actually reset the connection
• Blind Hijacking
  • The attacker can send data or commands but since source routing is disabled the attacker has no access to the response
• UDP Hijacking
  • Sends forged replies to the victim before the server does
• MiTM attack using ICMP and Arp Spoofing
  • Packet sniffer used as an interface between the client and the server
  • ARP spoofing involves fooling the host by changing the arp table with fake arp request
  • ICMP spoofing involves sending fake error messages
• Session Hijacking tools
  • Burp Suite
• Countermeasures
  • Uses SSH
  • Implement logout functionality
  • Generate session IDs after user login and only accept session IDs generated by server
  • Encrypt all data
  • Uses strings or long random numbers for session ids
  • Uses different username and password for different accounts
  • Implement a timeout
  • Don’t transport session ids in query string
  • Ensure protective software is working
  • Strong authentication like Kerberos

Table Of Contents