Session hijacking
Encyclopedia
In computer science
, session hijacking is the exploitation of a valid computer session
—sometimes also called a session key—to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie
used to authenticate a user to a remote server. It has particular relevance to web developer
s, as the HTTP cookie
s used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer (see HTTP cookie theft).
A popular method is using source-routed
IP packets. This allows a hacker at point A on the network to participate in a conversation between B and C by encouraging the IP packets to pass through its machine.
If source-routing is turned off, the hacker can use "blind" hijacking, whereby it guesses the responses of the two machines. Thus, the hacker can send a command, but can never see the response. However, a common command would be to set a password allowing access from somewhere else on the net.
A hacker can also be "inline" between B and C using a sniffing program to watch the conversation. This is known as a "man-in-the-middle attack
".
A common component of such an attack is to execute a denial-of-service (DoS) attack against one end-point to stop it from responding. This attack can be either against the machine to force it to crash, or against the network connection to force heavy packet loss.
HTTP protocol versions 0.8 and 0.9 lacked cookies and other features necessary for session hijacking. Version 0.9beta of Mosaic Netscape, released on October 13, 1994, supported cookies.
Early versions of HTTP 1.0 did have some security weaknesses relating to session hijacking, but they were difficult to exploit due to the vagaries of most early HTTP 1.0 servers and browsers. As HTTP 1.0 has been designated as a fallback for HTTP 1.1 since the early 2000s -- and as HTTP 1.0 servers are all essentially HTTP 1.1 servers the session hijacking problem has evolved into a nearly permanent security risk.
The introduction of supercookies and other features with the modernized HTTP 1.1 has allowed for the hijacking problem to become an ongoing security problem. Webserver and browser state machine standardization has contributed to this ongoing security problem.
Session hijacking has been an ongoing problem for web browser developers and security experts for at least 5 years http://www.theinquirer.net/inquirer/news/1811527/fear-baa-firesheep http://catless.ncl.ac.uk/Risks/26.19.html#subj7.
has exploited and made it easy for public wifi users to be attacked by session hijackers. Websites like Facebook
, Twitter
, and any that the user adds to their preferences allow the firesheep user to easily access private information from cookies and threaten the public wifi users personal property.
Computer science
Computer science or computing science is the study of the theoretical foundations of information and computation and of practical techniques for their implementation and application in computer systems...
, session hijacking is the exploitation of a valid computer session
Session (computer science)
In computer science, in particular networking, a session is a semi-permanent interactive information interchange, also known as a dialogue, a conversation or a meeting, between two or more communicating devices, or between a computer and user . A session is set up or established at a certain point...
—sometimes also called a session key—to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie
Magic cookie
A magic cookie or just cookie for short, is a token or short packet of data passed between communicating programs, where the data is typically not meaningful to the recipient program. The contents are opaque and not usually interpreted until the recipient passes the cookie data back to the sender...
used to authenticate a user to a remote server. It has particular relevance to web developer
Web developer
A web developer is a software developer or software engineer who specializes in, or is specifically engaged in, the development of World Wide Web applications, or distributed network applications that are run over HTTP from a web server to a web browser....
s, as the HTTP cookie
HTTP cookie
A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is used for an origin website to send state information to a user's browser and for the browser to return the state information to the origin site...
s used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer (see HTTP cookie theft).
A popular method is using source-routed
Source routing
In computer networking, source routing allows a sender of a packet to partially or completely specify the route the packet takes through the network...
IP packets. This allows a hacker at point A on the network to participate in a conversation between B and C by encouraging the IP packets to pass through its machine.
If source-routing is turned off, the hacker can use "blind" hijacking, whereby it guesses the responses of the two machines. Thus, the hacker can send a command, but can never see the response. However, a common command would be to set a password allowing access from somewhere else on the net.
A hacker can also be "inline" between B and C using a sniffing program to watch the conversation. This is known as a "man-in-the-middle attack
Man-in-the-middle attack
In cryptography, the man-in-the-middle attack , bucket-brigade attack, or sometimes Janus attack, is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other...
".
A common component of such an attack is to execute a denial-of-service (DoS) attack against one end-point to stop it from responding. This attack can be either against the machine to force it to crash, or against the network connection to force heavy packet loss.
History
Session hijacking was not possible with early versions of HTTP.HTTP protocol versions 0.8 and 0.9 lacked cookies and other features necessary for session hijacking. Version 0.9beta of Mosaic Netscape, released on October 13, 1994, supported cookies.
Early versions of HTTP 1.0 did have some security weaknesses relating to session hijacking, but they were difficult to exploit due to the vagaries of most early HTTP 1.0 servers and browsers. As HTTP 1.0 has been designated as a fallback for HTTP 1.1 since the early 2000s -- and as HTTP 1.0 servers are all essentially HTTP 1.1 servers the session hijacking problem has evolved into a nearly permanent security risk.
The introduction of supercookies and other features with the modernized HTTP 1.1 has allowed for the hijacking problem to become an ongoing security problem. Webserver and browser state machine standardization has contributed to this ongoing security problem.
Session hijacking has been an ongoing problem for web browser developers and security experts for at least 5 years http://www.theinquirer.net/inquirer/news/1811527/fear-baa-firesheep http://catless.ncl.ac.uk/Risks/26.19.html#subj7.
Methods
There are four main methods used to perpetrate a session hijack. These are:- Session fixationSession fixationIn computer network security, session fixation attacks attempt to exploit the vulnerability of a system which allows one person to fixate another person's session identifier...
, where the attacker sets a user's session id to one known to him, for example by sending the user an email with a link that contains a particular session id. The attacker now only has to wait until the user logs in. - Session sidejacking, where the attacker uses packet sniffing to read network traffic between two parties to steal the session cookieHTTP cookieA cookie, also known as an HTTP cookie, web cookie, or browser cookie, is used for an origin website to send state information to a user's browser and for the browser to return the state information to the origin site...
. Many web sites use SSL encryption for loginLogging (computer security)In computer security, a login or logon is the process by which individual access to a computer system is controlled by identifying and authentifying the user referring to credentials presented by the user.A user can log in to a system to obtain access and can then log out or log off In computer...
pages to prevent attackers from seeing the password, but do not use encryption for the rest of the site once authenticated. This allows attackers that can read the network traffic to intercept all the data that is submitted to the serverWeb serverWeb server can refer to either the hardware or the software that helps to deliver content that can be accessed through the Internet....
or web pages viewed by the client. Since this data includes the session cookieHTTP cookieA cookie, also known as an HTTP cookie, web cookie, or browser cookie, is used for an origin website to send state information to a user's browser and for the browser to return the state information to the origin site...
, it allows him to impersonate the victim, even if the password itself is not compromised. Unsecured Wi-FiWi-FiWi-Fi or Wifi, is a mechanism for wirelessly connecting electronic devices. A device enabled with Wi-Fi, such as a personal computer, video game console, smartphone, or digital audio player, can connect to the Internet via a wireless network access point. An access point has a range of about 20...
hotspotsHotspot (Wi-Fi)A hotspot is a site that offers Internet access over a wireless local area network through the use of a router connected to a link to an Internet service provider...
are particularly vulnerable, as anyone sharing the network will generally be able to read most of the web traffic between other nodes and the access pointWireless access pointIn computer networking, a wireless access point is a device that allows wireless devices to connect to a wired network using Wi-Fi, Bluetooth or related standards...
. - Alternatively, an attacker with physical access can simply attempt to steal the session keySession keyA session key is a single-use symmetric key used for encrypting all messages in one communication session. A closely related term is traffic encryption key or TEK, which refers to any key used to encrypt messages, as opposed to other uses, like encrypting other keys .Session keys can introduce...
by, for example, obtaining the file or memory contents of the appropriate part of either the user's computer or the server. - Cross-site scriptingCross-site scriptingCross-site scripting is a type of computer security vulnerability typically found in Web applications that enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same...
, where the attacker tricks the user's computer into running code which is treated as trustworthy because it appears to belong to the server, allowing the attacker to obtain a copy of the cookie or perform other operations.
Prevention
Methods to prevent session hijacking include:- An open source solution is ArpONArpONArpON is a computer software project to improve network security.-Motivation:The Address Resolution Protocol has security issues. These include the Man In The Middle attack through ARP Spoofing, ARP Cache Poisoning or ARP Poison Routing attacks...
"ARP handler inspection". It is a portable handler daemon that make ARP protocol secure in order to avoid the Man In The Middle (MITM) attack through ARP Spoofing, ARP Cache Poisoning, ARP Poison Routing (APR) attacks. It blocks also the derived attacks by it, which Sniffing, Hijacking, Injection, Filtering & co attacks for more complex derived attacks, as: DNS Spoofing, WEB Spoofing, Session Hijacking and SSL/TLS Hijacking & co attacks. - EncryptionEncryptionIn cryptography, encryption is the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information...
of the data traffic passed between the parties; in particular the session key, though ideally all traffic for the entire session by using SSL/TLSTransport Layer SecurityTransport Layer Security and its predecessor, Secure Sockets Layer , are cryptographic protocols that provide communication security over the Internet...
. This technique is widely relied-upon by web-based banks and other e-commerce services, because it completely prevents sniffing-style attacks. However, it could still be possible to perform some other kind of session hijack. - Use of a long random number or string as the session keySession keyA session key is a single-use symmetric key used for encrypting all messages in one communication session. A closely related term is traffic encryption key or TEK, which refers to any key used to encrypt messages, as opposed to other uses, like encrypting other keys .Session keys can introduce...
. This reduces the risk that an attacker could simply guess a valid session key through trial and error or brute force attacks. - Regenerating the session id after a successful login. This prevents session fixationSession fixationIn computer network security, session fixation attacks attempt to exploit the vulnerability of a system which allows one person to fixate another person's session identifier...
because the attacker does not know the session id of the user after he has logged in. - Some services make secondary checks against the identity of the user. For example, a web server could check with each request made that the IP address of the user matched the one last used during that session. This does not prevent attacks by somebody who shares the same IP address, however, and could be frustrating for users whose IP address is liable to change during a browsing session.
- Alternatively, some services will change the value of the cookie with each and every request. This dramatically reduces the window in which an attacker can operate and makes it easy to identify whether an attack has taken place, but can cause other technical problems (for example, preventing the back button from working properly, on the web).
- Users may also wish to log out of websites whenever they are finished using them. However this will not protect against attacks such as FiresheepFiresheepFiresheep is an extension developed by Eric Butler for the Firefox web browser. The extension uses a packet sniffer to intercept unencrypted cookies from certain websites as the cookies are transmitted over networks, exploiting session hijacking vulnerabilities...
.
Firesheep
Recently a firefox extension called FiresheepFiresheep
Firesheep is an extension developed by Eric Butler for the Firefox web browser. The extension uses a packet sniffer to intercept unencrypted cookies from certain websites as the cookies are transmitted over networks, exploiting session hijacking vulnerabilities...
has exploited and made it easy for public wifi users to be attacked by session hijackers. Websites like Facebook
Facebook
Facebook is a social networking service and website launched in February 2004, operated and privately owned by Facebook, Inc. , Facebook has more than 800 million active users. Users must register before using the site, after which they may create a personal profile, add other users as...
Twitter
Twitter is an online social networking and microblogging service that enables its users to send and read text-based posts of up to 140 characters, informally known as "tweets".Twitter was created in March 2006 by Jack Dorsey and launched that July...
, and any that the user adds to their preferences allow the firesheep user to easily access private information from cookies and threaten the public wifi users personal property.
See also
- ArpONArpONArpON is a computer software project to improve network security.-Motivation:The Address Resolution Protocol has security issues. These include the Man In The Middle attack through ARP Spoofing, ARP Cache Poisoning or ARP Poison Routing attacks...
- HTTP cookieHTTP cookieA cookie, also known as an HTTP cookie, web cookie, or browser cookie, is used for an origin website to send state information to a user's browser and for the browser to return the state information to the origin site...
- Cross-site request forgeryCross-site request forgeryCross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts...
- TCP sequence prediction attackTCP Sequence Prediction AttackA TCP sequence prediction attack is an attempt to predict the sequence number used to identify the packets in a TCP connection, which can be used to counterfeit packets.The attacker hopes to correctly guess the sequence number to be used by the sending host...