Session hijacking

Session hijacking

The term session hijacking refers to the exploitation of a valid computer session - sometimes also called a "session key" - to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer (see HTTP cookie theft).

Analysis

Many web sites allow users to create and manage their own accounts, logging in using a username and password (which may or may not be encrypted during transit) or other authentication method. In order that the user does not have to re-enter their username and password on every page to maintain their session, many web sites use session cookies: a token of information issued by the server and returned by the user's web browser to confirm its identity.

If an attacker is able to steal this cookie, they can make requests themselves as if they were the genuine user, gaining access to privileged information or changing data. If this cookie is a persistent cookie, then the impersonation can continue for a considerable period of time. Of course, session hijacking is not limited to the web; any protocol in which state is maintained using a key passed between two parties is vulnerable, especially if it's not encrypted.

Use of a SecurID card, or other token based secondary authentication is useless as protection against hijacking, as the attacker can simply wait until after the user authenticates, then hijack the session. [Dave Dittrich, [http://staff.washington.edu/dittrich/talks/qsm-sec/script.html "Anatomy of a Hijack"] , University of Washington.]

Methods

There are four main methods used to perpetrate a session hijack. These are:

* Session fixation, where the attacker sets a user's session id to one known to him, for example by sending the user an email with a link that contains a particular session id. The attacker now only has to wait until the user logs in.
* Session sidejacking, where the attacker uses packet sniffing to read network traffic between two parties to steal the session cookie. Many web sites use SSL encryption for login pages to prevent attackers from seeing the password, but do not use encryption for the rest of the site once authenticated. This allows attackers that can read the network traffic to intercept all the data that is submitted to the server or web pages viewed by the client. Since this data includes the session cookie, it allows him to impersonate the victim, even if the password itself is not compromised. [cite web|url=http://news.bbc.co.uk/2/hi/technology/6929258.stm|publisher=BBC News|date=August 3, 2007|title=Warning of webmail wi-fi hijack] Unsecured Wi-Fi hotspots are particularly vulnerable, as anyone sharing the network will generally be able to read most of the web traffic between other nodes and the access point.
* Alternatively, an attacker with physical access can simply attempt to steal the session key by, for example, obtaining the file or memory contents of the appropriate part of either the user's computer or the server.
* Cross-site scripting, where the attacker tricks the user's computer into running code which is treated as trustworthy because it appears to belong to the server, allowing the attacker to obtain a copy of the cookie or perform other operations.

Prevention

Methods to prevent session hijacking include:

* Use of a long random number or string as the session key. This reduces the risk that an attacker could simply guess a valid session key through trial and error or brute force attacks.
* Regenerating the session id after a successful login. This prevents session fixation because the attacker does not know the session id of the user after he has logged in.
* Encryption of the data passed between the parties; in particular the session key. This technique is widely relied-upon by web-based banks and other e-commerce services, because it completely prevents sniffing-style attacks. However, it could still be possible to perform some other kind of session hijack.
* Some services make secondary checks against the identity of the user. For example, a web server could check with each request made that the IP address of the user matched the one last used during that session. This does not prevent attacks by somebody who shares the same IP address, however, and could be frustrating for users whose IP address is liable to change during a browsing session.
* Alternatively, some services will change the value of the cookie with each and every request. This dramatically reduces the window in which an attacker can operate and makes it easy to identify whether an attack has taken place, but can cause other technical problems (for example, preventing the back button from working properly, on the web).

ee also

*HTTP Cookie
*Cross-site request forgery

References


Wikimedia Foundation. 2010.

Игры ⚽ Нужно сделать НИР?

Look at other dictionaries:

  • Session-Hijacking — (auf deutsch etwa: „Entführung einer Kommunikationssitzung“) ist ein Angriff auf eine verbindungsbehaftete Datenkommunikation zwischen zwei Computern. Während die Teilnehmer einer verbindungslosen Kommunikation Nachrichten ohne definierten Bezug… …   Deutsch Wikipedia

  • Session Hijacking — (auf deutsch etwa: „Entführung einer Kommunikationssitzung“) ist ein Angriff auf eine verbindungsbehaftete Datenkommunikation zwischen zwei Computern. Während die Teilnehmer einer verbindungslosen Kommunikation Nachrichten ohne definierten Bezug… …   Deutsch Wikipedia

  • Session Fixation — (auf deutsch etwa: „Festlegung einer Kommunikationssitzung“) ist ein Angriff auf eine verbindungsbehaftete Datenkommunikation zwischen zwei Computern. Inhaltsverzeichnis 1 Modus Operandi 2 Techniken des Unterschiebens 2.1 URL Manipulationen …   Deutsch Wikipedia

  • Hijacking — means to take over by force .Hijacking may refer to:In property: * Aircraft hijacking or skyjacking * Carjacking * Credit card hijackingIn internet technology: * DNS hijacking * Domain hijacking * IP hijacking * Page hijacking * Reverse domain… …   Wikipedia

  • Hijacking — (engl. für Entführung, Diebstahl, gewaltsame Übernahme) bezeichnet im Sprachgebrauch des Internets im Allgemeinen den Versuch einer Übernahme einer Internetdomäne bzw. der Inhalte einer Domäne oder eines Benutzerkontos (z. B. Mail, Ebay, Amazon,… …   Deutsch Wikipedia

  • Hijacking — significa secuestro en inglés y en el ámbito informático hace referencia a toda técnica ilegal que lleve consigo el adueñarse o robar algo (generalmente información) por parte de un atacante. Es por tanto un concepto muy abierto y que puede… …   Wikipedia Español

  • Hijacking — Le hijacking est un mot de la langue anglaise apparu au XXe siècle pour désigner une action de détournement (détournement d avion). Le terme s est ensuite étendu au domaine informatique et s applique à toute une série de prises de possession… …   Wikipédia en Français

  • Session ID — Eine Session ID (engl.: session identifier, dt.: Sitzungs ID) wird bei Anwendungen auf zustandslosen Protokollen als Identifikationsmerkmal verwendet, um mehrere zusammengehörige Anfragen eines Benutzers zu erkennen und einer Sitzung zuzuordnen.… …   Deutsch Wikipedia

  • Session-ID — Eine Session ID (engl.: session identifier, dt.: Sitzungs ID) wird bei Anwendungen auf zustandslosen Protokollen als Identifikationsmerkmal verwendet, um mehrere zusammengehörige Anfragen eines Benutzers zu erkennen und einer Sitzung zuzuordnen.… …   Deutsch Wikipedia

  • hijacking —    An attack on a computer system in which an established TCP/IP session is redirected in mid session to an unauthorized host system.    See also spoofing …   Dictionary of networking

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”