Session Hijacking
Last updated
Last updated
⚡︎ This chapter has practical labs
The Session Hijacking attack consists of the exploitation of the web session control mechanism, which is normally managed for a session token. [+]
HTTP communication uses many different TCP connections, the web server needs a method to recognize every user’s connections.
The most useful method depends on a token that the Web Server sends to the client browser after a successful client authentication.
A session token is normally composed of a string of variable width and it could be used in different ways
like in the URL, in the header of the HTTP requisition as a cookie, in other parts of the header of the HTTP request, or yet in the body of the HTTP requisition.
The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server.
Session Hijacking using XSS
The session ID information for a certain application is normally composed by a string of fixed width. Randomness is very important to avoid its prediction.
Example: Session ID value is “user01”, which corresponds to the username. By trying new values for it, like “user02”, it could be possible to get inside the application without prior authentication.
Sniffing can be used to hijack a session when there is non-encrypted communication between the web server and the user, and the session ID is being sent in plain text.
Wireshark and Kismet can be used to capture sensitive data packets such as the session ID from the network.
A server can be vulnerable to a cross-site scripting exploit, which enables an attacker to execute malicious code from the user’s side, gathering session information. An attacker can target a victim’s browser and send a scripted JavaScript link, which upon opening by the user, runs the malicious code in the browser hijacking sessions.
Forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing;
CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
CSRF Scenario:
Visit your bank's site, log in.
Then visit the attacker's site (e.g. sponsored ad from an untrusted organization).
Attacker's page includes form with same fields as the bank's "Transfer Funds" form.
Form fields are pre-filled to transfer money from your account to attacker's account.
Attacker's page includes Javascript that submits form to your bank.
When form gets submitted, browser includes your cookies for the bank site, including the session token.
Bank transfers money to attacker's account.
The form can be in an iframe that is invisible, so you never know the attack occurred.
Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack explores a limitation in the way the web application manages the session ID, more specifically the vulnerable web application.
Session fixation Scenario:
The attacker accesses the web application login page and receives a session ID generated by the web application.
The attacker uses an additional technique such as CRLF Injection, man-in-the-middle attack, social engineering, etc., and gets the victim to use the provided session identifier.
The victim accesses the web application login page and logs in to the application. After authenticating, the web application treats anyone who uses this session ID as if they were this user.
The attacker uses the session ID to access the web application, take over the user session, and impersonate the victim.
The Man-in-the-Browser attack is the same approach as Man-in-the-middle attack, but in this case a Trojan Horse is used to intercept and manipulate calls between the main application’s executable.
MITM attack is a general term for when a perpetrator positions himself in a conversation between a user and an application—either to eavesdrop or to impersonate one of the parties, making it appear as if a normal exchange of information is underway.
Compression Ratio Info-leak Made Easy (CRIME):
Is a security exploit against secret web cookies over connections using the HTTPS and SPDY protocols that also use data compression. When used to recover the content of secret authentication cookies, it allows an attacker to perform session hijacking.
BREACH:
Is a security exploit against HTTPS when using HTTP compression (SSL/TLS compression). BREACH is built based on the CRIME security exploit.
⚠️ SPDY protocol manipulates HTTP traffic, with particular goals of reducing web page load latency and improving web security.
Forbideen Attack Vulnerability in TLS that incorrectly reuse the same cryptographic nonce when data is encrypted. TLS specifications are clear that these arbitrary pieces of data should be used only once. When the same one is used more than once, it provides an opportunity to carry out the forbidden attack.
TCP Hijacking: TCP/IP Hijacking is when an authorized user gains access to a genuine network connection of another user. It is done in order to bypass the password authentication which is normally the start of a session.
e.g: TELNET Hijacking using Ettercap, Shijack, making a blind hijacking.
Ettercap - MiTM tool and packet sniffer on steroids
Hunt - sniff, hijack and reset connections
T-Sight - easily hijack sessions and monitor network connections
Zaproxy
Burp Suite
Paros
Shijack - TCP/IP hijack tools
Juggernaut
Hamster
Ferret
Session IDS
Using unpredictable (randomized) Session IDs
Never use URL's with Sessions IDs
Don't Re-use Session IDs
Use HTTP-Only on Cookies preventing XSS (Cross-Site Scripting)
Don't use HTTP protocol without encryption --> Use TLS/SSL [HTTPS]
Limiting incoming connections
Minimizing remote access
Regenerating the session key after authentication
Time - absolute / inactive (e.g: 1h of inactivity the user will automatically log off)
Use MFA
Use IPSec to encrypt
Transport Mode - payload and ESP trailer are encrypted; IP header is not
Tunnel mode - everything is encrypted; cannot be used with NAT
Architecture Protocols
Authentication Header - guarantees the integrity and authentication of IP packet sender
Encapsulating Security Payload (ESP) - provides origin authenticity and integrity as well as confidentiality
Internet Key Exchange (IKE) - produces the keys for the encryption process
Oakley - uses Diffie-Hellman to create master and session keys
Internet Security Association Key Management Protocol (ISAKMP) - software that facilitates encrypted communication between two endpoints