11. Session Hijacking


Prevent Session Hijacking for Web Users

1. Do not click on links that are received through mails or IMs.
2. Use firewalls to prevent malicious content from entering the network.
3. Use firewall and browser settings to restrict cookies.
4. Make sure that the website is certified by the certifying authorities.
5. Make sure you clear history, offline content, and cookies from your browser after confidential and sensitive transactions.
6. Prefer HTTPS, a secure transmission, rather than HTTP when transmitting sensitive and confidential data.
7. Log out from the browser by clicking on the logout button instead of closing the browser.

Session Hijacking Pen Testing

1. Locate a session
2. Sniff session traffic between two machines
3. Crack session ID encryption
4. Send phishing email for session fixation
5. Make a normal connection with one machine
6. Collect several session IDs
7. Predict a new session ID
8. Replay new session ID
9. Brute force session IDs
10. Document all the findings

Protecting against Session Hijacking

1. Use SSH to create a secure communication channel.
2. Implement the log out functionality for the user to end the session.
3. Generate the session ID after successful login and accept session IDs generated by the server only.
4. Ensure data in transit is encrypted and implement a defense-in-depth mechanism.
5. Use a string or long random number as a session key.
6. Use different user names and passwords for different accounts.
7. Implement a timeout to destroy the session when expired.
8. Do not transport the session ID in the query string.
9. Ensure client-side and server-side protection software are in an active state and up to date.
10. Use strong authentication or peer-to-peer VPN.
11. Configure the appropriate internal and external spoof rules on gateways.
12. Use IDS products or ARPwatch for monitoring ARP cache poisoning.
13. Use HTTP Public Key Pinning to allow users to authenticate web servers.
14. Enable browsers to verify website authenticity using network notary servers.

UDP Hijacking

A network-level session hijacking attack in which the attacker sends a forged server reply to a victim's UDP request before the intended server replies to it. The attacker uses a man-in-the-middle attack to intercept the server's response to the client and sends its own forged reply.

IPSec

A protocol suite developed by the IETF for securing IP communications by authenticating and encrypting each IP packet of a communication session. It is deployed widely to implement virtual private networks and for remote user access through dial-up connection to private networks.

Session Hijacking Using Forbidden Attack

A type of man-in-the-middle attack used to hijack HTTPS sessions. It exploits the reuse of a cryptographic nonce during the TLS handshake. After hijacking the HTTPS session, the attacker injects malicious code and forged content that prompts the victim to disclose sensitive info like bank account numbers, passwords, and social security numbers.

HTTP Strict Transport Security HSTS

A web security policy that protects HTTPS websites against MITM attacks. It allows a web server to force web browsers to interact with it using the secure HTTPS protocol.

IPSec Tunnel Mode

With AH (Authentication Header), IPSec encrypts both the payload and the header. There is more security in tunnel mode. It is used to create VPNs over the Internet for network-to-network communication, host-to-network communication and host-to-host communication.

Types of Session Hijacking

Active - an attacker finds an active session and takes over.
Passive - an attacker hijacks a session but sits back and watches and records all the traffic in that session.

Application Level Hijacking

Application level hijacking is about gaining control over the HTTP user session by obtaining the session IDs. The attacker gets control of an existing session and can create new unauthorized sessions by using stolen data.

Compromising Session IDs using Session Fixation

An attack that allows an attacker to hijack a valid user session. The attacker tries to lure a user to authenticate himself with a known session ID and then hijacks the user-validated session by knowledge of the used session ID.

Compromising Session IDs by predicting session token

An attacker can predict session IDs generated by weak algorithms and impersonate a web site user. Attackers perform analysis of the variable sections of session IDs to determine a pattern. The analysis is performed manually or by using various cryptanalytic tools. The attacker collects a high number of simultaneous session IDs in order to gather samples at the same time and keep the variable constant.

Session Hijacking using Proxy Server

The attacker lures the victim to click on a bogus link which looks legitimate but redirects the user to the attacker's server. The attacker forwards the request to the legitimate server on behalf of the victim and serves as a proxy for the entire transaction. The attacker then captures the session info during the interaction between the legitimate server and the user.

Compromising Session IDs using man in the middle attack

Attackers use different techniques to split the TCP connection into two connections. After successfully intercepting the TCP connection, the attacker can read, modify, and insert fraudulent data into the intercepted communication.

Compromising Session IDs using Sniffing

The attacker uses a sniffer to capture a valid session token or session ID. The attacker then uses the valid session token to gain unauthorized access to the web server.

IPSec Architecture

Authentication Header
Encapsulating Security Payload
IPSec Domain of Interpretation (DOI)
ISAKMP (Internet Security Association and Key Management Protocol)
Policy

IPSec Authentication

Authentication Header provides data authentication of the sender. Encapsulating Security Payload provides both data authentication and encryption of the sender's data.

Session Hijacking Tools

Burp Suite - allows the attacker to inspect and modify traffic between the browser and the target application
OWASP ZAP
BetterCAP
netool toolkit

Session Hijacking Using CRIME attack

CRIME (Compression Ratio Info-leak Made Easy) is a client-side attack which exploits the vulnerabilities present in the data compression feature of protocols such as SSL/TLS, SPDY and HTTPS. Attackers hijack the session by decrypting secret session cookies.

Compromising Session IDs Cross-site request Forgery

A CSRF attack exploits a victim's active session with a trusted site in order to perform malicious activities.

Network Level Hijacking

Can be defined as the interception of packets during transmission between the client and the server in TCP and UDP sessions.

Compromising Session IDs using Client-side Attacks

Cross-site scripting - enables attackers to inject malicious client-side scripts into web pages viewed by other users.

Session Hijacking Prevention Tools

CxSAST - unique source code analysis solution that provides tools for identifying, tracking, and repairing technical and logical flaws in the source code.
Fiddler - used for security testing of web applications, such as decrypting HTTPS traffic and manipulating requests using a man-in-the-middle decryption technique.

Session Hijacking Tools for Mobile

DroidSheep - http://droidsheep.org
DroidSniff - https://github.com
FaceNiff - http://facebiff.ponury.net

IPSec Transport Mode

With ESP (Encapsulating Security Payload), IPSec encrypts only the payload of the IP packet, leaving the header untouched. It authenticates two connected computers and provides the option of encrypting data transfer.

IPSec components

IPsec Driver
Internet Key Exchange (IKE)
Internet Security Association Key Management Protocol
Oakley
IPSec Policy Agent

RST Hijacking

Involves injecting an authentic-looking reset (RST) packet using a spoofed source address and predicting the acknowledgement number. The hacker can reset the victim's connection if it uses an accurate acknowledgement number. RST hijacking can be carried out using a packet crafting tool such as Colasoft Packet Builder and the TCP/IP analysis tool tcpdump.

Session Hijacking Detection Tools

LogRhythm
Wireshark

Compromising Session IDs using man in the Browser attack

A man-in-the-browser attack uses a Trojan horse to intercept the calls between the browser and its security mechanisms or libraries. It works with an already installed Trojan horse and acts between the browser and its security mechanisms. Its main objective is to cause financial deception by manipulating transactions of Internet banking systems.

Session Hijacking Detection Methods

Manual Method
  - Normal Telnet Session
  - Forcing an ARP Entry
Automatic Method

Benefits of IPSec

Network level peer authentication
Data origin authentication
Data integrity
Data confidentiality
Replay protection

Session Hijacking

Refers to an attack where an attacker takes over a valid TCP communication session between two computers. Attackers can sniff all the traffic from the established TCP sessions and perform identity theft, information theft, and fraud. The attacker steals a valid session ID and uses it to authenticate himself with the server.

Network Level Session Hijacking

Relies on hijacking the transport and internet protocols used by web applications in the application layer. The attacker gathers some critical info which is used to attack the application level sessions.

Session Fixation Phases

Session set-up phase - the attacker obtains a legitimate session ID by establishing a connection with the target web server.
Fixation phase - the attacker introduces the session ID to the victim's browser.
Entrance phase - the attacker waits for the victim to log in to the target web server using the trap session ID and then enters the victim's session.

A session token can be compromised by:

Session sniffing
Man-in-the-middle attack
Cross-site scripting attack
Session replay attack
CRIME attack
Predictable session token
Cross-site request forgery attack
Session fixation attack
Forbidden attack

Session Hijacking Process

Sniff - place yourself between the victim and the target
Monitor - monitor the flow of packets and predict the sequence number
Session Desynchronization - break the connection to the victim's machine
Session ID prediction - take over the session
Command injection - start injecting packets to the target server

Blind Hijacking

The attacker can inject malicious data or commands into the intercepted communications in the TCP session even if source routing is disabled. The attacker can send the data or commands but has no access to see the response.

Compromising Session IDs using Session Replay Attack

The attacker listens to the conversation between the user and the server and captures the authentication token of the user. Once the authentication token is captured, the attacker replays the request to the server with the captured authentication token and gains unauthorized access to the server.

MiTM attack using forged ICMP and ARP spoofing

The packet sniffer is used as an interface between the client and the server.
ICMP - an extension of IP used to send error messages, where the attacker can send messages to fool the client and the server.
ARP Spoofing - ARP is used to map network layer addresses (IP addresses) to link layer addresses (MAC addresses).

HTTP Public Key Pinning HPKP

A Trust On First Use (TOFU) technique used in an HTTP header. HPKP allows a web client to associate a specific public key certificate with a particular server to minimize the risk of MITM attacks.

TCP/IP Hijacking

Uses spoofed packets to take over a connection between a victim and a target machine. The victim's connection hangs, and the attacker is then able to communicate with the host machine as if the attacker is the victim. To launch a TCP/IP hijacking attack, the attacker must be on the same network as the victim. The target and the victim machines can be located anywhere.

Why Session Hijacking Is Successful

Weak session-ID generation algorithm or small session IDs
Indefinite session timeout
Most countermeasures do not work without encryption
Insecure handling of session IDs
Computers using TCP/IP are vulnerable
No account lockout for invalid session IDs

Token Binding

When a user logs on to a web application, it generates a cookie with a session identifier, called a token. Token binding protects client-server communication against session hijacking attacks.
