
Session Hijacking


Session hijacking is an interception of the line of communication that lets an attacker either assume the role of the authenticated user or remain connected as an intermediary, as in a man-in-the-middle (MITM) attack. One way an attacker can accomplish this is ARP poisoning; another is to guess or calculate the session cookie of an authenticated user of a web application.
Session hijacking is synonymous with stealing a session: the attacker intercepts and takes over a legitimately established session between a user and a server or service. This applies to access to any authenticated resource, such as a web server, a Telnet session or any other TCP-based connection. Once a session has been hijacked, the attacker can either assume the role of the authenticated user or monitor the traffic and wait for an opportunity to inject or collect specific data to accomplish some goal.
A session is an agreed-upon period of time during which the connection state between the client and the server is verified and authenticated. This means that the server and the client know who each other are and, based on that knowledge, trust each other and allow data to flow between them. The result of a hijacked session can be data theft, commands executed, or transactions committed on behalf of the authenticated user. In hijacking, the attacker takes over an existing active session: the attacker waits for an authorized party to establish a connection to a resource or service, or for the user to complete authentication, and then takes over the session.

The construction of a session ID varies greatly depending on whether the session was created by an application or by the network. In many cases it is some form of alphanumeric sequence that uniquely identifies a specific connection. Capturing, guessing, or calculating a session ID allows the attacker to take over that connection or session. Session IDs are sometimes referred to as session tokens.

Several factors contribute to a successful attack:
• No lockout or rate limiting for invalid session IDs, so guessing can continue indefinitely
• Insecure handling of session IDs (for example, placing them in URLs, Referer headers or logs)
• Weak session ID generation algorithm (IDs derived from time, counters or user data)
• Indefinite session expiration time
• Cleartext transmission (HTTP rather than HTTPS), which allows the ID to be sniffed
• Small or short session IDs, which shrink the space an attacker has to search

Session hijacking is typically broken down into one of the following techniques:

Brute-forcing a session ID
The attacker guesses session IDs, usually with some prior knowledge of the range of IDs in use. The attacker may be aided by HTTP Referer headers, sniffing, cross-site scripting, or malware.

Stealing a session ID
The attacker obtains a valid session ID, typically by sniffing cleartext traffic, but also by other means such as cross-site scripting or malware on the client.

Calculating a session ID
The attacker analyzes one or more existing session IDs, works out the sequence or other mechanism used to create them, and computes a valid ID for another user's session.
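To make the contributing factors and the three techniques concrete, here is an added Python example written for this page (it is not code from the original post): a deliberately weak session scheme whose IDs an attacker can calculate from a username and an approximate login time, next to a hardened scheme that draws IDs from the OS random source, expires sessions, limits invalid lookups per client, and sets the cookie attributes that keep the ID off cleartext links and away from script. The server classes, timeouts and lookup threshold are assumptions chosen for illustration.

```python
import hashlib
import secrets

# --- Weak scheme, constructed for illustration (never use this) ---------------
# The ID is MD5 of the username and the login time in whole seconds. Both
# inputs are observable (sniffing) or guessable, so the real search space is
# a few hundred candidates, however long the 32-hex-digit string looks.
def weak_session_id(username: str, login_time: int) -> str:
    return hashlib.md5(f"{username}:{login_time}".encode()).hexdigest()


class WeakServer:
    """Toy server that issues weak IDs, never expires them and never limits lookups."""
    def __init__(self):
        self.sessions = {}  # session id -> username

    def login(self, username: str, now: int) -> str:
        sid = weak_session_id(username, now)
        self.sessions[sid] = username
        return sid

    def whoami(self, sid: str):
        return self.sessions.get(sid)


def calculate_session_id(server: WeakServer, username: str, approx_time: int, window: int):
    """Attacker side of 'calculating a session ID': knowing the victim's username
    and roughly when they logged in, regenerate every candidate in the window
    and try each against the server. Returns (sid or None, attempts made)."""
    attempts = 0
    for t in range(approx_time - window, approx_time + window + 1):
        attempts += 1
        candidate = weak_session_id(username, t)
        if server.whoami(candidate) == username:
            return candidate, attempts
    return None, attempts


# --- Hardened scheme (assumed parameters) -------------------------------------
SESSION_BYTES = 32            # 256 bits from the OS CSPRNG: not guessable or calculable
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before the session dies
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap regardless of activity
MAX_INVALID_LOOKUPS = 20      # per client address; a crude answer to "no lockout"


class HardenedServer:
    def __init__(self):
        self.sessions = {}         # sid -> {"user", "created", "last_seen"}
        self.invalid_lookups = {}  # client address -> count of unknown IDs presented

    def login(self, username: str, now: float) -> str:
        sid = secrets.token_urlsafe(SESSION_BYTES)
        self.sessions[sid] = {"user": username, "created": now, "last_seen": now}
        return sid

    def whoami(self, sid: str, now: float, client: str):
        if self.invalid_lookups.get(client, 0) >= MAX_INVALID_LOOKUPS:
            return None  # this client has been guessing; refuse even valid IDs
        s = self.sessions.get(sid)
        if s is None:
            self.invalid_lookups[client] = self.invalid_lookups.get(client, 0) + 1
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_LIFETIME:
            del self.sessions[sid]  # expired: no indefinite sessions
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value that keeps the ID off cleartext links (Secure) and away
    from script (HttpOnly), two of the contributing factors listed above."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    weak = WeakServer()
    victim_sid = weak.login("alice", 1_700_000_000)
    found, tries = calculate_session_id(weak, "alice", 1_700_000_030, 60)
    print(f"weak scheme: recovered={found == victim_sid} after {tries} tries")

    hard = HardenedServer()
    sid = hard.login("alice", 0.0)
    print("hardened:", session_cookie_header(sid))
    print("after 20 min idle:", hard.whoami(sid, 20 * 60.0, "203.0.113.7"))
```

The weak scheme is recovered in a few dozen lookups because its entropy is the login time, not the hash length; the hardened scheme makes the same attack a search over 2^256 values, and the lookup limit and expiry bound how long even a stolen ID stays useful.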

The process of session hijacking follows these steps:

Step 1 - Sniffing
The attacker must be able to sniff the traffic on the network path between the user and the server on which the target session exists.

Step 2 - Monitoring
The attacker observes the flow of traffic between the two endpoints with the intent of predicting the sequence numbers of the packets.

Step 3 - Session Desynchronization
The attacker breaks the session between the user and the server, so that the legitimate client and the server no longer agree on where the session stands.

Step 4 - Session ID Prediction
The attacker predicts the session ID (for a TCP session, the sequence number) needed to take over the particular session.

Step 5 - Command Injection
The attacker starts injecting commands into the session, targeting the server and any other valuable resources reachable through it.
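The five steps above describe a TCP-level hijack, and the numbers the attacker has to predict are TCP sequence and acknowledgement numbers. The following added Python example (written for this page, not part of the original post) replays a constructed capture of a short Telnet-style session, tracks what each side will send next (Step 2), derives the segment an attacker spoofing the client would inject (Steps 4 and 5), and shows why the legitimate client is then desynchronized (Step 3): its next segment falls behind what the server expects and is treated as old data. The addresses, ports and sequence numbers are made up.

```python
from dataclasses import dataclass

SEQ_MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


@dataclass
class Segment:
    """One sniffed TCP segment (only the fields the attack needs)."""
    src: str          # "ip:port" of the sender
    dst: str
    seq: int
    ack: int
    flags: str        # subset of "SAPF": SYN, ACK, PSH, FIN
    payload_len: int


def consumed(seg: Segment) -> int:
    """Sequence space a segment occupies: payload bytes, plus one for SYN or FIN."""
    return seg.payload_len + ("S" in seg.flags) + ("F" in seg.flags)


def track_stream(segments, client: str, server: str) -> dict:
    """Step 2 (monitoring): replay the sniffed segments of one connection and
    record, for each endpoint, the next sequence number it will send and the
    last acknowledgement number it sent."""
    state = {ep: {"next_seq": None, "last_ack": None} for ep in (client, server)}
    for seg in segments:
        if seg.src not in state or seg.dst not in state:
            continue  # belongs to some other connection
        state[seg.src]["next_seq"] = (seg.seq + consumed(seg)) % SEQ_MOD
        if "A" in seg.flags:
            state[seg.src]["last_ack"] = seg.ack
    return state


def forge_injection(state: dict, client: str, server: str, payload_len: int) -> dict:
    """Steps 4 and 5 (prediction, injection): the header values an attacker
    spoofing the client must use so the server accepts the injected bytes as
    the next in-order data. Also reports what the server will expect afterwards."""
    seq = state[client]["next_seq"]
    ack = state[server]["next_seq"]
    return {"src": client, "dst": server, "seq": seq, "ack": ack, "flags": "PA",
            "payload_len": payload_len,
            "server_expects_next": (seq + payload_len) % SEQ_MOD}


def classify_segment(expected_seq: int, seg: Segment) -> str:
    """How a receiver expecting expected_seq treats an arriving segment, using
    32-bit modular comparison: in-order, already-covered old data, or future data."""
    diff = (seg.seq - expected_seq) % SEQ_MOD
    if diff == 0:
        return "in-order"
    return "old" if diff > SEQ_MOD // 2 else "future"


def desync_gap(state: dict, client: str, forged: dict) -> int:
    """Step 3 (desynchronization): how many bytes the real client now lags
    behind the server's expectation once the forged segment is accepted."""
    return (forged["server_expects_next"] - state[client]["next_seq"]) % SEQ_MOD


# Constructed sniff of a Telnet-style session: handshake, a 20-byte request,
# a 100-byte reply, and the client's ACK of that reply.
CLIENT, SERVER = "10.0.0.5:40001", "10.0.0.9:23"
CAPTURE = [
    Segment(CLIENT, SERVER, 1000, 0, "S", 0),
    Segment(SERVER, CLIENT, 5000, 1001, "SA", 0),
    Segment(CLIENT, SERVER, 1001, 5001, "A", 0),
    Segment(CLIENT, SERVER, 1001, 5001, "PA", 20),
    Segment(SERVER, CLIENT, 5001, 1021, "PA", 100),
    Segment(CLIENT, SERVER, 1021, 5101, "A", 0),
]

if __name__ == "__main__":
    state = track_stream(CAPTURE, CLIENT, SERVER)
    forged = forge_injection(state, CLIENT, SERVER, payload_len=12)
    print("attacker injects as client:", forged)
    real_next = Segment(CLIENT, SERVER, state[CLIENT]["next_seq"], 5101, "PA", 15)
    print("real client's next segment is now treated as:",
          classify_segment(forged["server_expects_next"], real_next),
          "(lagging by", desync_gap(state, CLIENT, forged), "bytes)")
```

Modern stacks randomize initial sequence numbers (RFC 6528), so on today's networks the prediction step comes from sniffing rather than arithmetic on a guessable counter; the tracking and injection arithmetic after that point is unchanged.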

Session hijacking can take place at two entirely different layers of the Open Systems Interconnection (OSI) model. A session hijack can be carried out at the network level, targeting the TCP or UDP transport protocols, or at the application level, targeting protocols such as HTTP or FTP.
    Certified Security Geek