Note - Hijacking
Many web-based applications use session management: sessions are stored on the server and associated with their respective users by "session IDs". This makes session IDs an attractive target for attackers, who try to hijack users' IDs.
Servers employ techniques to protect session IDs from three attacks:
1. Interception
2. Prediction
3. Brute force attack
There is also another attack called "session fixation", in which the attacker fixes the user's session ID before the user logs in.
Three widely used methods for maintaining sessions in a web environment:
1. URL arguments
2. Hidden form fields
3. Cookies
Cookies are the most convenient and also the least insecure of the three.
The session ID is the most appealing target for attackers. In many cases, the attacker manages to obtain a valid session ID and enter the session directly without the user's suspicion. Session IDs are stored in the browser; when the attacker gains access to the user's session by obtaining his session ID, this is called "Session Hijacking".
Attack Process
Session fixation is a three-step process:
1. Session setup: the attacker sets up a "trap session" on the target server and obtains that session's ID, or selects an arbitrary session ID to be used in the attack.
2. Session fixation: the attacker needs to introduce her session ID to the user's browser.
3. Session entrance: the attacker has to wait until the user logs in to the target server using the trap session ID, and then enters the user's session.
Session setup
1. "Permissive": accepts arbitrary session IDs, and creates a new session with the proposed session ID if no such session exists yet. For permissive systems, the attacker only has to make up a random session ID, remember it and use it for the attack. A permissive system requires no trap maintenance.
2. "Strict": accepts only known session IDs that the server itself generated. Here the attacker will have to set up a trap session with the target server, extract the session ID, remember it and use it for the attack.
Session fixation
The attacker tries to transport the trap session ID to the user's browser.
- Session ID in a URL argument
http://online.worldbank.dom/login.jsp?session=1234
- Session ID in a hidden form field
The attacker tricks the user into logging in to the target server through a malicious login form.
- Session ID in a cookie
The attacker needs to install a trap session ID cookie on the user's browser. Even though this method makes for a powerful attack, the attacker's web server cannot set a cookie for the target server.
The attacker can choose among these three available methods to set a cookie on the browser:
- Using a client-side script to set a cookie on the browser
  Cross-site scripting
  Persistent cookies
  Domain cookies
- Using an HTML <META> tag with a "Set-Cookie" attribute
  Meta tag injection
- Using the Set-Cookie HTTP response header
  Session adoption
  Breaking into any host in the target server's domain
  Attacking the user's DNS server
  Network based attack
Countermeasures
- Preventing logins to a chosen session
- Preventing the attacker from obtaining a valid session ID
- Restricting the session ID usage
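As an added example (my own code, not from these notes or from the paper they summarize), here is a minimal server-side session store with the "permissive" behaviour from the Session setup section beside a hardened "strict" mode that applies the three countermeasures: it never logs a user in to a pre-existing session ID but issues a fresh one at login, it never adopts an ID it did not generate (and records the event for logging), and it restricts use of an ID by binding it to a client characteristic and expiring it on idle and absolute timeouts. Binding to a client address and the timeout values are my assumptions about what "restricting the session ID usage" covers; the notes do not state them. The `fixation_succeeds` function replays the three-step process against each store and reports whether a constructed trap ID ends up as an authenticated session usable from a second client.

```python
"""Permissive (fixation-prone) session store beside a hardened strict one.
Example code written for these notes, not from the paper."""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user: Optional[str] = None   # None until the user authenticates
    client: str = ""             # characteristic the session is bound to (assumption: source IP)
    created: float = 0.0
    last_seen: float = 0.0


class SessionStore:
    def __init__(self, permissive: bool, idle_timeout: float = 600, max_lifetime: float = 3600):
        self.permissive = permissive        # True = accept any ID the browser presents
        self.idle_timeout = idle_timeout    # assumption: seconds without a request before expiry
        self.max_lifetime = max_lifetime    # assumption: absolute lifetime in seconds
        self.sessions: dict = {}
        self.alerts: list = []              # events a defender would route to logging

    def new_id(self) -> str:
        # 256 random bits: not predictable and not brute-forceable
        return secrets.token_urlsafe(32)

    def _create(self, sid: str, client: str, now: float, user: Optional[str] = None) -> str:
        self.sessions[sid] = Session(user=user, client=client, created=now, last_seen=now)
        return sid

    def resolve(self, presented: Optional[str], client: str, now: float) -> str:
        """Map the ID the browser presented to a session ID the server trusts."""
        if presented is not None and presented in self.sessions:
            s = self.sessions[presented]
            if not self.permissive:
                expired = (now - s.created > self.max_lifetime
                           or now - s.last_seen > self.idle_timeout)
                mismatch = s.client != client
                if expired or mismatch:
                    # restrict session ID usage: drop it and start over with a fresh one
                    self.alerts.append(f"session rejected (expired={expired}, client mismatch={mismatch})")
                    del self.sessions[presented]
                    return self._create(self.new_id(), client, now)
            s.last_seen = now
            return presented
        if presented is not None and self.permissive:
            # permissive system: adopts whatever ID arrived; this is the fixation hole
            return self._create(presented, client, now)
        if presented is not None:
            # strict system: an ID this server never issued is refused and recorded
            self.alerts.append(f"unknown session ID presented by {client}")
        return self._create(self.new_id(), client, now)

    def login(self, sid: str, user: str, client: str, now: float) -> str:
        """Authenticate the user; returns the ID the browser must use from now on."""
        if self.permissive:
            self.sessions[sid].user = user     # the pre-set ID becomes authenticated
            return sid
        # countermeasure: never log in to a chosen session; issue a fresh ID instead
        self.sessions.pop(sid, None)
        return self._create(self.new_id(), client, now, user=user)

    def user_for(self, presented: Optional[str], client: str, now: float) -> Optional[str]:
        return self.sessions[self.resolve(presented, client, now)].user


TRAP_ID = "1234"   # constructed trap ID, matching the notes' URL example


def fixation_succeeds(store: SessionStore) -> bool:
    """Replay the three steps; True if the trap ID is authenticated for a second client."""
    t = 1_000_000.0
    # steps 1-2: the user's browser arrives with the trap ID already fixed
    sid = store.resolve(TRAP_ID, client="10.0.0.5", now=t)
    # the user logs in under that session
    store.login(sid, user="alice", client="10.0.0.5", now=t + 1)
    # step 3: session entrance, the trap ID presented from a different client
    return store.user_for(TRAP_ID, client="198.51.100.7", now=t + 2) == "alice"


if __name__ == "__main__":
    print("permissive store, fixation succeeds:", fixation_succeeds(SessionStore(permissive=True)))
    print("strict store, fixation succeeds:", fixation_succeeds(SessionStore(permissive=False)))
```

The permissive store returns True because it adopted the trap ID and then authenticated it in place; the strict store returns False because it refused the unknown ID on arrival and, even if it had been a valid one, would have replaced it at login and rejected its reuse from another client.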
Content was taken from http://www.acrossecurity.com/papers/session_fixation.pdf