Session hijacking explained

In computer science, session hijacking, sometimes also known as cookie hijacking, is the exploitation of a valid computer session—sometimes also called a session key—to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many websites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer (see HTTP cookie theft). After successfully stealing appropriate session cookies an adversary might use the Pass the Cookie technique to perform session hijacking. Cookie hijacking is commonly used against client authentication on the internet. Modern web browsers use cookie protection mechanisms to protect the web from being attacked.[1]

A popular method is using source-routed IP packets. This allows an attacker at point B on the network to participate in a conversation between A and C by encouraging the IP packets to pass through B's machine.

If source-routing is turned off, the attacker can use "blind" hijacking, whereby it guesses the responses of the two machines. Thus, the attacker can send a command, but can never see the response. However, a common command would be to set a password allowing access from elsewhere on the net.

An attacker can also be "inline" between A and C using a sniffing program to watch the conversation. This is known as a "man-in-the-middle attack".

History of HTTP

HTTP protocol versions 0.8 and 0.9 lacked cookies and other features necessary for session hijacking. Version 0.9beta of Mosaic Netscape, released on October 13, 1994, supported cookies.

Early versions of HTTP 1.0 did have some security weaknesses relating to session hijacking, but they were difficult to exploit due to the vagaries of most early HTTP 1.0 servers and browsers. As HTTP 1.0 has been designated as a fallback for HTTP 1.1 since the early 2000s—and as HTTP 1.0 servers are all essentially HTTP 1.1 servers the session hijacking problem has evolved into a nearly permanent security risk.[2]

The introduction of supercookies and other features with the modernized HTTP 1.1 has allowed for the hijacking problem to become an ongoing security problem. Webserver and browser state machine standardization has contributed to this ongoing security problem.

Methods

There are four main methods used to perpetrate a session hijack. These are:

After successfully acquiring appropriate session cookies an adversary might leverage the Pass the Cookie technique to perform session hijacking.

Exploits

Firesheep

Firesheep, a Firefox extension introduced in October 2010, demonstrated session hijacking vulnerabilities in unsecured networks. It captured unencrypted cookies from popular websites, allowing users to take over active sessions of others on the same network. The tool worked by displaying potential targets in a sidebar, enabling session access without password theft. The websites supported included Facebook, Twitter, Flickr, Amazon, Windows Live and Google, with the ability to use scripts to add other websites.[5] Only months later, Facebook and Twitter responded by offering (and later requiring) HTTP Secure throughout.[6] [7]

DroidSheep

DroidSheep is a simple Android tool for web session hijacking (sidejacking). It listens for HTTP packets sent via a wireless (802.11) network connection and extracts the session id from these packets in order to reuse them. DroidSheep can capture sessions using the libpcap library and supports: open (unencrypted) networks, WEP encrypted networks, and WPA/WPA2 encrypted networks (PSK only). This software uses libpcap and arpspoof.[8] [9] The apk was made available on Google Play but it has been taken down by Google.

CookieCadger

CookieCadger is a graphical Java app that automates sidejacking and replay of HTTP requests, to help identify information leakage from applications that use unencrypted GET requests. It is a cross-platform open-source utility based on the Wireshark suite which can monitor wired Ethernet, insecure Wi-Fi, or load a packet capture file for offline analysis. Cookie Cadger has been used to highlight the weaknesses of youth team sharing sites such as Shutterfly (used by AYSO soccer league) and TeamSnap.[10]

Prevention

Methods to prevent session hijacking include:

See also

Notes and References

  1. Bugliesi . Michele . Calzavara . Stefano . Focardi . Riccardo . Khan . Wilayat . 2015-09-16 . CookiExt: Patching the browser against session hijacking attacks . Journal of Computer Security . 23 . 4 . 509–537 . 10.3233/jcs-150529 . 1875-8924 . free . 10278/3663357.
  2. Web site: Session Hijacking & HTTP Communication . 19 October 2020 . https://web.archive.org/web/20201031013639/https://cwatch.comodo.com/blog/website-security/what-is-session-hijacking/ . 2020-10-31 . live.
  3. Web site: Warning of webmail wi-fi hijack. BBC News. August 3, 2007.
  4. Web site: Malware use Browser Hijacking to steal cookie. 19 October 2020 .
  5. News: Firefox extension steals Facebook, Twitter, etc. sessions . The H . 25 October 2010 . https://web.archive.org/web/20240306061808/http://www.h-online.com/open/news/item/Firefox-extension-steals-Facebook-Twitter-etc-sessions-1124596.html . 2024-03-06 . dead .
  6. News: Facebook now SSL-encrypted throughout . The H . 27 January 2011 .
  7. News: Twitter adds 'Always use HTTPS' option . The H . 16 March 2011 .
  8. Web site: DroidSheep .
  9. Web site: DroidSheep Blog . 2012-08-07 . 2016-11-20 . https://web.archive.org/web/20161120163351/http://droidsheep.de/ . dead .
  10. Web site: How Shutterfly and Other Social Sites Leave Your Kids Vulnerable to Hackers . Mother Jones . 2013-05-03 . https://web.archive.org/web/20240519210800/https://www.motherjones.com/politics/2013/05/shutterfly-teamsnap-eteamz-ssl-hackers-kids-data/ . 2024-05-19 . live.
  11. Web site: Schneier on Security: Firesheep. 29 May 2011. 27 October 2010.
  12. Book: Burgers, Willem . https://www.springer.com/computer/security+and+cryptology/book/978-3-642-41487-9 . Roel Verdult . Marko van Eekelen . Secure IT Systems . Prevent Session Hijacking by Binding the Session to the Cryptographic Network Credentials . Lecture Notes in Computer Science . 2013. 8208 . 33–50 . 10.1007/978-3-642-41488-6_3 . 978-3-642-41487-9 .
  13. See Web site: NetBadge: How To Log Out.
  14. See also Web site: Be Card Smart Online - Always log out.