ABSTRACT: In computing, a vulnerability is a weakness that an attacker can exploit to carry out unauthorized activities in a system. To exploit a vulnerability the attacker usually needs at least one applicable tool or technique that can connect to the system's weakness. Here I have chosen session hijacking as the topic.
KEYWORDS: Vulnerability, session, hijacking, network, cookie.
INTRODUCTION
According to Wikipedia, “In computer science, session hijacking, sometimes also known as cookie hijacking, is the exploitation of a valid computer session—sometimes also called a session key—to gain unauthorized access to information or services in a computer system”. The primary goal of any session hijacking is to secretly take over the connection from one of the two parties and then impersonate that party's device.
The underlying technology that controls how computers and websites communicate with each other is the TCP/IP protocol suite, short for Transmission Control Protocol / Internet Protocol. Session hijacking is possible because of limitations in TCP/IP that are not easily fixable due to its widespread deployment. Therefore security layers are added on top of it to limit or nullify the threat.
In most cases transmission protocols emphasise utility and performance. They do not have any strict control to verify the source of a transmission or whether a packet is a genuine part of a data conversation. This allows packets to be faked in a way that can redirect or interrupt the flow of a transmission. Some protocols, for example UDP, can be spoofed easily because they lack any complete sequencing, whereas others such as TCP are relatively harder to spoof due to their more extensive flow control and better integrity checking. However, with most such protocols, integrity is aimed more at accidental loss of data due to errors or packet loss than at a deliberate attempt to attack the protocol. Thus such protocols can fall victim to a more sophisticated attack, and TCP session hijacking is an example of one. Here the attacker has to guess factors such as the initial TCP sequence numbers and manipulate the data flow by injecting fake packets, interrupting and then faking the flow of any kind of higher-level data. Such an attack is one-way: control can be gained, but no information flows back to the attacker until he uses the control channel to open an additional set of covert channels.
IMPACT OF SESSION HIJACKING
Fig 1. Working of session hijacking
The attacker sniffs the traffic between the server and the victim, waiting for a connection to be established between them. Usually the attacker looks for a particular type of application in which the victim makes an authenticated remote-access connection to the server. Once the victim has authenticated to the application, the attacker moves to hijack the session.
When the attacker hijacks the session from the victim he is connected to the application as though he were the victim. The attacker waits until he sees data that signals the attack should start. He then sends a reset packet to the victim while pretending to be the server, setting the source IP address to the server's IP address and the destination IP address to the victim's. Next the attacker sends data to the server using the sequence number observed in the sniffed traffic. The data packet from the attacker to the server appears to have been sent by the victim, and the server responds towards the victim with its data. The attacker continues to sniff the traffic to obtain the data that was meant for the victim. The victim still receives traffic from the server, but because its connection has been closed it will not respond.
Below are the methods by which session hijacking is carried out.
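The attack just described leaves two wire-level signatures a monitoring point can check for: a reset that does not come from the real server, and data that keeps flowing on a flow the reset should have closed. The detector below is an added example written for this page, not code from the essay; it runs over a constructed, labelled packet trace, and its TTL-baseline rule (a spoofed segment usually arrives with a hop count different from the real host's) is an assumption of the example, not something the essay states.

```python
# Constructed packet records (not real captures); one dict per TCP segment.
# Fields: src, dst, TCP flags, sequence number, IP TTL.
SUSPECT_TRACE = [
    {"src": "10.0.0.5", "dst": "10.0.0.1", "flags": "PA", "seq": 1000, "ttl": 64},  # victim -> server
    {"src": "10.0.0.1", "dst": "10.0.0.5", "flags": "A", "seq": 5000, "ttl": 64},   # server -> victim
    {"src": "10.0.0.1", "dst": "10.0.0.5", "flags": "R", "seq": 5000, "ttl": 51},   # "server" RST, other hop count
    {"src": "10.0.0.5", "dst": "10.0.0.1", "flags": "PA", "seq": 1012, "ttl": 51},  # "victim" data after the reset
]
CLEAN_TRACE = [
    {"src": "10.0.0.5", "dst": "10.0.0.1", "flags": "PA", "seq": 1000, "ttl": 64},
    {"src": "10.0.0.1", "dst": "10.0.0.5", "flags": "A", "seq": 5000, "ttl": 64},
    {"src": "10.0.0.5", "dst": "10.0.0.1", "flags": "FA", "seq": 1012, "ttl": 64},
]


def flow_key(pkt):
    # Direction-independent identifier for the conversation.
    return tuple(sorted((pkt["src"], pkt["dst"])))


def detect_hijack(packets):
    """Return a list of alert strings for the two indicators (empty when none)."""
    alerts = []
    baseline_ttl = {}   # (flow, sender IP) -> TTL of that sender's first segment
    closed = set()      # flows on which a RST has already been seen
    for i, p in enumerate(packets):
        key = flow_key(p)
        ttl0 = baseline_ttl.setdefault((key, p["src"]), p["ttl"])
        if p["ttl"] != ttl0:
            # Heuristic, not proof: asymmetric routing or a load balancer can
            # also shift the TTL, so treat this as a lead to correlate.
            alerts.append(f"pkt {i}: TTL {p['ttl']} from {p['src']} differs from "
                          f"baseline {ttl0}; sender may be spoofed")
        if key in closed and "R" not in p["flags"]:
            # A real endpoint stops sending once its connection is reset;
            # further segments on the flow are likely injected.
            alerts.append(f"pkt {i}: segment from {p['src']} after RST on {key}; "
                          f"possible injected data")
        if "R" in p["flags"]:
            closed.add(key)
    return alerts


if __name__ == "__main__":
    for line in detect_hijack(SUSPECT_TRACE):
        print(line)
```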
- Session fixation is where an attacker sets a user's session ID to an ID already known to him, for example by sending the user an email that carries a particular session ID, and then waits until the user logs in.
- Session sidejacking is where an attacker uses packet sniffing to read the network traffic between two parties and steal the session cookie. Many websites use SSL encryption on their login pages to prevent attackers from seeing the password, but they do not encrypt the rest of the site once the user is authenticated. This gives attackers who can read network traffic the chance to intercept all the data submitted to the server and the web pages viewed by any client. Since this data includes the session cookie, it allows the attacker to impersonate the victim even without obtaining the password. Unsecured Wi-Fi hotspots are especially vulnerable, because anyone sharing the network can observe the web traffic between the access point and the other nodes.
- Cross-site scripting is where an attacker tricks the user's browser into running code that is treated as trustworthy (since it appears to come from the server), allowing the attacker to obtain a copy of the cookie or perform other operations.
- Malware and other unwanted programs can use browser hijacking to steal a browser's cookie file without the user being aware, or perform actions such as installing an Android app. An attacker with physical access can try to steal the session key by, for example, obtaining the memory contents of the appropriate part of the server or the user's computer.
Some examples of well-known exploits are Firesheep, WhatsApp Sniffer, DroidSheep and CookieCadger.
- Firesheep: In October 2010 Firesheep, a Mozilla Firefox extension, was released. It made it easy for attackers to attack users of unencrypted public Wi-Fi. For Facebook, Instagram, Twitter and any other websites the user adds, Firesheep let the attacker obtain private information from the cookies. Months later Facebook and Twitter responded by offering HTTPS.
- WhatsApp Sniffer: In May 2012 this app was made available on Google Play. It could display messages from other users connected to the same network as the attacker. At that time WhatsApp used an XMPP infrastructure with encryption rather than plain-text communication.
- DroidSheep: A very simple Android tool for session hijacking. It looks for HTTP packets sent over a wireless (802.11) network connection and extracts the session ID from them so it can be reused. It uses arpspoof and libpcap. The APK was available on Google Play but has since been removed.
- CookieCadger: A graphical Java application that automates side-jacking and replay of HTTP requests. It helps find information leaked by applications that use unencrypted GET requests. It is an open-source, cross-platform utility based on the Wireshark suite and can monitor insecure Wi-Fi and wired Ethernet. Cookie Cadger has been used to highlight the weaknesses of team-sharing sites such as TeamSnap.
METHODS OF MITIGATION
- Encrypting the data traffic passed between the parties using TLS or SSL, particularly the session key. This method is widely used by web banking and e-commerce sites. It completely prevents sniffing-style attacks, but other types of session hijack can still be a problem.
The TLS protocol is designed to authenticate the server and, in some cases, the client; once authentication is done the client and server derive an encryption key that is used to encrypt the traffic. This process is managed by the TLS/SSL layer and is transparent to the application that uses it (although the application needs to support certificate management). The encryption protocols and the authentication method determine the message format and the protocol exchange.
Fig 2. TLS protocol
The protocol above has four steps. In the first step the client and server agree on the encryption and authentication methods. In the second step the server presents its credentials and sometimes asks the client for its credentials as well. The third step is optional: the client presents its credentials. In the fourth step the server and client exchange the session encryption key that is used to encrypt all data between them.
TLS/SSL is generally secure, but there have been some attacks against the protocol (mostly man-in-the-middle attacks). For a man-in-the-middle attack to work the attacker has to present himself as a valid server. This becomes difficult if the client and the valid server have communicated before, or if the client has prior knowledge about the authenticity of the server. If the client has no prior knowledge about the server, the attacker can pose as a valid server to the client and then make a valid connection with the real server. TLS/SSL mitigates authentication and sniffing attacks. [Scientists from Radboud University Nijmegen in 2013 proposed a mitigation technique that correlates the application session with the TLS/SSL credential.]
- Using a long random string or number as the session key is a useful mitigation. It reduces the risk of an attacker guessing a session key by brute force or trial and error.
- Another way is to regenerate the session ID after a successful login. This prevents session fixation, since the attacker cannot know the user's session ID after the user has logged in.
- Some services also perform a secondary check of the user's identity. For example, a web server can check on every request whether the user's IP address matches the last one used in the same session. This does not prevent attacks by someone who shares the same IP, and it can be irritating for users whose IP changes during a browsing session.
- Some services also change the value of the cookie with every request. This greatly shortens the window in which an attacker can act and makes an attack easier to spot.
- Users can also log out of websites whenever they are done using them. (This approach does not protect against Firesheep, though.)
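The session-management mitigations in the list above (a long random session key, regeneration on login, an IP-binding check, per-request cookie rotation and logout) implemented together, as an added Python example written for this page rather than code from the essay or any product it names. The `Secure` and `HttpOnly` flags in the cookie helper are standard Set-Cookie attributes that the essay does not mention; they are included because they address the side-jacking and cross-site scripting routes described earlier.

```python
import secrets


class SessionStore:
    """In-memory session store that applies the mitigations listed above."""

    def __init__(self, rotate_every_request=True, bind_ip=True):
        self._sessions = {}    # sid -> {"user": str or None, "ip": client IP}
        self.rotate = rotate_every_request
        self.bind_ip = bind_ip

    @staticmethod
    def _new_sid():
        # 32 bytes from the OS CSPRNG: a long random string that cannot be
        # guessed by brute force or trial and error.
        return secrets.token_urlsafe(32)

    def login(self, old_sid, user, ip):
        # Regenerate the ID on successful login. Whatever ID the browser sent
        # before (possibly planted by an attacker) is discarded, which is what
        # defeats session fixation.
        self._sessions.pop(old_sid, None)
        sid = self._new_sid()
        self._sessions[sid] = {"user": user, "ip": ip}
        return sid

    def validate(self, sid, ip):
        """Return (user, sid_to_send_back), or (None, None) when rejected."""
        data = self._sessions.get(sid)
        if data is None:
            return None, None
        if self.bind_ip and data["ip"] != ip:
            # Secondary identity check; it also rejects a legitimate user
            # whose IP changes mid-session, the trade-off noted above.
            return None, None
        if self.rotate:
            # Change the cookie value on every request, so a stolen value
            # is only usable until the real client's next request.
            self._sessions.pop(sid)
            sid = self._new_sid()
            self._sessions[sid] = data
        return data["user"], sid

    def logout(self, sid):
        return self._sessions.pop(sid, None) is not None


def set_cookie_header(sid):
    # Secure keeps the cookie off plain-HTTP pages (side-jacking) and
    # HttpOnly keeps it out of reach of injected script (the XSS route).
    return f"Set-Cookie: session={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"
```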
Session hijacking is an old method of attack that will probably be around for some time to come. It is an understated threat, overshadowed by bigger ones such as DDoS attacks, ransomware and banking trojans, but its ease of use combined with its large profit potential makes it a heavily used and potent tool among malicious hackers.