What is a session?
Definition from FOLDOC:
  A lasting connection between a user (or user agent, i.e. browser) and a server, usually involving the exchange of many requests
Typically maintained by the server
  Includes a data store or a table to store user state and other user-specific information
  Includes an index to the table (aka session key or session-id)
  Created on first request or after an authentication process
  Session-id exchanged between browser and server on every request
Different ways to exchange session-ids
  URL rewriting
  Hidden form fields
  Cookies (most common)
Hijacking
  Stealing of this session-id and using it to impersonate the user and access their data
  A passive attack, difficult to detect
Typical Session (sequence diagram; participants: Client (Browser), Server, Session Data)
  1: Request Connection (Client to Server)
  2: Create Session (Server to Session Data)
  3: Session Id (Server to Client)
  4: Subsequent Requests (session id passed)
  5: Validate Session
  6: Retrieve Session Data
  7: Successful response
Attack Methods
Guessing Session Id
  Shorter length, predictable
Session Fixation
  Predictable; session created before the user is authenticated
Security Vulnerabilities in Hops
  Trusting private networks, vulnerabilities in web servers, etc.
Session Sniffing (typical on non-SSL sessions)
  Attacker on the same subnet as the client or the server
Man in the Middle Attack (SSL)
  ARP poisoning, DNS spoofing
Cross Site Scripting (XSS)
  User trusting the source, application vulnerability
Session Sniffing (sequence diagram; participants: Client (Browser), Server, Session Data, Hacker)
  1: Request Connection (Client to Server)
  2: Create Session (Server to Session Data)
  3: Session Id (Server to Client)
  4: Subsequent Requests (session id passed)
  5: Validate Session
  6: Retrieve Session Data
  7: Successful response
  Hacker: sniffs the session id from the client/server traffic
  Hacker to Server: Request (session-id)
  Server to Hacker: Successful Response
Man in the Middle Attack (sequence diagram; participants: Client (Browser), Hacker Machine 1, Hacker Machine 2, Server)
  1: Request HTTPS Connection (from Client, intercepted by Hacker Machine 1)
  2: Request HTTPS Connection (Hacker Machine 1 to Server)
  3: Provide Server Certificate with public key
  4: Provide HTTP Response
  5: Subsequent Requests (from Client)
  6: Forward Request (Hacker Machine 1 to Server)
  Hacker Machine 1: Wait for Session to be created, then Pass Session Id to Hacker Machine 2
  Hacker Machine 2 to Server: Request (session-id)
  Server to Hacker Machine 2: Successful Response
Cross Site Scripting (XSS)
  Hacker inserts a rogue script into a trusted site.
  Common in social / community sites.
Defence Methods
Educating the users
  Paying attention to https vs. non-https
  Properly signing out
  Not clicking on links but copying and pasting them
Using high entropy in session id generation (see Tomcat, for example)
  The higher the entropy, the more difficult the id is to predict
Timing out sessions
  Reduces the window of vulnerability
Using SSL for all communications
  Makes sniffing difficult
Forcing re-authentication or step-up authentication
  Limits the damage if a session is hijacked
Re-generating session-ids
  Reduces the window of vulnerability
Using context data for validating session-ids
  Makes it difficult to use a hijacked id
Input validation
  Prevents XSS and other vulnerabilities
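The server-side defences in this list (high-entropy ids, timeouts, regenerating the id on login, and binding the id to request context) can be seen together in a small session table. The following is an added example written for this page, not code from the original slides or from any server product; the 16-byte id length, the 15-minute idle timeout, the User-Agent hash used as "context data" and the browser strings are all constructed values chosen for the illustration. Steps 2 (create session) and 5 (validate session) of the typical session exchange map onto `create` and `validate`.

```python
"""Session store exercising the defences above: added example, not the slides' code."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

SESSION_ID_BYTES = 16           # 128 bits from the OS CSPRNG per id (constructed choice)
IDLE_TIMEOUT_SECONDS = 15 * 60  # idle limit for the example (constructed value)


@dataclass
class Session:
    user: Optional[str]          # None until authentication succeeds
    created: float
    last_seen: float
    context: str                 # fingerprint of the request context the id was issued to
    data: Dict[str, str] = field(default_factory=dict)


def fingerprint(user_agent: str) -> str:
    """Context data bound to the id; here a hash of the User-Agent (assumption for the example)."""
    return hashlib.sha256(user_agent.encode()).hexdigest()


class SessionStore:
    """Server-side table indexed by session id; the browser only ever holds the id."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._table: Dict[str, Session] = {}
        self._now = now

    @staticmethod
    def new_id() -> str:
        # High-entropy id: 16 random bytes rendered as 32 hex characters.
        return secrets.token_hex(SESSION_ID_BYTES)

    def create(self, context: str) -> str:
        """Step 2 of the typical session: an unauthenticated session, id handed to the client."""
        sid = self.new_id()
        t = self._now()
        self._table[sid] = Session(user=None, created=t, last_seen=t, context=context)
        return sid

    def validate(self, sid: str, context: str) -> Optional[Session]:
        """Step 5: look the id up, enforce the idle timeout, and compare the request context."""
        session = self._table.get(sid)
        if session is None:
            return None
        now = self._now()
        if now - session.last_seen > IDLE_TIMEOUT_SECONDS:
            self._table.pop(sid)     # expired: the window of vulnerability is closed
            return None
        # Constant-time compare of two ASCII hex digests; mismatch is treated as a hijacked id.
        if not hmac.compare_digest(session.context, context):
            self._table.pop(sid)
            return None
        session.last_seen = now
        return session

    def authenticate(self, sid: str, context: str, user: str) -> Optional[str]:
        """On login, regenerate the id so a pre-authentication id (session fixation) is useless."""
        session = self.validate(sid, context)
        if session is None:
            return None
        del self._table[sid]
        new_sid = self.new_id()
        session.user = user
        self._table[new_sid] = session
        return new_sid

    def sign_out(self, sid: str) -> None:
        """Properly signing out removes the server-side entry, not just the cookie."""
        self._table.pop(sid, None)


def demo() -> Dict[str, bool]:
    """Run the defences against a fake clock with constructed inputs; returns the outcomes."""
    clock = [1_000.0]
    store = SessionStore(now=lambda: clock[0])
    ctx = fingerprint("ConstructedBrowser/1.0")

    # Fixation: an id issued before login stops working once the user authenticates.
    pre = store.create(ctx)
    post = store.authenticate(pre, ctx, user="alice")
    results = {
        "pre_id_valid_after_login": store.validate(pre, ctx) is not None,
        "post_id_differs": post != pre,
        "post_id_valid": store.validate(post, ctx) is not None,
    }

    # Timeout: an id idle past the limit is rejected and dropped from the table.
    idle = store.create(ctx)
    clock[0] += IDLE_TIMEOUT_SECONDS + 1
    results["expired_id_rejected"] = store.validate(idle, ctx) is None

    # Context binding: the same id presented from another context is rejected and evicted,
    # so even the original context can no longer use it afterwards.
    bound = store.create(ctx)
    results["foreign_context_rejected"] = store.validate(bound, fingerprint("OtherBrowser/2.0")) is None
    results["evicted_after_mismatch"] = store.validate(bound, ctx) is None
    return results
```

Evicting on a context mismatch is the strict choice; a production deployment would log the event and may prefer forcing re-authentication (step-up) instead, since User-Agent strings and client addresses do change legitimately.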
Tomcat Session Id generation
The session id is generated from a random number.
For random number generation, Java's SecureRandom class is used. This class provides a cryptographically strong random number generator using DSA/RSA/MD5 or SHA-1.
The seed (64 bit) for generating the random number is constructed by bitwise XORing the system time with an entropy string.
The entropy string comes from a hash value constructed from the device drivers running on the server.
Using the SecureRandom class, a 16 byte (128 bit) random number is generated.
A one-way hash of the random number is performed.
A 32 byte (256 bit) hexadecimal number is created by taking 4 bits at a time from the 16 bytes.
This 32 byte (256 bit) value is used as the jsessionid.
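The pipeline described above (seed, 16 random bytes, one-way hash, nibble-wise hex encoding) is reconstructed below in Python as an added example; it is not Tomcat's code. Two assumptions are made: MD5 stands in for the unnamed one-way hash because its 16-byte output matches the 16 bytes the slide encodes, and SHA-256 of a constructed string stands in for the driver-derived entropy hash. The seeding step is shown only to make the XOR construction concrete; `os.urandom` is seeded by the operating system and takes no application seed. Note the arithmetic the `entropy_bits` helper makes explicit: 32 hexadecimal characters carry 4 bits each, so the id encodes 128 bits of hash output, which is what bounds an attacker's guessing effort.

```python
"""Tomcat-style session id construction: added example, not Tomcat's source."""
import hashlib
import os
import time

HEX = "0123456789abcdef"


def build_seed(entropy: bytes, now_ns=None) -> int:
    """The slide's 64-bit seed: system time XOR a hash of an entropy string.

    Illustration only: os.urandom below needs no such seed.
    """
    t = (time.time_ns() if now_ns is None else now_ns) & 0xFFFFFFFFFFFFFFFF
    # Assumption: SHA-256 of the entropy string stands in for the driver-derived hash.
    e = int.from_bytes(hashlib.sha256(entropy).digest()[:8], "big")
    return t ^ e


def hex_nibbles(data: bytes) -> str:
    """Take 4 bits at a time from each byte, high nibble first: 2 hex characters per byte."""
    out = []
    for b in data:
        out.append(HEX[(b & 0xF0) >> 4])
        out.append(HEX[b & 0x0F])
    return "".join(out)


def generate_session_id(random_bytes=None) -> str:
    """16 random bytes -> one-way hash -> 32 hexadecimal characters."""
    if random_bytes is None:
        random_bytes = os.urandom(16)  # CSPRNG output, the role SecureRandom plays in Tomcat
    # Assumption: MD5 as the one-way hash; its 16-byte digest matches the slide's 16 bytes.
    digest = hashlib.md5(random_bytes).digest()
    return hex_nibbles(digest)


def entropy_bits(session_id: str) -> int:
    """Each hex character carries 4 bits, so a 32-character id carries 128 bits."""
    return 4 * len(session_id)


if __name__ == "__main__":
    sid = generate_session_id()
    print(sid, len(sid), "chars,", entropy_bits(sid), "bits")
```

Passing fixed bytes to `generate_session_id` is only useful for checking the encoding against a known digest; in service the random bytes must always come from the CSPRNG, and the hash adds no entropy beyond the 128 bits that go in.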