Session Hijacking: Understanding and Preventing Online Attacks

jadavvineet73 459 views 42 slides Jun 18, 2024

About This Presentation

Explore the critical aspects of session hijacking in this informative presentation. Learn how attackers exploit session vulnerabilities to gain unauthorized access to user accounts and the effective strategies to prevent such breaches. This presentation covers the mechanisms of session hijacking, it...


Slide Content

SESSION HIJACKING BY: ADITI PRAVEEN

Introduction What is Session Hijacking? Session hijacking is a type of attack in which the attacker steals the user's session ID, logs into that session, and can then do or see whatever the legitimate user can. This lets the attacker use the server without any further authorization, creating a threat to both an individual's and an organization's information. The legitimate user's session is disrupted, and they are unlikely to notice that it has been hijacked until something forces them to.

Mechanisms/Methods The following mechanisms/methods are ways in which session hijacking can be carried out: i) Acquisition: sniffing unencrypted public Wi-Fi networks; XSS attacks that trick users into visiting malicious pages; guessing poorly generated, predictable session IDs. ii) Takeover: the attacker poses as the genuine user from their own browser by presenting the stolen ID. iii) Exploitation: the attacker can then read information, alter it, or launch further attacks.

Types of Session Hijacking The two main types are: Active Session Hijacking: the attacker deliberately interrupts the legitimate user's session to gain control; techniques such as session side-jacking and session spoofing may be used. Passive Session Hijacking: the attacker surreptitiously obtains the session ID without interfering with the authorized user's session, and can then use the stolen ID to assume the user's identity; this includes techniques such as session prediction, XSS (cross-site scripting), and sniffing.

Abstract The Jazz Self-Care platform enables Jazz customers to manage their accounts online. Account balance checks, bill viewing and payment, service subscriptions, order tracking, and support requests are among the activities. Users may customize their experience by logging in or creating an account. The goal of the research is to determine whether the website in question is susceptible to session hijacking and whether its session IDs and cookies are exposed. Although there are other ways to accomplish this, I have concentrated on utilising Burp Suite to conduct my study. Some of the recommendations are using secure connections, strong passwords and multi-factor authentication, keeping an eye on account activity, configuring browser security settings, updating software often, and being cautious while using public Wi-Fi. The study examines the strategies used to hijack sessions, giving organizations the knowledge needed to defend their platforms from these kinds of attacks. Knowing these techniques will help us put strong security measures in place to protect user information and enhance the user experience as a whole.

Objective The objective of this study is to identify vulnerabilities in a website called Jazz Self-Care, which is examined through Burp Suite, a well-known application for web application penetration testing. The main focus is determining how attackers can exploit such a vulnerability to steal users' session IDs and gain unlawful access to accounts. Target and Scope: It specifically targets sensitive aspects of the Jazz Self-Care website, such as account management, login, and other areas. Suggestions: The study's specific goal is to establish areas of weakness and potential countermeasures that lower the likelihood of session hijacking. Some ways that can be recommended are setting browser security preferences, using secure connections, setting a good password and using multi-factor authentication, monitoring account activities regularly, constantly updating the software, and using WPA/WPA2-protected Wi-Fi carefully.

Methodology Website Analysis: Examining the website's features to see how sessions are initiated, maintained, and terminated. Burp Suite Techniques: To demonstrate and examine session hijacking attempts, Burp Suite's features, such as proxy interception, session manipulation, and the Intruder tool, were utilized.

Analysis and Findings About the website: The Jazz Self-Care portal is from Jazz, one of Pakistan's telecommunication companies. It is primarily aimed at giving Jazz customers the opportunity to access their accounts and services through the Internet. Mobilink, the operator behind the Jazz brand, is a well-known telecommunication company offering voice, data, and digital solutions in Pakistan. The self-care portal is one of the measures they use to improve the customer experience through account management.

The technologies used in the website were found using the Wappalyzer extension. Technologies used in the website:
Ecommerce: Magento 2 is an open-source ecommerce platform written in PHP.
JavaScript frameworks: RequireJS 2.3.6 is a JavaScript library and file loader which manages the dependencies between JavaScript files in modular programming.
Programming languages: PHP is a general-purpose scripting language used for web development.
Databases: MySQL is an open-source relational database management system.

JavaScript Libraries jQuery Migrate is a JavaScript library that allows you to preserve the compatibility of jQuery code developed for versions of jQuery older than 1.9. jQuery UI is a collection of GUI widgets, animated visual effects, and themes implemented with jQuery, Cascading Style Sheets, and HTML. Underscore.js is a JavaScript library which provides utility functions for common programming tasks; it is comparable to features provided by Prototype.js and the Ruby language. jQuery is a free, open-source JavaScript library designed to simplify HTML DOM tree traversal and manipulation, as well as event handling, CSS animation, and Ajax.

UI Frameworks Bootstrap - is a free and open-source CSS framework directed at responsive, mobile-first front-end web development. It contains CSS and JavaScript-based design templates for typography, forms, buttons, navigation, and other interface components.

Proof of Concept (POC) 1. This is the website that has been chosen to perform session hijacking.

2. In this website, I have created 2 accounts using 2 different email ids.

3. Using the Account-1’s email id and password, I am logging into the website.

4. This is the homepage after logging in; the contact information shows the username “ab cd” along with the email id used, [email protected]. Note: While all this is being done, Burp Suite must be open in the background.

5. After entering the details, I went back to Burp Suite and made sure the intercept button is off and not running in the background.

6. Went back to the browser and enabled the FoxyProxy connection. * FoxyProxy: an open-source, advanced proxy management tool that completely replaces Chrome's limited proxying capabilities.

7. Right after switching FoxyProxy on, intercept is switched on in Burp Suite.

8. After doing both of those steps in the same order, I can then click on anything in the website. I’ve chosen to click on “My orders”.

9. This is the result of clicking on the website after switching on intercept in Burp Suite and FoxyProxy.

10. Go back to Burp Suite and search for the PHPSESSID. The highlighted mark shows the session ID for this particular session. * PHPSESSID: PHP's default session cookie; it carries the identifier that links the browser to the serialised session data held on the server.

11. The PHPSESSID for Account 1 is noted down.

12. After noting down the PHPSESSID, the intercept is switched off and so is FoxyProxy. I now need another browser to log into Account-2, so I am using Burp Suite’s browser.

13. Copy and paste the URL for the website.

15. Account-2 is logged into this browser.

16. After logging in, the contact information shows the username “xy yz” along with the email id used, [email protected].

17. Switching on the intercept.

18. This gives all the cookie information from its browser. We are looking for the PHPSESSID of this session.

19. Cross-checked to see if I had the right PHPSESSID and am not repeating anything.

20. This is the PHPSESSID for the second session on Burp Suite’s browser.

21. I have pasted the PHPSESSID of Session 1/Account 1 in place of where the PHPSESSID of Session 2/Account 2 was present.

23. Cross-checked again to see if I was right. Kept forwarding the update.

24. After numerous “forward”s, I now see the PHPSESSID of Session 1/Account 1 by default in place of the PHPSESSID of Session 2/Account 2.

25. I went back to the browser which has Session 2 and clicked on the refresh button. There I found the username on top to be “xy yz”, which is Account-2’s username. But in the contact information I found “ab cd”, which is Account-1’s username, along with Account-1’s email id. Thus, completing the session hijacking.

Recommendations For Users: Be cautious on public Wi-Fi: Use public Wi-Fi only for general activities such as reading e-mail or browsing, not for any task that involves personal information such as online banking. Use strong passwords and Multi-Factor Authentication (MFA): Never secure your online profiles with basic or easily guessable credentials and, where available, always activate two-factor authentication; it adds a second protection barrier. Beware of phishing attacks: These may entice the targeted user to click on links with misleading addresses or open email attachments containing Trojan programs whose purpose is to steal the session ID. Log out of accounts: Never forget to sign out of your accounts when you are done with them, particularly on shared machines that are frequently used by other people. Keep software updated: Ensure that your operating system and any other software you use, for instance the web browser, is updated to the latest version, since updates fix known security issues that could otherwise be exploited by attackers.

For Developers and Organizations: HTTPS Everywhere: Among the different security measures, HTTPS must be enforced on all web pages. While HTTP transmits information in plaintext that is easily readable by attackers, HTTPS ensures that exchanges between the user's browser and the web server are encrypted, which makes it difficult for attackers to steal session IDs. Secure cookies: To minimize an attacker's access to cookies, set the Secure attribute (so the cookie is only sent over HTTPS) and the HttpOnly attribute (so the cookie is inaccessible to client-side scripts such as JavaScript). This also reduces the impact of Cross-Site Scripting (XSS) attacks, which could otherwise steal session IDs.

Strong session management: Protected session management of user accounts should be put into practice. It involves factors such as avoiding sequential numbers for session IDs, setting an appropriate idle time-out for sessions, and destroying sessions after logout. Regular security testing: Check and test the web applications for emerging security holes that attackers could use for session hijacking.
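The developer recommendations above (unpredictable session IDs, an idle time-out, destruction on logout, and Secure/HttpOnly cookie attributes) as a small server-side session store, written here as an added example; it is not code from the presentation or from the Jazz platform. The timeout value, the `PHPSESSID` cookie name (reused from the slides for illustration) and the injectable clock are assumptions of this example.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # assumed idle time-out in seconds (15 minutes)


class SessionStore:
    """Server-side session store; the browser only ever holds the opaque ID."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so tests can advance time
        self._sessions = {}          # sid -> {"user": ..., "last_seen": ...}

    def create(self, user):
        # 32 bytes from the OS CSPRNG: not sequential, not guessable.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def lookup(self, sid):
        """Return the user for a live session, or None if unknown or idle too long."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]  # idle sessions are destroyed, not revived
            return None
        entry["last_seen"] = now
        return entry["user"]

    def destroy(self, sid):
        """Logout: forget the session so a copied ID is useless afterwards."""
        self._sessions.pop(sid, None)


def session_cookie(sid, name="PHPSESSID"):
    """Set-Cookie value carrying the hardening attributes from the slides."""
    return f"{name}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def missing_cookie_flags(set_cookie_value):
    """Check a Set-Cookie value and list which protective attributes are absent."""
    attrs = {p.strip().split("=")[0].lower() for p in set_cookie_value.split(";")[1:]}
    return [f for f in ("Secure", "HttpOnly", "SameSite") if f.lower() not in attrs]
```

`missing_cookie_flags` can be pointed at the `Set-Cookie` values seen in an intercepting proxy to confirm the attributes are actually being sent.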

Conclusion According to this research, the Jazz Self-Care platform (https://selfcare-cms-prod.jazz.com.pk/customer/account/) may be vulnerable to session hijacking attacks. Burp Suite was used to identify these flaws and take over user sessions, endangering the security of client information. Robust security protocols must be in place to safeguard Jazz's users. Best practices for session management, encryption of private information, and routine penetration testing with programs like Burp Suite to find and fix flaws before hackers can take advantage of them are a few examples. By putting security first, Jazz can preserve a trustworthy client experience and safeguard users' personal data.


Thank You!!