Understanding Session Hijacking: Protecting Your Online Sessions
jadavvineet73
37 slides
Jun 18, 2024
About This Presentation
Learn about session hijacking, a serious cybersecurity threat where attackers steal or manipulate a user's session token to gain unauthorized access to web applications. This comprehensive guide covers the methods used by attackers, the risks involved, and practical steps you can take to secure your online sessions. Whether you're a cybersecurity professional or a regular internet user, this post provides essential insights to help you stay safe online. https://bostoninstituteofanalytics.org/cyber-security-and-ethical-hacking/
Agenda: Session Hijacking; Abstract; Research; Data collection; Exploitation; Impact; Prevention and Mitigation; Conclusion; Reference
Session Hijacking (also called cookie hijacking or session theft; session fixation is a closely related variant in which the attacker plants a session ID of their choosing on the victim before login rather than stealing one afterwards). Session hijacking is a form of cyber-attack in which an attacker takes control of a user's session on a computer system or network service. The attacker impersonates the victim by stealing, or predicting, their session identifier or cookie, which gives them unauthorized access to the targeted system or service. These attacks are among the most commonly encountered threats on today's networks, and many websites and network services are vulnerable to them.
Session Hijacking (cont.). Session hijacking is a threat to online security because it lets attackers intercept and manipulate user sessions. Attackers use techniques such as session sniffing or cookie theft to exploit weaknesses in web applications. Typical targets are social networks, online shops and banking websites, where a valid session gives direct access to personal and financial data.
Types of Session Hijacking. Active session hijacking: the attacker attacks an already active session between user and server and takes the place of the valid user (in TCP-level attacks the original client is typically knocked off the connection). Passive session hijacking: the attacker sits between the valid user and the server and eavesdrops, capturing session data without interfering with the session.
Types of Session Hijacking (cont.). Hybrid session hijacking: a combination of active and passive session hijacking, in which the attacker first monitors the session passively and then uses what was captured to take it over.
Session Hijacking Levels. Network level: interception of the packets in transit between client and server in a TCP or UDP session; this is practical only when the traffic is not protected by TLS. Application level: gaining control of an HTTP user session by obtaining the session ID.
Methods of Network Hijacking: TCP/IP hijacking; IP spoofing with source-routed packets; RST hijacking; blind hijacking; man-in-the-middle with a packet sniffer; UDP hijacking.
Methods of Application Hijacking (obtaining session IDs): sniffing unencrypted traffic; brute force against short or predictable IDs; misdirected trust, where the application is tricked into disclosing the ID to the attacker (for example through cross-site scripting).
Session Hijacking Tools. Packet sniffers: Wireshark, tcpdump. Proxy servers: Burp Suite, OWASP ZAP. Session fixation and cookie editing: Fiddler (itself a web debugging proxy that can rewrite cookies in transit). Network spoofing tools: Ettercap, Cain & Abel.
ABSTRACT. homeshopping.pk is an e-commerce website with a wide range of products, from electronics to fashion. It offers the convenience of shopping from home with many deals and discounts. The idea behind this marketplace is to provide maximum visibility, build reliance and offer excellent service to customers. This task involves compromising the session ID/cookie of a web application through a proxy server and exploiting the session. The requests are intercepted and edited with the Burp Suite tool.
Objective. The objective of this report is to identify weaknesses in the homeshopping website and exploit those vulnerabilities. The site offers secure payment, home delivery, easy returns and attractive offers and discounts. Users can shop for all their needs, from electronic gadgets to fashion clothing and accessories.
Research on HomeShopping. HomeShopping.pk is Pakistan's largest managed marketplace, home to over 3000 local and international brands. Founded in July 2008 in Karachi, Home Shopping aims to provide the best online shopping experience to its customers, starting from a great selection, low prices, ease of use and fast delivery, and ending with the best customer service. Home Shopping ships all across Pakistan and has thousands of small businesses actively selling on the platform. The company is run by an energetic team of over 75 people and is self-funded. HomeShopping.pk has received many global accolades, including a nomination in the World Retail Awards 2013.
Data collection: technologies used by the website, grouped by category
- Analytics (platforms that collect data from websites and apps to produce reports on business activity): Google Analytics, Facebook Pixel, Cloudflare Browser Insights
- JavaScript frameworks: AMP (designed to make web pages load faster)
- Tag managers (a tag management system lets measurement codes and related snippets, collectively called tags, be updated quickly on a website or mobile app): Google Tag Manager
- Font scripts: Font Awesome (a font and icon toolkit based on CSS)
- Payment processors: Checkout.com (an international payment platform that processes different payment methods across a variety of currencies)
- Live chat (for easy communication between business and customers): WhatsApp Business Chat, Facebook Chat Plugin
- Miscellaneous (unrelated items grouped together for convenience or reference): RSS, Open Graph, HTTP/3
- JavaScript graphics: D3.js (a library for dynamic, interactive data visualizations in the browser)
- CDN (a group of geographically distributed servers that speed up delivery of web content by bringing it closer to users): cdnjs, Cloudflare
- UI frameworks: Bootstrap (a free, open-source CSS framework for responsive, mobile-first front-end development, with CSS and JavaScript templates for typography, forms, buttons, navigation and other interface components)
- JavaScript libraries (pre-written JavaScript, included via a script tag, that eases development of AJAX and other web-centric applications): Modernizr, jQuery UI, Dropzone, core-js, jQuery
- RUM: Cloudflare Browser Insights (measures website performance from the perspective of users)
- Authentication: Facebook Login (lets people create accounts and log in to an app across multiple platforms)
Methodology
Approach. An application-level method is used to gain control of an HTTP user session by obtaining the cookie. The session ID is intercepted and captured with Burp Suite, and access to another user's session is gained by replaying the ID captured from the authorized user.
Analysis and Findings. Attackers exploit weak session management or use packet sniffing to intercept session data, so it is crucial to know the techniques used to hijack sessions. Common weaknesses that lead to session hijacking are insecure, unencrypted communication and poor session token generation. The replay shown in the demonstration works because the server treats possession of the session cookie as the only proof of identity: nothing ties the cookie to the client that originally logged in.
Practical Demonstration
1. Log in with a username and password and open My Profile under My Account.
2. Turn on the proxy in the browser, refresh the page and turn on Intercept in Burp Suite.
3. Intercept the request and copy the Cookie header (the session ID) from it.
4. Turn off Intercept, open Burp Suite's browser, go to https://homeshopping.pk/ and log in to a different account.
5. Open My Profile under My Account.
6. Turn on Intercept, refresh the page, replace the Cookie header with the copied one, then forward the request.
7. The page now shows the first user's details: the server has accepted the replayed session cookie as proof of identity.
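The seven steps above as runnable code, added here as an example and not part of the original slides or of homeshopping.pk: a toy server stands in for the target site, issuing a session cookie at /login and rendering /my-account/profile from nothing but that cookie. The paths, usernames and passwords are constructed for the example; the behaviour is the one the demonstration relies on, namely that whoever presents the cookie is treated as that user.

```python
"""Cookie replay against a toy session-based web app (added example, not the deck's code)."""
import http.client
import json
import secrets
import threading
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials and an in-memory session table (sid -> username).
USERS = {"alice": "alice-pw", "bob": "bob-pw"}
SESSIONS = {}


class ShopApp(BaseHTTPRequestHandler):
    """Stand-in for the target site: /login issues a cookie, /my-account/profile trusts it."""

    def log_message(self, *args):
        pass  # silence per-request logging

    def _user_from_cookie(self):
        jar = SimpleCookie(self.headers.get("Cookie", ""))
        morsel = jar.get("sid")
        return SESSIONS.get(morsel.value) if morsel else None

    def do_POST(self):
        if self.path != "/login":
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", 0))
        creds = json.loads(self.rfile.read(length))
        if USERS.get(creds.get("user")) != creds.get("password"):
            self.send_error(401)
            return
        sid = secrets.token_urlsafe(32)
        SESSIONS[sid] = creds["user"]
        self.send_response(200)
        # Deliberately weak: after login the cookie is the only thing the server
        # checks, so whoever holds it is the user. That is what the demo exploits.
        self.send_header("Set-Cookie", f"sid={sid}; Path=/")
        self.end_headers()

    def do_GET(self):
        if self.path != "/my-account/profile":
            self.send_error(404)
            return
        user = self._user_from_cookie()
        if user is None:
            self.send_error(401)
            return
        body = json.dumps({"profile_of": user}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_server():
    """Bind an ephemeral localhost port and serve from a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), ShopApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def login(port, user, password):
    """Log in and return the Cookie header the browser would send on later requests."""
    conn = http.client.HTTPConnection("127.0.0.1", port)
    conn.request("POST", "/login",
                 body=json.dumps({"user": user, "password": password}),
                 headers={"Content-Type": "application/json"})
    resp = conn.getresponse()
    resp.read()
    if resp.status != 200:
        raise RuntimeError(f"login failed: {resp.status}")
    jar = SimpleCookie(resp.getheader("Set-Cookie"))
    return f"sid={jar['sid'].value}"


def get_profile(port, cookie_header):
    """Request the profile page with a caller-chosen Cookie header, as Burp lets you do."""
    conn = http.client.HTTPConnection("127.0.0.1", port)
    conn.request("GET", "/my-account/profile", headers={"Cookie": cookie_header})
    resp = conn.getresponse()
    body = resp.read()
    return resp.status, (json.loads(body)["profile_of"] if resp.status == 200 else None)


def replay_demo():
    """Steps 1-7 of the slides: capture the victim's cookie, replay it from another client."""
    srv = start_server()
    port = srv.server_address[1]
    victim_cookie = login(port, "alice", "alice-pw")    # victim logs in; Burp sees this cookie
    attacker_cookie = login(port, "bob", "bob-pw")      # attacker's own account in Burp's browser
    _, own_user = get_profile(port, attacker_cookie)    # attacker's own profile
    _, hijacked_user = get_profile(port, victim_cookie)  # pasted cookie, request forwarded
    srv.shutdown()
    return own_user, hijacked_user
```

Running replay_demo() returns ("bob", "alice"): the second client, holding only a copied cookie, is served the first user's profile, exactly the outcome of step 7.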
Detection Methods
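The slide carries only the heading. As an added example that is not from the deck, here is one detection that catches the replay performed in the demonstration above: the same session ID being accepted from a second client (different IP and User-Agent) while the first client is still using it. The log lines and their field layout are constructed for this example and are not homeshopping.pk's logs.

```python
"""Detect one session cookie used by two clients (added example; constructed log data)."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed access-log excerpt (not real traffic). Fields: timestamp, client IP,
# session cookie, User-Agent, request line, status. Session IDs shortened for readability.
ACCESS_LOG = """\
2024-06-18T10:00:01Z 203.0.113.5 sid=K7xqT0 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/126.0" "GET /my-account/profile" 200
2024-06-18T10:00:40Z 203.0.113.5 sid=K7xqT0 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/126.0" "GET /orders" 200
2024-06-18T10:01:10Z 192.0.2.44 sid=Pm3bZ9 "Mozilla/5.0 (iPhone; CPU iPhone OS 17_5) Safari/604.1" "GET /my-account/profile" 200
2024-06-18T10:02:13Z 198.51.100.7 sid=K7xqT0 "Mozilla/5.0 (X11; Linux x86_64) Chrome/125.0" "GET /my-account/profile" 200
2024-06-18T10:03:05Z 198.51.100.7 sid=K7xqT0 "Mozilla/5.0 (X11; Linux x86_64) Chrome/125.0" "POST /my-account/profile" 200
2024-06-18T10:04:30Z 192.0.2.44 sid=Pm3bZ9 "Mozilla/5.0 (iPhone; CPU iPhone OS 17_5) Safari/604.1" "GET /orders" 200
2024-06-18T10:05:00Z 203.0.113.5 sid=Q2wErT "curl/8.0" "GET /my-account/profile" 401
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) sid=(?P<sid>\S+) "(?P<ua>[^"]*)" '
    r'"(?P<req>[^"]*)" (?P<status>\d{3})$'
)


def parse_log(text):
    """Parse the constructed format into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        e["status"] = int(e["status"])
        events.append(e)
    return events


def find_shared_sessions(events, window_seconds=600):
    """Alert when a session ID is accepted from a new client (both IP and User-Agent differ)
    while a different client used the same ID within the window.

    Requiring both to differ keeps ordinary mobile IP changes from alerting on their own;
    the price is that an attacker who also copies the victim's User-Agent is not caught here.
    """
    by_sid = defaultdict(list)
    for e in events:
        if e["status"] < 400:          # only requests the server actually honoured
            by_sid[e["sid"]].append(e)

    alerts = []
    for sid, evs in by_sid.items():
        evs.sort(key=lambda ev: ev["ts"])
        seen = {}                      # (ip, ua) -> last time this client used the session
        for e in evs:
            client = (e["ip"], e["ua"])
            if client not in seen:
                for other, last_ts in seen.items():
                    recent = (e["ts"] - last_ts).total_seconds() <= window_seconds
                    if recent and other[0] != client[0] and other[1] != client[1]:
                        alerts.append({"sid": sid, "first_client": other,
                                       "second_client": client, "at": e["ts"].isoformat()})
                        break
            seen[client] = e["ts"]
    return alerts


if __name__ == "__main__":
    for a in find_shared_sessions(parse_log(ACCESS_LOG)):
        print(f"{a['at']} session {a['sid']} used by {a['second_client']} "
              f"shortly after {a['first_client']}")
```

On the sample, only K7xqT0 is flagged: it was served to a Firefox client at 203.0.113.5 and, 93 seconds later, to a Chrome client at 198.51.100.7. Pm3bZ9 stays with one client, and the rejected curl request is ignored because the server never honoured it.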
Impacts of Session Hijacking. Session hijacking can have serious consequences: unauthorized access to sensitive data; impersonation of legitimate users; financial loss; damage to the organization's reputation.
Prevention and Mitigation. To prevent session hijacking, organizations can implement the following measures:
- Use HTTPS everywhere: TLS encryption protects the session cookie in transit and defeats network-level sniffing and man-in-the-middle interception.
- Secure session management: generate session IDs from a cryptographic random source, set the Secure, HttpOnly and SameSite cookie attributes, rotate the session ID on login and on privilege changes, enforce idle and absolute timeouts, and invalidate sessions server-side on logout.
- Input validation: validate and sanitize user input (and encode output) to mitigate cross-site scripting, a common way of stealing session cookies.
- Multi-factor authentication: an extra factor at login limits what a stolen password achieves; note that it does not stop the replay of a cookie issued after login, so sensitive actions should require re-authentication.
- User and employee education: awareness of phishing and of untrusted networks reduces the risk of cookie theft.
- Anti-virus software: keeping endpoint protection up to date reduces the risk of malware that steals cookies from the browser.
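Added example, not from the slides: a server-side session store that applies the secure session management item in code. The store, its method names, the client fingerprint and the injectable clock are assumptions of this example rather than any real framework's API; the point is that an ID planted before login, a replayed ID from a different client, and a stale ID are all refused.

```python
"""Session store hardened against replay, fixation and stale sessions (added example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60       # seconds of inactivity after which a session dies
ABSOLUTE_TIMEOUT = 8 * 3600  # hard lifetime cap, regardless of activity


def client_fingerprint(*attributes: str) -> str:
    """Hash of client attributes the session is bound to (e.g. the User-Agent).
    Binding to the source IP as well is stricter but breaks mobile and roaming users."""
    return hashlib.sha256("|".join(attributes).encode()).hexdigest()


@dataclass
class Session:
    user: Optional[str]       # None until the client authenticates
    created: float
    last_seen: float
    fingerprint: str


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock   # injectable so timeouts can be tested without waiting
        self._sessions: Dict[str, Session] = {}

    def _create(self, user: Optional[str], fingerprint: str) -> str:
        now = self._clock()
        # 256 bits from the OS CSPRNG: neither predictable nor brute-forceable,
        # unlike sequential or time-derived IDs.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, now, now, fingerprint)
        return sid

    def start_anonymous(self, fingerprint: str) -> str:
        """Pre-login session (cart, CSRF token). Carries no identity."""
        return self._create(None, fingerprint)

    def login(self, pre_login_sid: str, user: str, fingerprint: str) -> str:
        """Rotate on authentication: the pre-login ID is destroyed and a fresh one issued,
        so an ID an attacker planted on the victim (session fixation) never becomes
        an authenticated session."""
        self._sessions.pop(pre_login_sid, None)
        return self._create(user, fingerprint)

    def resolve(self, sid: str, fingerprint: str) -> Optional[Session]:
        """Return the session for a presented ID, or None. Enforces both timeouts and the
        client binding; a binding mismatch destroys the session because it indicates replay."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            self._sessions.pop(sid)
            return None
        if not hmac.compare_digest(s.fingerprint, fingerprint):
            self._sessions.pop(sid)
            return None
        s.last_seen = now
        return s

    def logout(self, sid: str) -> None:
        """Server-side invalidation: deleting the browser cookie alone leaves the ID usable."""
        self._sessions.pop(sid, None)

    @staticmethod
    def set_cookie_header(sid: str) -> str:
        """Set-Cookie value: Secure (HTTPS only), HttpOnly (out of reach of script),
        SameSite=Lax (not sent on cross-site POSTs), no Domain attribute (host-only)."""
        return (f"sid={sid}; Path=/; Max-Age={ABSOLUTE_TIMEOUT}; "
                "Secure; HttpOnly; SameSite=Lax")
```

Against the replay from the demonstration, the copied cookie arrives with a different User-Agent, so resolve() refuses it and also terminates the victim's session, which is the safer failure: the legitimate user logs in again, the attacker gets nothing. Binding by fingerprint is a heuristic, not a proof of origin; an attacker who also copies the User-Agent passes it, which is why rotation, short timeouts and re-authentication for sensitive actions remain necessary.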
Conclusion. Session hijacking poses a significant threat to the security of online systems and user data. By understanding the various types of session hijacking and implementing robust security measures, organizations can mitigate the risks associated with this type of attack. By staying updated on the latest threats and implementing those measures, the impact of session hijacking can be minimized.