Thursday, January 7, 2016

Session Hijacking and Session Fixation

Session Fixation and Session Hijacking from past experiences.



 CSRF - Cross-Site Request Forgery.

        1) Issuing a cookie using a client-side script

Attack 1:- Cross-site scripting


Attack 2:- Persistent cookies (A long-term Session Fixation attack):- This can be achieved by issuing a persistent cookie (e.g., expiring in 10 years), which will keep the session fixed even after the user restarts the computer.


Attack 3:- Domain cookies
The cookie's domain attribute instructs the browser to send the cookie back not only to the issuing server but also to any other server in the specified domain.


Prevention:-
1) Preventing logins to a chosen session:-
We propose forceful prevention of logging into a chosen session. Web applications must ignore any session ID provided by the user’s browser at login and must always generate a new session to which the user will log in if successfully authenticated.
2) Preventing the attacker from obtaining a valid session ID:-
If possible, a web application on a strict system should only issue session IDs of newly generated sessions to users after they have successfully authenticated (as opposed to issuing them along with the login form). This means that an attacker who isn’t a legitimate user of the system will not be able to get a valid session ID and will therefore be unable to perform a session fixation attack.

Additional Notes:-

The Session Fixation attack is normally a three-step process:

      i.   Session set-up:- The attacker sets up a "trap-session" for the target web site and obtains that session's ID. Or, the attacker may select an arbitrary session ID used in the attack. In some cases, the established trap session value must be maintained (kept alive) with repeated web site contact.

      ii.  Session fixation:- The attacker introduces the trap session value into the user's browser and fixes the user's session ID.

      iii. Session entrance:- The attacker waits until the user logs into the target web site. When the user does so, the fixed session ID value will be used and the attacker may take over.


Steps: The attacker, who in this case is also a legitimate user of the system, logs in to the server (1) and is issued a session ID 1234 (2). She then sends a hyperlink http://online.worldbank.dom/login.jsp?sessionid=1234 to the user, trying to lure him into clicking on it (3). The user (how convenient for our example) clicks on the link, which opens the server’s login page in his browser (4). Note that upon receipt of the request for login.jsp?sessionid=1234, the web application has established that a session already exists for this user and a new one need not be created. Finally, the user provides his credentials to the login script (5) and the server grants him access to his bank account. However, at this point, knowing the session ID, the attacker can also access the user’s account via account.jsp?sessionid=1234 (6). Since the session has already been fixed before the user logged in, we say that the user logged into the attacker’s session.

        2) Issuing a cookie using the <META> tag with Set-Cookie attribute:- Most cross-site scripting vulnerabilities can also be used for injecting <META> tags.

Attack 4:- Meta tag injection


Prevention:- Restricting the session ID using:

      i.   Binding the session ID to the browser’s network address.

      ii.  Binding the session ID to the user’s SSL client certificate.

      iii. Session destruction, either due to logging out or timeout, must take place on the server (deleting session), not just on the browser (deleting the session cookie).

      iv.  The user must have an option to log out, thereby destroying not just his current session, but also any previous sessions that may still exist (in order to prevent the attacker from using an old session the user forgot to log out from).

      v.   Absolute session timeouts prevent attackers from both maintaining a trap session as well as maintaining an already entered user’s session for a long period of time.
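
The two login rules under the first "Prevention" heading and the restrictions listed just above, combined in one small server-side session table. This is an added example, not code from the original post or the referenced paper; the class name, the 30-minute timeout and the demo accounts are assumptions, and passwords are kept in plain text only to keep the demo short.

```python
import secrets
import time

ABSOLUTE_TIMEOUT = 30 * 60  # seconds; assumed policy value, not from the page


class SessionStore:
    """In-memory, server-side session table (hypothetical demo class)."""

    def __init__(self, users, clock=time.time):
        self._users = users      # username -> password, constructed demo data
        self._sessions = {}      # sid -> {"user", "addr", "created"}
        self._clock = clock

    def login(self, presented_sid, username, password, addr):
        """Authenticate, ignoring whatever session ID the browser sent."""
        self._sessions.pop(presented_sid, None)  # never log in to a chosen session
        expected = self._users.get(username)
        if expected is None or not secrets.compare_digest(
                expected.encode(), password.encode()):
            return None                          # no valid ID before authentication
        sid = secrets.token_urlsafe(32)          # fresh, unpredictable ID
        self._sessions[sid] = {"user": username, "addr": addr,
                               "created": self._clock()}
        return sid

    def authenticate(self, sid, addr):
        """Return the session's user, or None if the session is unusable."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        too_old = self._clock() - s["created"] > ABSOLUTE_TIMEOUT
        if too_old or s["addr"] != addr:         # absolute timeout, address binding
            del self._sessions[sid]              # destroy on the server
            return None
        return s["user"]

    def logout_everywhere(self, sid):
        """Destroy this session and all other sessions of the same user."""
        s = self._sessions.get(sid)
        if s is None:
            return 0
        doomed = [k for k, v in self._sessions.items() if v["user"] == s["user"]]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)
```
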

Additional Notes:-
For More details: - http://www.acrossecurity.com/papers/session_fixation.pdf


        3) Issuing a cookie using the URL: by default, some J2EE and PHP containers accept cookies as URL parameters, as in the URLs below.

Attack 5 :-
http://example/;JSESSIONID=1234 (J2EE)
http://example/?PHPSESSIONID=1234 (PHP)
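
A defender's check for this attack, as an added example that is not part of the original post: it scans the request URLs in access-log lines for session IDs carried in the path or the query string. The parameter list (the names used on this page plus the common defaults jsessionid and PHPSESSID) and the sample log lines are assumptions constructed for the demo.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Names from the URLs on this page, plus the containers' usual defaults
# (jsessionid, PHPSESSID). Compared case-insensitively.
SESSION_PARAMS = {"jsessionid", "phpsessionid", "phpsessid", "sessionid"}
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')


def session_ids_in_url(url):
    """Return (name, value, location) for each session ID carried in a URL."""
    parts = urlsplit(url)
    found = []
    # J2EE style: ";name=value" parameters attached to a path segment.
    for segment in parts.path.split("/"):
        for param in segment.split(";")[1:]:
            name, _, value = param.partition("=")
            if name.lower() in SESSION_PARAMS:
                found.append((name, value, "path"))
    # PHP style: an ordinary query-string parameter.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAMS:
            found.append((name, value, "query"))
    return found


def flag_log_lines(lines):
    """Return (line_number, hits) for log lines whose request URL has a session ID."""
    flagged = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        hits = session_ids_in_url(match.group(1)) if match else []
        if hits:
            flagged.append((number, hits))
    return flagged


# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [07/Jan/2016:10:00:01 +0000] "GET /login.jsp;jsessionid=1234 HTTP/1.1" 200 512',
    '198.51.100.7 - - [07/Jan/2016:10:00:05 +0000] "GET /account.jsp?page=2 HTTP/1.1" 200 2048',
    '203.0.113.9 - - [07/Jan/2016:10:00:09 +0000] "GET /index.php?PHPSESSID=1234&lang=en HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, hits in flag_log_lines(SAMPLE_LOG):
        print(number, hits)
```
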


        4) Through a login form that looks like a page coming from the main server:
The form contains a chosen session ID. However, an attacker who manages to trick the user into logging in through a malicious login form could just as well direct the user’s credentials to her own web server, which is generally a greater threat than that of fixing his session.


Session Hijacking

1) Session Sniffing

First the attacker uses a sniffer to capture a valid session token (the “Session ID”), then he uses that token to gain unauthorized access to the web server.

2) Man-in-the-middle attack

The attacker splits the original TCP connection into two new connections, one between the client and the attacker and the other between the attacker and the server.

3) MITM attack tools

There are several tools to realize a MITM attack. These tools are particularly efficient in LAN environments, because they implement extra functionality, like the ARP spoofing capabilities that permit the interception of communication between hosts.
• PacketCreator
• Ettercap
• Dsniff
• Cain & Abel

4) Man-in-the-browser attack

• Browser Helper Objects – dynamically loaded libraries loaded by Internet Explorer upon start-up.

• Extensions – the equivalent of Browser Helper Objects for the Firefox browser.

• API-Hooking – this is the technique used by Man-in-the-Browser to perform its Man-in-the-Middle between the executable application (EXE) and its libraries (DLL).

• JavaScript – by using a malicious Ajax worm.

<script>alert(document.cookie);</script>