Session Hijacking

Session hijacking (roughly "the hijacking of a communication session") is an attack on connection-oriented data communication between two computers. Whereas the participants in a connectionless communication exchange messages with no defined relationship to one another, in a connection-oriented communication a logical connection (a session) is established first. If one communication partner authenticates itself to the other within that session, a trust relationship is created. The attacker's aim is to "hijack" this session and thereby exploit that trust in order to obtain the same privileges as the legitimately authenticated user.

Because communication over computer networks is divided into layers, the attack can be carried out on any layer that provides connection-oriented communication.

Session hijacking resembles a spoofing attack, but here the attacker already has all the information needed at the time of the attack.


Methods

A session hijacking is usually preceded by passive sniffing of the data communication, during which the attacker collects the information needed for the attack. If that information is exchanged over unencrypted protocols such as HTTP, Telnet, FTP or POP3, the attacker only needs either direct access to the physical layer (network cable, radio range of a wireless network) or to redirect the communication through his own machine by means of a man-in-the-middle attack (also called a Janus attack). If the data is encrypted, the attacker must first break that encryption.

Hijacking of TCP sessions

A legitimate user establishes a TCP connection by means of the three-way handshake. After authentication, the attacker attempts to take over the dialogue by crafting response packets and sending them faster than the server or client that was actually addressed. To do this the attacker must know the current sequence number, which in unencrypted connections is transmitted in plain text. If his packets, carrying the correct sequence numbers and a forged sender address, arrive before the genuine ones, the addressed host processes them and discards the genuine packets, which now look like duplicates. Because the legitimate peer keeps sending with sequence numbers that are now out of step, the two sides answer each other with a stream of acknowledgements (an ACK storm), which the attacker has to suppress or which gives the attack away.
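The race described above, as an added example that is not part of the original article. It does not touch a real network: a minimal model of a receiver's in-order acceptance is used to show why a forged segment that carries the expected sequence number and arrives first is accepted, while the legitimate segment that follows is dropped as a duplicate. Addresses, sequence numbers and payloads are constructed for the demonstration.

```python
from dataclasses import dataclass, field


@dataclass
class Segment:
    src: str        # claimed source address (trivially forgeable)
    seq: int        # sequence number of the first payload byte
    payload: bytes


@dataclass
class Receiver:
    """Minimal model of the receive side of an established TCP connection.

    Only in-order data is accepted: a segment is delivered when its
    sequence number equals rcv_nxt; anything else is discarded (a real
    stack would additionally send an ACK, which is ignored here)."""
    peer: str
    rcv_nxt: int
    accepted: list = field(default_factory=list)
    dropped: list = field(default_factory=list)

    def deliver(self, seg: Segment) -> bool:
        if seg.src != self.peer:
            self.dropped.append((seg, "wrong source"))
            return False
        if seg.seq != self.rcv_nxt:
            self.dropped.append((seg, "out of order / duplicate"))
            return False
        self.accepted.append(seg.payload)
        self.rcv_nxt += len(seg.payload)
        return True


def sniff(segment: Segment) -> int:
    """The attacker reads the sequence number from a sniffed plaintext
    segment; the next expected value is all the hijack needs."""
    return segment.seq + len(segment.payload)


def simulate(attacker_first: bool) -> Receiver:
    client = "10.0.0.5"                      # constructed address
    server = Receiver(peer=client, rcv_nxt=1000)

    # The legitimate client sends one segment; the attacker sniffs it and
    # learns which sequence number the server expects next.
    first = Segment(src=client, seq=1000, payload=b"echo hello\n")
    server.deliver(first)
    next_seq = sniff(first)

    legit = Segment(src=client, seq=next_seq, payload=b"ls -l\n")
    forged = Segment(src=client, seq=next_seq, payload=b"whoami\n")  # spoofed src

    # Whoever reaches the server first with the expected sequence number
    # wins; the other segment then looks like a duplicate and is dropped.
    for seg in ([forged, legit] if attacker_first else [legit, forged]):
        server.deliver(seg)
    return server
```

Run `simulate(True)` and `simulate(False)` to compare: the accepted payload list differs only in which of the two competing segments arrived first, which is exactly why the attacker must be faster than the legitimate peer.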

Hijacking of web sessions

HTTP is fundamentally a connectionless, stateless protocol: each HTTP request is accepted by the web server as a new connection, which is closed again as soon as the request has been served (HTTP keep-alive reuses the TCP connection but carries no application state). Since many web applications nevertheless need to recognise their users beyond the duration of a single request, they implement their own session management. For this purpose a unique session ID is generated at the start of each session, which the user's browser sends along with every subsequent request in order to identify itself to the server. The session ID is either embedded in the URL as a GET parameter, sent as a POST parameter or, most commonly, transmitted in a cookie. If the attacker can read or guess this session ID, he can pose as the authenticated user simply by sending that session ID along with his own requests, and so take over the session. Web applications that do not require the old password when the password is changed additionally allow the hijacker to lock the legitimate user out of his own account (account lockout).
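The two weaknesses named above, guessable session IDs and a password change that does not require the old password, as an added example that is not part of the original article. The session store, user names and passwords are constructed for the demonstration; the hijacker holds a session of his own and simply tries neighbouring ID values, which works against sequential IDs and fails against IDs drawn from the operating system's random generator.

```python
import itertools
import secrets


class SessionStore:
    """Server-side session table: session ID -> user name."""

    def __init__(self, new_id):
        self._new_id = new_id              # callable producing a session ID
        self._sessions = {}
        # Constructed credentials for the example.
        self._passwords = {"alice": "correct horse", "mallory": "hunter2"}

    def login(self, user, password):
        if self._passwords.get(user) != password:
            return None
        sid = self._new_id()
        self._sessions[sid] = user
        return sid

    def whoami(self, sid):
        # Whoever presents a valid ID is treated as that user; this is
        # precisely what the hijacker exploits.
        return self._sessions.get(sid)

    def change_password_weak(self, sid, new_password):
        # Vulnerable variant: trusts the session alone, so a hijacker can
        # lock the legitimate user out (account lockout).
        user = self.whoami(sid)
        if user is None:
            return False
        self._passwords[user] = new_password
        return True

    def change_password(self, sid, old_password, new_password):
        # Hardened variant: re-authenticate with the old password first.
        user = self.whoami(sid)
        if user is None or self._passwords[user] != old_password:
            return False
        self._passwords[user] = new_password
        return True


def sequential_ids(start=1000):
    """Predictable IDs: each login gets the next integer."""
    counter = itertools.count(start)
    return lambda: str(next(counter))


def random_ids():
    """Unpredictable IDs: 32 bytes (256 bits) from the OS CSPRNG."""
    return lambda: secrets.token_urlsafe(32)


def guess_neighbours(store, own_sid, max_distance=50):
    """Attacker with his own session tries IDs close to it.
    Returns (sid, user) of another user's session, or None."""
    try:
        base = int(own_sid)
    except ValueError:
        return None                         # no structure to exploit
    for d in range(1, max_distance + 1):
        for cand in (str(base - d), str(base + d)):
            user = store.whoami(cand)
            if user is not None and user != store.whoami(own_sid):
                return cand, user
    return None


def demo(new_id):
    store = SessionStore(new_id)
    store.login("alice", "correct horse")          # the victim
    attacker_sid = store.login("mallory", "hunter2")
    hit = guess_neighbours(store, attacker_sid)
    if hit is None:
        return {"hijacked": None, "lockout": False}
    sid, user = hit
    # The hijacker acts as the victim and changes her password.
    changed = store.change_password_weak(sid, "owned")
    victim_can_login = store.login("alice", "correct horse") is not None
    return {"hijacked": user, "lockout": changed and not victim_can_login}
```

`demo(sequential_ids())` reports the victim's session as hijacked and the victim locked out; `demo(random_ids())` finds nothing, because there is no neighbouring value to try. The hardened `change_password` refuses the same request without the old password, so even a hijacked session cannot be turned into a permanent takeover.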

Countermeasures

There are basically two ways to prevent session hijacking: either the sniffing of the necessary information is prevented in the first place by transmitting it encrypted, or the trust relationship is not based on a shared secret that is itself sent over the wire but, for example, on challenge-response authentication, in which the secret never leaves either party. HTTPS, for instance, requires the server to authenticate itself to the client with a digital certificate and then encrypts the payload of the connection. Note that challenge-response authentication only protects the login step; once a session exists, its takeover is prevented only if every subsequent message is protected as well, as HTTPS does. As with every use of cryptography, it is not enough that the cryptography is secure in theory; the actual implementation must be secure as well.
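Challenge-response authentication as described above, as an added example that is not part of the original article. It uses an HMAC over a fresh random challenge; the secret, user name and the eavesdropper's behaviour are constructed for the demonstration. The point it shows is that a sniffed response is bound to a single challenge and is therefore useless for replay.

```python
import hashlib
import hmac
import secrets


class Server:
    """Verifier side. Knows each user's secret but never transmits it,
    and issues a fresh random challenge for every authentication attempt."""

    def __init__(self, secrets_by_user):
        self._secrets = dict(secrets_by_user)
        self._pending = {}                  # user -> outstanding challenge

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self._pending.pop(user, None)   # each challenge is single-use
        secret = self._secrets.get(user)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time


def respond(secret: bytes, nonce: bytes) -> bytes:
    """Prover side: proves knowledge of the secret without revealing it."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def run() -> dict:
    alice_secret = b"constructed example secret"
    server = Server({"alice": alice_secret})

    # 1. Legitimate login. An eavesdropper sees both nonce and response,
    #    but not the secret.
    nonce = server.challenge("alice")
    response = respond(alice_secret, nonce)
    sniffed_response = response
    legit_ok = server.verify("alice", response)

    # 2. Replay: the attacker presents the sniffed response to a new
    #    challenge. The nonce differs, so the MAC no longer matches.
    server.challenge("alice")
    replay_ok = server.verify("alice", sniffed_response)

    # 3. Without the secret the attacker cannot compute a valid response
    #    to a fresh challenge at all.
    new_nonce = server.challenge("alice")
    forged_ok = server.verify("alice", respond(b"guess", new_nonce))

    # 4. A response cannot be presented twice even for the same challenge,
    #    because the server discards the challenge after the first check.
    nonce2 = server.challenge("alice")
    resp2 = respond(alice_secret, nonce2)
    first = server.verify("alice", resp2)
    second = server.verify("alice", resp2)

    return {"legit": legit_ok, "replay": replay_ok,
            "forged": forged_ok, "reuse": (first, second)}
```

Contrast this with a password sent in the clear over Telnet or HTTP, where the sniffed value can be replayed indefinitely. The scheme still leaves the established session unprotected, which is why it has to be combined with transport encryption such as TLS.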

Many hijacking techniques produce anomalies in the network traffic that can be detected by intrusion detection systems (IDS). However, detecting such an attack can only be the first link in a chain of countermeasures.

Web-specific measures

It should be ensured that the web application in question is not vulnerable to cross-site scripting, since this is probably one of the main methods by which attackers read the document.cookie object via JavaScript and thus hijack the session. Marking the session cookie as HttpOnly keeps it out of document.cookie, although injected script can still issue requests within the victim's session, so it complements rather than replaces fixing the cross-site scripting itself.
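The cookie attributes that limit what a hijacker can do with a session cookie, as an added example that is not part of the original article. It builds a hardened Set-Cookie header with the standard library, then audits arbitrary Set-Cookie headers for the missing attributes and models which cookies an injected script would see in document.cookie. The cookie name `sid` and the header values are constructed for the demonstration.

```python
from http.cookies import SimpleCookie


def issue_session_cookie(session_id: str) -> str:
    """Build a Set-Cookie header value for the session ID with the
    attributes that limit its exposure:
      HttpOnly  - not readable through document.cookie
      Secure    - only sent over HTTPS, so it is not sniffable in clear
      SameSite  - not attached to cross-site requests"""
    c = SimpleCookie()
    c["sid"] = session_id
    c["sid"]["httponly"] = True
    c["sid"]["secure"] = True
    c["sid"]["samesite"] = "Strict"
    c["sid"]["path"] = "/"
    return c["sid"].OutputString()


def parse_set_cookie(header: str):
    """Return (name, value, {attribute_lower: value_or_None}) for one
    Set-Cookie header value. Small hand-written parser for this example."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else None
    return name, value, attrs


def audit(header: str) -> list:
    """Findings a reviewer would raise about a session cookie header."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable via document.cookie")
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plain HTTP, sniffable")
    if (attrs.get("samesite") or "").lower() not in ("strict", "lax"):
        findings.append("missing or weak SameSite")
    return findings


def visible_to_script(headers) -> list:
    """Names of cookies that script injected via XSS could read, i.e.
    those set without HttpOnly (mirrors how browsers fill document.cookie)."""
    names = []
    for h in headers:
        name, _, attrs = parse_set_cookie(h)
        if "httponly" not in attrs:
            names.append(name)
    return names
```

Running `audit("sid=abc123; Path=/")` against a header as many frameworks emit it by default lists all three findings, whereas the header from `issue_session_cookie` passes clean; `visible_to_script` shows that only the unhardened cookie would be exposed by a successful cross-site scripting attack.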

Programs

  • Ettercap
  • Juggernaut
  • Hunt
  • SMBRelay
  • Firesheep (Firefox extension)