Chapter 12: Session Hijacking Flashcards
Session Hijacking
intercepting a legitimate connection and taking over
attacker can assume role of user or simply monitor the traffic for opportune times to inject or collect traffic
Session and Session ID
agreed-upon duration where client and server are vetted and authenticated
The alphanumeric sequence that uniquely identifies the session is the session ID or session token
*** Categorizing Session Hijacking (3)
1) BRUTE-FORCING AN ID //guessing an ID
2) STEALING AN ID //through sniffing
3) CALCULATING AN ID //calculating a valid session ID simply by looking at an existing one and figuring out the sequence
Spoofing VS Hijacking
Spoofing //pretend to be someone, but does not take over session
Hijacking //takes over existing active session
*** Session Hijacking process (5)
1) SNIFFING //sniff traffic between the two ends
2) MONITORING //observe flow of traffic
3) SESSION DESYNCHRONIZATION //break the session between the two
4) SESSION ID PREDICTION
5) COMMAND INJECTION
Levels of Session Hijacking
Can take place at NW layer (TCP/UDP) or at a higher level, the APP layer (HTTP/FTP)
*** Active vs Passive Attacks
Active attack //taking over connection as own; this usually causes DoS on legit client;
Passive attack //monitor traffic between user and server
*** Type of Session IDs (3)
1) EMBEDDED IN A URL //web apps use GET request to follow links embedded in a web page; An attacker can easily browse through victim’s browsing history and gain access by entering the URL of a previously browsed web app
2) EMBEDDED AS HIDDEN FIELD //forms for inputting user data sometimes include a hidden field that is used for sending a client’s session ID
3) COOKIES
*** Types of Application Level Session Hijacking (4)
1) SESSION SNIFFING //finding the session token and gaining access
2) PREDICTING SESSION TOKENS //gathering a few session IDs already used
3) MiTM ATTACK
4) MiTM BROWSER ATTACK //common forms include cross-site scripting (XSS), trojans, and JavaScript issues;
//XSS - data entering a web app through an untrusted source
Types of Cross-Site Scripting (or XSS) attacks (2)
1) STORED XSS ATTACKS //hacker places code on a target server where victim wishes to access; When victim makes request from server, the script executes
2) REFLECTED XSS ATTACKS //injected code is bounced off a web server (typically a user will click a link executing code)
Define Dynamic Content
any type of content generated on the fly; i.e. user makes a request, which is sent to server; server interprets request and returns data in form of web page
Session Fixation Attack
Web application attack; exploits vulnerabilities in the way session IDs are managed; May mean Session IDs are not regenerated as often as they should be; Vulnerability exists when app fails to create a new session ID for a new user;
Techniques to execute session fixation attack
1) session ID sent to victim in HYPERLINK
2) victim tricked; login form may be developed by attacker
3) Using tag
4) HTTP header response uses server response to fix session ID in browser;
Techniques for Session Hijacking attacks
1) BLIND HIJACKING //a type of session hijack in which attacker cannot capture return traffic; attacker blindly injects malicious packets w/ out seeing effect
2) IP SPOOFING //attacker acts as legit user
3) SOURCE ROUTING //ensures injected packets are sent via a selected routing path
4) DNS SPOOFING //alter target IP address mappings in an effort to direct the target traffic to an address the attacker specifies;
5) ARP CACHE POISONING //remember ARP is responsible for translating between MAC addresses and IP addresses (the reverse direction is RARP, reverse ARP);
//ARP cache poisoning overwrites victim’s ARP cache, redirecting traffic to an inaccurate physical address mapping (usually the attacker’s machine)
6) DESYNCHRONIZING THE CONNECTION //breaking the linear sequence between victim and host, giving attacker room to jump in; (i.e. attacker tracking connection; he injects large volume of NULL packets to host, this in turn increments the sequence #s of the host packets w/ out them knowing; he has desynchronized the connection and has staged the host packet sequence # to a predictable count based on how many null packets he sent)
*** Types of Network Session Hijacking (3)
1) TCP/IP SESSION HIJACKING //attack on a TCP session, attempt to predict sequence #s; if successful attacker can inject packets that are “in sequence”; Each packet in a conversation over TCP increments by 1; Attacker spoofs IP address (acts as legit user)
2) MiTM //#1 session hijack attack; places attacker directly between victim & host; This type of attack looks much different from the other attacks (the other attacks are T-shaped & the original connection between victim & host is not interfered with, whereas for a MiTM attack, the connection is re-routed from victim, to attacker, to host [[forming an upside-down triangle]])
3) UDP SESSION HIJACKING //easier to hack than TCP bc it doesn’t use sequencing for its packets; UDP is a connectionless protocol, meaning it doesn’t establish a verifiable connection between client and host; Same concept though, where the goal is to fool the victim into thinking the attacker is the server; attacker must get a response to the client before the host does;