Project Presentation
Ram Santhanam
Application Level Attacks - Session Hijacking & Defences
What is a session?
  Definition from FOLDOC: a lasting connection between a user (or user agent, i.e. browser) and a server, usually involving the exchange of many requests
  Typically maintained by the server
  Includes a data store or a table to store user state and other user-specific information
  Includes an index to the table (aka session key or session-id)
  Created on first request or after an authentication process
  Session-id exchanged between browser and server on every request
  Different ways to exchange session-ids:
    URL rewriting
    Hidden form fields
    Cookies (most common)
Hijacking
  Stealing of this session-id and using it to impersonate the user and access their data
  Passive attack, difficult to detect
Typical Session
  Diagram (client browser, server, session data store):
  1: Request connection (client to server)
  2: Create session (server)
  3: Session id (server to client)
  4: Subsequent requests (session id passed) (client to server)
  5: Validate session (server)
  6: Retrieve session data (server, from the session data store)
  7: Successful response (server to client)
Attack Methods
  Guessing Session Id: shorter length, predictable
  Session Fixing: predictable, session created before authentication
  Session Sniffing (typical on non-SSL sessions): same subnet as client or server
  Man in the Middle Attack (SSL): ARP poisoning, DNS spoofing
  Security Vulnerabilities in Hops: trusting private networks, vulnerabilities in web servers, etc.
  Cross Site Scripting (XSS): user trusting the source, application vulnerability
Session Sniffing
  Diagram (client browser, server, session data store, hacker on the network path): the same steps 1-7 as the Typical Session slide, with the hacker sniffing step 4, the request carrying the session-id
  Hacker then sends a request with the sniffed session-id and receives a successful response
Man in the Middle Attack
  Diagram (client browser, hacker machine 1 in the path, server, hacker machine 2):
  1: Request HTTPS connection (client to hacker machine 1)
  2: Request HTTPS connection (hacker machine 1 to server)
  3: Provide server certificate with public key (server)
  4: Provide HTTP response (to client)
  5: Subsequent requests (client to hacker machine 1)
  6: Forward request (hacker machine 1 to server)
  Hacker machine 1 waits for the session to be created and passes the session id to hacker machine 2
  Hacker machine 2 sends a request with the session-id and receives a successful response
Cross Site Scripting (XSS)
  Hacker inserts a rogue script into a trusted site.
  Common in social / community sites.
Defence Methods
  Educating the users: paying attention to https vs. non-https; properly signing out; not clicking on links but copying and pasting them
  Using high entropy in session id generation (see Tomcat e.g.): the higher the entropy, the more difficult the id is to predict
  Using context data for validating session-ids: makes it difficult to use a hijacked id
  Re-generating session-ids: reduces the window of vulnerability
  Forcing re-authentication or step-up authentication: limits the damage if a session is hijacked
  Using SSL for all communications: difficult to sniff
  Timing out sessions: reduces the window of vulnerability
  Input validation: prevents XSS and other vulnerabilities
Tomcat Session Id generation
  The session id is generated from a random number.
  For random number generation, Java's SecureRandom class is used. This class provides a cryptographically strong random number generator using DSA/RSA/MD5 or SHA-1.
  The seed (64 bit) for generating the random number is constructed by bitwise XORing the system time with an entropy string.
  The entropy string comes from a hash value constructed from the device drivers running on the server.
  Using the SecureRandom class, a 16 byte (128 bit) random number is generated.
  A one-way hash of the random number is performed.
  A 32 byte (256 bit) hexadecimal number is created by taking 4 bits at a time from the 16 bytes.
  This 32 byte (256 bit) value is used as the jsessionid.
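As an added example (not from the slides or from Tomcat itself), here is a minimal Python session store that applies several of the defences listed above together with the Tomcat-style id format: a 128-bit random id rendered as 32 hex characters, context data checked on every request, an idle timeout, and regeneration of the id on authentication. The class, function names and the 15 minute timeout are illustrative assumptions.

```python
import hashlib
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session is dropped (assumed value)

def new_session_id() -> str:
    # 16 CSPRNG bytes rendered as 32 hex characters (4 bits each), the shape of the jsessionid above
    return secrets.token_hex(16)

def context_fingerprint(user_agent: str, client_ip: str) -> str:
    # Context data bound to the session at creation and re-checked on every request
    return hashlib.sha256(f"{user_agent}|{client_ip}".encode()).hexdigest()

class SessionStore:
    def __init__(self, now=time.time):
        self._now = now           # injectable clock so the timeout can be tested
        self._sessions = {}       # session-id -> {"user", "ctx", "last_seen"}

    def create(self, user_agent: str, client_ip: str) -> str:
        sid = new_session_id()
        self._sessions[sid] = {"user": None, "ctx": context_fingerprint(user_agent, client_ip),
                               "last_seen": self._now()}
        return sid

    def validate(self, sid: str, user_agent: str, client_ip: str):
        """Return the session state, or None if unknown, timed out, or from a different context."""
        state = self._sessions.get(sid)
        if state is None:
            return None
        if self._now() - state["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]   # idle timeout: shrink the window of vulnerability
            return None
        if state["ctx"] != context_fingerprint(user_agent, client_ip):
            return None               # a sniffed id is useless from another context
        state["last_seen"] = self._now()
        return state

    def authenticate(self, sid: str, user: str, user_agent: str, client_ip: str):
        """On login, retire the pre-authentication id so a fixed or guessed id stops working."""
        state = self.validate(sid, user_agent, client_ip)
        if state is None:
            return None
        del self._sessions[sid]
        state["user"] = user
        new_sid = new_session_id()
        self._sessions[new_sid] = state
        return new_sid
```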
Questions?