Session Hijacking

Project Presentation
Ram Santhanam
Application Level Attacks - Session Hijacking & Defences
What is a session?

Definition from FOLDOC
- A lasting connection between a user (or user agent, i.e. browser) and a server, usually involving the exchange of many requests

Typically maintained by the server
- Includes a data store or a table to store user state and other user-specific information
- Includes an index to the table (aka session key or session-id)
- Created on first request or after an authentication process
- Session-id exchanged between browser and server on every request

Different ways to exchange session-ids
- URL rewriting
- Hidden form fields
- Cookies (most common)

Hijacking
- Stealing of this session-id and using it to impersonate the user and access their data
- Passive attack, difficult to detect

Typical Session (diagram; actors: Client (Browser), Server, Session Data)
1: Request Connection (Client to Server)
2: Create Session (Server writes to Session Data)
3: Session Id (Server to Client)
4: Subsequent Requests, session id passed (Client to Server)
5: Validate Session
6: Retrieve Session Data
7: Successful response (Server to Client)

Attack Methods

Guessing Session Id
- shorter length, predictable

Session Fixing
- predictable, session created before the user is authenticated

Session Sniffing (typical on non-SSL sessions)
- same subnet as client or server

Man in the Middle Attack (SSL)
- ARP poisoning, DNS spoofing

Security Vulnerabilities in Hops
- trusting private networks, vulnerabilities in web servers, etc.

Cross Site Scripting (XSS)
- user trusting the source, application vulnerability

Session Sniffing (diagram; actors: Client (Browser), Server, Session Data, Hacker)
1: Request Connection
2: Create Session
3: Session Id
4: Subsequent Requests (session id passed)
5: Validate Session
6: Retrieve Session Data
7: Successful response
Hacker: sniffs the Request (session-id) on the wire, then sends its own Request (session-id) to the Server and receives a Successful Response

Man in the Middle Attack (diagram; actors: Client (Browser), Hacker Machine 1, Hacker Machine 2, Server)
1: Request HTTPS Connection (Client to Hacker Machine 1)
2: Request HTTPS Connection (Hacker Machine 1 to Server)
3: Provide Server Certificate with public key
4: Provide HTTP Response
5: Subsequent Requests (Client to Hacker Machine 1)
6: Forward Request (Hacker Machine 1 to Server)
Hacker Machine 2: waits for the session to be created; Hacker Machine 1 passes it the Session Id; Hacker Machine 2 then sends a Request (session-id) and receives a Successful Response

Cross Site Scripting (XSS)
- Hacker inserts a rogue script into a trusted site.
- Common in social / community sites.

Defence Methods

Educating the users
- Paying attention to https vs. non-https
- Properly signing out
- Not clicking on links but copying and pasting them

Using high entropy in session id generation (see Tomcat e.g.)
- The higher the entropy, the more difficult the id is to predict

Using context data for validating session-ids
- Makes it difficult to use a hijacked id

Re-generating session-ids
- Reduces the window of vulnerability

Forcing re-authentication or step-up authentication
- Limits damage if a session is hijacked

Using SSL for all communications
- Difficult to sniff

Timing out sessions
- Reduces the window of vulnerability

Input validation
- Prevents XSS and other vulnerabilities

Tomcat Session Id generation

- The session id is generated from a random number.
- For random number generation, Java's SecureRandom class is used. This class provides a cryptographically strong random number generator using DSA/RSA/MD5 or SHA-1.
- The seed (64 bit) for generating the random number is constructed by bitwise XORing the system time with an entropy string.
- The entropy string comes from a hash value constructed from the device drivers running on the server.
- Using the SecureRandom class, a 16 byte (128 bit) random number is generated.
- A one-way hash of the random number is performed.
- A 32 byte (256 bit) hexadecimal number is created by taking 4 bits at a time from the 16 bytes.
- This 32 byte (256 bit) value is used as the jsessionid.
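As an added example (not code from the presentation or from Tomcat itself), the Python below models the session-id generation steps just described and applies three of the defences from the Defence Methods slide: a fresh id on login, context data bound to the id, and an idle timeout. Assumptions: Python's secrets module stands in for SecureRandom, the context string (e.g. User-Agent plus client address) is supplied by the caller, and the clock is injectable so behaviour can be checked offline.

```python
import hashlib
import secrets
import time

def generate_session_id() -> str:
    """Id built as the Tomcat slide describes: 16 CSPRNG bytes (secrets stands in
    for SecureRandom), a one-way hash, then 4 bits per hex digit -> 32 hex chars."""
    random_bytes = secrets.token_bytes(16)             # 128-bit random value
    digest = hashlib.sha1(random_bytes).digest()[:16]  # one-way hash, keep 16 bytes
    return digest.hex()                                # 32 hexadecimal characters

class SessionStore:
    """Server-side session table applying the slide's defences: context data bound
    to the id, idle timeout, and a fresh id on login (defeats session fixing)."""

    def __init__(self, idle_timeout: float = 900.0, now=time.time):
        self.table = {}                # session-id -> session data
        self.idle_timeout = idle_timeout
        self.now = now                 # injectable clock (assumption, for testing)

    def create(self, context: str) -> str:
        """First request: unauthenticated session bound to a caller-supplied context."""
        sid = generate_session_id()
        self.table[sid] = {"user": None, "context": context, "last": self.now()}
        return sid

    def validate(self, sid: str, context: str):
        """Session data if the id is known, live and context matches, else None."""
        data = self.table.get(sid)
        if data is None:
            return None
        if self.now() - data["last"] > self.idle_timeout:
            del self.table[sid]        # timed out: reduces the window of vulnerability
            return None
        if data["context"] != context:
            return None                # hijacked id presented from another context
        data["last"] = self.now()
        return data

    def login(self, sid: str, user: str, context: str) -> str:
        """Successful authentication: discard the pre-auth id and issue a new one."""
        data = self.validate(sid, context)
        if data is None:
            raise PermissionError("unknown, expired or mismatched session")
        del self.table[sid]
        data["user"] = user
        new_sid = generate_session_id()
        self.table[new_sid] = data
        return new_sid
```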
Questions?