written 8.5 years ago by | • modified 8.5 years ago |
Methods to commit a Session Hijack-
- IP Spoofing:
- IP spoofing is a method where attackers send packets with malicious content to a target machine and want to remain unidentified.
- The victim is unaware that the packet is not from a trusted host, and hence it accepts the packet sending a response back to the source computer.
- The biggest challenge for this is that the attacker must guess the proper sequence number to send the final ACK packet, as if it had come from a real source.
- If this step gets successful then the attacker may have a connection to a victim’s machine as long as the victim’s machine is active.
- Session Side jacking:
- In this method an attacker uses packet sniffing to read network traffic between two parties to steal the session cookie.
- Many websites use SSL encryption for login pages to prevent attackers from seeing the password, but do not use encryption for the rest of the site once authenticated. This allows attackers that can read the network traffic to intercept all the data that is submitted to the server viewed by the client.
- This data includes the session cookie and allows the attacker to impersonate the victim even if the password is not compromised. Unsecured WI-FI hotspots are highly vulnerable.
- Session Fixation:
- In a session fixation attack, an attacker fixes the user’s session ID before the user even logs into the target web server, thereby eliminating the need to obtain the user’s session ID afterwards.
- Cross-Site Scripting:
- In this method a hacker collects malicious data through a hyperlink from a user. The hyperlink holds the malicious content that is located in a website.
- When a user visits a web site and clicks on the link, the hacker sends the malicious data straight to the web application. After he clicks on the link, another page is created and the malicious content is generated within that page.
- The user remains absolutely unaware of the forged content and assumes it to be valid data generated from then host website.
- A SQL injection attack involves the alteration of SQL statements that are used within a web application through the use of attacker-supplied data. Insufficient input validation and improper construction of SQL statements in web applications can expose them to SQL injection attacks.
- Web applications rely on dynamic content to achieve the display of traditional desktop windowing programs. This dynamism is achieved by retrieving updated data from a database.
- In response to a web page request the application will generate a query aggregating portions of the request into the query.
- If the application is not careful about how it constructs the query an attacker can alter the query changing how it is processed by the external service. This technique is called as SQL injection.
- SQL injection is such a prevalent and potentially destructive attack that the Open Web Application Security Project (OWASP) lists it as the number one threat to web applications.
- Example: One of the many possible uses for SQL injection involves bypassing an application login process. The following example shows the general operation of a SQL injection attack. The following HTML form solicits login information from an application user. Although this example uses an HTTP POST request, an attacker could also use HTML forms that use the HTTP GET method.
<form action="/cgi-bin/login" method="post">
Username: <input type="text" name="username">
Password: <input type="password" name="password">
<input type="submit" value="Login">
- When a user enters his or her information into this form and clicks Login, the browser submits a string to the web server that contains the user's credentials. This string appears in the body of the HTTP or HTTPS POST request as:
username=submittedUser&password=submittedPassword
- An application with a vulnerable login process may accept the submitted information and use it as part of the following SQL statement, which locates a user profile that contains the submitted username and password:
select * from Users where (username = 'submittedUser' and password = 'submittedPassword');
- Unless an application uses strict input validation, it may be vulnerable to a SQL injection attack. If an application accepts and processes user-supplied data without any validation, an attacker could submit a maliciously crafted username and password. Consider the following string sent by an attacker:
username=admin%27%29+--+&password=+
Once this string is received and URL-decoded, the application will attempt to build a SQL statement using a username of admin') -- and a password that consists of a single space. Placing these items into the previous SQL statement yields: select * from Users where (username = 'admin') -- and password = ' ');
In the above example the attacker-crafted username changes the logic of the SQL statement to effectively remove the password check. The attacker could successfully log in to the application using the admin account without knowledge of the password to that account.