Question

In: Computer Science

how you will showcase the impact of session hijacking, session prediction, session fixation, session side jacking,...

how you will showcase the impact of session hijacking, session prediction, session fixation, session side jacking, cross-site scripting and illustrate some of the infamous session hijacking exploits to your prospective employer

Solutions

Expert Solution

Social engineering attacks is used to gain access to the system and carry out actions that reveal confidential/secret information of the user. It makes the user break the security procedures and tricks to gain access to the system. There are different types of social engineering attacks such as-

  • Phishing – Attackers creates similar fake website and acquires personal and bank details through this. He targets customer through email and other means.
  • Spear phishing – Similar attack like phishing but the target is narrow towards specific group.
  • Vishing – Attack through phone as a medium
  • Pretexting – Based on a scripted scenario, used to extract PII. The attacker resembles himself as a known person.
  • Baiting – Attacks happen through download links, infected USB’s etc.

there are three primary methods to obtain a valid session ID:

  • Guessing a valid session ID (session prediction)
  • Creating a valid session ID and tricking the user into using it (session fixation)
  • Obtaining a valid session ID from a user (session hijacking)

Most methods focus on session cookies because they are used most commonly to carry session IDs. However, these methods are not limited to cookie hijacking, as many apply equally to session tokens sent in other parts of HTTP requests, such as custom request headers or the request body.

Session Prediction

A session ID must be unique and should be hard to guess. That’s why in most cases session IDs are simply long, randomly generated numbers. However, not every developer uses secure, renowned session management libraries. Some decide to generate session IDs themselves and don’t do it too well.

Session prediction attacks are, in general, all attacks that attempt to guess a valid session ID (of any user) on the basis of how such IDs are generated. For example, a developer might decide to use a base64-encoded Epoch time as a session identifier. Therefore, a valid session ID would look like MTU4MDMwMDE1OQ==. If the attacker figures out this algorithm, they can attempt to guess a valid session token by trying different Epochs and base64-encoding them.

A brute-force attack could also be considered a form of session prediction. If the session key is short and the web server is not protected against multiple attempts, the attacker may try all possible values one by one until they get one that works.

Session Fixation

Session fixation takes place when the attacker generates a valid session ID that has not yet been used and then provides it to the user, who then uses it to authenticate. The attacker must first figure out what format of session IDs is valid and then use social engineering such as phishing or a similar attack technique to trick the user into clicking the login link and providing their credential, thus associating the session ID with the account.

Session Side-Jacking

The term session side-jacking is used to describe man-in-the-middle attacks (MITM) that are performed to steal the session. The attacker listens in on the communication between the web server and the client and intercepts valid session IDs.

There are many session side-jacking techniques that rely on different MITM attack techniques. In the simplest case, when traffic is not encrypted, all it takes is a simple sniffer working in the same local network as the client, monitoring network traffic for user’s connections and packet sniffing. This is especially common in the case of public Wi-Fi networks.

If the website or web application uses exclusively encrypted connections, simple session sniffing won’t do, but there are other tricks that may be attempted.

Cross-site Scripting (XSS)

One of the most effective ways for an attacker to get a session cookie is to use an XSS attack. If your website or web application has an XSS vulnerability, the attacker may trick your user. In this case, the victim visits a page that executes malicious JavaScript in the client browser. Such malicious code accesses the session cookie and then sends it to an attacker-controlled server.

Other Methods

Attackers may also use other methods to obtain session information. For example, they may attempt to infect user computer systems with malware such as trojans. An example of this may be the man-in-the-browser attack, where session identifiers are stolen directly from the user’s web browser.

Defending against Session Hijacking and Similar Attacks

To keep your session IDs safe, follow these rules:

  • Don’t think up ways to generate sessions yourself. Use secure tools available in popular frameworks.
  • Enforce HTTPS use on all your pages, not just the login page. For example, use HSTS, and set the Secure flag for session cookies.
  • Change the session ID after the user logs in.
  • Logout inactive users and invalidate session IDs after a time.
  • Set the HttpOnly flag for session cookies.
  • Regularly scan your website or web application with a vulnerability scanner like Acunetix to discover potential Cross-site Scripting vulnerabilities (and more).

Related Solutions

how you will showcase the impact of session hijacking, session prediction, session fixation, session side jacking,...
how you will showcase the impact of session hijacking, session prediction, session fixation, session side jacking, cross-site scripting and illustrate some of the infamous session hijacking exploits to your prospective employer
Discuss which of the 5 steps of session hijacking you believe represents the most difficult technical...
Discuss which of the 5 steps of session hijacking you believe represents the most difficult technical challenge and explain the methods or approaches you might employ to overcome the challenges.
(i) How will AI impact Biotechnology? (ii) How will AI impact pandemic prediction globally? (iii) How...
(i) How will AI impact Biotechnology? (ii) How will AI impact pandemic prediction globally? (iii) How will AI impact drug or vaccine discovery and development? (iv) How will AI impact space exploration?
The research showcase requires you to research a topic related to the course and will require...
The research showcase requires you to research a topic related to the course and will require you to incorporate at least three critical, scholarly sources related to the text or readings you have selected as the basis for your study. Other types of sources may be used in addition to the scholarly works. Topic ideas: a Chicanx individual (you may build on the research you did for your Chingona Highlight) a collection of works (plays, poetry, artwork, murals, public art...
What can be done to prevent or mitigate the account or service hijacking, when you are...
What can be done to prevent or mitigate the account or service hijacking, when you are using cloud services?
For the following hypothetical situations make a prediction about potential functional impact for the individual: Gallbladder...
For the following hypothetical situations make a prediction about potential functional impact for the individual: Gallbladder removal Hyposecretion of secretin Vagotomy (severing of the vagus nerve) proximal to the stomach Lack of receptors for leptin on cells of the body
1. (4pts) For the following hypothetical situations make a prediction about potential functional impact for the...
1. (4pts) For the following hypothetical situations make a prediction about potential functional impact for the individual:          Gallbladder removal          Hyposecretion of secretin          Vagotomy (severing of the vagus nerve) proximal to the stomach          Lack of receptors for leptin on cells of the body 2. For each of the following digestive enzymes identify which organ or gland it is produced in/secreted by, what stimulus drives the release of that enzyme, and which macromolecules it plays a role in digesting: Enzyme Secreted by...
How does the shape and stacking of thylakoids contributes to the rate of carbon fixation by...
How does the shape and stacking of thylakoids contributes to the rate of carbon fixation by the chloroplast?
what nitrogen fixation is and its role in how nitrogen gets into the food web in...
what nitrogen fixation is and its role in how nitrogen gets into the food web in the first place.
How would bias impact developing of accurate predictive models? How would you minimize the impact of...
How would bias impact developing of accurate predictive models? How would you minimize the impact of bias?
ADVERTISEMENT
ADVERTISEMENT
ADVERTISEMENT