In: Computer Science
How will you showcase the impact of session hijacking, session prediction, session fixation, session side-jacking and cross-site scripting, and illustrate some of the infamous session hijacking exploits, to your prospective employer?
Social engineering attacks are used to gain access to a system and carry out actions that reveal the user's confidential or secret information. They trick the user into breaking security procedures so that the attacker gains access to the system. There are different types of social engineering attacks, such as -
There are three primary methods to obtain a valid session ID:
Most methods focus on session cookies because they are used most commonly to carry session IDs. However, these methods are not limited to cookie hijacking, as many apply equally to session tokens sent in other parts of HTTP requests, such as custom request headers or the request body.
Session Prediction
A session ID must be unique and should be hard to guess. That’s why in most cases session IDs are simply long, randomly generated numbers. However, not every developer uses secure, renowned session management libraries. Some decide to generate session IDs themselves and don’t do it too well.
Session prediction attacks are, in general, all attacks that attempt to guess a valid session ID (of any user) on the basis of how such IDs are generated. For example, a developer might decide to use a base64-encoded Epoch time as a session identifier. Therefore, a valid session ID would look like MTU4MDMwMDE1OQ==. If the attacker figures out this algorithm, they can attempt to guess a valid session token by trying different Epochs and base64-encoding them.
A brute-force attack could also be considered a form of session prediction. If the session key is short and the web server is not protected against multiple attempts, the attacker may try all possible values one by one until they get one that works.
Session Fixation
Session fixation takes place when the attacker generates a valid session ID that has not yet been used and then provides it to the user, who then uses it to authenticate. The attacker must first figure out what format of session IDs is valid and then use social engineering such as phishing or a similar attack technique to trick the user into clicking the login link and providing their credentials, thus associating the session ID with the account.
Session Side-Jacking
The term session side-jacking is used to describe man-in-the-middle attacks (MITM) that are performed to steal the session. The attacker listens in on the communication between the web server and the client and intercepts valid session IDs.
There are many session side-jacking techniques that rely on different MITM attack techniques. In the simplest case, when traffic is not encrypted, all it takes is a simple sniffer working in the same local network as the client, monitoring the network traffic of the user's connections and capturing packets. This is especially common on public Wi-Fi networks.
If the website or web application uses exclusively encrypted connections, simple session sniffing won’t do, but there are other tricks that may be attempted.
Cross-site Scripting (XSS)
One of the most effective ways for an attacker to get a session cookie is to use an XSS attack. If your website or web application has an XSS vulnerability, the attacker may trick your user. In this case, the victim visits a page that executes malicious JavaScript in the client browser. Such malicious code accesses the session cookie and then sends it to an attacker-controlled server.
Other Methods
Attackers may also use other methods to obtain session information. For example, they may attempt to infect user computer systems with malware such as trojans. An example of this may be the man-in-the-browser attack, where session identifiers are stolen directly from the user’s web browser.
Defending against Session Hijacking and Similar Attacks
To keep your session IDs safe, follow these rules:
Set the Secure flag for session cookies.
Set the HttpOnly flag for session cookies.
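The following added example (not part of the original answer) shows those defenses in working Python: session IDs come from the OS CSPRNG so they cannot be predicted, the ID is regenerated at login so a pre-planted ID never becomes authenticated (fixation), and the Set-Cookie header carries Secure and HttpOnly; the cookie name, the in-memory store and the flag-audit helper are assumptions made for the example.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_COOKIE = "sessionid"  # assumed cookie name for this example


class SessionStore:
    """Minimal in-memory session store, constructed for this example."""

    def __init__(self):
        self._sessions = {}  # session id -> session attributes

    def new_session_id(self):
        # 32 bytes from the OS CSPRNG: long and random, not derived from time
        return secrets.token_urlsafe(32)

    def create(self):
        sid = self.new_session_id()
        self._sessions[sid] = {"user": None, "created": time.time()}
        return sid

    def lookup(self, sid):
        # An id the server never issued (e.g. one fixed by an attacker) is unknown
        return self._sessions.get(sid)

    def login(self, presented_sid, username):
        # Drop whatever id the browser presented and issue a fresh one, so an
        # id planted before authentication is never tied to the account.
        self._sessions.pop(presented_sid, None)
        sid = self.create()
        self._sessions[sid]["user"] = username
        return sid

    def logout(self, sid):
        self._sessions.pop(sid, None)


def session_cookie_header(sid):
    # Secure: sent only over HTTPS (no plaintext sniffing on shared networks)
    # HttpOnly: not readable by page JavaScript (XSS cannot read the cookie)
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = sid
    cookie[SESSION_COOKIE]["secure"] = True
    cookie[SESSION_COOKIE]["httponly"] = True
    cookie[SESSION_COOKIE]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


def missing_cookie_flags(set_cookie_value):
    """Audit helper: return the required flags absent from a Set-Cookie value."""
    attrs = {part.strip().lower() for part in set_cookie_value.split(";")[1:]}
    return {flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs}
```

Run `missing_cookie_flags` over the Set-Cookie headers an application actually emits to confirm both flags are present on the session cookie.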