Due to cyber threats in the digital world, aspiring penetration testers are in demand to enter the field of cybersecurity. A penetration tester is a professional who has the skills of a hacker; they are hired by an organisation to perform simulations of real-world attacks, because there are wide-reaching consequences if systems in any organisation are compromised. Assume that you are an aspiring pen tester: how will you showcase the impact of session hijacking, session prediction, session fixation, session side jacking and cross-site scripting, and illustrate some of the infamous session hijacking exploits, to your prospective employer BAGAD Pty. Ltd.?
Most methods focus on session cookies because they are used most commonly to carry session IDs. However, these methods are not limited to cookie hijacking, as many apply equally to session tokens sent in other parts of HTTP requests, such as custom request headers or the request body.
The impact of session hijacking:
Session hijacking is defined as taking over an active TCP/IP communication session without the user's permission. When it succeeds, the attacker assumes the identity of the compromised user and enjoys the same access to resources as that user. Some of the common impacts of session hijacking are:
1. Identity theft
2. Information theft
3. Theft of sensitive data
Session prediction:
A session ID must be unique and should be hard to guess. That is why, in most cases, session IDs are simply long, randomly generated numbers. However, not every developer uses secure, well-known session management libraries. Some decide to generate session IDs themselves and do not do it well.
Session prediction attacks are, in general, all attacks that attempt to guess a valid session ID (of any user) on the basis of how such IDs are generated. For example, a developer might decide to use a base64-encoded Epoch time as a session identifier. Therefore, a valid session ID would look like MTU4MDMwMDE1OQ==. If the attacker figures out this algorithm, they can attempt to guess a valid session token by trying different Epochs and base64-encoding them.
A brute-force attack could also be considered a form of session prediction. If the session key is short and the web server is not protected against multiple attempts, the attacker may try all possible values one by one until they get one that works.
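To show a prospective employer what "predictable" means concretely, the following added Python example (not from the original text) decodes the token quoted above to reveal that it is just a timestamp, flags timestamp-shaped IDs the way a code reviewer would, quantifies how small the guess space is, and generates a replacement from the OS CSPRNG. The token value is the one in the text; the function names are my own.

```python
import base64
import binascii
import math
import secrets
import time

# The weak scheme described in the text: the session ID is the Unix epoch
# time, base64-encoded. This token is the one quoted on the page.
WEAK_TOKEN = "MTU4MDMwMDE1OQ=="


def decode_epoch_session_id(token: str):
    """Return the epoch integer hidden in a base64-encoded-timestamp session
    ID, or None if the token is not base64 or does not decode to digits."""
    try:
        raw = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return int(raw) if raw.isdigit() else None


def looks_like_timestamp_id(token: str, now=None, window_days=3650) -> bool:
    """Review-time heuristic: does the decoded value fall within a plausible
    recent time window? If so, the ID carries almost no entropy."""
    value = decode_epoch_session_id(token)
    if value is None:
        return False
    now = time.time() if now is None else now
    return abs(now - value) < window_days * 86400


def guess_space_bits(window_seconds: int) -> float:
    """log2 of the number of candidate IDs in a timestamp-based scheme:
    one candidate per second of the window (compare with 256 bits below)."""
    return math.log2(window_seconds)


def generate_session_id(nbytes: int = 32) -> str:
    """Secure replacement: 256 random bits from the OS CSPRNG."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    print(decode_epoch_session_id(WEAK_TOKEN))                     # 1580300159
    print(looks_like_timestamp_id(WEAK_TOKEN, now=1580303759))     # True
    print(f"{guess_space_bits(86400):.1f} bits for one day of logins")  # 16.4
    print(generate_session_id())
```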
Session fixation:
Session fixation is a web attack technique. The attacker tricks the user into using a specific session ID. After the user logs in to the web application using the provided session ID, the attacker uses this valid session ID to gain access to the user’s account.
Session identifiers are used to authenticate users in web applications. This technology has its advantages and disadvantages. If not for session identifiers, we would have to log in to web applications much more frequently than we do. However, a session identifier has the same weakness as a password: the moment that someone knows it, they get access to your account, which may then be used for further attacks and potential privilege escalation.
Attackers get session identifiers in any way that they can. They can use social engineering, phishing, and other measures. There are several attack techniques related to sessions. Session hijacking is all about getting an existing session ID from a logged-in user, for example, using man-in-the-middle techniques to infiltrate communication between the victim’s browser and the web server. In the case of session fixation, the situation is reversed. The victim gets an existing session ID and is tricked into logging in using this identifier, which lets the attacker take over the user’s session later.
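The two standard defences against the fixation scenario just described are to refuse session IDs the server never issued and to rotate the ID at login. The following added Python example (my own in-memory store, not code from the original text) applies both and walks through the attack to show that an attacker-planted ID never becomes an authenticated session.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store (constructed for illustration) that
    never adopts a client-supplied ID the server did not issue, and replaces
    the ID at the moment of login."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user": username or None}

    def _new_id(self) -> str:
        return secrets.token_urlsafe(32)

    def resolve(self, cookie_sid):
        """Map the ID from the request cookie to a server-known session.
        Unknown (possibly attacker-chosen) IDs are ignored and replaced."""
        if cookie_sid in self._sessions:
            return cookie_sid
        sid = self._new_id()
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        """Authenticate: discard the pre-login ID and issue a fresh one."""
        if sid not in self._sessions:
            raise KeyError("unknown session")
        del self._sessions[sid]  # whoever holds the old ID gets nothing
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user}
        return new_sid

    def user_for(self, sid):
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None


def fixation_scenario():
    """Replay the fixation attack from the text against this store and
    report whether the attacker's pre-chosen ID ends up authenticated."""
    store = SessionStore()
    planted = "attacker-chosen-id"        # ID the attacker tries to fix on the victim
    victim_sid = store.resolve(planted)   # server refuses to adopt it
    authed_sid = store.login(victim_sid, "alice")
    return {
        "planted_adopted": victim_sid == planted,
        "planted_user": store.user_for(planted),
        "pre_login_user": store.user_for(victim_sid),   # old ID now dead
        "post_login_user": store.user_for(authed_sid),
    }
```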
Session side jacking:
The attacker uses packet sniffing to read network traffic between two parties in order to steal the session cookie. Many websites use SSL encryption for login pages to prevent attackers from seeing the password, but do not use encryption for the rest of the site once the user is authenticated. This allows attackers who can read the network traffic to intercept all the data that is submitted to the server or the web pages viewed by the client. Since this data includes the session cookie, it allows the attacker to impersonate the victim, even if the password itself is not compromised.[1] Unsecured Wi-Fi hotspots are particularly vulnerable, as anyone sharing the network will generally be able to read most of the web traffic between other nodes and the access point.
There are many session side-jacking techniques, relying on different MITM attack techniques. In the simplest case, when traffic is not encrypted, all it takes is a simple sniffer running on the same local network as the client, monitoring the network for the user's connections and capturing the packets. This is especially common on public Wi-Fi networks.
Cross-site scripting:
The attacker tricks the user's browser into running code which is treated as trustworthy because it appears to belong to the server, allowing the attacker to obtain a copy of the cookie or perform other operations.
How to Prevent Cross-site Scripting (XSS) – Generic Tips
Preventing Cross-site Scripting (XSS) is not easy. Specific prevention techniques depend on the subtype of XSS vulnerability, on user input usage context, and on the programming framework. However, there are certain general strategic principles that you should follow to keep your web application safe.
The steps to be followed are:
Set the Content-Type and X-Content-Type-Options headers to ensure that browsers interpret the responses in the way you intend.
Session hijacking happens when an intruder takes advantage of a compromised active session by hijacking or stealing the HTTP cookies used to maintain a session on most websites. Another way is by predicting an active session to gain unauthorized access to information on a remote web server without detection, as the intruder uses the credentials of the particular user. The session token or HTTP header can be compromised and manipulated in many ways, including:
This is usually done to attack social network websites and banking websites in order to gain access over the valid session as well as over the website too. These attacks are one of the most commonly experienced cyber threats in today's networks. Most websites and networks are vulnerable to this kind of attack. To provide protection, I have given multiple ways of protecting against this session hijacking attack. I have especially focused on one of the major attacks within session hijacking, the SSL Strip attack, which plays a very vital role in this kind of attack. Sometimes this session hijacking attack is also known as the Man in the Middle attack (MIMA). In this paper, I have covered many security mechanisms to stay away from it and to protect you and the network. This session hijacking attack is very dangerous from the security perspective. It can even steal all users' most sensitive data. This can create a big financial loss for the users. Against all these types of attack, I have proposed many mechanisms to help users stay away from the attack.
The Session Hijacking attack consists of the exploitation of the web session control mechanism, which is normally managed by a session token. Because HTTP communication uses many different TCP connections, the web server needs a method to recognize every user's connections.
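The side-jacking and XSS sections above both come down to how the session token is handed to the browser: a cookie sent in clear or readable by script is the asset that is stolen. The following added Python example (mine, not from the original text) builds the hardened response headers for an authenticated page and audits a response for the weaknesses the text describes; the header names are standard, the sample responses are constructed.

```python
# Attributes a session cookie should carry: Secure (never sent over plain
# HTTP, the side-jacking case), HttpOnly (not exposed to document.cookie,
# the XSS theft case) and SameSite (not attached to cross-site requests).
REQUIRED_COOKIE_ATTRS = {"secure", "httponly", "samesite"}


def session_cookie_header(session_id: str, name: str = "sessionid") -> str:
    """Build a Set-Cookie value carrying all three protective attributes."""
    return f"{name}={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def hardened_headers(session_id: str) -> dict:
    """Response headers for an authenticated page: the two content-type
    headers are the XSS step from the text; HSTS closes the 'encrypted login
    page, plain-text rest of site' gap that side jacking relies on."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Set-Cookie": session_cookie_header(session_id),
    }


def audit_set_cookie(set_cookie: str) -> set:
    """Return the protective attributes missing from a Set-Cookie value.
    Attribute names are compared case-insensitively (RFC 6265)."""
    parts = [p.strip() for p in set_cookie.split(";")][1:]  # drop name=value
    present = {p.split("=", 1)[0].strip().lower() for p in parts}
    return REQUIRED_COOKIE_ATTRS - present


def audit_response(headers: dict) -> list:
    """List findings for one response, in a fixed order so results are stable."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    for attr in sorted(audit_set_cookie(h.get("set-cookie", ""))):
        findings.append(f"session cookie lacks {attr}")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "content-type" not in h:
        findings.append("missing Content-Type")
    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security (site reachable over plain HTTP)")
    return findings


# Constructed response in the style the text criticises: cookie with no attributes.
WEAK_HEADERS = {"Content-Type": "text/html", "Set-Cookie": "sessionid=abc123; Path=/"}
```

Running `audit_response(WEAK_HEADERS)` reports the three missing cookie attributes plus the missing nosniff and HSTS headers, while `audit_response(hardened_headers("x"))` returns an empty list.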