Difference between revisions of "Session hijacking attack"

From OWASP
Jump to: navigation, search
(Added to subcategory "Exploitation of Authentication")
 
(20 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 
{{Template:Attack}}
 
{{Template:Attack}}
 +
<br>
 +
[[Category:OWASP ASDR Project]]
 +
 +
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
 +
  
 
==Description==
 
==Description==
 +
The Session Hijacking attack consists of the exploitation of the web session control mechanism, which is normally managed for a session token.
  
The session hijack attack consists of the exploitation of the web session control mechanism, which is normally managed for a session token.  
+
Because http communication uses many different TCP connections, the web server needs a method to recognize every user’s connections. The most useful method depends on a token that the Web Server sends to the client browser after a successful client authentication. A session token is normally composed of a string of variable width and it could be used in different ways, like in the URL, in the header of the http requisition as a cookie, in other parts of the header of the http request, or yet in the body of the http requisition.
  
Because a http communication use many different TCP connection, the web server need a method to recognize every user’s connections. The most useful method in use, depends on a token that the Web Server send to the client browser after a successful client authentication. A session token is normally composed by a string of variable width and it could be used indifferent ways, like: in the URL, in the header of the http requisition as a cookie or in the other parts of the header of the http request or yet in the body of the http requisition.
+
The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server.
  
The Session Hijacking attack compromise the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server.
+
The session token could be compromised in different ways; the most common are:
 
+
* Predictable session token;
The session token could be compromised in different ways, the most common are:
+
* Session Sniffing;
Predictable session token
+
* Client-side attacks (XSS, malicious JavaScript Codes, Trojans, etc);
Session Sniffing
+
* [[Man-in-the-middle attack]]
Client-side attacks (XSS, malicious JavaScript Codes, Trojans, etc)
+
* [[Man-in-the-browser attack]]
Man-in-the-middle attacks
+
Man-in-the-browser attacks
+
  
 +
==Risk Factors==
 +
TBD
  
 
==Examples ==
 
==Examples ==
Line 22: Line 28:
 
====Session Sniffing====
 
====Session Sniffing====
  
In the example as we can see, first the attacker uses a sniffer to capture a valid token session called “Session ID”, then he uses the valid token session to gain unauthorized access to the Web Server.  
+
In the example, as we can see, first the attacker uses a sniffer to capture a valid token session called “Session ID”, then he uses the valid token session to gain unauthorized access to the Web Server.  
  
  
Line 30: Line 36:
 
Figure 2. Manipulating the token session executing the session hijacking attack.
 
Figure 2. Manipulating the token session executing the session hijacking attack.
 
</center>
 
</center>
 
  
 
===Example 2===
 
===Example 2===
 
====Cross-site script attack====
 
====Cross-site script attack====
  
The attacker can compromise the session token by using malicious code or programs running at the client-side, the example will show how the attacker could use a XSS attack to steal the session token. If an attacker sends a crafted link to the victim with the malicious JavaScript, when the victim click on the link, the JavaScript will run and complete the instructions made by the attacker.
+
The attacker can compromise the session token by using malicious code or programs running at the client-side. The example shows how the attacker could use an XSS attack to steal the session token. If an attacker sends a crafted link to the victim with the malicious JavaScript, when the victim clicks on the link, the JavaScript will run and complete the instructions made by the attacker.
The example in figure 3 uses an XSS attack to shows the cookie value of the current session, using the same technique is possible to create a specific Javascript code that will send the cookie to the attacker:
+
The example in figure 3 uses an XSS attack to show the cookie value of the current session; using the same technique it's possible to create a specific JavaScript code that will send the cookie to the attacker.
  
 
<SCRIPT>alert(document.cookie);</SCRIPT>
 
<SCRIPT>alert(document.cookie);</SCRIPT>
Line 48: Line 53:
  
  
 +
'''Other Examples'''
 +
The following attacks intercept the information exchange between the client and the server:
 +
* [[Man-in-the-middle attack]]
 +
* [[Man-in-the-browser attack]]
  
===Other Examples===
+
==Related [[Threat Agents]]==
The following attacks acts intercepting the information exchange between the client and the server
+
* [[:Category: Authorization]]
  
Man-in-the-middle
+
==Related [[Attacks]]==
*[[Man-in-the-middle attack]]
+
* [[Man-in-the-middle attack]]
 +
* [[Man-in-the-browser attack]]
 +
* [[Session Prediction]]
  
Man-in-the-browser
+
==Related [[Vulnerabilities]]==
*[[Man-in-the-browser attack]]
+
* [[:Category:Input Validation Vulnerability]]
  
 +
==Related [[Controls]]==
 +
* [[:Category:Session Management]]
  
 
==References==
 
==References==
*http://www.iss.net/security_center/advice/Exploits/TCP/session_hijacking/default.htm
+
* http://www.iss.net/security_center/advice/Exploits/TCP/session_hijacking/default.htm
 
* http://en.wikipedia.org/wiki/HTTP_cookie
 
* http://en.wikipedia.org/wiki/HTTP_cookie
  
 
+
[[Category:Exploitation of Authentication]]
==Related Threats==
+
[[Category:Attack]]
 
+
[[:Category: Authorization]]
+
 
+
 
+
==Related Attacks==
+
 
+
* [[Man-in-the-middle attack]]
+
* [[Session Prediction]]
+
 
+
==Related Vulnerabilities==
+
[[:Category:Input Validation Vulnerability]]
+
 
+
 
+
==Related Countermeasures==
+
[[:Category:Session Management]]
+
 
+
 
+
==Categories==
+
[[:Category:Session Management]]
+

Latest revision as of 17:25, 6 December 2011

This is an Attack. To view all attacks, please see the Attack Category page.



Last revision (mm/dd/yy): 12/6/2011


Description

The Session Hijacking attack consists of the exploitation of the web session control mechanism, which is normally managed for a session token.

Because http communication uses many different TCP connections, the web server needs a method to recognize every user’s connections. The most useful method depends on a token that the Web Server sends to the client browser after a successful client authentication. A session token is normally composed of a string of variable width and it could be used in different ways, like in the URL, in the header of the http requisition as a cookie, in other parts of the header of the http request, or yet in the body of the http requisition.

The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server.

The session token could be compromised in different ways; the most common are:

Risk Factors

TBD

Examples

Example 1

Session Sniffing

In the example, as we can see, first the attacker uses a sniffer to capture a valid token session called “Session ID”, then he uses the valid token session to gain unauthorized access to the Web Server.


Session Hijacking 3.JPG

Figure 2. Manipulating the token session executing the session hijacking attack.

Example 2

Cross-site script attack

The attacker can compromise the session token by using malicious code or programs running at the client-side. The example shows how the attacker could use an XSS attack to steal the session token. If an attacker sends a crafted link to the victim with the malicious JavaScript, when the victim clicks on the link, the JavaScript will run and complete the instructions made by the attacker. The example in figure 3 uses an XSS attack to show the cookie value of the current session; using the same technique it's possible to create a specific JavaScript code that will send the cookie to the attacker.

<SCRIPT>alert(document.cookie);</SCRIPT>


Code Injection.JPG

Figure 3. Code injection.


Other Examples The following attacks intercept the information exchange between the client and the server:

Related Threat Agents

Related Attacks

Related Vulnerabilities

Related Controls

References