10.2 Application Level Session Hijacking

應用層會話劫持：劫持現有session IDs或建立新的未授權session。

Application Level Session Hijacking

• In a session hijacking attack, a session token is stolen or valid session token is predicted to gain unauthorized access to the web server.
• A session token can be compromised in various ways:
  • Session sniffing
  • Predictable session token
  • Man-in-the-middle attack
  • Man-in-the-browser attack
  • Cross-site script attack
  • Cross-site request forgery attack
  • Session replay attack
  • Session fixation

Compromising Sessions IDs using Sniffing

• Attacker uses a sniffer to capture a valid session token or session ID.
• Attacker then uses the valid token session to gain unauthorized access to the web server.

Wireshark, SmartSniffer

Compromising Session IDs by Predicting Session Token

• Attacker can predict session IDs generated by weak algorithms and impersonate a web site user.
• Attackers perform analysis of variable section of session IDs to determine the existence of a pattern.
• The analysis is performed manually or by using various cryptanalytic tools.
• Attackers collect a high number of simultaneous session IDs in order to gather samples in the same time window and keep the variable constant.

• (Hacker破)前台asp random session cookie <-> 後台session ID無法破
• 偷session -> sniffing -> 內網
• 透過中間端取得：
  • http header
  • sniff
• 透過使用者browser：XSS
• TCP/IP Session Hijacking Tool: hunt-1.5
  • 偽造IP/Port/SeqNo./ACKNo.

How to Predict a Session Token

• Most of the web servers use custom algorithms or a predefined pattern to generate sessions IDs.
• Attacker guess the unique session value or deduce the session ID to hijack the sessions.
• Captures: Attacker captures several session IDs and analyzes the pattern.
  • http://www.juggyboy.com/view/JBEX25022014152820
  • http://www.juggyboy.com/view/JBEX25022014153020
  • http://www.juggyboy.com/view/JBEX25022014160020
  • http://www.juggyboy.com/view/JBEX25022014164020
• Predicts: At 16:25:55 on Feb-25, 2014, the attacker can successfully predict the session ID to be http://www.juggyboy.com/view/JBEX25022014162555
  • JBEX: Constant
  • 25022014: Date
  • 162555: Time

Compromising Session IDs Using Man-in-the-Middle Attack

• The man-in-the-middle attack is used to intrude into an existing connection between systems and to intercept messages being exchanged.
• Attackers use different techniques and split the TCP connection into two connections.
  • Client-to-attacker connection
  • Attacker-to-־server connection
• After the successful interception of TCP connection, an attacker can read, modify, and insert fraudulent data into the intercepted communication.
• In the case of an http transaction, the TCP connection between the client and the server becomes the target.

Compromising Session IDs Using Man-in-the-Browser Attack

• Man-in-the-browser attack uses a Trojan Horse to intercept the calls between the browser and its security mechanisms or libraries.
• It works with an already installed Trojan horse and acts between the browser and its security mechanisms.
• Its main objective is to cause financial deceptions by manipulating transactions of Internet Banking systems.

The man-in-the-browser attack will be successful irrespective of security mechanisms such as SSL, PKI, or two-factor authentication in place, as all the expected controls and security mechanisms would seem to work normally.

Steps to Perform Man-in-the-Browser Attack

1. The Trojan first infects the computer's software (OS or application).
2. The Trojan installs malicious code (extension files) and saves it into the browser configuration.
3. After the user restarts the browser, the malicious code in the form of extension files is loaded.
4. The extension files register a handler for every visit to the webpage.
5. When the page is loaded, the extension uses the URL and matches it with a list of known sites targeted for attack.
6. The user logs in securely to the website.
7. It registers a button event handler when a specific page load is detected for a specific pattern and compares it with its targeted list.
8. When the user clicks on the button, the extension uses DOM interface and extracts all the data from all form fields and modifies the values.
9. The browser sends the form and modified values to the server.
10. The server receives the modified values but cannot distinguish between the original and the modified values.
11. After the server performs the transaction, a receipt is generated.
12. Now, the browser receives the receipt for the modified transaction.
13. The browser displays the receipt with the original details.
14. The user thinks that the original transaction was received by the server without any interceptions.

瀏覽器被木馬感染後，木馬可以修改web頁面，修改或者添加http(s)中的任何數據。在這個過程中使用者和伺服器都不曉得。

Compromising Session IDs Using Client-side Attacks

• Cross-Site Scripting (XSS): XSS enables attackers to inject malicious client side scripts into the web pages viewed by other users.
• Malicious JavaScript Codes: A malicious script can be embedded in a web page that does not generate any warning but it captures session tokens in the background and send it to the attacker.
• Trojans: A Trojan horse can change the proxy settings in user's browser to send all the sessions through the attackers machine.

Compromising Session IDs Using Client-side Attacks: Cross-site Script Attack (重要)

• If an attacker sends a crafted link to the victim with the malicious JavaScript, when the victim clicks on the link, the JavaScript will run and complete the instructions made by the attacker.

• 防：HttpOnly
• <SCRIPT>alert(document.cookie);</SCRIPT>

Compromising Session IDs Using Client-side Attacks: Cross-site Request Forgery Attack (重要)

• Cross-Site Request Forgery (CSRF) attack exploits victim's active session with a trusted site in order to perform malicious activities.

a.k.a. one-click attack or session riding

Compromising Session IDs Using Client-side Attacks: Session Replay Attack

• In a session replay attack, the attacker listens to the conversation between the user and the server and captures the authentication token of the user.
• Once the authentication token is captured, the attacker replays the request to the server with the captured authentication token and gains unauthorized access to the server.

Compromising Session IDs Using Session Fixation

• Session Fixation is an attack that allows an attacker to hijack a valid user session.
• The attack tries to lure a user to authenticate himself with a known session ID and then hijacks the user-validated session by the knowledge of the used session ID.
• The attacker has to provide a legitimate web application session ID and try to lure victim browser to use it.
• Several techniques to execute Session Fixation attack are:
  • Session token in the URL argument
  • Session token in a hidden form field
  • Session ID in a cookie

Session Fixation Attack

• Attacker exploits the vulnerability of a server which allows a user to use fixed SID.
• Attacker provides a valid SID to a victim and lures him to authenticate himself using that SID.

• There are three phases to carry out Session fixation attack:
  • Session set-up phase: 向網站正常請求session ID，但由於網站可能有idle session time-out機制，所以要不斷的重覆請求讓這組session ID存活。
  • Fixation phase: 讓受害者使用這組session ID。
  • Entrace phase: 等待受害者使用這組session ID登入後，攻擊者就可直接使用這組session ID進行操作了。

Session Hijacking Using Proxy Servers

• Attacker lure victim to click on bogus link which looks legitimate but redirect user to attacker server.
• Attacker forwards request to the legitimate server on behalf of victim and serve as a proxy for the entire transaction.
• Attacker then captures the sessions information during interaction of legitimate server and user.

Q1) What type of session hijacking attack is shown in the exhibit?

1. Cross-site scripting Attack
2. SQL Injection Attack
3. Token sniffing Attack
4. Session Fixation Attack