A Survey on Session Hijacking

Published by: ijcsis on Nov 02, 2010
Copyright: Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

11/22/2011

pdf

text

original

 
1
 A Survey on Session Hijacking
 
P. Ramesh Babu, Dept of Computer Science & Engineering, Sri Prakash College of Engineering, Tuni-533401, INDIA. E-mail: rameshbabu_kb@yahoo.co.in
D. Lalitha Bhaskari, Dept of Computer Science & Systems Engineering, AU College of Engineering (A), Visakhapatnam-530003, INDIA. E-mail: lalithabhaskari@yahoo.co.in
CPVNJ Mohan Rao, Dept of Computer Science & Engineering, Avanthi Institute of Engineering & Technology, Narsipatnam-531113, INDIA. E-mail: mohanrao_c@yahoo.com
Abstract

With the emerging fields in e-commerce, financial and identity information are at a higher risk of being stolen. The purpose of this paper is to illustrate a common-cum-valiant security threat to which most systems are prone, i.e. session hijacking. It refers to the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system. Sensitive user information is constantly transported between sessions after authentication, and hackers are putting their best efforts into stealing it. In this paper, we set the stage for session hijacking to occur, then discuss the techniques and mechanics of the act of session hijacking, and finally provide general strategies for its prevention.

Key words: session hijacking, packet, application level, network level, sniffing, spoofing, server, client, TCP/IP, UDP and HTTP
1. Introduction

Session hijacking refers to the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system; put differently, a session hijack is a process whereby the attacker inserts themselves into an existing communication session between two computers. Generally speaking, session hijack attacks are usually waged against a workstation-server type of communication session; however, hijacks can also be conducted between a workstation computer communicating with a network-based appliance like a router, switch or firewall. Now we will substantiate the clear view of the stages and levels of session hijacking. "Indeed, a study of 45 Web applications in production at client companies found that 31 percent of e-commerce applications were vulnerable to cookie manipulation and session hijacking" [3]. Section 2 of this paper deals with the different stages of session hijacking, section 3 deals in depth with where session hijacking can be done, followed by a discussion of avoidance of session hijacking. Section 5 concludes the paper.
2. Stages of session hijacking

Before we can discuss the details of session hijacking, we need to be familiar with the stages on which this act plays out. We have to identify the vulnerable protocols and also obtain an understanding of what sessions are and how they are used. Based on our survey, we have found that the three main protocols that manage the data flow on which session hijacking occurs are TCP, UDP, and HTTP.
(IJCSIS) International Journal of Computer Science and Information Security, Vol. 8, No. 7, October 2010, p. 76. http://sites.google.com/site/ijcsis/ ISSN 1947-5500
2.1 TCP

TCP stands for Transmission Control Protocol. We define it as "one of the main protocols in TCP/IP networks. Whereas the IP protocol deals only with packets, TCP enables two hosts to establish a connection and exchange streams of data. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent." [2] The last part of the TCP definition is important in our discussion of session hijacking. In order to guarantee that packets are delivered in the right order, TCP uses acknowledgement (ACK) packets and sequence numbers to create a "full duplex reliable stream connection between two end points," [4] with the end points referring to the communicating hosts. The two figures below provide a brief description of how TCP works:

Figure 1: TCP session establishment using the three-way handshake method (figure and TCP summary taken from [1])

The connection between the client and the server begins with a three-way handshake (Figure 1). It proceeds as follows:

1. The client sends a synchronization (SYN) packet to the server with initial sequence number X.
2. The server responds by sending a SYN/ACK packet that contains the server's own sequence number P and an ACK number for the client's original SYN packet. This ACK number indicates the next sequence number the server expects from the client.
3. The client acknowledges receipt of the SYN/ACK packet by sending back to the server an ACK packet with the next sequence number it expects from the server, which in this case is P+1.

Figure 2: Sending data over TCP (figure and TCP summary taken from [1])

After the handshake, it's just a matter of sending packets and incrementing the sequence number to verify that the packets are getting sent and received. In Figure 2, the client sends one byte of info (the letter "A") with the sequence number X+1, and the server acknowledges the packet by sending an ACK packet with number X+2 (X+1, plus 1 byte for the A character) as the next sequence number expected by the server. The period where all this data is being sent over TCP between client and server is called the TCP session. It is our first stage on which session hijacking will play out.
2.2 UDP

The next protocol is UDP, which stands for User Datagram Protocol. It is defined as "a connectionless protocol that, like TCP, runs on top of IP networks. Unlike TCP/IP, UDP/IP provides very few error recovery services, offering instead a direct way to send and receive datagrams over an IP network." [6] UDP doesn't use sequence numbers like TCP. It is mainly used for broadcasting messages across the network or for doing DNS queries. Online first-person shooters like Quake and Half-Life make use of this protocol. Since it's connectionless and does not have any of the more complex mechanisms that TCP has, it is even more vulnerable to session hijacking. The period where the data is being sent over UDP between client and server is called the UDP session. UDP is our second stage for session hijacking.
2.3 HTTP

HTTP stands for Hyper Text Transfer Protocol. We define HTTP as "the underlying protocol used by the World Wide Web. HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. For example, when you enter a URL in your browser, this actually sends an HTTP command to the Web server directing it to fetch and transmit the requested Web page." [2] It is also important to note that HTTP is a stateless protocol. Each transaction in this protocol is executed independently with no knowledge of past transactions. The result is that HTTP has no way of distinguishing one user from the next. To uniquely track a user of a web application and to persist his/her data within the HTTP session, the web application defines its own session to hold this data. HTTP is the final stage on which session hijacking occurs, but unlike TCP and UDP, the session to hijack has more to do with the web application's implementation instead of the protocol (HTTP).
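As an added example (not code from the paper or its authors), the following Python sketch shows what it means for a web application to define its own session on top of stateless HTTP, and the properties the session identifier needs if that application-level session is to be hard to take over: an unguessable ID, an idle timeout, a fresh ID issued at login, and cookie attributes that keep the ID off plain HTTP and away from page scripts. The names SessionStore and session_cookie_header, the 900-second idle limit and the sample user are assumptions of this example, not anything the paper specifies.

```python
# Added example, not from the paper: a minimal server-side session store
# showing what "the web application defines its own session" means on top
# of stateless HTTP, and the properties the session ID needs if the session
# is to be hard to take over.  SessionStore, session_cookie_header and the
# 900-second idle limit are constructed for illustration.
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 900   # seconds of inactivity after which a session is discarded


class SessionStore:
    """Maps opaque session IDs to the per-user state HTTP itself cannot keep."""

    def __init__(self, ttl: int = SESSION_TTL, clock=time.time):
        self._sessions = {}       # sid -> {"user": str | None, "last_seen": float}
        self._ttl = ttl
        self._clock = clock       # injectable so expiry can be tested offline

    def create(self, user=None) -> str:
        # 32 bytes from the OS CSPRNG: the ID cannot be derived from earlier
        # IDs the way a counter, timestamp or weak PRNG output could be.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def lookup(self, sid: str):
        """Return the session state, or None if the ID is unknown or the
        session sat idle longer than the TTL (in which case it is removed)."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > self._ttl:
            del self._sessions[sid]
            return None
        entry["last_seen"] = now
        return entry

    def login(self, old_sid: str, user: str) -> str:
        """Authenticate and rotate: the pre-login ID is discarded, so anyone
        who learned it before authentication holds nothing afterwards."""
        self._sessions.pop(old_sid, None)
        return self.create(user)

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value for the ID: Secure keeps it off plain HTTP, where it
    could be sniffed; HttpOnly keeps it away from page scripts; SameSite
    keeps it out of cross-site requests."""
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["secure"] = True
    cookie["sid"]["httponly"] = True
    cookie["sid"]["samesite"] = "Strict"
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()                 # session before authentication
    sid = store.login(anon, "alice")      # fresh ID issued at login
    print("Set-Cookie:", session_cookie_header(sid))
    print(store.lookup(sid)["user"], store.lookup(anon))
```

The store is deliberately the only place the ID means anything: the cookie carries a random token, never user data, so a browser or proxy that sees the token learns nothing about the account except that the token is currently valid, and the server can revoke it at any time by deleting the entry.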
3. Levels of session hijacking

Session hijacking can be done at two levels: network level and application level. Network level hijacking involves TCP and UDP sessions, whereas application level session hijacking occurs with HTTP sessions. Attacks at each level are not unrelated, however. Most of the time, they will occur together, depending on the system that is attacked. For example, a successful attack on a TCP session will no doubt allow one to obtain the necessary information to make a direct attack on the user session at the application level.
3.1 Network level hijacking

The network level refers to the interception and tampering of packets transmitted between client and server during a TCP or UDP session. Network level session hijacking is particularly attractive to hackers, because they do not have to customize their attacks on a per-web-application basis. It is an attack on the data flow of the protocol, which is shared by all web applications [7].
3.1.1 TCP Session hijacking

The goal of the TCP session hijacker is to create a state where the client and server are unable to exchange data, so that he can forge acceptable packets for both ends, which mimic the real packets. Thus, the attacker is able to gain control of the session. At this point, the reason why the client and server will drop packets sent between them is because the server's sequence number no longer matches the client's ACK number and, likewise, the client's sequence number no longer matches the server's ACK number. To hijack the session in the TCP network the hijacker employs the following techniques [7]:

- IP spoofing
- Blind hijacking
- Man-in-the-middle attack (packet sniffing)
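The sequence-number bookkeeping of Figures 1 and 2 (section 2.1) and the desynchronised state just described in 3.1.1 can be seen in one place with the following Python model, added here as an illustration and not part of the paper. The Endpoint and Segment classes, the initial sequence numbers 1000 and 5000 and the exact-match acceptance rule are constructed for the example; real TCP accepts any segment inside its receive window, but the exact-match rule is enough to show why, once the two sides' expectations drift apart, legitimate data is dropped and the ACK numbers stop lining up.

```python
# Added example, not from the paper: a toy model of the TCP sequence/ACK
# bookkeeping in Figures 1 and 2, and of the desynchronised state that
# section 3.1.1 describes.  Endpoint, Segment, the ISNs and the exact-match
# acceptance rule are constructed for illustration (real TCP checks a window).
from dataclasses import dataclass, field


@dataclass
class Segment:
    """Only the header fields the discussion needs."""
    flags: set
    seq: int
    ack: int = 0
    payload: bytes = b""


@dataclass
class Endpoint:
    """One side of a session: what it will send next, what it expects next."""
    name: str
    snd_nxt: int                 # next sequence number this side sends
    rcv_nxt: int = 0             # next sequence number expected from the peer
    received: list = field(default_factory=list)

    def accept(self, seg: Segment) -> bool:
        """Take an in-order data segment; drop one whose sequence number is
        not the one we expect (this is what happens once the peers desync)."""
        if seg.seq != self.rcv_nxt:
            return False
        self.received.append(seg.payload)
        self.rcv_nxt += len(seg.payload)
        return True


def handshake(client: Endpoint, server: Endpoint) -> list:
    """Figure 1: SYN (seq X), SYN/ACK (seq P, ack X+1), ACK (ack P+1).
    A SYN consumes one sequence number on each side."""
    syn = Segment({"SYN"}, seq=client.snd_nxt)
    server.rcv_nxt = syn.seq + 1
    synack = Segment({"SYN", "ACK"}, seq=server.snd_nxt, ack=server.rcv_nxt)
    client.rcv_nxt = synack.seq + 1
    client.snd_nxt += 1
    ack = Segment({"ACK"}, seq=client.snd_nxt, ack=client.rcv_nxt)
    server.snd_nxt += 1
    return [syn, synack, ack]


def send_data(sender: Endpoint, receiver: Endpoint, payload: bytes) -> Segment:
    """Figure 2: one data segment and the receiver's ACK for it.  The sender
    only advances its own sequence number if the receiver accepted the data."""
    seg = Segment({"ACK"}, seq=sender.snd_nxt, ack=sender.rcv_nxt, payload=payload)
    if receiver.accept(seg):
        sender.snd_nxt += len(payload)
    return Segment({"ACK"}, seq=receiver.snd_nxt, ack=receiver.rcv_nxt)


def run_session(x: int = 1000, p: int = 5000) -> dict:
    """Replay the paper's example: ISNs X and P, then the client sends the
    single byte 'A' as sequence number X+1 and the server ACKs with X+2."""
    client, server = Endpoint("client", snd_nxt=x), Endpoint("server", snd_nxt=p)
    syn, synack, ack = handshake(client, server)
    reply = send_data(client, server, b"A")
    return {"syn_seq": syn.seq,            # X
            "synack_ack": synack.ack,      # X+1
            "final_ack": ack.ack,          # P+1
            "data_ack": reply.ack,         # X+2
            "server_got": b"".join(server.received)}


def desync_demo(x: int = 1000, p: int = 5000) -> dict:
    """Section 3.1.1: when the server's expected sequence number no longer
    matches what the client sends, the client's legitimate data is dropped and
    the server's ACK no longer matches the client's sequence number either."""
    client, server = Endpoint("client", snd_nxt=x), Endpoint("server", snd_nxt=p)
    handshake(client, server)
    server.rcv_nxt += 10     # constructed desync: server moved on, client did not
    reply = send_data(client, server, b"A")
    return {"accepted": bool(server.received),
            "client_seq": client.snd_nxt,   # X+1, what the client keeps sending
            "server_ack": reply.ack}        # X+11, what the server now expects


if __name__ == "__main__":
    print(run_session())
    print(desync_demo())
```

Running the file prints the numbers from the paper's walk-through (SYN with X, SYN/ACK acknowledging X+1, final ACK carrying P+1, and the data ACK X+2) and then the desynchronised case, where the server's expected sequence number and the client's next sequence number differ by the constructed offset, so the byte is never accepted and the two sides can no longer make progress.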