Types of Attacks:-
1) Session Hijacking :- During a session hijacking, a malicious hacker places
himself between your computer and the website's server (Facebook, for instance)
while you are engaged in an active session.
2) Session Fixation :- A session fixation attack fixes an established session on the
victim's browser.
Steps to Reproduce :-
1)
2)
3)
Risk Factors:-
1) Predictable login credentials
2) User authentication credentials that are not protected when stored
3) Session IDs exposed in the URL (e.g. URL rewriting)
4) Session IDs vulnerable to session fixation attacks
5) Session value that does not time out or get invalidated after logout
6) Session IDs that are not rotated after successful login.
7) Passwords, session IDs, and other credentials sent over unencrypted connections
Prevention :-
1) Use Multifactor Authentication
2) Do not send session IDs in URLs
3) Invalidate session id after logout.
4) Do not leak session token via any header
5) Limit or increasingly delay failed login attempts
6) Implement weak-password checks
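The risk factors and prevention items above map onto a handful of server-side rules: unguessable IDs, rotation after login, invalidation on logout, idle and absolute timeouts, cookie-only transport, and back-off on failed logins. The following is an added example (not from the original notes) of a minimal in-memory session manager that applies those rules; the class and function names, the timeout constants, and the `verify` callback are assumptions chosen for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed policy values for the example; a real deployment tunes these.
ABSOLUTE_LIFETIME = 8 * 3600   # seconds a session may live regardless of activity
IDLE_TIMEOUT = 15 * 60         # seconds of inactivity before the session is dropped
BACKOFF_AFTER = 5              # failed logins before increasing delay kicks in


@dataclass
class Session:
    user: Optional[str]        # None means anonymous (pre-login)
    created: float
    last_seen: float
    authenticated: bool = False


class SessionManager:
    """Server-side store: the client only ever holds an opaque ID."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self._failed: Dict[str, int] = {}   # user -> consecutive failed logins

    @staticmethod
    def _new_id() -> str:
        # 256 bits from the OS CSPRNG, so IDs cannot be predicted or enumerated.
        return secrets.token_urlsafe(32)

    def start(self, now: float) -> str:
        sid = self._new_id()
        self._sessions[sid] = Session(None, now, now)
        return sid

    def lookup(self, sid: str, now: float) -> Optional[Session]:
        # IDs not issued by this server (e.g. one fixed by an attacker) are simply unknown.
        s = self._sessions.get(sid)
        if s is None:
            return None
        # Enforce both an absolute lifetime and an idle timeout.
        if now - s.created > ABSOLUTE_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s

    def login_delay(self, user: str) -> float:
        # Increasing delay for repeated failures: 0 until BACKOFF_AFTER, then 2, 4, 8, ... seconds.
        fails = self._failed.get(user, 0)
        if fails < BACKOFF_AFTER:
            return 0.0
        return float(2 ** (fails - BACKOFF_AFTER + 1))

    def login(self, sid: str, user: str, password: str, now: float,
              verify: Callable[[str, str], bool]) -> Optional[str]:
        if self.lookup(sid, now) is None:
            return None
        if not verify(user, password):
            self._failed[user] = self._failed.get(user, 0) + 1
            return None
        self._failed.pop(user, None)
        # Rotate the ID on privilege change: the pre-login ID is destroyed so a
        # fixed or leaked anonymous ID never becomes an authenticated one.
        del self._sessions[sid]
        new_sid = self._new_id()
        self._sessions[new_sid] = Session(user, now, now, True)
        return new_sid

    def logout(self, sid: str) -> None:
        # Invalidate server-side; clearing the cookie alone would leave the ID usable.
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    # Transport the ID only in a cookie (never the URL): HttpOnly keeps it away from
    # script, Secure restricts it to TLS, SameSite limits cross-site sending.
    return f"Set-Cookie: sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    mgr = SessionManager()
    anon = mgr.start(now=0.0)
    authed = mgr.login(anon, "alice", "correct", now=1.0, verify=lambda u, p: p == "correct")
    print("old id still valid after login:", mgr.lookup(anon, 2.0) is not None)   # False
    print(set_cookie_header(authed))
```

Each rule corresponds to a list item above: `_new_id` addresses predictable IDs, `login` addresses missing rotation and fixation, `lookup` addresses sessions that never time out, `logout` addresses missing invalidation, `login_delay` addresses unlimited failed logins, and `set_cookie_header` keeps the ID out of URLs.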