Session hijacking from another angle

Tags: security, php

I have been working on a secure login/portal type set of tools, the general code is free from SQL injections, XSS etc, I have multiple things in place to stop session hijacking.

  1. regenerate session's ID for EVERY page
  2. Compare the user's IP with the IP at login
  3. compare the user's user_agent with the agent at login
  4. have short session time outs

etc

I have done all I can think of to stop hijacking, however I have still located a situation where it might be possible and would like to know if anyone has any ideas.

Imagine a situation where you have 2 users behind a firewall which does SNAT/DNAT, so both appear to come from the same IP. They are both identical machines supplied by the same place. One connects to the site and logs in, the other copies the PHPSESSID cookie and can simply steal the session.

This might sound like an extreme example, however this is very similar to my place of work, everyone is behind a firewall so looks to be the same IP, and all machines are managed/supplied by the IT team, so all have the same version of browser, OS etc etc.

I am trying to think of another way (server side) to stop the hijacking or minimize it further, I was thinking of a token which gets embedded into every URL (changed for each page), and checked.

I am looking for ideas or suggestions, if you want to offer code or examples you're welcome, but I am more interested in out of the box ideas or comments on my token idea.

Wolf, asked Aug 28 '10 22:08
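The four defences listed in the question and the per-page URL token idea, written out as a PHP session bootstrap. This is an added example, not the question author's code: the function names, the session keys `fp` and `nonce`, the idle limit, the `/login` redirect target and the `t` query parameter are this example's own choices. It assumes PHP 7.3 or later (for the array form of `session_set_cookie_params`).

```php
<?php
// Added example (not code from the question): hardened session bootstrap.
declare(strict_types=1);

const SESSION_IDLE_LIMIT = 600; // seconds of inactivity before the session is dropped (assumed value)

// Binds the session to the client's IP and User-Agent (defences 2 and 3 from the question).
function client_fingerprint(): string
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', $ip . '|' . $ua);
}

function secure_session_start(): void
{
    // Secure + HttpOnly keep the cookie off plain HTTP and away from page scripts;
    // SameSite=Strict keeps it out of cross-site requests.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    // Refuse session IDs the server never issued (blocks session fixation).
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_start();

    $fp = client_fingerprint();
    if (!isset($_SESSION['fp'])) {
        // First request of a fresh session: bind it to this client.
        $_SESSION['fp'] = $fp;
        $_SESSION['last_seen'] = time();
    } elseif (!hash_equals($_SESSION['fp'], $fp)
              || time() - (int) $_SESSION['last_seen'] > SESSION_IDLE_LIMIT) {
        // IP/User-Agent changed or the session went idle (defence 4): destroy it, never reuse it.
        session_unset();
        session_destroy();
        header('Location: /login', true, 302);
        exit;
    }
    $_SESSION['last_seen'] = time();

    // Defence 1: a fresh ID on every request; the old session file is deleted, so a
    // copied PHPSESSID stops working as soon as the legitimate user loads another page.
    session_regenerate_id(true);
}

// The "token embedded in every URL" idea: one single-use token per page view.
function issue_page_token(): string
{
    $token = bin2hex(random_bytes(16));
    $_SESSION['nonce'] = $token;
    return $token;
}

function check_page_token(?string $presented): bool
{
    $expected = $_SESSION['nonce'] ?? null;
    unset($_SESSION['nonce']); // single use: a replayed token fails even from the right browser
    return $expected !== null && $presented !== null && hash_equals($expected, $presented);
}

// Usage on a protected page. The login handler is assumed to call issue_page_token()
// once after a successful login so the first protected page has a token to check.
secure_session_start();
if (!check_page_token($_GET['t'] ?? null)) {
    http_response_code(403);
    exit('Missing or stale page token');
}
$next = '/account?t=' . issue_page_token();
echo '<a href="' . htmlspecialchars($next, ENT_QUOTES, 'UTF-8') . '">Next page</a>';
```

Two caveats a practitioner would want before shipping this. Regenerating the ID and rotating the nonce on every request breaks concurrent requests from the same browser (AJAX calls, a second tab, the back button): whichever request arrives second carries the superseded ID or token and is rejected, so real deployments usually regenerate on privilege changes and on a timer rather than per page. And in the scenario the question describes (same NAT address, identical managed machines) the IP/User-Agent fingerprint adds nothing, because both clients produce the same value; what actually limits the copied-cookie attack there is the cookie flags plus TLS, which keep the cookie value away from anything but the user's own browser and the server.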


1 Answer

Force everything to use HTTPS.

I think you are referring to a passive attack where a user in the network sniffs the cookie. For that, you don't need HTTPS. There are several options that are sufficient when the parties are sure to whom they're talking (e.g. you could do a DH exchange first and the server would encrypt a token the client would use in the next request...), but it's not worth the trouble going down that route.

If the user initially types in a non-https address, an active attack is still possible, but there's nothing you can do in that case. In the future, you might prevent future attacks of this kind once the user establishes one unadulterated connection to your site through HTTP strict transport security.

Artefacto, answered Sep 24 '22 12:09
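The answer's advice, "force everything to use HTTPS" and then pin it with HTTP Strict Transport Security, as an added PHP example that is not the answerer's code. It assumes a canonical hostname (`example.com`, a placeholder), a one-year HSTS lifetime, and that a TLS-terminating proxy in front of PHP, if any, is trusted to set `X-Forwarded-Proto`; all three are this example's assumptions.

```php
<?php
// Added example (not code from the answer): redirect plain HTTP to HTTPS, then send HSTS.
declare(strict_types=1);

const CANONICAL_HOST = 'example.com'; // placeholder; never build the redirect from the client's Host header
const HSTS_MAX_AGE   = 31536000;      // one year in seconds (assumed value)

// True when this request arrived over TLS, either directly or via a trusted proxy.
function request_is_https(array $server): bool
{
    if (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') {
        return true;
    }
    // Only meaningful when the proxy is known to overwrite this header (assumption here).
    return ($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
}

// Returns the HTTPS URL to redirect to, or null when no redirect is needed.
function https_redirect_target(array $server): ?string
{
    if (request_is_https($server)) {
        return null;
    }
    $path = $server['REQUEST_URI'] ?? '/';
    // Keep only a same-origin path: a value that does not start with a single "/"
    // could turn the redirect into an open redirect.
    if ($path === '' || $path[0] !== '/' || (isset($path[1]) && $path[1] === '/')) {
        $path = '/';
    }
    return 'https://' . CANONICAL_HOST . $path;
}

function enforce_https(): void
{
    $target = https_redirect_target($_SERVER);
    if ($target !== null) {
        // Redirect before any cookie or page content is emitted over plain HTTP.
        header('Location: ' . $target, true, 301);
        exit;
    }
    // Browsers only honour HSTS received over HTTPS, so it is sent after the check.
    // After the first clean HTTPS visit the browser refuses plain HTTP for this host
    // for HSTS_MAX_AGE seconds, which is the "one unadulterated connection" the answer refers to.
    header('Strict-Transport-Security: max-age=' . HSTS_MAX_AGE . '; includeSubDomains');
}

enforce_https();
```

Pair this with the `secure` cookie flag on the session cookie so the cookie is never transmitted over the one plain-HTTP request that triggers the redirect. The redirect itself is still the unprotected first visit the answer mentions; HSTS only closes that window on later visits, and preloading the domain with browser vendors is the usual way to close it for the first visit too.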