Session hijacking

from Wikipedia, the free encyclopedia

Session hijacking (English for roughly "the abduction of a communication session") is an attack on connection-oriented data communication between two computers. Whereas the participants in connectionless communication exchange messages that have no defined relation to one another, connection-oriented communication first establishes a logical connection (a session). If one of the communication partners authenticates itself to the other within the session, this creates a trust relationship. The attacker's goal is to "hijack" this session in order to exploit that trust relationship and obtain the same privileges as the legitimately authenticated user.

Since communication over computer networks is divided into layers , this attack can be carried out on any layer that provides for connection-based communication.

Session hijacking is similar to a spoofing attack, except that the attacker already has all the necessary information available at that point.

Methods

Session hijacking is usually preceded by passive sniffing of the data communication, during which the attacker collects the information needed for the attack. If that information is exchanged over unencrypted protocols such as HTTP, Telnet, FTP or POP3, the attacker only needs direct access to the physical layer (network cable, WLAN range) or must redirect the communication through their own system by means of a man-in-the-middle attack (Janus attack). If the transmission is encrypted, the attacker must first break the encryption.

TCP session hijacking

The legitimate user establishes a TCP connection using a three-way handshake. After authentication, the attacker tries to take over the dialogue by forging the response packets and delivering them faster than the originally addressed server or client. To do this, the attacker must know the sequence number, which is transmitted in plain text on unencrypted connections. If the attacker's packets, carrying the correct sequence numbers and a spoofed sender address, now arrive before the genuine packets, the addressed host processes them and discards the genuine ones.

Hijacking web sessions

HTTP is fundamentally a connectionless, stateless protocol: every HTTP request is accepted by the web server as a new connection, processed and then immediately closed again. Since many web applications need to recognise their users beyond the duration of a single request, they implement their own session management. For this purpose a unique session ID is generated at the start of each session, which the user's browser sends with all subsequent requests in order to identify itself to the server. The session ID is transmitted as a GET or POST parameter or, as is usually the case, in a cookie. If the attacker can read or guess this session ID, they can pose as the authenticated user by sending the session ID in their own requests and thus take over the session. Web applications that do not require the old password in order to set a new one additionally make it possible for the legitimate user to be locked out of their own account (account lockout).

Countermeasures

There are basically two ways to prevent session hijacking: first, by preventing the necessary information from being sniffed, through encrypted transmission; or second, by not basing the trust relationship on the weak security of a shared secret, for example by using challenge-response authentication. HTTPS, for instance, requires the server to authenticate itself to the client with a digital certificate and then encrypts the connection's payload. As with any use of cryptography, the following applies here as well: it is not enough for the cryptography to be theoretically secure; the actual implementation must be secure too.

Many hijacking techniques create anomalies in network traffic that intrusion detection systems (IDS) can detect. Detecting such an attack, however, can only be the first link in a chain of countermeasures.

Web-specific measures

It should be ensured that the web application in question is not vulnerable to cross-site scripting, since this is probably one of the main methods attackers use to read the document.cookie object via JavaScript and thus hijack the session.
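The cookie-based session handling from "Hijacking web sessions" and the document.cookie concern above, as an added Python example that is not part of the original article: it issues an unguessable session ID in a Set-Cookie header whose flags close the plaintext-sniffing and XSS-readable vectors, and audits an arbitrary Set-Cookie header for the exposures this page describes. The constants, function names, the 128-bit threshold and the entropy heuristic are assumptions; the SameSite attribute is included for completeness but is not discussed on this page.

```python
import math
import secrets

SESSION_ID_BYTES = 32    # 256 bits of CSPRNG output per session ID (assumption)
MIN_ENTROPY_BITS = 128   # below this a session ID is treated as guessable (assumption)


def new_session_id() -> str:
    """Return a fresh, unguessable session ID (URL-safe base64 of random bytes)."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


def session_cookie_header(session_id: str, name: str = "SESSIONID") -> str:
    """Build the Set-Cookie header for a session ID.
    Secure   -> never sent over plaintext HTTP, so it cannot be sniffed there
    HttpOnly -> hidden from document.cookie, so an XSS payload cannot read it
    SameSite -> not attached to cross-site requests"""
    return f"{name}={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def parse_set_cookie(header: str) -> tuple:
    """Split a Set-Cookie header into (name, value, {lowercase attribute: value or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def estimate_entropy_bits(value: str) -> float:
    """Upper-bound estimate: length times log2 of the smallest alphabet
    (digits, hex, alphanumeric, URL-safe base64) containing every character."""
    if value.isdigit():
        alphabet = 10
    elif all(c in "0123456789abcdefABCDEF" for c in value):
        alphabet = 16
    elif value.isalnum():
        alphabet = 62
    else:
        alphabet = 64
    return len(value) * math.log2(alphabet)


def audit_session_cookie(header: str) -> list:
    """Return the session-hijacking exposures a Set-Cookie header leaves open."""
    _, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plaintext HTTP, can be sniffed")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable via document.cookie by XSS")
    if estimate_entropy_bits(value) < MIN_ENTROPY_BITS:
        findings.append("low-entropy value: session ID may be guessable")
    return findings
```

A constructed weak header such as `SESSIONID=1048577; Path=/` yields all three findings, while the header produced by `session_cookie_header(new_session_id())` yields none.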
