(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 8, No. 7, October 2010

A Survey on Session Hijacking

P. Ramesh Babu
Dept of Computer Science & Engineering
Sri Prakash College of Engineering
Tuni-533401, INDIA
E-mail: rameshbabu_kb@yahoo.co.in

D. Lalitha Bhaskari
Dept of Computer Science & Systems Engineering
AU College of Engineering (A)
Visakhapatnam-530003, INDIA
E-mail: lalithabhaskari@yahoo.co.in

CPVNJ Mohan Rao
Dept of Computer Science & Engineering
Avanthi Institute of Engineering & Technology
Narsipatnam-531113, INDIA
E-mail: mohanrao_c@yahoo.com

With the emerging fields in e-commerce, financial and identity information are at a higher risk of being stolen. The purpose of this paper is to illustrate a common-cum-valiant security threat to which most systems are prone, i.e. session hijacking. It refers to the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system. Sensitive user information is constantly transported between sessions after authentication, and hackers are putting their best efforts into stealing it. In this paper, we set the stages on which session hijacking occurs, then discuss the techniques and mechanics of the act of session hijacking, and finally provide general strategies for its prevention.

Key words: session hijacking, packet, application level, network level, sniffing, spoofing, server, client, TCP/IP, UDP and

1. Introduction

Session hijacking refers to the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system; put another way, a session hijack is a process whereby the attacker inserts themselves into an existing communication session between two computers. Generally speaking, session hijack attacks are usually waged against a workstation-server type of communication session; however, hijacks can also be conducted between a workstation computer and a network-based appliance such as a router, switch or firewall. We now give a clear view of the stages and levels of session hijacking. “Indeed, in a study of 45 Web applications in production at client companies found that 31 percent of e-commerce applications were vulnerable to cookie manipulation and session hijacking” [3]. Section 2 of this paper deals with the different stages of session hijacking; Section 3 covers in depth where session hijacking can be done, followed by a discussion of the avoidance of session hijacking. Section 5 concludes the paper.

2. Stages of session hijacking

Before we can discuss the details of session hijacking, we need to be familiar with the stages on which this act plays out. We have to identify the vulnerable protocols and also obtain an understanding of what sessions are and how they are used. Based on our survey, we have found that the three main protocols that manage the data flow on which session hijacking occurs are TCP, UDP, and HTTP.


                                                           76                                http://sites.google.com/site/ijcsis/
                                                                                             ISSN 1947-5500

2.1 TCP

TCP stands for Transmission Control Protocol. We define it as “one of the main protocols in TCP/IP networks. TCP the IP protocol deals only with packets and TCP enables two hosts to establish a connection and exchange streams of data. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent.” [2] The last part of the TCP definition is important in our discussion of session hijacking. In order to guarantee that packets are delivered in the right order, TCP uses acknowledgement (ACK) packets and sequence numbers to create a “full duplex reliable stream connection between two end points,” [4] with the end points referring to the communicating hosts. The two figures below provide a brief description of how TCP works:

Figure 1: TCP Session establishment using Three-Way Handshake Method (Figure and TCP summary taken from [1])

The connection between the client and the server begins with a three-way handshake (Figure 1). It proceeds as follows:

• Client sends a synchronization (SYN) packet to the server with initial sequence number X.
• Server responds by sending a SYN/ACK packet that contains the server's own sequence number P and an ACK number for the client's original SYN packet. This ACK number indicates the next sequence number the server expects from the client.
• Client acknowledges receipt of the SYN/ACK packet by sending back to the server an ACK packet with the next sequence number it expects from the server, which in this case is P+1.

Figure 2: Sending Data over TCP (Figure and TCP summary taken from [1])

After the handshake, it’s just a matter of sending packets and incrementing the sequence number to verify that the packets are getting sent and received. In Figure 2, the client sends one byte of info (the letter “A”) with the sequence number X+1 and the server acknowledges the packet by sending an ACK packet with number X+2 (X+1, plus 1 byte for the A character) as the next sequence number expected by the server. The period where all this data is being sent over TCP between client and server is called the TCP session. It is our first stage on which session hijacking will play out.

2.2 UDP

The next protocol is UDP, which stands for User Datagram Protocol. It is defined as “a connectionless protocol that, like TCP, runs on top of IP networks. Unlike TCP/IP, UDP/IP provides very few error recovery services, offering instead a direct way to send and receive datagrams over an IP network.” [6] UDP doesn’t use sequence numbers like TCP. It is mainly used for broadcasting messages across the network or for doing DNS queries. Online first person
shooters like Quake and Half-life make use of this protocol. Since it’s connectionless and does not have any of the more complex mechanisms that TCP has, it is even more vulnerable to session hijacking. The period where the data is being sent over UDP between client and server is called the UDP session. UDP is our second stage for session hijacking.

2.3 HTTP

HTTP stands for Hyper Text Transfer Protocol. We define HTTP as “the underlying protocol used by the World Wide Web. HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. For example, when you enter a URL in your browser, this actually sends an HTTP command to the Web server directing it to fetch and transmit the requested Web page.” [2]

It is also important to note that HTTP is a stateless protocol. Each transaction in this protocol is executed independently with no knowledge of past transactions. The result is that HTTP has no way of distinguishing one user from the next. To uniquely track a user of a web application and to persist his/her data within the HTTP session, the web application defines its own session to hold this data. HTTP is the final stage on which session hijacking occurs, but unlike TCP and UDP, the session to hijack has more to do with the web application’s implementation than with the protocol (HTTP).

3. Levels of session hijacking

Session hijacking can be done at two levels: Network Level and Application Level. Network level hijacking involves TCP and UDP sessions, whereas Application level session hijacking occurs with HTTP sessions. Attacks at each level are not unrelated, however. Most of the time, they will occur together depending on the system that is attacked. For example, a successful attack on a TCP session will no doubt allow one to obtain the necessary information to make a direct attack on the user session on the application level.

3.1 Network level hijacking

The network level refers to the interception and tampering of packets transmitted between client and server during a TCP or UDP session. Network level session hijacking is particularly attractive to hackers, because they do not have to customize their attacks on a per web application basis. It is an attack on the data flow of the protocol, which is shared by all web applications [7].

3.1.1 TCP Session hijacking

The goal of the TCP session hijacker is to create a state where the client and server are unable to exchange data, so that he can forge acceptable packets for both ends, which mimic the real packets. Thus, the attacker is able to gain control of the session. At this point, the client and server will drop packets sent between them because the server’s sequence number no longer matches the client’s ACK number and, likewise, the client’s sequence number no longer matches the server’s ACK number. To hijack a session in a TCP network, the hijacker employs the following techniques [7]:

• IP Spoofing
• Blind Hijacking
• Man in the Middle attack (packet sniffing)

IP Spoofing

IP spoofing is “a technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host.” [2] Once the hijacker has successfully spoofed an IP address, he determines the next sequence number that the server expects and uses it to inject the forged packet into the TCP session before the client can respond. By doing so, he creates the “desynchronized state.” The sequence and ACK numbers are no longer synchronized between client and server, because the server registers having received a new packet that the client never sent. Sending more of these packets will create an even greater inconsistency between the two hosts.

Blind Hijacking

If source routing is disabled, the session hijacker can also employ blind hijacking, where he injects his malicious data into intercepted communications in the TCP session. It is called “blind” because the hijacker can send the data or commands, but cannot see the response. The hijacker is basically guessing the responses of the client and server. An example of a malicious command a blind hijacker can inject is to set a password that can allow him access from another host.

Figure 3: Blind Injection

Man in the Middle attack (packet sniffing)

This technique involves using a packet sniffer that intercepts the communication between the client and server. With all the data between the hosts flowing through the hijacker’s sniffer, he is free to modify the content of the packets. The trick to this technique is to get the packets to be routed through the hijacker’s host. [1]

3.1.2 UDP Session hijacking

Hijacking a session over User Datagram Protocol (UDP) is exactly the same as over TCP, except that UDP attackers do not have to worry about the overhead of managing sequence numbers and other TCP mechanisms. Since UDP is connectionless, injecting data into a session without being detected is extremely easy. If the “man in the middle” situation exists, this can be very easy for the attacker, since he can also stop the server’s reply from getting to the client in the first place [6]. Figure 4 shows how an attacker could do this.

Figure 4: Session Hijacking over UDP

DNS queries, online games like Quake and Half-Life, and peer-to-peer sessions are common protocols that work over UDP; all are popular targets for this kind of session
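The desynchronized state described in Section 3.1.1 leaves a trace the legitimate client can check for: the server acknowledges bytes the client never sent. The following detection sketch is an added example, not code from the paper; the `Segment` record, the function names and both traces are constructed here, using the paper's X and P for the initial sequence numbers and assuming the capture is taken on the client's own interface.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def seq_after(a: int, b: int) -> bool:
    """True if sequence number a lies strictly after b, modulo 2**32."""
    d = (a - b) % MOD
    return 0 < d < (1 << 31)


@dataclass
class Segment:
    src: str                    # "client" or "server" (labels for the two endpoints)
    seq: int                    # sequence number of the first byte carried
    ack: Optional[int] = None   # None when the ACK flag is not set (initial SYN)
    length: int = 0             # payload bytes
    syn: bool = False           # a SYN consumes one sequence number


def find_desync(trace: List[Segment], local: str = "client") -> List[Tuple[int, int]]:
    """Return (segment index, unsent byte count) for every peer ACK that
    covers data the local endpoint has not sent yet."""
    snd_nxt = None  # next sequence number the local endpoint will use
    alerts = []
    for i, seg in enumerate(trace):
        if seg.src == local:
            end = (seg.seq + seg.length + (1 if seg.syn else 0)) % MOD
            if snd_nxt is None or seq_after(end, snd_nxt):
                snd_nxt = end
        elif seg.ack is not None and snd_nxt is not None and seq_after(seg.ack, snd_nxt):
            alerts.append((i, (seg.ack - snd_nxt) % MOD))
    return alerts


def normal_session(x: int, p: int) -> List[Segment]:
    """Constructed trace: the handshake of Figure 1, then the one byte of Figure 2."""
    c1, s1 = (x + 1) % MOD, (p + 1) % MOD
    return [
        Segment("client", x, None, syn=True),     # SYN, sequence number X
        Segment("server", p, c1, syn=True),       # SYN/ACK, sequence P, ACK X+1
        Segment("client", c1, s1),                # ACK P+1
        Segment("client", c1, s1, length=1),      # the letter "A" at X+1
        Segment("server", s1, (c1 + 1) % MOD),    # ACK X+2
    ]


def desynchronized_session(x: int, p: int) -> List[Segment]:
    """Constructed trace: the server has accepted 10 bytes that never left the client."""
    c2, s1 = (x + 2) % MOD, (p + 1) % MOD
    return normal_session(x, p) + [
        Segment("server", s1, (c2 + 10) % MOD),   # ACK X+12, but the client only reached X+2
        Segment("client", c2, s1, length=1),      # the client's genuine next byte
        Segment("server", s1, (c2 + 10) % MOD),   # the server still expects X+12
    ]


if __name__ == "__main__":
    X, P = 1000, 5000
    print("normal:", find_desync(normal_session(X, P)))
    print("desynchronized:", find_desync(desynchronized_session(X, P)))
```

Packets missing from the capture produce the same signature, so an alert is a reason to inspect the connection rather than proof of injection.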

3.2 Application level hijacking

The application level refers to obtaining session IDs to gain control of the HTTP user session as defined by the web application. At the application level, the session hijacker not only tries to hijack existing sessions, but also tries to create new sessions using stolen data. Session hijacking at the application level mainly involves obtaining a valid session ID by some means in order to gain control of an existing session or to create a new unauthorized session.

3.2.1 HTTP Session hijacking

HTTP session hijacking is all about obtaining the session ID, since web applications key off of this value to determine identity. Now we will see the techniques involved in HTTP session hijacking [7].

Obtain Session IDs

Session IDs generally can be found in three locations [5]:

• Embedded in the URL, which is received by the application through HTTP GET requests when the client clicks on links embedded with a page.
• Within the fields of a form and submitted to the application. Typically the session ID information would be embedded within the form as a hidden field and submitted with the HTTP POST command.
• Through the use of cookies.

All three of these locations are within the reach of the session hijacker. Embedded session info in the URL is accessible by looking through the browser history or proxy server or firewall logs. A hijacker can sometimes re-enter the URL from the browser history and get access to a web application if it was poorly coded. Session info in a form submitted through the POST command is harder to access, but since it is still sent over the network, it can still be accessed if the data is intercepted. Cookies are accessible on the client’s local machine and also send and receive data as the client surfs to each page. The session hijacker has a number of ways to guess the session ID or steal it from one of these locations.

Observation (Sniffing)

Using the same techniques as TCP session hijacking, the hijacker can create the “man in the middle” situation and use a packet sniffer. If the HTTP traffic is sent unencrypted, the session hijacker has traffic redirected through his host where he can examine the intercepted data and obtain the session ID. Unencrypted traffic could carry the session ID and even usernames and passwords in plain text, making it very easy for the session hijacker to obtain the information required to steal or create his own unauthorized session.

Brute Force

If the session ID appears to be predictable, the hijacker can also guess the session ID via a brute force technique, which involves trying a number of session IDs based upon the pattern. This can be easily set up as an automated attack, going through multiple possibilities until a session ID works. “In ideal circumstances, an attacker using a domestic DSL line can potentially conduct up to as many as 1000 session ID guesses per second.” Therefore, if the algorithm that produces the session ID is not random enough, the session hijacker can obtain a usable session ID rather quickly using this technique.

Misdirected Trust [5]

It refers to using HTML injection and cross-site scripting to steal session information. HTML injection involves finding a way to inject malicious HTML code so that the client’s browser will execute it and send session data to the hijacker. Cross-site scripting has the same goal, but more specifically exploits a web application’s failure to validate user-supplied input before returning it to the client system. “Cross-site” refers to the security restrictions placed on data associated with a web site (e.g. session cookies). The goal of the attack is to trick the browser into executing injected code under the same permissions as the web application domain. By doing so, he can steal session information from the client side. The success of such an attack is largely dependent on the susceptibility of the targeted web application.

4. Avoidance of Session Hijacking

To protect your network against session hijacking, a user has to implement security measures at both the Application level and the Network level. Network level hijacks can be prevented by ciphering the packets so that the hijacker cannot decipher the packet headers to obtain any information which will aid in spoofing. This encryption can be provided by using protocols such as IPSEC, SSL, SSH etc. Internet security protocol (IPSEC) has the ability to encrypt the packet on some shared key between the two parties involved in communication [7]. IPSec runs in two modes: Transport and Tunnel. In Transport Mode only the data sent in the packet is encrypted, while in Tunnel Mode both packet headers and data are encrypted, so it is more restrictive [4].

To prevent your Application session from being hijacked, it is recommended to use strong session IDs so that they cannot be hijacked or deciphered at any cost. SSL (Secure Socket Layer) and SSH (Secure Shell) also provide strong encryption using SSL certificates so that the session cannot be hijacked, but tools such as Cain & Abel can spoof the SSL certificates and decipher everything! Expiring sessions after a definite period of time requires re-authentication, which renders the hacker’s tricks useless [7].

Methods to avoid session hijacking include:

• An open source solution is ArpON "Arp handler inspectiON". It is a portable ARP handler which detects and blocks all Man in the Middle attacks through ARP poisoning and spoofing attacks with a static ARP inspection (SARPI) and dynamic ARP inspection (DARPI) approach on switched LANs with or without DHCP. This requires an agent on every host that is to be
• Use of a long random number or string as the session key. This reduces the risk that an attacker could simply guess a valid session key through trial and error or brute force attacks.
• Regenerating the session id after a successful login. This prevents session fixation because the attacker does not know the session id of the user after he has logged in.
• Encryption of the data passed between the parties; in particular the session key. This technique is widely relied upon by web-based banks and other e-commerce services, because it completely prevents sniffing-style attacks. However, it could still be possible to perform some other kind of session hijack.
• Some services make secondary checks against the identity of the user. For
example, a web server could check with each request made that the IP address of the user matched the one last used during that session. This does not prevent attacks by somebody who shares the same IP address, however, and could be frustrating for users whose IP address is liable to change during a browsing session.
• Alternatively, some services will change the value of the cookie with each and every request. This dramatically reduces the window in which an attacker can operate and makes it easy to identify whether an attack has taken place, but can cause other technical problems.
• Users may also wish to log out of websites whenever they are finished using them.

5. Conclusion

Session hijacking remains a serious threat to networks and web applications on the web. This paper provides a general overview of how the malicious exploit is done and how the information security engineer can protect networks and web applications from this threat. It is important to protect our session data at both the network and application levels. Although implementing all of the countermeasures discussed here does not completely guarantee full immunity against session hijacking, it does raise the security bar and forces the session hijacker to come up with alternate and perhaps more complex methods of attack. It is a good idea to keep testing and monitoring our networks and applications to ensure that they will not be susceptible to the hijacker’s tricks.

We hope earnestly that the paper we presented will cater to the needs of novice researchers and students who are interested in session hijacking.

6. References

[1] Lam, Kevin, David LeBlanc, and Ben Smith. “Hacking: Fight Back: Theft On The Web: Prevent Session Hijacking.” Microsoft TechNet Festival. Winter 2005. 1 Jan. 2005.

[2] <http://www.webopedia.com/>.

[3] Morana, Marco. “Make It and Break It: Preventing Session Hijacking and Cookie Manipulation.” Secure Enterprise Summit, 23 Nov. 2004.

[4] William Stallings, Network Security Essentials, 3rd Edition, Pearson Edition.

[5] Ollman, Gunter. “Web Session Management: Best Practices in Managing HTTP Based Client Sessions.” Technical Info: Making Sense of Security. Accessed 20 Dec. 2004.

[6] Kevin L. Paulson, “Hack proofing your network”, 1st Edition, Global Knowledge Professional reference. Syngress Edition.

[7] “Session Hijacking in Windows Networks.” By Mark Lin, Date Submitted: 1/18/2005, GSEC Practical Assignment v1.4c (Option 1) of SANS Institute of Information Security.

[8] www.wikipedia.com
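Several of the Section 4 countermeasures (a long random session key, regeneration after login, expiry, the secondary IP check, changing the cookie value per request) fit into one small server-side session store, and the Brute Force paragraph of Section 3.2.1 supplies the guessing rate to size the key against. This is an added example, not code from the paper; the class and function names are hypothetical, the store is in memory only, and `login` assumes the caller has already verified the credentials.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

ID_BYTES = 32  # 256 random bits per session ID


def expected_guess_seconds(id_bits: int, live_sessions: int,
                           guesses_per_s: float = 1000.0) -> float:
    """Mean time for blind guessing to hit any live session, assuming uniformly
    random IDs; the default rate is the 1000 guesses per second quoted in the paper."""
    return (2 ** id_bits + 1) / (live_sessions + 1) / guesses_per_s


@dataclass
class Session:
    user: Optional[str]   # None until login succeeds
    ip: str               # address the session was created from
    last_seen: float      # clock value of the last accepted request


class SessionStore:
    def __init__(self, idle_timeout: float = 900.0, bind_ip: bool = True,
                 clock=time.monotonic):
        self._sessions: Dict[str, Session] = {}
        self.idle_timeout = idle_timeout
        self.bind_ip = bind_ip    # optional: the paper notes user addresses may change
        self._clock = clock

    def _issue(self, rec: Session) -> str:
        sid = secrets.token_urlsafe(ID_BYTES)   # CSPRNG output, 43 URL-safe characters
        self._sessions[sid] = rec
        return sid

    def create(self, ip: str) -> str:
        """Anonymous session handed out before authentication."""
        return self._issue(Session(None, ip, self._clock()))

    def validate(self, sid: str, ip: str) -> Optional[Session]:
        """Return the session for an acceptable request, otherwise None."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        expired = now - rec.last_seen > self.idle_timeout
        moved = self.bind_ip and rec.ip != ip
        if expired or moved:
            # Drop the session so whoever holds the ID must re-authenticate.
            del self._sessions[sid]
            return None
        rec.last_seen = now
        return rec

    def rotate(self, sid: str, ip: str) -> Optional[str]:
        """Change the cookie value on a request: the old ID stops working at once."""
        rec = self.validate(sid, ip)
        if rec is None:
            return None
        del self._sessions[sid]
        return self._issue(rec)

    def login(self, pre_sid: str, user: str, ip: str) -> str:
        """Regenerate the ID after a successful login so an ID fixed before
        authentication never becomes an authenticated one."""
        if self.validate(pre_sid, ip) is not None:
            del self._sessions[pre_sid]
        return self._issue(Session(user, ip, self._clock()))

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    # Constructed scenario; the address is from a documentation range.
    store = SessionStore()
    pre = store.create("198.51.100.7")
    sid = store.login(pre, "alice", "198.51.100.7")
    print("pre-login ID still valid:", store.validate(pre, "198.51.100.7") is not None)
    print("32-bit IDs, 1000 live sessions:", round(expected_guess_seconds(32, 1000)), "s")
    print("256-bit IDs, 1000 live sessions: %.1e s" % expected_guess_seconds(256, 1000))
```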

Authors Profile

Ms. Dr D. Lalitha Bhaskari is an Associate professor in the department of Computer Science and Engineering of Andhra University. She did her Phd from JNTU Hyderabad in the area of Steganography and Watermarking. Her areas of interest include Theory of computation, Data Security, Image Processing, Data communications, Pattern Recognition. Apart from her regular academic activities she holds prestigious responsibilities like Associate Member in the Institute of Engineers, Member in IEEE, Associate Member in the Pentagram Research Foundation, Hyderabad, India. She is also the recipient of “Young Engineers” Award from the prestigious Institution of Engineers (INDIA) for the year 2008 in Computer Science discipline.

Mr. P. Ramesh babu is an Assistant Professor in the Department of Computer Science & Engineering of Sri Prakash college of Engineering-Tuni. His research interests include Steganography, Digital Watermarking, Information security and Data communications. Mr.Ramesh babu did his M.Tech in Computer Science & Engineering from JNTU Kakinada. He has 5 years of good teaching experience. Contact him at: rameshbabu_kb@yahoo.co.in

Dr. C.P.V.N.J Mohan Rao is a Professor in the Department of Computer Science and Engineering and principal of Avanthi Institute of Engineering & Technology - Narsipatnam. He did his PhD from Andhra University and his research interests include Image Processing, Networks & Data security, Data Mining and Software Engineering. He has guided more than 50 M.Tech Projects. He received many honors and he has been the member for many expert committees, member of many professional bodies and Resource person for various
