
Session hijacking - Steal cookies on a remote computer

I have written many articles on cookie stealing. Today I thought I would write about how to steal cookies on a remote computer by a method known as session hijacking, and introduce cookie stealing.



What is session hijacking?

Session hijacking is taking over a user session and stealing cookies on a remote computer. Essentially, it is when two computers establish a connection and an attacker assumes the position of one of the computers through its session ID. Because the authenticated state is stored as a session variable, a session-based application can be open to hijacking. When a request is sent to a session-based application, the browser includes the session identifier, usually as a cookie, to access the authenticated session. Rather than snoop for usernames and passwords, a hacker can use a session ID to hijack an existing session and steal cookies on a remote computer.



How it works

1. An admin logs into the control panel of his website.

2. A session ID is generated.

3. His computer mysteriously goes offline without logging out (hehe).

4. You can then guess his session ID.

5. If the session ID is right, you can assume his admin privileges.

HTTP is stateless. I guess when they developed HTTP they weren't thinking about individual sessions. Session IDs were created to track a single user across each page he viewed without re-authenticating every time. A session ID identifies the user and allows them access. Session hijacking does require cookie theft if you don't want to spend years guessing the damn session ID; this is where XSS and other forms of exploits on web applications come in. If you fail to see "phpsessid=3209U3R6IMH2" in your browser, then most likely there is a hidden Torrent on the page with the PHP session ID value. Naturally, this would be yours if you're logged in.



Stealing cookies on a remote computer - session hijacking







Suppose:

1. User A and user B are both logged in at rafayhackingarticles.blogspot.com.

2. User A has no admin permissions. User B does.

3. User A messages user B, or posts a link somewhere for user B to click.

4. When user B clicks the link, the 'hot link' logs their referrer.

                                           

OR



Surfjack is the name given to an attack that allows a man in the middle to hijack session cookies even when the victim is making use of SSL instead of plaintext HTTP. This video shows the tool being demonstrated against a Gmail account. The proof of concept tool (also called surfjack) is able to work on both Ethernet by making use of ARP cache poisoning, and WiFi in monitor mode. Although Gmail somehow fixed the issue by setting the cookies to "secure", many other sites are still vulnerable.



How to prevent session hijacking:

SSL only helps with sniffing attacks. If an attacker has access to your machine, I will assume they can copy your secure cookie too.

At the very least, make sure old cookies lose their value after a while. Even a successful hijacking attack will be thwarted when the cookie stops working. If the user has a cookie from a session that logged in more than a month ago, make them re-enter their password. Make sure that whenever a user clicks on your site's "log out" link, the old session UUID can never be used again.

I'm not sure if this idea will work but here goes: Add a serial number into your session cookie, maybe a string like this:

SessionUUID, Serial Num, Current Date/Time

Encrypt this string and use it as your session cookie. Regularly change the serial num, maybe when the cookie is 5 minutes old, and then reissue the cookie. You could even reissue it on every page view if you wanted to. On the server side, keep a record of the last serial num you've issued for that session. If someone ever sends a cookie with the wrong serial number, it means that an attacker may be using a cookie they intercepted earlier, so invalidate the session UUID, ask the user to re-enter their password, and then reissue a new cookie.

Remember that your user may have more than one computer so they may have more than one active session. Don't do something that forces them to log in again every time they switch between computers.
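A server-side sketch of the rotating serial number scheme, the one-month limit and the logout rule described above. It is an added example, not code from the original post, and it assumes an in-memory session table and an HMAC signature in place of encryption, so the cookie is tamper-evident but not confidential; all function and variable names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

KEY = secrets.token_bytes(32)   # server-side signing key (generated for this example)
ROTATE_AFTER = 5 * 60           # reissue the cookie once it is 5 minutes old
MAX_AGE = 30 * 24 * 3600        # ask for the password again after about a month
SESSIONS = {}                   # session id -> {"serial": int, "login": float}


def sign(payload):
    return hmac.new(KEY, payload.encode(), hashlib.sha256).hexdigest()


def make_cookie(sid, serial, now):
    payload = f"{sid},{serial},{int(now)}"   # SessionUUID, Serial Num, Date/Time
    return f"{payload},{sign(payload)}"


def login(now=None):
    now = time.time() if now is None else now
    sid = secrets.token_hex(16)              # one id per device, so serials never clash
    SESSIONS[sid] = {"serial": 1, "login": now}
    return make_cookie(sid, 1, now)


def check(cookie, now=None):
    """Return (status, cookie to send back or None)."""
    now = time.time() if now is None else now
    payload, _, mac = cookie.rpartition(",")
    if not hmac.compare_digest(mac.encode(), sign(payload).encode()):
        return "rejected", None              # forged or tampered cookie
    sid, serial, issued = payload.split(",")
    state = SESSIONS.get(sid)
    stale = state is not None and int(serial) != state["serial"]
    if state is None or stale or now - state["login"] > MAX_AGE:
        SESSIONS.pop(sid, None)              # replayed, expired or logged out
        return "login_required", None
    if now - int(issued) >= ROTATE_AFTER:
        state["serial"] += 1                 # rotate the serial and reissue
        return "ok", make_cookie(sid, state["serial"], now)
    return "ok", cookie


def logout(cookie, now=None):
    if check(cookie, now)[0] == "ok":
        SESSIONS.pop(cookie.split(",")[0], None)   # the old id can never be used again
```

Requests already in flight when a rotation happens still carry the previous serial, so a production version would need a short grace window before treating the old serial as a replay.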
