    #1
    Member
    Website's:
    litewarez.net litewarez.com triniwarez.com

    Session Hijacking

    Heya guys,

    Just going to do a little talk about Session Hijacking today...

    What is Session Hijacking
    Session hijacking is a way that a hacker can gain access to someone else's session and gain access to private parts of your site.

    How does it work:
    Session hijacking works by an external source (hacker) getting access to a cookie file from a user and then setting a cookie on his machine to fool your site into thinking that the hacker is actually the user.

    Example of how a session works:
    Sessions work in a way where your server gives out a unique id to a user's cookie, and stores a file with session data in temporary files.

    From the moment you call session_start(); a cookie is sent to the browser, which is stored. Let's take this example.

    PHP Code: 
    session_start();
    /*
      1. A check is made to get a session id from the cookie; if it exists see 1a, if not see 1b.
        1a. PHP checks to see if session_COOKIE_ID exists in /tmp and loads the data.
        1b. A new session id is created and a new blank file is created called session_SID.tmp.
      2. The session data is loaded into $_SESSION.
    */
    if(isset($_SESSION['logged_in']))
    {
        //Blah - the user is logged in, so the private part of the site is served here
    }

    Now if you read that, you would realise that sending someone else's session within the headers will allow you to be logged in as that user. Not good.

    Preventing this from happening!
    There are a few ways to prevent hijacking, and I'm going to show you them.

    The first way is to check the user's User-Agent, so if it's another user agent then you can stop the session.

    Here's an example
    PHP Code: 
    session_start();

    $ua = md5($_SERVER['HTTP_USER_AGENT']);

    if(isset($_SESSION['SECURITY_UA']))
    {
         if($ua != $_SESSION['SECURITY_UA'])
         {
              die('Session Hijacking Attempt');
         }
    }
    else
    {
         $_SESSION['SECURITY_UA'] = $ua; //first request: remember the user agent hash
    }

    But the problem with this is that the hacker can gain the USER AGENT as well, so this would still be penetrable.

    The next way is to mix it up, so to speak, so that we mix in data the hacker can never get.

    PHP Code: 
    session_start();

    $ua = md5($_SERVER['HTTP_USER_AGENT']."SeCrEtStRiNgAhAcKeRCaNtGet");

    if(isset($_SESSION['SECURITY_UA']))
    {
         if($ua != $_SESSION['SECURITY_UA'])
         {
              die('Session Hijacking Attempt');
         }
    }
    else
    {
         $_SESSION['SECURITY_UA'] = $ua; //first request: remember the salted hash
    }

    OK, so this looks good and works pretty well; the hacker would have to make a lot of attempts to get this, but we all know about rainbow tables (well, the latter of us), so this can still be improved. How, you ask? Let me show you.

    PHP Code: 
    session_start();
    $newtoken = uniqid((string) rand(0,1000), true);
    $oldtoken = $_SESSION['TOKEN'] ?? null;
    //hash for the next request, built from the new token
    $ua = md5($_SERVER['HTTP_USER_AGENT'] . $newtoken);

    //Update the data
    $_SESSION['TOKEN'] = $newtoken;

    if(isset($_SESSION['SECURITY_UA']))
    {
         //rebuild the hash the previous request stored (UA + old token) and compare
         if(md5($_SERVER['HTTP_USER_AGENT'] . $oldtoken) != $_SESSION['SECURITY_UA'])
         {
              die('Session Hijacking Attempt');
         }
         else
         {
              $_SESSION['SECURITY_UA'] = $ua; //new hash
         }
    }
    else
    {
         $_SESSION['SECURITY_UA'] = $ua; //first request
    }

    What this is doing is storing 2 items in the user session, a token and a hash of UA and the token; then as the user changes the page they get their old tokens checked and refreshed to a totally new one, so no tokens are ever the same.

    Implementing such things will practically stop hijackers in their tracks.

    NOTE:

    Have you ever noticed that sites like Facebook log you out if you close your browser and reopen it, and others just don't log you out?

    Think how that's handled: fingerprint the browser's session.
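As an added example (not the OP's code or anything from the forum), here is the same idea with the weak points above addressed: a keyed HMAC of the User-Agent instead of a plain md5, the cookie flagged HttpOnly/Secure, a constant-time compare, and the session ID regenerated at login. SESSION_SECRET, guard_session() and login_user() are names assumed for this example.

```php
<?php
declare(strict_types=1);
// Assumed: a long random secret loaded from config, never committed to source.
const SESSION_SECRET = 'REPLACE-WITH-A-LONG-RANDOM-SECRET';

// Harden the session cookie before the session starts (PHP 7.3+ array form).
session_set_cookie_params([
    'httponly' => true,  // not readable from JavaScript, so script injection cannot read it
    'secure'   => true,  // only sent over HTTPS, so it is not exposed in clear text
    'samesite' => 'Lax',
]);
session_start();

function fingerprint(): string
{
    // Keyed hash of the User-Agent: knowing the UA alone is not enough,
    // the server secret is needed too, unlike a plain md5() of the UA.
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash_hmac('sha256', $ua, SESSION_SECRET);
}

function guard_session(): void
{
    $current = fingerprint();
    if (!isset($_SESSION['FP'])) {
        $_SESSION['FP'] = $current; // first request: bind the session to this client
        return;
    }
    // Constant-time compare; a mismatch means the session cookie is being
    // presented by a client other than the one it was issued to.
    if (!hash_equals($_SESSION['FP'], $current)) {
        session_unset();
        session_destroy();
        http_response_code(403);
        exit('Session check failed');
    }
}

function login_user(int $userId): void
{
    // New session ID at privilege change: an ID handed out before login
    // never becomes an authenticated session, even if someone else saw it.
    session_regenerate_id(true);
    $_SESSION['logged_in'] = $userId;
    $_SESSION['FP'] = fingerprint();
}

guard_session(); // call on every request right after session_start()
```

Call login_user() from the login handler once the password check succeeds; guard_session() runs on every page load and logs a mismatch out rather than trusting the cookie.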


    #2
    Member
    Well, session hijacking can't be done on every kind of site, only on some custom-made CMSs that are not very famous, with vulnerabilities.

    #3
    Member
    Website's:
    litewarez.net litewarez.com triniwarez.com
    As a web developer I never use open source CMSs as such; I always create a framework where one edit filters through the whole of my site.

    And you would not believe the logs I get. So you're wrong, there are hackers trying everyone; it's only script kiddies who copy and paste a vuln.
    #4
    Respected Developer
    Website's:
    wrzc.org
    I use a basic encrypted one using the user agent, but I don't add random inputs like you have in the last example, only static ones, but I will now in the unlikely event they get that far.

    I do really like your tuts litewarez, even if I don't use them all; they're bookmarked in the brain for later.

    #5
    Member
    Website's:
    litewarez.net litewarez.com triniwarez.com
    Haha Mr Happy, no probs dood.

    It's nice to share.
    #6
    Member
    Website's:
    porntonight.info
    But where do we need to add this code?

    #7
    Member
    Website's:
    litewarez.net litewarez.com triniwarez.com
    You can add the code into a function and call the function just after session_start();

    Or you can just add the code after session_start() in your application.
    #8
    Member
    Some good pics from a good friend to make you understand this topic:

    [images not preserved in this copy of the thread]

    And a very nice one:

    #9
    Member
    Website's:
    porntonight.info
    Lite bro, I need to know a little more as I am a noob.

    I have two vB forums, so which files do I need to edit in that?

    #10
    Member
    LOL man, don't worry about it, vB is fine! hehehe
    This is for applications made by you; let's say you are a programmer, this will help you to overcome session hijacking if you ever make a web app!
