Session Hijacking

Experiences in Passively Detecting Session Hijacking Attacks in IEEE 802.11 Networks

Session Hijacking Internet Security Whitepapers

Session hijacking is a common and serious threat to wireless local area network (WLAN) security (Schmoyer, Lim & Owen 2004). This attack exploits deficiencies in the WLAN state machine, namely unauthenticated management frames and the loose coupling of the IEEE 802.11i and IEEE 802.1X state machines (Mishra & Arbaugh 2003), and can be launched using off-the-shelf hardware and software. Session hijacking combines denial of service (DoS) and identity spoofing attacks. Typically an adversary forces a legitimate mobile station (STA) to terminate its connection to an access point (AP) by sending it a disassociation/deauthentication management frame with the source MAC address spoofed to be that of the AP. This results in the STA disconnecting from the network. The adversary can now associate with the AP by masquerading as the STA, using its MAC address, and hence take over its session. Neither the original IEEE 802.11 standards nor the recent IEEE 802.11i standard specifies mechanisms for protecting the integrity of the management frames, leaving IEEE 802.11 based WLANs vulnerable to management frame spoofing and the associated denial of service attacks that such spoofing permits (Bellardo & Savage 2003). In this paper the terms Wireless and Wireless Local Area Networks refer to IEEE 802.11 infrastructure networks (IEEE 1999).

Session Fixation Vulnerability in Web-based Applications

Web-based applications frequently use sessions to provide a friendly environment to their users. HTTP [1] is a stateless protocol, which means that it provides no integrated way for a web server to maintain state across a user’s subsequent requests. In order to overcome this problem, web servers – or sometimes web applications – implement various kinds of session management. The basic idea behind web session management is that the server generates a session identifier (ID) at some early point in user interaction, sends this ID to the user’s browser and makes sure that this same ID will be sent back by the browser along with each subsequent request. Session IDs thereby become identification tokens for users, and servers can use them to maintain session data (e.g., variables) and create a session-like experience for the users.

Session Hijacking Exploiting TCP, UDP and HTTP Sessions

Session hijacking can be done at two levels: network level and application level. Network-level hijacking involves TCP and UDP sessions, whereas application-level session hijacking occurs with HTTP sessions. A successful attack on network-level sessions will provide the attacker with some critical information which will then be used to attack application-level sessions, so most of the time they occur together, depending on the system that is attacked. Network-level attacks are most attractive to an attacker because they do not have to be customized on a per-web-application basis; they simply attack the data flow of the protocol, which is common to all web applications.

Session Hijacking in Wireless Networks

The term session hijacking refers to the exploitation of a valid computer session - sometimes also called a session key or ID - to attain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of the magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer.

Session Management in Web Applications

Many web applications still suffer from weak session management. For "medium security", a good cookie-based standard solution can be sufficient. For higher security needs, a Dynamic Link-based approach is recommended. Each web application should be checked against all problem categories mentioned above. Never trust user input.

T-Sight Realtime Tutorial

This section contains a tutorial on how to use T-Sight to monitor your network in realtime for suspicious activity, and then to respond to that activity with T-Sight's Active Countermeasures. After installing T-Sight under Windows NT 4.0 (including the device driver) and rebooting, you should now be able to run T-Sight Realtime Monitor.