Chapter 12: Session Hijacking Flashcards
3 ways of determining the session ID
1) BRUTE-FORCING AN ID //guessing an ID
2) STEALING AN ID //through sniffing
3) CALCULATING AN ID //calculating a valid session ID simply by looking at an existing one and figuring out the sequence
Spoofing VS Hijacking
Spoofing //pretend to be someone, but does not take over session
Hijacking //takes over existing active session
*** Active Attacks vs Passive Attacks
Active attack //taking over the connection as one's own; this usually causes a DoS on the legit client;
Passive attack //monitor traffic between user and server
3 places for web session IDs
1) EMBEDDED IN A URL //web apps use GET request to follow links embedded in a web page; An attacker can easily browse through victim’s browsing history and gain access by entering the URL of a previously browsed web app
2) EMBEDDED AS HIDDEN FIELD //forms for inputting user data sometimes include a hidden field that is used for sending a client’s session ID
3) COOKIES
Session Fixation Attack
Using an existing/old session ID (like from a cookie)
Web application attack; exploits vulnerabilities in the way session IDs are managed; May mean Session IDs are not regenerated as often as they should be; Vulnerability exists when app fails to create a new session ID for a new user;
*** Types of Network Session Hijacking (3)
1) TCP/IP SESSION HIJACKING //attack on a TCP session, attempt to predict sequence #s; if successful the attacker can inject packets that are "in sequence"; Each packet in a conversation over TCP increments by 1; Attacker spoofs IP address (acts as legit user)
2) MiTM //#1 session hijack attack; places attacker directly between victim & host; This type of attack looks much different from the other attacks (the other attacks are T-shaped & the original connection between victim & host is not interfered with, whereas for a MiTM attack the connection is re-routed from victim, to attacker, to host [[forming an upside-down triangle]])
3) UDP Session Hijacking //easier to hack than TCP because it doesn't use sequencing for its packets; UDP is a connectionless protocol, meaning it doesn't establish a verifiable connection between client and host; Same concept though, where the goal is to fool the victim into thinking the attacker is the server; attacker must get a response to the client before the host does;
Source Routing
Picking your router path.
STORED XSS ATTACKS
1) STORED XSS ATTACKS //hacker places code on a target server where victim wishes to access; When victim makes request from server, the script executes
REFLECTED XSS ATTACKS
2) REFLECTED XSS ATTACKS //injected code is bounced off a web server (typically a user will click a link executing code)
BLIND HIJACKING
1) BLIND HIJACKING //a type of session hijack in which the attacker cannot capture return traffic; the attacker blindly injects malicious packets without seeing the effect
IP SPOOFING
2) IP SPOOFING //attacker acts as legit user
DNS SPOOFING
4) DNS SPOOFING //alter target IP address mappings in an effort to direct the target traffic to an address the attacker specifies;
ARP CACHE POISONING
5) ARP CACHE POISONING //remember ARP is responsible for translating MAC addresses to IP or vice versa (RARP, reverse ARP);
//ARP cache poisoning overwrites victim’s ARP cache, redirecting traffic to an inaccurate physical address mapping (usually the attacker’s machine)
DESYNCHRONIZING THE CONNECTION
6) DESYNCHRONIZING THE CONNECTION //breaking the linear sequence between victim and host, giving the attacker room to jump in; (i.e. attacker tracking the connection; he injects a large volume of NULL packets to the host, which in turn increments the sequence #s of the host's packets without them knowing; he has desynchronized the connection and has staged the host packet sequence # to a predictable count based on how many null packets he sent)