Presentation is loading. Please wait.

Presentation is loading. Please wait.

Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug 2013 - scotthel.me.

Published byMya Lewin Modified over 9 years ago

Similar presentations

Presentation on theme: "Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug 2013 - scotthel.me."— Presentation transcript:

1 Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug scotthel.me

2 Introduction Transport Layer Security (TLS), and its predecessor Secure Sockets Layer (SSL) as many will know it, are cryptographic protocols used to offer communication security over the Internet. Hypertext Transfer Protocol Secure (HTTPS) is not actually a protocol in and of itself. It is actually the use of Hypertext Transfer Protocol (HTTP) on top of TLS which affords the standard HTTP communications protocol the protection of TLS. Session Hijacking (a.k.a. Session Sidejacking) is a form of Man In The Middle (MITM) attack in which a malicious attacker has access to the transport layer and can eavesdrop on communications. When communications are not protected they can steal the unique session ID and impersonate the victim on the target site. This grants the attacker access to your account and data.

3 Why do we use TLS? To verify the website you are connecting to is the genuine website. To ensure the privacy of your data during transit. To ensure the integrity of your data during transit.

4 Example When first visiting the site you are using HTTP.
The sensitive login form is loaded over HTTPS.

5 Example The login form is loaded over HTTPS to ensure the integrity of the form in transit. This prevents a man in the middle from altering the form. The login form then submits the user credentials over HTTPS to ensure the same man in the middles can’t read the credentials in transit. The TLS certificate also allows us to be confident that the website we are viewing is actually the website it claims to be. The fact that TLS has been utilised is an acknowledgement that a man in the middle could access or modify data during transit.

6 Example The problem arises when the site reverts back to loading content over HTTP once the user has authenticated. The assumption is that now the sensitive user credentials have been exchanged we no longer need to protect the traffic during transit.

7 Why does this matter? HTTP and HTTPS are stateless protocols. This means each time you request some new content from the site (a page, image or any form of media) the server does not know who you are, it does not remember you. To combat this, when you first visit a site you are issued a unique session ID. With each request you send to the site, your session ID is sent with it. This is how the site identifies you. Once you have logged in on the secure login page, your session ID lets the server remember you have logged in without having to keep sending your username and password to prove your identity. Once the website reverts back to HTTP your session ID still has to be sent but is no longer afforded the protection offered by TLS.

8 Summary TLS (HTTPS) was used to protect your username and password during the logon process to prevent a man in the middle viewing the content of your traffic and stealing your credentials. The session ID is not being afforded the same level of protection but an attacker could use it to impersonate you on the target website. All they need to do is substitute their own session ID with your session ID and the server will believe the attacker is you. Once your session ID has been obtained this is a trivial task. The attacker is then logged in to your account and can do anything that you could do.

9 Conclusion Whilst obtaining your session ID does not generally reveal your username or password the attacker can still access your account as if they were logged in as you. This attack is possible because TLS is not used across the entire site. We accept an attacker could access our traffic, which is why we need TLS in the first instance. Sites regularly fail to protect the session ID which can be considered an equivalent to your user credentials on the target website. Forcing all traffic to the site over HTTPS would completely mitigate a session hijacking attack.

10 Thanks You can find more info covering this and other forms of attack on my blog: Please feel free to share this information generously but do provide attribution back to my site. This work is licensed under the Creative Commons Attribution 3.0 Unported License. To view a copy of this license, visit

Download ppt "Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug 2013 - scotthel.me."

Similar presentations

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
HTTPS and the Lock Icon Dan Boneh. Goals for this lecture Brief overview of HTTPS: How the SSL/TLS protocol works (very briefly) How to use HTTPS Integrating.

HTTPS and the Lock Icon Dan Boneh. Goals for this lecture Brief overview of HTTPS: How the SSL/TLS protocol works (very briefly) How to use HTTPS Integrating.
Chapter 17: WEB COMPONENTS

Chapter 17: WEB COMPONENTS
ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.

ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.
SECURE SITES. A SECURE CONNECTION TERMS Secure Sockets Layer (SSL) An older Internet protocol that allows for data transmission between server and client.

SECURE SITES. A SECURE CONNECTION TERMS Secure Sockets Layer (SSL) An older Internet protocol that allows for data transmission between server and client.
Secure Socket Layer.

Secure Socket Layer.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),

CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),
Lori Fitterling LI843 SSL Secured Sockets Layer. What is Secure Sockets Layer (SSL)? It is protection of data transferred over the Internet using encryption.

Lori Fitterling LI843 SSL Secured Sockets Layer. What is Secure Sockets Layer (SSL)? It is protection of data transferred over the Internet using encryption.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.

More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Cloud Computing Part #3 Zigmunds Buliņš, Mg. sc. ing 1.

Cloud Computing Part #3 Zigmunds Buliņš, Mg. sc. ing 1.
OPSEC Awareness Briefing Man-In-The-Middle Attacks (MITM)

OPSEC Awareness Briefing Man-In-The-Middle Attacks (MITM)
Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.

Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.
Attacking Session Management Juliette Lessing

Attacking Session Management Juliette Lessing
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
By: Bryan Carey Randy Cook Richard Jost TOR: ANONYMOUS BROWSING.

By: Bryan Carey Randy Cook Richard Jost TOR: ANONYMOUS BROWSING.
Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
SSL By: Anthony Harris & Adam Shkoler. What is SSL? SSL stands for Secure Sockets Layer SSL is a cryptographic protocol which provides secure communications.

SSL By: Anthony Harris & Adam Shkoler. What is SSL? SSL stands for Secure Sockets Layer SSL is a cryptographic protocol which provides secure communications.

Similar presentations

Ads by Google