Heya guys,
Just going to do a little talk about Session Hijacking today...
What is Session Hijacking
Session hijacking is a way for a hacker to take over someone else's session, and with it gain access to the private parts of your site.
How does it work:
Session hijacking works by an external party (the hacker) getting hold of a user's cookie, then setting the same cookie on their own machine to fool your site into thinking that the hacker is actually that user.
Example of how a session works:
Sessions work like this: your server hands the user a unique id in a cookie, and stores the session data for that id in a file in its temporary directory.
From the moment you call session_start(); a cookie is sent to the browser, which stores it. Let's take this example.
PHP:
session_start();
/*
1. A check is made to get a session id from the cookie: if it exists see 1a, if not see 1b
1a. PHP checks to see if session_COOKIE_ID exists in /tmp and loads the data
1b. A new session id is created and a new blank file is created called session_SID.tmp
2. The session data is loaded into $_SESSION
*/
if(isset($_SESSION['logged_in']))
{
    //Blah
}
If you read that, you will realise that sending someone else's session id in the request headers gets you logged in as that user. Not good.
Preventing this from happening!
There are a few ways to prevent hijacking, and I'm going to show you them.
The first way is to check the user's User-Agent: if a request for the session comes from a different user agent, you can stop the session.
Here's an example:
PHP:
session_start();
$ua = md5($_SERVER['HTTP_USER_AGENT']);
if(isset($_SESSION['SECURITY_UA']))
{
    if($ua != $_SESSION['SECURITY_UA'])
    {
        die('Session Hijacking Attempt');
    }
}
else
{
    $_SESSION['SECURITY_UA'] = $ua; // first request: remember this browser's UA hash
}
But the problem with this is that the hacker can obtain the User-Agent as well, so this would still be penetrable.
The next way is to mix it up, so to speak, by mixing in data the hacker can never get.
PHP:
session_start();
// The secret only ever exists on the server, so it is never in the cookie
$ua = md5($_SERVER['HTTP_USER_AGENT']."SeCrEtStRiNgAhAcKeRCaNtGet");
if(isset($_SESSION['SECURITY_UA']))
{
    if($ua != $_SESSION['SECURITY_UA'])
    {
        die('Session Hijacking Attempt');
    }
}
else
{
    $_SESSION['SECURITY_UA'] = $ua; // first request: remember the salted UA hash
}
OK, so this looks good and works pretty well; the hacker would need a lot of attempts to get this. But we all know about rainbow tables (well, some of us do), so this can still be improved. How, you ask? Let me show you.
PHP:
session_start();
$newtoken = uniqid((string)rand(0,1000), true);
$ua = md5($_SERVER['HTTP_USER_AGENT'] . $newtoken);
if(isset($_SESSION['SECURITY_UA'], $_SESSION['TOKEN']))
{
    // Rebuild the hash from the token stored last request and compare it
    $oldtoken = $_SESSION['TOKEN'];
    $oldhash = md5($_SERVER['HTTP_USER_AGENT'] . $oldtoken);
    if($oldhash != $_SESSION['SECURITY_UA'])
    {
        die('Session Hijacking Attempt');
    }
}
//Update the data: store the fresh token and its hash for the next request
$_SESSION['TOKEN'] = $newtoken;
$_SESSION['SECURITY_UA'] = $ua; //new hash
What this does is store two items in the user's session: a token, and a hash of the UA and that token. Each time the user changes page, the old token is checked and then replaced with a totally new one, so no two tokens are ever the same.
Implementing such things will practically stop hijackers in their tracks.
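Putting the three ideas above (User-Agent check, a server-side secret, a token rotated on every request) together in one place, as an added example rather than the original poster's code: the environment variable SESSION_FP_SECRET and the helper names fingerprint, newToken and checkAndRotate are assumptions, and it uses hash_hmac and hash_equals in place of the plain md5 compare.

```php
<?php
// Added example, not the original poster's code. Assumes the server keeps a
// per-deployment secret in the environment variable SESSION_FP_SECRET.
declare(strict_types=1);

// Fingerprint = HMAC(secret, user-agent . token). The secret is server-side and
// the token is in the server-side session file, so neither is in the cookie.
function fingerprint(string $userAgent, string $token): string
{
    $secret = getenv('SESSION_FP_SECRET');
    if ($secret === false || $secret === '') {
        throw new RuntimeException('SESSION_FP_SECRET is not set');
    }
    return hash_hmac('sha256', $userAgent . "\0" . $token, $secret);
}

// Fresh unpredictable token (uniqid/rand are not suitable for this).
function newToken(): string
{
    return bin2hex(random_bytes(32));
}
// Verifies the stored fingerprint against this request, then rotates the token.
// Returns false when the fingerprint does not match.
function checkAndRotate(array &$session, string $userAgent): bool
{
    if (isset($session['TOKEN'], $session['SECURITY_UA'])) {
        $expected = fingerprint($userAgent, $session['TOKEN']);
        // hash_equals: constant-time compare, no early exit on first mismatch
        if (!hash_equals($session['SECURITY_UA'], $expected)) {
            return false;
        }
    }
    // First request or successful check: seed/rotate the token and its fingerprint.
    $session['TOKEN'] = newToken();
    $session['SECURITY_UA'] = fingerprint($userAgent, $session['TOKEN']);
    return true;
}

// Request handling: cookie only over HTTPS and unreadable by page scripts,
// then verify before trusting anything else in $_SESSION.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();
if (!checkAndRotate($_SESSION, $_SERVER['HTTP_USER_AGENT'] ?? '')) {
    session_unset();
    session_destroy();
    http_response_code(403);
    exit('Session check failed');
}
session_regenerate_id(true); // new session id every request; old one is deleted
```

Rotating the token and session id on every request means two requests in flight at once (several AJAX calls sharing one session, for instance) can invalidate each other; on pages like that, rotate on login and privilege changes rather than per request.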
NOTE:
Have you ever noticed that sites like Facebook log you out if you close your browser and reopen it, while others just don't log you out?
Think about how that's handled: fingerprint the browser's session.