litewarez

Active Member
1,367
2008
1
0
Heya guys,

Just going to do a little talk about Session Hijacking today...

What is Session Hijacking
Session hijacking is a way that a hacker can gain access to someone else's session and gain access to private parts of your site.

How does it work:
Session hijacking works by an external source (hacker) getting access to a cookie file from a user and then setting a cookie on his machine to fool your site into thinking that the hacker is actually the user.

Example of how a session works:
Sessions work in a way where your server gives out a unique id to a user's cookie and stores a file with session data in temporary files.

From the moment you call session_start(); a cookie is sent to the browser, which is stored. Let's take this example.

PHP:
session_start();
/*
  1. A check is made to get a session id from the cookie; if it exists see 1a, if not see 1b
    1a. PHP checks to see if session_COOKIE_ID exists in /tmp and loads the data
    1b. A new session id is created and a new blank file is created called session_SID.tmp
  2. The session data is loaded into $_SESSION
*/
if(isset($_SESSION['logged_in']))
{
    //Blah
}

Now if you read that, you would realise that sending someone else's session within the headers will allow you to be logged in as that user. :( Not good.

Preventing this from happening!
There's a few ways to prevent hijacking and I'm going to show you them.

The first way is to check the user's User-Agent, so if it's another user agent then you can stop the session.

Here's an example
PHP:
session_start();

$ua = md5($_SERVER['HTTP_USER_AGENT']);

if(isset($_SESSION['SECURITY_UA']))
{
     if($ua != $_SESSION['SECURITY_UA'])
     {
          die('Session Hijacking Attempt');
     }
}
else
{
     $_SESSION['SECURITY_UA'] = $ua; //first request of the session: remember this browser's UA hash, otherwise the check above never runs
}

But the problem with this is that the hacker can gain the USER AGENT as well, so this would still be penetrable.

The next way is to mix it up, so to speak, so that we mix in data the hacker can never get.

PHP:
session_start();

$ua = md5($_SERVER['HTTP_USER_AGENT']."SeCrEtStRiNgAhAcKeRCaNtGet");

if(isset($_SESSION['SECURITY_UA']))
{
     if($ua != $_SESSION['SECURITY_UA'])
     {
          die('Session Hijacking Attempt');
     }
}
else
{
     $_SESSION['SECURITY_UA'] = $ua; //first request of the session: store the salted UA hash
}

OK so this looks good and works pretty well; the hacker would have to do a lot of attempts to get this, but we all know about rainbow tables, well, the latter of us ;) so this still can be improved. HOW, you ask.. let me show you

PHP:
session_start();
$newtoken = uniqid(rand(0,1000), true);

if(isset($_SESSION['TOKEN'], $_SESSION['SECURITY_UA']))
{
     //Rebuild the hash from the token handed out on the previous request and compare it with what was stored
     $oldhash = md5($_SERVER['HTTP_USER_AGENT'] . $_SESSION['TOKEN']);
     if($oldhash != $_SESSION['SECURITY_UA'])
     {
          die('Session Hijacking Attempt');
     }
}

//Update the data: new token, and a new hash of UA + new token
$_SESSION['TOKEN'] = $newtoken;
$_SESSION['SECURITY_UA'] = md5($_SERVER['HTTP_USER_AGENT'] . $newtoken);

What this is doing is storing 2 items in the user's session, a token and a hash of the UA and the token; then as the user changes the page they get their old token checked and refreshed to a totally new one, so no tokens are ever the same.

Implementing such things will practically stop hijackers in their tracks.

NOTE:

Have you ever noticed that sites like Facebook log you out if you close your browser and reopen it, and others just don't log you out?

Think how that's handled ;) Fingerprint the browser's session.
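The three schemes in the post (a User-Agent check, a secret mixed into the hash, and a token that rotates on every request) carried through in one place, as an added example that is not litewarez's code: the fingerprint is a keyed HMAC rather than an md5 of UA plus secret, the rotating token travels in its own cookie so a replayed stale copy can actually be noticed, and the session id is regenerated on login. SESSION_SECRET, the cookie name, the login page path and all helper names are assumptions made for this example; the array forms of session_set_cookie_params() and setcookie() need PHP 7.3 or later.

```php
<?php
// Added example, not code from the original post. Assumed names: SESSION_SECRET,
// TOKEN_COOKIE, ROTATE_GRACE and every function below.

const SESSION_SECRET = 'replace-with-a-long-random-server-side-secret'; // assumption: load from config
const TOKEN_COOKIE   = 'sidtok';
const ROTATE_GRACE   = 5; // seconds during which the previous token is still accepted

function fingerprint(): string
{
    // hash_hmac with a server-side key instead of md5(UA . secret): a hijacker
    // always has the UA, but cannot reproduce this value without the key.
    return hash_hmac('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '', SESSION_SECRET);
}

function secure_session_start(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,  // only sent over HTTPS, so it cannot be sniffed on plain HTTP
        'httponly' => true,  // invisible to JavaScript, which blunts theft through XSS
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_only_cookies', '1'); // never take the id from the URL
    ini_set('session.use_strict_mode', '1');  // reject ids this server did not issue
    session_start();
}

function issue_token(): void
{
    $new = bin2hex(random_bytes(16)); // CSPRNG, unlike uniqid()/rand()
    $_SESSION['prev_token'] = $_SESSION['token'] ?? '';
    $_SESSION['token']      = $new;
    $_SESSION['rotated_at'] = time();
    setcookie(TOKEN_COOKIE, $new, ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

function token_matches(string $presented): bool
{
    if ($presented === '') {
        return false;
    }
    if (hash_equals($_SESSION['token'], $presented)) {
        return true;
    }
    // Two requests racing each other (AJAX, parallel tabs) may still carry the
    // previous token. Accept it only briefly: otherwise a stolen copy could be
    // replayed forever by staying exactly one step behind the real browser.
    return $_SESSION['prev_token'] !== ''
        && (time() - $_SESSION['rotated_at']) <= ROTATE_GRACE
        && hash_equals($_SESSION['prev_token'], $presented);
}

function guard_session(): bool
{
    // false (after tearing the session down) when the request does not look
    // like it came from the browser that started the session.
    if (isset($_SESSION['fingerprint'])) {
        if (!hash_equals($_SESSION['fingerprint'], fingerprint())
            || !token_matches($_COOKIE[TOKEN_COOKIE] ?? '')) {
            destroy_session();
            return false;
        }
    } else {
        $_SESSION['fingerprint'] = fingerprint(); // fresh session: bind it to this browser
    }
    issue_token(); // every accepted request gets a new token
    return true;
}

function on_login(int $user_id): void
{
    // Fresh id after authentication: an id planted or observed before login
    // (session fixation) never becomes a logged-in session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user_id;
}

function destroy_session(): void
{
    $_SESSION = [];
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => '/']);
    setcookie(TOKEN_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
    session_destroy();
}

// Usage at the top of every page:
secure_session_start();
if (!guard_session()) {
    header('Location: /login.php'); // assumption: your login page
    exit;
}
```

Two things worth knowing before copying this: a browser update changes the User-Agent, so the fingerprint check will log those users out once, which is the acceptable side of the trade-off; and the rotating token does not stop a hijacker who uses the stolen cookies first, it only guarantees that once both parties have sent a request one of them is thrown out, which is what turns a silent hijack into a visible logout.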
 
17 comments
Well, session hijacking can't be done on every kind of site, only on some custom-made CMS that are not very famous with vulnerabilities ;)
 
As a web developer I never use open source CMSs as such; I always create a framework where one edit filters through the whole of my site.

And you would not believe the logs I get. So you're wrong, there are hackers trying everyone; it's only script kiddies who copy and paste a vuln.
 
I use a basic encrypted one using the user agent, but I don't add random inputs like you have in the last example, only static ones, but will now in the unlikely event they get that far.

I do really like your tuts litewarez, even if I don't use them all; they're bookmarked in the brain for later :P
 
You can add the code into a function and call the function just after session_start();

Or you can just add the code after session_start() in your application.
 
Some good pics from a good friend to make you understand this topic:

[images not available: 2qw298o.png, 108e9sj.png, 20sc2z8.png]

And a very nice one:
 
LOL man, don't worry about it, VB is fine! hehehe
This is for applications made by you; let's say you are a programmer, this will help you to overcome session hijacking if you ever make a web app!
 
Yeah, VB / phpBB have Session Fixation implemented already; this is mainly for personal apps you create.

Another method that I would bet Facebook's code goes along with is something like this.

PHP:
$timeout = 60 * 60; // 1 hour
$fingerprint = md5('MY-SECRET-SALT'.$_SERVER['HTTP_USER_AGENT']);

session_start();

if(
    (isset($_SESSION['last_active']) && (time() > ($_SESSION['last_active']+$timeout)))
    || (isset($_SESSION['fingerprint']) && $_SESSION['fingerprint']!=$fingerprint)
    || isset($_GET['logout']) )
{
    //Logout! Throw the old session data away and start a clean one
    $_SESSION = array();
    session_destroy();
    session_start();
}

session_regenerate_id(true); //ALWAYS BEFORE writing the new values: fresh id on every request, old session file deleted
$_SESSION['last_active'] = time();
$_SESSION['fingerprint'] = $fingerprint;

And within your HTML create a JavaScript file to ping the server every 30 seconds to keep them alive. This is called a heartbeat.
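The timeout, logout and heartbeat idea from the comment above, carried through as an added example (not the commenter's code and not anything Facebook runs): the idle timeout is kept, an absolute lifetime is added so that a heartbeat cannot keep a session alive forever, and the logout branch actually discards the session. The constants, the helper names and the /heartbeat path are assumptions made for this example.

```php
<?php
// Added example, not code from the thread. Assumed names: IDLE_TIMEOUT,
// ABSOLUTE_TIMEOUT, the helper functions and the /heartbeat endpoint path.

const IDLE_TIMEOUT     = 60 * 60;       // 1 hour without any request
const ABSOLUTE_TIMEOUT = 12 * 60 * 60;  // 12 hours since the session began, heartbeat or not

function session_expired(int $now): bool
{
    if (!isset($_SESSION['created_at'])) {
        return false; // brand-new session, nothing to expire yet
    }
    $idle_too_long = isset($_SESSION['last_active'])
        && ($now - $_SESSION['last_active']) > IDLE_TIMEOUT;
    // A client-side heartbeat refreshes last_active indefinitely, so without
    // an absolute cap a forgotten tab (or a stolen id) would live forever.
    $too_old = ($now - $_SESSION['created_at']) > ABSOLUTE_TIMEOUT;
    return $idle_too_long || $too_old;
}

function logout(): void
{
    $_SESSION = [];
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => '/']);
    session_destroy();
    // Start a clean session under a new id so the rest of the page can still
    // store things (flash messages etc.) without reusing the old id.
    session_start();
    session_regenerate_id(true);
}

function touch_session(int $now): void
{
    if (!isset($_SESSION['created_at'])) {
        $_SESSION['created_at'] = $now;
    }
    $_SESSION['last_active'] = $now;
}

// Per-request bookkeeping, before any page output
session_start();
$now = time();

if (isset($_GET['logout']) || session_expired($now)) {
    logout();
} elseif (isset($_SESSION['user_id']) && ($now - ($_SESSION['id_rotated_at'] ?? 0)) > 300) {
    // Regenerating on every request works but is the expensive option;
    // once every few minutes (and always at login) already limits how long
    // a copied id stays usable.
    session_regenerate_id(true);
    $_SESSION['id_rotated_at'] = $now;
}
touch_session($now);

// Heartbeat endpoint (assumed path /heartbeat): the page's JavaScript requests
// it every 30 seconds. It only refreshes last_active for a live session and
// returns nothing a stolen copy of the page could learn from.
if (($_SERVER['REQUEST_URI'] ?? '') === '/heartbeat') {
    header('Content-Type: text/plain');
    echo isset($_SESSION['user_id']) ? 'ok' : 'expired';
    exit;
}
```

The heartbeat response is deliberately just "ok" or "expired": the JavaScript only needs to know whether to redirect to the login page, and anything richer would be one more place session state leaks.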
 
Another way is to create a database with session keys and IPs, or maybe IP ranges? Then check whether the session id and IP match up. If not, throw an error, etc.
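The IP-range idea above as an added example (not code from the thread): the session is bound to the client's network prefix rather than the exact address, the client address is taken from REMOTE_ADDR unless the direct peer is a known proxy, and a mismatch ends the session and is logged. TRUSTED_PROXIES and the helper names are assumptions made for this example.

```php
<?php
// Added example, not code from the thread. Assumed names: TRUSTED_PROXIES and
// the helper functions below.

const TRUSTED_PROXIES = ['10.0.0.1']; // assumption: the address of your own reverse proxy, if any

function client_ip(): string
{
    $remote = $_SERVER['REMOTE_ADDR'] ?? '';
    // X-Forwarded-For is client-controlled unless the direct peer is our own
    // proxy; only then is it used, and only its last (proxy-appended) hop.
    if (in_array($remote, TRUSTED_PROXIES, true) && !empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $hops = array_map('trim', explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
        return end($hops);
    }
    return $remote;
}

function network_prefix(string $ip): string
{
    $bin = inet_pton($ip);
    if ($bin === false) {
        return ''; // unparsable address: treated as "no prefix"
    }
    // IPv4: first 3 octets (/24). IPv6: first 8 bytes (/64), normally one
    // customer's allocation, so a changing interface id is not a mismatch.
    $keep = strlen($bin) === 4 ? 3 : 8;
    return bin2hex(substr($bin, 0, $keep));
}

function check_ip_binding(): bool
{
    $prefix = network_prefix(client_ip());
    if (!isset($_SESSION['net_prefix'])) {
        $_SESSION['net_prefix'] = $prefix; // first request: remember where the session started
        return true;
    }
    if (!hash_equals($_SESSION['net_prefix'], $prefix)) {
        // Log a short hash of the id, never the id itself, or the log file
        // becomes a second copy of every session cookie.
        error_log(sprintf('session %s: network prefix changed %s -> %s',
            substr(hash('sha256', session_id()), 0, 12), $_SESSION['net_prefix'], $prefix));
        return false;
    }
    return true;
}

session_start();
if (!check_ip_binding()) {
    $_SESSION = [];
    session_destroy();
    http_response_code(403);
    exit('Session is no longer valid, please log in again');
}
```

Two limits to keep in mind: mobile handover and corporate proxies with several egress addresses still trip the check for legitimate users, so a mismatch is best treated as "log in again" rather than as proof of an attack; and someone on the same network as the victim (the shared Wi-Fi sniffing case) passes it, so it supplements the fingerprint and cookie-flag defences rather than replacing them.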
 
Depending on your settings in IPB, session hijacking can occur, but there are settings you can use under the security settings that can help prevent it. Just be careful with them, as some will make it to where users can't log in or cannot stay logged in.

Nice tut Litewarez
 
Yeah, here's an example of it in action in LitePHP, which I now use for any site or system I create :)

PHP:
<?php
class Library_session
{
	private $_session = array();
	public $_core_timeout = 600; //10 minutes (sufficient?)
	
	function __construct()
	{
		if(!session_id())
		{
			ini_set('session.use_cookies', 'On');
			ini_set('session.use_trans_sid', 'Off');
			session_set_cookie_params(0, '/');
			
			//Prevent session hijacking by regeneration! (regenerating needs an active session, so start first)
			session_start();
			session_regenerate_id(true);
		}
		$this->_session =& $_SESSION;
		
		//Scan the user agent to prevent session hijacking
		$this->checkHijackAttempt();
	}
	
	private function checkHijackAttempt()
	{
		if(isset($this->_litephp_security))
		{
			//UA hash changed, or last seen longer ago than the timeout: throw the session away and start a clean one
			if($this->_litephp_security != md5($_SERVER['HTTP_USER_AGENT']) || $this->_litephp_security_t < (time() - $this->_core_timeout))
			{
				$_SESSION = array();
				session_destroy();
				session_start();
				session_regenerate_id(true);
				$this->_session =& $_SESSION;
			}
		}
		//Fresh session (or one we just destroyed): create the UA hash
		$this->_litephp_security	= md5($_SERVER['HTTP_USER_AGENT']);
		$this->_litephp_security_t	= time(); //Timeout
	}
	
	//Usage $this->Library->Session->some_var('trim',array('Library_user','check_id')); //will trim and get the returned value from 2nd function
	function __call($key,$args)
	{
		if(!isset($this->_session[$key]))
		{
			return false;
		}
		
		$return = $this->_session[$key];
		
		foreach($args as $func)
		{
			if(is_callable($func))
			{
				//call_user_func_array() would treat $return as an argument list; pass the single value instead
				$return = call_user_func($func,$return);
			}
		}
		return $return;
	}
	
	function __get($key)
	{
		return isset($this->_session[$key]) ? $this->_session[$key] : false;
	}
	
	//Without this, isset($this->_litephp_security) above is always false and the UA hash is never checked
	function __isset($key)
	{
		return isset($this->_session[$key]);
	}
	
	public function __set($key,$val)
	{
		$this->_session[$key] = $val;
	}
}
?>

This only uses level 2 security, which I will be upgrading soon :)
 