Re: Session Hijacking over HTTP

From: Christophe Vandeplas (christophe@vandeplas.com)
Date: Wed Mar 19 2008 - 03:02:35 EST


On 3/18/08, 11ack3r <11ack3r@gmail.com> wrote:
> Hello Everyone,
>
> I was curious to know how would webmail portals like gmail.com and
> yahoo.com protect their users from session hijacking when they use
> HTTP after authentication.

I don't exactly know about how they do it, but there are clever ways
to lower the risk of being exploited by storing client-information in
the server-side session.

This way when an attacker hijacks the session he should also spoof
that information. This lowers the chance of being attacked, but should
not be considered as safe as SSL (like the others said).

Example: Store in the server-side session information like:
- session id
- IP addr of client
- user-agent string (or part of the string)

If you notice that the session-id is the same, but these variables are
different there is a high risk of having a hijacked session.

Nice things you can also do are sending an http-redirect to
http://en.wikipedia.org/wiki/Session_Hijacking . The attacker _will
know_ that _you know_ what he's doing. He also knows you are probably
logging these events and might even have a triggered alert. Most of
the attackers will stop trying here.

Another nice thing to do is to alert the real user that there were
security issues and that he should re-login to verify his identity.
Please only do this when logging in over a secure connection, you
don't want to give a sniffing attacker the real password of the
account :-)

We did implement this for a proof of concept. And the reaction of the
audience was nice when seeing a) the redirection and b) the alert at
the real-user-side.

Cheers
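One way to implement the session-binding check described in the post above, as an added example that is not the poster's proof-of-concept code: the store keeps a keyed hash of the client IP and the User-Agent product names (the post's "part of the string"), and a request that presents a known session id with a different fingerprint is reported as suspect so the application can log it, redirect the request and ask the real user to re-authenticate. The in-memory store, the HMAC fingerprint and the event record are assumptions of this example.

```python
import hashlib
import hmac
import re
import secrets
import time

# Added example, not code from the original post.
def ua_family(user_agent):
    """Product names only (the post's "part of the string"), so a
    version bump alone does not trip the check."""
    no_parens = re.sub(r"\([^)]*\)", " ", user_agent)
    return " ".join(tok.split("/", 1)[0].lower() for tok in no_parens.split())

def client_fingerprint(ip, user_agent, key):
    """Keyed hash of the bound attributes; raw IP/UA never sit in the store."""
    material = f"{ip}|{ua_family(user_agent)}".encode()
    return hmac.new(key, material, hashlib.sha256).hexdigest()

class SessionStore:
    """In-memory server-side session table (constructed for this example)."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)
        self._sessions = {}
        self.events = []  # a real application would write these to its log

    def create(self, user, ip, user_agent):
        sid = secrets.token_urlsafe(32)
        fp = client_fingerprint(ip, user_agent, self._key)
        self._sessions[sid] = {"user": user, "fp": fp, "flagged": False}
        return sid

    def check(self, sid, ip, user_agent):
        """Return 'ok', 'unknown' or 'hijack_suspected' for one request."""
        sess = self._sessions.get(sid)
        if sess is None:
            return "unknown"
        if hmac.compare_digest(sess["fp"], client_fingerprint(ip, user_agent, self._key)):
            return "ok"
        # Same session id, different client: record the event and mark the
        # session so the real user is asked to re-authenticate (over TLS);
        # the caller decides what to send the mismatching request.
        sess["flagged"] = True
        self.events.append({"ts": time.time(), "user": sess["user"], "ip": ip,
                            "ua": user_agent, "event": "session_mismatch"})
        return "hijack_suspected"

    def needs_reauth(self, sid):
        sess = self._sessions.get(sid)
        return bool(sess and sess["flagged"])
```

Binding to the full client IP misfires for users behind rotating proxies or mobile carriers, so a deployment would tune what goes into the fingerprint and treat a mismatch as a signal to re-authenticate rather than as proof of hijacking.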

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:28 EDT