Tuesday, September 14, 2010

Introduction to Session Hijacking

With the emergence of Web 2.0, people increasingly share their information online. Very often, this information is not intended to be shared with everyone. Hence, it becomes important for websites to restrict access to certain resources.


Maintain States with Sessions

One intuitive way of achieving this is to build an authentication system that requires login and logout. Once the user has logged in to a system, the user can access resources that are otherwise locked. However, the bad news is that HTTP is a stateless protocol. What this means is that when the client machine sends an HTTP request to the server requesting resources, without using other technologies, the server has no idea whether the client has previously logged in or not. To overcome this limitation, we introduce sessions. A session is set up or established when a user logs in, and torn down when the user logs out or the session expires. With sessions, the server can maintain the state of a particular user so that it knows whether that user has logged in or not.

HTTP Cookies

Quite often, session data is stored on the client’s computer rather than the server’s. This reduces the storage requirement on the server side. To implement this, the server sends state data to the client, which stores it in the form of a magic cookie on its computer. When the client wishes to initiate a new HTTP request, it sends its request together with the information contained in the cookie. With this information, the server knows which state the client is in; hence it can generate the appropriate response.

What is Session Hijacking?

Session hijacking is a technique that exploits the vulnerabilities of a session in order to gain unauthorized access to systems. As previously mentioned, clients can prove that they have logged in by presenting valid session data (known as a session key). In other words, anyone who can present such a session key will be identified as a valid client. Thus, if hackers can generate or steal a session key, they can gain unauthorized access.

Session Sidejacking and How to Avoid

There are many ways in which hackers can obtain the session data. One direct way is to intercept the messages passed between the client and the server. This is called packet sniffing. As the client has to use the session data to communicate with the server, the hacker can steal this piece of information from the network traffic. (In fact, this is not difficult at all using freely available packet sniffing software like Wireshark.) Once the session data is known to the hacker, the hacker can produce the session key and impersonate the user in order to gain unauthorized access.

To combat this kind of behavior, messages passed between servers and clients are often encrypted – this means that even if the hacker can observe the network, the session data will be unreadable. Although encryption can eliminate the stealing of session data via packet sniffing, it is important to know that not all content is encrypted before it is sent to the other side. Since encryption and decryption take time, the website developer may choose not to encrypt every kind of information that is communicated. Such information will hence not be protected.

Pattern Guessing and How to Avoid

Hackers can also try to guess a valid session key. This sounds impossible at first glance, but hackers can first register an account themselves and then analyze the session data they are given, in the hope of finding some pattern. If the website is poorly designed such that the pattern is fixed and easily found, the hackers may derive the session keys of other users.

To deal with this technique, modern websites often use long random numbers or strings as the session key, which is changed upon each successive client activity. As a result, it will be almost impossible for hackers to guess the session key.
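The countermeasure above, as an added example in Python that is not code from the original post: a small server-side session store that issues the session key from the operating system's random generator, retires the presented key and issues a fresh one on every request, and expires idle sessions. The cookie helper goes beyond the text by adding the Secure and HttpOnly attributes, which cover the unencrypted-traffic and client-side-script cases from the other sections; the names SessionStore, SESSION_TTL and the SESSIONID cookie are assumptions for the example.

```python
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

SESSION_TTL = 30 * 60  # seconds of inactivity after which a session is torn down (assumed value)


class SessionStore:
    """Server-side session table keyed by an unguessable session key."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._sessions: Dict[str, dict] = {}  # session key -> {"user": ..., "last_seen": ...}
        self._now = now  # injectable clock so expiry can be tested offline

    @staticmethod
    def new_key() -> str:
        # 32 bytes from the OS CSPRNG: no fixed pattern for an attacker to analyse
        return secrets.token_urlsafe(32)

    def login(self, user: str) -> str:
        key = self.new_key()
        self._sessions[key] = {"user": user, "last_seen": self._now()}
        return key

    def touch(self, key: str) -> Optional[Tuple[str, str]]:
        """Validate a presented key and rotate it.

        Returns (user, new_key) and retires the old key, or None if the key is
        unknown or the session has been idle longer than SESSION_TTL."""
        entry = self._sessions.pop(key, None)  # the presented key is always retired
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > SESSION_TTL:
            return None  # expired: do not reissue a key for it
        new_key = self.new_key()
        self._sessions[new_key] = {"user": entry["user"], "last_seen": self._now()}
        return entry["user"], new_key

    def logout(self, key: str) -> bool:
        return self._sessions.pop(key, None) is not None


def session_cookie(key: str) -> str:
    # Secure keeps the key off unencrypted HTTP; HttpOnly keeps it away from page scripts
    return f"SESSIONID={key}; Path=/; Secure; HttpOnly"
```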

Most Important Factor – User as the Owner of Credentials

So far, we have mentioned two ways in which a hacker can get the session key, and the corresponding countermeasure that a web developer can take. However, since the session key is stored on the client’s computer, if the hackers can gain access to the client’s computer, then everything becomes easy. Hackers can, for example, trick users into running malicious scripts that reveal session keys to the hackers. Hence, users are recommended to scan their computers regularly for viruses, not to open suspicious email attachments, and not to download suspicious software from the Internet.


Associated Blog Topic: What is “session hijacking”? What are its security threats? How can web developers avoid it?
