Session Hijacking
(OBJ 2.4)
Session Management
- Fundamental security component in web applications
- Lets a web application recognize the same user across many separate actions and requests, keeping the state generated by that user tied to that user and to nobody else
Cookie
- Small piece of data that a server sets in the browser (via the Set-Cookie header) and that the browser sends back with every later request to that site; historically stored as a text file
- Session state can be kept server-side (in a database or in memory, with the cookie holding only an identifier) or client-side in the cookie itself
- The reason for using cookies is that HTTP is a stateless protocol. The server preserves no information about the client between requests by default, so anything that must survive across requests has to be stored either in the cookie or in a server-side store keyed by the cookie
- Cookies must be protected because they carry client information (often the session identifier itself) across the Internet with every request; they should only be sent over HTTPS (Secure flag) and kept away from scripts (HttpOnly flag)
- Session cookies
- Non-persistent, reside in memory, and are deleted when the browser instance is closed
- Persistent Cookies
- Cookies that the browser stores on disk until the user deletes them or they pass a defined expiration date (Expires or Max-Age attribute)
- Confidential information should not be stored in cookies at all if it can be avoided; if it must be, the cookie contents should be encrypted and integrity-protected, and the cookie sent only over HTTPS
Session Hijacking
- In its classic network form, a type of spoofing attack in which the attacker knocks a host off its connection and takes its place, spoofing the original host's IP address
- In web applications, the attacker takes over a logged-in session by obtaining a valid session token and presenting it as their own; this happens through theft of cookies (sniffing unencrypted traffic, or script access to a cookie that is not HttpOnly) or modification of cookies
Session Prediction Attacks
- A type of spoofing attack where the attacker attempts to guess or calculate a valid session token in order to hijack that session
- A session token must be generated with a cryptographically secure random number generator (not a counter, timestamp, or user ID) and must not reveal any information about the session or the client
- Essentially a one-time-use ticket: valid for a single session and invalidated when that session ends
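The two ideas above, opaque server-side session state and an unpredictable token, as an added example that is not part of the original notes. It contrasts a deliberately weak token format (user ID plus timestamp, which an attacker who decodes their own token can turn into anyone else's) with a CSPRNG-generated ID, and shows the Set-Cookie attributes the session cookie should carry. The names SessionStore, weak_token, strong_token and predict_other_user are illustrative assumptions, not any framework's API.

```python
"""Added example (not from the original notes): a minimal server-side session
store that issues an opaque, unpredictable session ID in a hardened cookie,
next to a predictable token format that an attacker can forge.
All names here (SessionStore, weak_token, ...) are illustrative assumptions."""
import base64
import secrets
import time
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

SESSION_COOKIE = "SESSIONID"


def weak_token(user_id: int, now: int) -> str:
    """Deliberately BAD token: encodes the user id and a timestamp with no
    secret and no randomness. Anyone who decodes their own token can build
    another user's token for the same moment."""
    return base64.urlsafe_b64encode(f"{user_id}:{now}".encode()).decode()


def strong_token() -> str:
    """256 bits from the OS CSPRNG; reveals nothing about the client."""
    return secrets.token_urlsafe(32)


def predict_other_user(victim_id: int, observed_token: str) -> str:
    """Attacker's view of a session-prediction attack against weak_token():
    decode the token they were issued, keep the timestamp, swap in the
    victim's user id."""
    raw = base64.urlsafe_b64decode(observed_token).decode()
    _, ts = raw.split(":")
    return weak_token(victim_id, int(ts))


class SessionStore:
    """State lives on the server; the cookie carries only the random ID."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self, user_id: int) -> Tuple[str, str]:
        """Start a session and return (session_id, Set-Cookie header value)."""
        sid = strong_token()
        self._sessions[sid] = {"user_id": user_id, "created": time.time()}
        cookie = SimpleCookie()
        cookie[SESSION_COOKIE] = sid
        cookie[SESSION_COOKIE]["secure"] = True     # only sent over HTTPS
        cookie[SESSION_COOKIE]["httponly"] = True   # not readable by scripts
        cookie[SESSION_COOKIE]["samesite"] = "Lax"  # not sent on cross-site POSTs
        cookie[SESSION_COOKIE]["path"] = "/"
        # No Expires / Max-Age: this is a non-persistent session cookie that
        # the browser drops when it is closed.
        return sid, cookie.output(header="").strip()

    def lookup(self, sid: str) -> Optional[dict]:
        """Resolve a presented session ID to its server-side state, if any."""
        return self._sessions.get(sid)

    def destroy(self, sid: str) -> None:
        """Logout: the one-time ticket stops working even if the cookie is kept."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    # Constructed demo values: user 7 receives a weak token at a fixed time
    # and uses it to forge user 8's token for the same second.
    mine = weak_token(7, 1700000000)
    print("forged:", predict_other_user(8, mine) == weak_token(8, 1700000000))
    store = SessionStore()
    sid, header = store.create(42)
    print("Set-Cookie:", header)
    store.destroy(sid)
    print("after logout:", store.lookup(sid))
```

Because the strong token is an opaque random value and the state sits in the server-side dictionary, there is nothing in the cookie for an attacker to decode or extrapolate from; guessing a valid ID means guessing 256 random bits. The attributes in the header are what the browser enforces for "keeping the cookie protected in transit".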
Cookie Poisoning
- Modifies the contents of a cookie after the web application has generated it and sent it to the client's browser, so that the altered cookie can be used to exploit vulnerabilities in the web app (for example changing a role or user field the server trusts)
- Treat cookie contents as untrusted input: validate them in your web app exactly as you would any other client-supplied data, so a tampered-with cookie is rejected
- Encrypting cookies in transit and at rest, and signing their contents so the server can detect modification, helps prevent this
- When a client terminates their session, invalidate the session on the server and clear the cookie from the browser, so stale cookies are not left sitting there for somebody else to reuse or poison
- As a programmer, think thoroughly about how to protect information when using cookies
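The poisoning attack and the "validate and protect the cookie" defences above, as an added example that is not part of the original notes. A cookie carrying a role claim is first read naively (the poisoned value is accepted), then protected with an HMAC so that the same edit is detected and rejected. The names SERVER_KEY, make_cookie_naive, make_cookie_signed, parse_cookie_signed and poison are illustrative assumptions.

```python
"""Added example (not from the original notes): cookie poisoning against a
cookie that carries client state, and the signed variant that rejects it.
All names (SERVER_KEY, parse_cookie_naive, poison, ...) are illustrative."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Server-side secret. Generated per process for the demo; in practice it is
# loaded from configuration so every server instance verifies the same cookies.
SERVER_KEY = secrets.token_bytes(32)


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- vulnerable: the server believes whatever the client sends -----------
def make_cookie_naive(state: dict) -> str:
    return _b64e(json.dumps(state, sort_keys=True).encode())


def parse_cookie_naive(cookie: str) -> dict:
    """Cookie poisoning works here: edit the payload and the server trusts it."""
    return json.loads(_b64d(cookie))


# --- hardened: payload.signature, verified with a constant-time compare ----
def make_cookie_signed(state: dict, key: bytes = SERVER_KEY) -> str:
    payload = _b64e(json.dumps(state, sort_keys=True).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64e(sig)}"


def parse_cookie_signed(cookie: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Return the state only if the signature verifies; None on tampering,
    a wrong key, or a malformed cookie. The payload is untrusted input, so
    it is only decoded after the MAC check passes."""
    try:
        payload, sig = cookie.rsplit(".", 1)
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64d(sig), expected):
            return None
        state = json.loads(_b64d(payload))
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    return state if isinstance(state, dict) else None


def poison(cookie: str, **changes) -> str:
    """Attacker step: decode the payload part, change fields, re-encode.
    Works on both formats; against the signed one the old signature no
    longer matches the edited payload."""
    parts = cookie.split(".", 1)
    state = json.loads(_b64d(parts[0]))
    state.update(changes)
    parts[0] = _b64e(json.dumps(state, sort_keys=True).encode())
    return ".".join(parts)


if __name__ == "__main__":
    # Constructed demo: a low-privilege user edits their own role claim.
    naive = make_cookie_naive({"user": "alice", "role": "user"})
    print("naive server sees:", parse_cookie_naive(poison(naive, role="admin")))
    signed = make_cookie_signed({"user": "alice", "role": "user"})
    print("signed server sees:", parse_cookie_signed(poison(signed, role="admin")))
```

The HMAC gives integrity, not confidentiality: the payload is still readable by anyone holding the cookie, so confidential fields would additionally need encryption. Note also that a signed client-side cookie cannot be revoked by the server on logout, which is one reason an opaque session ID backed by server-side state is the usual choice for the session cookie itself.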