Session Hijacking

Mohammad Mohsin
4 min read · May 1, 2022

This is my 22nd blog on web application security penetration testing. In this blog I will explain Session Hijacking.

In my last blog, I explained the WordPress Users Disclosure Vulnerability. I hope everyone liked it. If you haven’t read it yet, please follow along.

What is Session Hijacking?

Session Hijacking is the act of stealing a user’s session token and reusing it to take over that user’s active session and perform operations as that user.

A session token is unique to each user after login. The session token can be compromised in different ways; the most common are:

• Predictable session tokens (analyze session traffic using the Burp Suite Session Analyzer);

• Session sniffing;

• Client-side attacks (XSS, malicious JavaScript code, Trojans, etc.);

• Man-in-the-middle attack;

• Man-in-the-browser attack.

How to test for Session Hijacking?

Step 1] Log in to the application as the admin user using the admin credentials.

Step 2] Click on the EditThisCookie extension.

Step 3] Copy the session cookie. Do not log the admin out, or the cookie will expire. Then log in to the application as a normal user in a new incognito window.

Step 4] Edit the cookie by pressing Fn+F12. Replace the normal user’s cookie with the admin cookie and update it.

Step 5] Refresh the page. If you get the admin session instead of the normal user’s session, the application is vulnerable to session hijacking.
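The manual steps above decide whether a copied cookie is accepted; a tester also wants to know why it was so easy to copy. The following script is an added example (not code from the original post) that audits the Set-Cookie headers of a response for the attributes that make token theft harder: Secure (no plaintext transport, which blocks session sniffing), HttpOnly (no script access, which blunts XSS-based theft) and SameSite. The header lines, the cookie names and the finding texts are constructed for this demo.

```python
"""Audit Set-Cookie headers for the attributes that limit session-token theft.

Added example, not from the original post. The header lines at the bottom are
constructed sample data; the cookie names and finding texts are this demo's own.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    secure: bool = False
    httponly: bool = False
    samesite: str | None = None
    findings: list[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse the value of one Set-Cookie header into its security-relevant attributes."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    audit = CookieAudit(name=name)
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            audit.secure = True
        elif key == "httponly":
            audit.httponly = True
        elif key == "samesite":
            audit.samesite = value.strip().capitalize() or None
    return audit


def audit_session_cookie(header_value: str) -> CookieAudit:
    """Record one finding per missing attribute that a session cookie should carry."""
    audit = parse_set_cookie(header_value)
    if not audit.secure:
        audit.findings.append("missing Secure: cookie can travel over plaintext HTTP (sniffing)")
    if not audit.httponly:
        audit.findings.append("missing HttpOnly: cookie readable by page script (XSS theft)")
    if audit.samesite not in ("Lax", "Strict"):
        audit.findings.append("SameSite not Lax/Strict: cookie attached to cross-site requests")
    return audit


def audit_response_headers(headers: list[str]) -> dict[str, list[str]]:
    """Audit every Set-Cookie line in a list of raw response header lines.

    Returns a mapping of cookie name -> list of findings (empty list means hardened).
    """
    results: dict[str, list[str]] = {}
    for line in headers:
        field_name, _, value = line.partition(":")
        if field_name.strip().lower() == "set-cookie":
            audit = audit_session_cookie(value.strip())
            results[audit.name] = audit.findings
    return results


# Constructed sample response: a weak session cookie beside a hardened one.
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "Set-Cookie: session=weak123; Path=/",
    "Set-Cookie: hardened=strong456; Path=/; Secure; HttpOnly; SameSite=Strict",
]

if __name__ == "__main__":
    for cookie_name, findings in audit_response_headers(SAMPLE_HEADERS).items():
        print(cookie_name, "OK" if not findings else findings)
```

Run it against the raw headers captured in Burp or the browser's network tab; a session cookie with any finding is worth reporting alongside the hijacking PoC, because it is the missing attribute that usually explains how the token could be taken in the first place.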

In this blog, I will use the above steps to perform session hijacking, since the application is not vulnerable to other issues such as XSS or session sniffing. To maintain the confidentiality of the client, let’s call the program redacted.com as usual.

I was working under a grey box testing approach, where I was given two different sets of user credentials:

Admin User (High Privileged User)

Demo-User (Low Privileged User)

Below is the step-by-step POC for complete exploitation:

1. Log in to the application with the Admin account and note down the session ID.

Login as Admin

2. Capture the Admin session ID and copy it somewhere in a file.

Session ID of the Admin

3. Log in as the normal Demo-User in a separate incognito tab and, as shown in the screenshot below, replace the normal user’s session ID with the Admin user’s session ID.

Normal User Session ID Changed to Admin Session ID

4. Now refresh the normal user’s page after replacing the session ID with the admin’s. As shown in the screenshot below, the normal user successfully accessed the Admin user’s session.

Session ID of Admin is updated; now refresh the normal user session

Normal Demo-User got Admin’s Session

Got Admin’s Session

Impact:

After successfully hijacking a session, the attacker gains complete access to the user’s data and can perform operations on behalf of the user whose session was hijacked.

Recommendation:

To prevent misuse of a valid session, strict session management policies must be put in place. The following practices can be followed for better session management:

• A random token should be generated on the server side, sent to the client in every response, and validated on every request from the client. This token should be valid for only one response-request pair: once a token value is sent in a response, the server accepts the immediately following request only if it carries the token value sent in the last response. This way an attacker, even after obtaining a session ID, will never be able to present a valid token.

• After the user logs out, the session ID should be destroyed immediately.

• Make sure that all session identifiers are transmitted over an encrypted protocol.

• Enforce the Secure and HttpOnly flags on sensitive cookies using a Web Application Firewall.

• Ensure that session identifiers are transmitted only using the SSL session where they originated. Track sessions across SSL renegotiations and integrate with framework solutions to support common SSL termination/re-encryption architectures.

• Alert the user and de-authorize the oldest session when multiple simultaneous logins are detected. Multiple simultaneous logins are prohibited by default, but may be enabled by changing a configuration setting.

• Tie the session ID to the SSL session and provide configurable options for actions to take if the session ID is transmitted over a new SSL session. Expose integration points with perimeter technologies to facilitate SSL termination, renegotiation, and other transitions.
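The first two recommendations (a server-generated token that is valid for exactly one response-request pair, and immediate destruction on logout) are easiest to judge when written out. The following is an added example, not code from the original post or from any framework: a minimal server-side session store that issues a random session ID plus a per-request rotating token, sets Secure/HttpOnly/SameSite on the cookie, enforces an idle timeout, destroys the session on logout, and raises an alert when an already-consumed token is replayed. The function `replay_scenario` walks through the PoC from this post against that store: the admin’s cookie is copied, the admin keeps browsing, and the copy is then used. The class and function names, the timeout value and the alert text are this example’s own assumptions.

```python
"""Server-side session store implementing the rotating per-request token control.

Added example, not from the original post. The store, its names, the idle timeout
and the alert text are this example's own assumptions.
"""
import hmac
import secrets

IDLE_TIMEOUT = 900  # seconds; assumed value for this demo


class SessionStore:
    def __init__(self):
        self._sessions = {}  # session id -> {"user", "token", "last_seen"}
        self.alerts = []     # security events worth forwarding to monitoring

    def login(self, user, now):
        """Create a fresh session; returns (session_id, first per-request token)."""
        sid = secrets.token_urlsafe(32)     # unpredictable: generated server-side
        token = secrets.token_urlsafe(32)   # valid for exactly one request
        self._sessions[sid] = {"user": user, "token": token, "last_seen": now}
        return sid, token

    def cookie_header(self, sid):
        """Set-Cookie value: no plaintext transport, no script access, no cross-site sends."""
        return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"

    def handle_request(self, sid, presented_token, now):
        """Validate a request. On success the token rotates; returns (user, new_token) or None."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if now - sess["last_seen"] > IDLE_TIMEOUT:
            self.logout(sid)                  # idle sessions are torn down, not revived
            return None
        if not hmac.compare_digest(sess["token"], presented_token):
            # The expected token was already consumed: a second party holds this id.
            self.alerts.append(f"stale token replayed on session of {sess['user']}")
            self.logout(sid)                  # kill the session rather than guess who is who
            return None
        sess["token"] = secrets.token_urlsafe(32)   # one token per response-request pair
        sess["last_seen"] = now
        return sess["user"], sess["token"]

    def logout(self, sid):
        """Destroy the session immediately; a copied id is worthless afterwards."""
        self._sessions.pop(sid, None)


def replay_scenario():
    """Admin logs in, the cookie pair is copied (as in the PoC), admin keeps browsing."""
    store = SessionStore()
    sid, token = store.login("admin", now=0)
    stolen = (sid, token)                                   # copied out of the browser
    _, token = store.handle_request(sid, token, now=10)     # admin's next request rotates it
    attacker = store.handle_request(*stolen, now=11)        # stale token: rejected, alert raised
    admin_after = store.handle_request(sid, token, now=12)  # session already destroyed
    return {"attacker": attacker, "admin_after": admin_after, "alerts": store.alerts}


def logout_scenario():
    """A session id captured before logout must not work after it."""
    store = SessionStore()
    sid, token = store.login("admin", now=0)
    store.logout(sid)
    return store.handle_request(sid, token, now=1)


if __name__ == "__main__":
    print(replay_scenario())
    print("after logout:", logout_scenario())
```

Two caveats a practitioner should keep in mind. If the copied pair is used before the legitimate user sends another request, the attacker is served and it is the victim’s next request that trips the alert and destroys the session; the control therefore turns a silent hijack into a short, detected one rather than preventing it outright. And because each token is single-use, concurrent requests from several tabs will collide, which is why many frameworks instead regenerate the session ID at login and at every privilege change and rely on the Secure/HttpOnly attributes, TLS and short lifetimes for the rest.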


Please note that I am trying to help both beginners and professionals with my cybersecurity blogs. I keep things simple rather than making them complex. If you are enjoying reading my blogs, please like and follow for more reads!

Thanks!
