Wednesday, September 17, 2014

Hacking Sessions to Hack into Others' Accounts

Recently I've successfully hacked into somebody else's account as a white collar using Session Hijacking on one of the highest-traffic eCommerce sites. So I thought of sharing it for study purposes only.

What is session hijacking?
"Session hijacking (a.k.a. cookie hijacking) is the exploitation of a valid computer session (sometimes also called a session key) to gain unauthorized access to information or services in a computer system."



E.g., on a typical eCommerce site, a user can hack into anybody's account using only the victim's SessionId, and access confidential user information such as:
  • All credit card details, all postal addresses, mobile numbers, email address, all orders, shopping and favorites lists, etc.
Further, a hacker can:
  • Get the order delivered to his own place by changing the address,
  • Place a new order or cancel any genuine order,
  • Call the customer pretending to be a company representative to extract further information.

How the hell does this happen?
  1. Log in from 2 different browsers on different or the same machine (say users A and B).
  2. Pick up user B's SessionId value.
  3. Edit user A's SessionId to the above value (cookie editor!).
  4. BOOM!!! User "A" can access all of B's information.

How can a real hacker get a session id?
  1. A user can sniff the session ids of other users, and he can do the rest.
  2. Brute-force session id generation, and the rest you know already, don't you!

Be proactive rather than reactive!
Here are some examples of usual defense-in-depth strategies:
  1. Transport security (HTTPS), so the session id is never sent in cleartext
  2. Secure randomization of session ids (making them extremely difficult to guess)
  3. Re-authentication (re-enter password) before accessing sensitive information
  4. Regenerating the session id after a successful login to prevent session fixation
  5. Secondary checks on the identity of the user, e.g. same IP address, same user agent
  6. Two-factor authentication
Please note, you first have to find out which target site is vulnerable to the above security threat.
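The defenses listed above, as an added example that is not code from the original post or from the site it describes: a minimal Python session store that draws session ids from the OS CSPRNG, regenerates the id at login (defeating fixation and any pre-login id an attacker observed), binds the session to the User-Agent recorded at login, expires idle sessions, and demands a fresh password for sensitive actions after a window. The class name `SessionStore`, the constants and the `now` parameter (injected so the behaviour can be checked without sleeping) are my assumptions; a real deployment would back this with a server-side store instead of a dict.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed policy values, not taken from any real site.
SESSION_TTL = 30 * 60      # idle timeout in seconds
REAUTH_WINDOW = 5 * 60     # sensitive actions need a password check newer than this


@dataclass
class Session:
    user_id: Optional[str]      # None means an anonymous, pre-login session
    user_agent: str             # User-Agent recorded when the session was issued
    last_seen: float            # last request time, for the idle timeout
    last_auth: Optional[float]  # last time the password was verified


class SessionStore:
    """In-memory session store demonstrating the defenses in the post."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_id() -> str:
        # 32 bytes from the OS CSPRNG = 256 bits of entropy: not guessable or brute-forceable,
        # unlike counters, timestamps or weak PRNG output.
        return secrets.token_urlsafe(32)

    def create(self, user_agent: str, now: Optional[float] = None) -> str:
        """Issue an anonymous session (e.g. for a shopping cart before login)."""
        now = time.time() if now is None else now
        sid = self._new_id()
        self._sessions[sid] = Session(None, user_agent, now, None)
        return sid

    def login(self, old_sid: str, user_id: str, user_agent: str,
              now: Optional[float] = None) -> str:
        """Call only after the password has been verified. Regenerates the id so a
        fixated or previously observed pre-login id is useless afterwards."""
        now = time.time() if now is None else now
        self._sessions.pop(old_sid, None)
        sid = self._new_id()
        self._sessions[sid] = Session(user_id, user_agent, now, now)
        return sid

    def lookup(self, sid: str, user_agent: str,
               now: Optional[float] = None) -> Optional[Session]:
        """Resolve a presented cookie to a session, or None if it must be rejected."""
        now = time.time() if now is None else now
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if now - sess.last_seen > SESSION_TTL:
            self._sessions.pop(sid, None)  # idle timeout: an old sniffed id cannot be replayed
            return None
        # Secondary identity check: a cookie presented from a different User-Agent than the
        # one recorded at issue time is treated as a hijacking indicator and the session is
        # destroyed. compare_digest keeps the comparison constant-time.
        if not hmac.compare_digest(sess.user_agent.encode(), user_agent.encode()):
            self._sessions.pop(sid, None)
            return None
        sess.last_seen = now
        return sess

    def needs_reauth(self, sid: str, user_agent: str,
                     now: Optional[float] = None) -> bool:
        """True if a sensitive action (view cards, change address) must re-prompt for the password."""
        now = time.time() if now is None else now
        sess = self.lookup(sid, user_agent, now)
        if sess is None:
            return True
        return sess.last_auth is None or now - sess.last_auth > REAUTH_WINDOW

    def reauthenticate(self, sid: str, user_agent: str,
                       now: Optional[float] = None) -> bool:
        """Call after the password was verified again; refreshes the re-auth window."""
        now = time.time() if now is None else now
        sess = self.lookup(sid, user_agent, now)
        if sess is None:
            return False
        sess.last_auth = now
        return True

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)  # server-side invalidation, not just clearing the cookie
```

Even with these checks a session id that leaks over plain HTTP can be replayed from the same browser type within the idle window, which is why transport security (item 1) and two-factor authentication (item 6) remain part of the stack rather than alternatives to it.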

Resources:
  1. https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
  2. http://technet.microsoft.com/en-us/magazine/2005.01.sessionhijacking.aspx
  3. http://googlewebmastercentral.blogspot.com/2014/08/https-as-ranking-signal.html
  4. http://techcrunch.com/2012/11/18/facebook-https/
