Session Hijacking - Essay Example

Session Hijacking Session hijacking is a term used in computer science as a method of gaining access to a computer system’s information without authorization, by exploiting a valid session of a computer (session keys). It can also be used to refer to stealing of a magic cookie where in this case a cookie is used to refer to a piece of text that is used to for maintaining website sessions and storing its address. The process of session hijacking can be simply referred to as getting access to an existing session that is active (Hope & Walther, 2008). This will enable the hacker to gain access to information and resources that are sensitive like details of bank, passwords and much more which belong to another person in this case a victim. There are two types of attacks in session hijacking namely; the active and passive attack. In active attack, the hacker identifies a session that is active and takes over by force by forcing one member to be inactive (offline). In passive attack, there is hijacking of a session by a hacker who remains inactive and observes information being transmitted from and to the computers. The attack strategy known as the denial of service is used as a common component in these attacks to either crash it or jamming its network connection. In some instances a hybrid method of attack exists which the hacker may either watch an active session for sometime before taking over or the attacker may decide to inactively watch a session for sometime before becoming active and hijacking it (Hope & Walther, 2008). Another form of the hybrid method is where one watches a session and introduces data into the session that is active periodically with no intentions of hijacking the session In perpetrating a session hijack, four methods are used. These are session fixation, session side jacking, and cross-side scripting. In session fixation, the attacker sets the id of the user’s session to another one, which is known to him. For instance, he can send an email to the user containing a link that has an id of a particular session and wait for the user to log in. This will enable him to hijack the user’s session. Session side jacking is whereby the attacker reads network traffic using packet sniffing between two session users with the aim of stealing the cookie of the session. To prevent such attackers from side jacking, many websites use SSL encryption in login pages so as to prevent session attackers from accessing their passwords (Srinivasan, 2006). Once authenticated, encryption is not used in any other part of the site. This gives the attackers chance to intercept every data, which is submitted to the web pages or servers accessible to the client. Because this data normally contains the session cookie, he/she is allowed to impersonate the victim, irrespective of the password itself being compromised. Wi-Fi hotspots that are not secured are especially more vulnerable because anyone who is sharing the network is generally able to read many of the web traffics between the access point and the other node. Furthermore an attacker who has physical access can easily steal the key of the session, for example by getting the memory or file contents of the most appropriate part of the server or computer user. In cross-site scripting, an attacker tricks the computer of the user into running code that is seen as trustworthy, as it happens to be a component of the server. According to Srinivasan, the attacker is therefore allowed to obtain a cookie copy or do other operations. Code Injection Code injection is a term that is used to describe the concept of processing data that is invalid which is caused by the exploitation of a computer bug. Code injection when used by an attacker can have disastrous results as the hacker might use it to present a new code into the program of the computer which will alter its course of functioning. Other types of code injection are as a result of interpretation errors, which present a given meaning to a user input. This might mean that the victim might not be able to differentiate between a system command and a user input which might be hacked or hijacked. Code injection has various uses which might either be intentional or unintentional. The intentional use might be disadvantageous or advantageous. Code injection might be applied using scripting by cross sites to steal sessions form the browser of a website among other harmful uses. According to Goodin (2007), code injection might be put into constructive use by other developers to improve their software as those methods are usually considered economical/cheap in the implementation of features which are considered special by the developers, although the results can be very destructive and dangerous. In some instances, the code injection might be unintentionally used. It might happen if the user unsuspectingly provides a program input which is not a product of the original developers of that system. For example the user might present as input a file that is malformed which functions well in one application but is poisonous to a system that is receiving it. Code injection can be prevented by various methods like encoding of an input or output, validation of an input among others; all this prevention methods utilize the handling of a secure input and output (Christey, 2006). These solutions mainly deal with the introduction of a code that is based on the web into an application that favors the side or functioning of the server. However there are some other ways which are used in detecting the occurrence of code injection that is controlled/intentional or non-controlled/unintentional and their isolation. There are different examples of code injection including SQL injection which utilizes the syntax to introduce commands that alter the original meaning of a question or change a database, there is also the shell injection which enables most software to perform a command line programmatically. Another example is the ASP/PHP injection, these are different types of attacks that allow a hacker to provide a server with a code which resembles an original program bet it is an injected infected file. Dangers of Session Hijacking and Code Injection Due to the vulnerability of most systems, both session hijacking and code injection pose a great danger, which might lead to the crushing of most of operational systems (Christey 2006). This vulnerability mostly arises due to the fact that most systems use TCP/IP as their main protocol of communication. This mostly exposes them to the dangerous attacks of the TCP hijacking session. The problem of few ineffective countermeasures also makes session hijacking and code injection a big threat to existing systems. The process of session hijacking and code injection is a very simple process to establish with the presence of good software hence anyone can do it and also due to its simplicity it can easily be spread within various systems. Code injection and session hijacking is very dangerous due to the kind of information that can be obtained when a hacker attacks a system (Goodin, 2007). The information hijacked may be confidential and of great importance and if gotten by an individual with ill intentions, it might highly affect the victim. Also there is not much that can be done to prevent and protect a system against hijackers/hackers. This is due to the fact that the hackers use various methods and strategies in hijacking and once they have gained access into an active session, dealing with them becomes a problem. Also there are some hackers who go unnoticed while they have in actual sense already hijacked a session by employing the passive form of session hijacking. References Hope, P. & Walther, B. (2008). Session Hacking: Web Security Testing. OReilly Media, Inc. Srinivasan, R. (2006). Session Hackers: More Effective Ways for Computer Hackers. Arizona; Arizona State University. Retrieved on 21ST April, 2011. From http://www.google.com/url?sa=t&source=web&cd=4&ved=0CBsQFjAD&urlasu.edu%2F~rsriniv8%2FDocuments%2Fsrini.Html Christey, S. M. (2006). "Dynamic Evaluation Vulnerabilities in PHP applications". Retrieved on 2011-4-21. From http://seclists.org/lists/fulldisclosure/2006/May/0035.html.  Goodin, D. (2007). "Strange Spoofing Technique Evades Anti-Phishing Filters; The Register. Retrieved on 2011-4-21. From http://www.theregister.co.uk/2007/05/25/strange_spoofing_technique. Read More