9

Click here to load reader

Session hijacking with XSS

Embed Size (px)

DESCRIPTION

Security testing: Session hijacking using cross site scripting techniques. Basic introduction about cookies, sessions, need for cookies, how they are hijacked, purposes etc

Citation preview

Page 1: Session hijacking with XSS

SESSION HIJACKING WITH XSS

"I BECOME YOU"

Page 2: Session hijacking with XSS

SESSION IN COOKIE

• HTTP AND HTTPS ARE STATELESS PROTOCOLS

• TO COMBAT THIS, WHEN YOU FIRST VISIT A SITE YOU ARE ISSUED A UNIQUE SESSION ID

Page 3: Session hijacking with XSS

COOKIE…

• IS A SMALL PIECE OF TEXT STORED BY THE USER BROWSER.

• IS SENT AS AN HEADER BY THE WEB SERVER TO THE WEB BROWSER ON THE CLIENT SIDE.

• IS STATIC AND IS SENT BACK BY THE BROWSER UNCHANGED EVERY TIME IT ACCESSES THE SERVER.

• HAS A EXPIRATION TIME THAT IS SET BY THE SERVER AND ARE DELETED AUTOMATICALLY

AFTER THE EXPIRATION TIME.

• COOKIE IS USED TO MAINTAIN USERS AUTHENTICATION AND TO IMPLEMENT SHOPPING CART DURING HIS NAVIGATION, POSSIBLY ACROSS MULTIPLE VISITS.

Page 4: Session hijacking with XSS

HIJACKING : “ I BECOME YOU”

Page 5: Session hijacking with XSS

HIJACKER’S PERSONA

• Is a Customer Service user with limited access (level 5)

• Has knowledge in hacking• Has coding skills• With a wicked motive of gaining

full access to the application

Page 6: Session hijacking with XSS

HOW…

1. STEAL THE SESSION INFORMATION (USING XSS ATTACK)

2. REPLACE HIJACKER’S COOKIE WITH VICTIM’S

Page 7: Session hijacking with XSS

HOW HE PLANS THE ATTACK…

• LOOKS FOR VULNERABILITIES IN THE APPLICATION

• SEES AN OPPORTUNITY TO DO AN XSS EXPLOITATION IN

“KNOWLEDGEBASE” MODULE

• PLANT A MALICIOUS SCRIPT IN FAQ ENTRY.

Page 8: Session hijacking with XSS

• VICTIM VISIT THE FAQ ENTRY AND CLICK ON THE LINK TO “SEE MORE INFO”

• VICTIMS COOKIE INFORMATION IS SENT TO HIJACKER’S WEBSITE WHERE THE INFORMATION GETS LOGGED

Page 9: Session hijacking with XSS

• HACKER USES A COOKIE EDITOR TO CHANGE THE VALUES OF THE COOKIE AND LOGIN TO THE

APPLICATION AS THE VICTIM


Productivity VCW CR200iNG-XPvcwsecurity.com/wp-content/uploads/2016/06/VCW... · - Protection against SQL Injections, Cross-site Scripting (XSS), Session Hijacking, URL Tampering,

Productivity VCW CR200iNG-XPvcwsecurity.com/wp-content/uploads/2016/06/VCW... · - Protection against SQL Injections, Cross-site Scripting (XSS), Session Hijacking, URL Tampering,

Documents
Session Hijacking Windows Networks 2124 (1)

Session Hijacking Windows Networks 2124 (1)

Documents
Module 6 Session Hijacking

Module 6 Session Hijacking

Technology
Cyber Security Master’s Program...Module 11: Session Hijacking - Know what is session hijacking and its types, tools, countermeasures, and session hijacking penetration testing Module

Cyber Security Master’s Program...Module 11: Session Hijacking - Know what is session hijacking and its types, tools, countermeasures, and session hijacking penetration testing Module

Documents
Web Security - GitHub Pages · Cross-site Scripting (XSS), Session Hijacking, and Cross-site Request Forgery (CSRF) •These share some common causes with memory safety vulnerabilities;

Web Security - GitHub Pages · Cross-site Scripting (XSS), Session Hijacking, and Cross-site Request Forgery (CSRF) •These share some common causes with memory safety vulnerabilities;

Documents
Future-ready Security for SME networks CR100iNG Data Sheet · -Automatic signature updates via Cyberoam Threat Research Labs ... Cross-site Scripting (XSS), Session Hijacking, URLTampering,

Future-ready Security for SME networks CR100iNG Data Sheet · -Automatic signature updates via Cyberoam Threat Research Labs ... Cross-site Scripting (XSS), Session Hijacking, URLTampering,

Documents
The Hacker's Guide To Session Hijacking

The Hacker's Guide To Session Hijacking

Technology
98802258 Session Hijacking Ppt

98802258 Session Hijacking Ppt

Documents
Session hijacking with android devices

Session hijacking with android devices

Documents
KC Dec2006 Attacking The App - OWASP · PDF fileGood at network security, ... Session Hijacking with XSS ... Microsoft PowerPoint - KC_Dec2006_Attacking_The_App.ppt Author:

KC Dec2006 Attacking The App - OWASP · PDF fileGood at network security, ... Session Hijacking with XSS ... Microsoft PowerPoint - KC_Dec2006_Attacking_The_App.ppt Author:

Documents
Session Hijacking - Bukan Coder · J Key Session Hijacking Techniques J Network Level Session Hijacking J Brute Forcing Attack . J TCP/IP Hijacking J Session Hijacking Process ~ J

Session Hijacking - Bukan Coder · J Key Session Hijacking Techniques J Network Level Session Hijacking J Brute Forcing Attack . J TCP/IP Hijacking J Session Hijacking Process ~ J

Documents
Segurança no PHP - ULisboaRegister Globals Paths Cross-Site Scripting (XSS) Cross-Site Request Forgeries (CSRF) SQL Injection Session Hijacking Links Questões Title Segurança no

Segurança no PHP - ULisboaRegister Globals Paths Cross-Site Scripting (XSS) Cross-Site Request Forgeries (CSRF) SQL Injection Session Hijacking Links Questões Title Segurança no

Documents
SESSION HIJACKING - jntuhsd.in

SESSION HIJACKING - jntuhsd.in

Documents
CSE 154 - University of Washington · • Session Hijacking: Stealing another user's session cookie to masquerade as that user. • Cross-Site Scripting (XSS) or HTML Injection: Inserting

CSE 154 - University of Washington · • Session Hijacking: Stealing another user's session cookie to masquerade as that user. • Cross-Site Scripting (XSS) or HTML Injection: Inserting

Documents
SESSION HIJACKINGcs3.calstatela.edu/~egean/cs5781/lecture-notes/CEHv9/Ch12.pdfSession hijacking is roughly a stolen session. A session represents a connection. Session hijacking incorporates

SESSION HIJACKINGcs3.calstatela.edu/~egean/cs5781/lecture-notes/CEHv9/Ch12.pdfSession hijacking is roughly a stolen session. A session represents a connection. Session hijacking incorporates

Documents
Cs3 Session Hijacking

Cs3 Session Hijacking

Documents
Session Hijacking - Armstrong State Universitycs.armstrong.edu/rasheed/ITEC4300/Slides15.pdf · • Define session hijacking ... – So that the session authentication takes place

Session Hijacking - Armstrong State Universitycs.armstrong.edu/rasheed/ITEC4300/Slides15.pdf · • Define session hijacking ... – So that the session authentication takes place

Documents
Session Hijacking Windows Networks 2124

Session Hijacking Windows Networks 2124

Documents
Ceh v5 module 10 session hijacking

Ceh v5 module 10 session hijacking

Technology
Future-ready Security for SOHO/ROBO networks CR35iNG Data ... · - Protection against SQL Injections, Cross-site Scripting (XSS), Session Hijacking, URL Tampering, Cookie Poisoning

Future-ready Security for SOHO/ROBO networks CR35iNG Data ... · - Protection against SQL Injections, Cross-site Scripting (XSS), Session Hijacking, URL Tampering, Cookie Poisoning

Documents
 · Web viewCross Site Scripting (XSS) Session Hijacking Malicious File Execution Directory traversals Remote File Inclusion Attacks OS Command Injection Scanning/Probing – scanning

 · Web viewCross Site Scripting (XSS) Session Hijacking Malicious File Execution Directory traversals Remote File Inclusion Attacks OS Command Injection Scanning/Probing – scanning

Documents
CEHv8 Module 11 Session Hijacking

CEHv8 Module 11 Session Hijacking

Documents
Session Hijacking… · Overview of Session Hijacking Session hijacking refers to the exploitation of a valid com puter session where an attacker takes over a session between two

Session Hijacking… · Overview of Session Hijacking Session hijacking refers to the exploitation of a valid com puter session where an attacker takes over a session between two

Documents
Dialog Attack Sniffing – Spoofing Session Hijacking

Dialog Attack Sniffing – Spoofing Session Hijacking

Documents
Session hijacking by rahul tyagi

Session hijacking by rahul tyagi

Technology
Ethical Hacking Module X Session Hijacking. EC-Council Module Objective Spoofing Vs Hijacking Types of session hijacking TCP/IP concepts Performing Sequence

Ethical Hacking Module X Session Hijacking. EC-Council Module Objective Spoofing Vs Hijacking Types of session hijacking TCP/IP concepts Performing Sequence

Documents
Session Hijacking Ppt

Session Hijacking Ppt

Documents
Hacking Fb Using Session Hijacking

Hacking Fb Using Session Hijacking

Documents
SPMCIL...Protection against SQL Injections, Cross-site Scripting (XSS). Session Hijacking. URL Tampering, Cookie Poisoning etc. - Support for HTTP 0.9M .011.1 - Back-end servers supported:

SPMCIL...Protection against SQL Injections, Cross-site Scripting (XSS). Session Hijacking. URL Tampering, Cookie Poisoning etc. - Support for HTTP 0.9M .011.1 - Back-end servers supported:

Documents
11 Session Hijacking

11 Session Hijacking

Documents