9

Click here to load reader

Session hijacking with XSS

Embed Size (px)

DESCRIPTION

Security testing: Session hijacking using cross site scripting techniques. Basic introduction about cookies, sessions, need for cookies, how they are hijacked, purposes etc

Citation preview

Page 1: Session hijacking with XSS

SESSION HIJACKING WITH XSS

"I BECOME YOU"

Page 2: Session hijacking with XSS

SESSION IN COOKIE

• HTTP AND HTTPS ARE STATELESS PROTOCOLS

• TO COMBAT THIS, WHEN YOU FIRST VISIT A SITE YOU ARE ISSUED A UNIQUE SESSION ID

Page 3: Session hijacking with XSS

COOKIE…

• IS A SMALL PIECE OF TEXT STORED BY THE USER BROWSER.

• IS SENT AS AN HEADER BY THE WEB SERVER TO THE WEB BROWSER ON THE CLIENT SIDE.

• IS STATIC AND IS SENT BACK BY THE BROWSER UNCHANGED EVERY TIME IT ACCESSES THE SERVER.

• HAS A EXPIRATION TIME THAT IS SET BY THE SERVER AND ARE DELETED AUTOMATICALLY

AFTER THE EXPIRATION TIME.

• COOKIE IS USED TO MAINTAIN USERS AUTHENTICATION AND TO IMPLEMENT SHOPPING CART DURING HIS NAVIGATION, POSSIBLY ACROSS MULTIPLE VISITS.

Page 4: Session hijacking with XSS

HIJACKING : “ I BECOME YOU”

Page 5: Session hijacking with XSS

HIJACKER’S PERSONA

• Is a Customer Service user with limited access (level 5)

• Has knowledge in hacking• Has coding skills• With a wicked motive of gaining

full access to the application

Page 6: Session hijacking with XSS

HOW…

1. STEAL THE SESSION INFORMATION (USING XSS ATTACK)

2. REPLACE HIJACKER’S COOKIE WITH VICTIM’S

Page 7: Session hijacking with XSS

HOW HE PLANS THE ATTACK…

• LOOKS FOR VULNERABILITIES IN THE APPLICATION

• SEES AN OPPORTUNITY TO DO AN XSS EXPLOITATION IN

“KNOWLEDGEBASE” MODULE

• PLANT A MALICIOUS SCRIPT IN FAQ ENTRY.

Page 8: Session hijacking with XSS

• VICTIM VISIT THE FAQ ENTRY AND CLICK ON THE LINK TO “SEE MORE INFO”

• VICTIMS COOKIE INFORMATION IS SENT TO HIJACKER’S WEBSITE WHERE THE INFORMATION GETS LOGGED

Page 9: Session hijacking with XSS

• HACKER USES A COOKIE EDITOR TO CHANGE THE VALUES OF THE COOKIE AND LOGIN TO THE

APPLICATION AS THE VICTIM


Session Hijacking - Armstrong State Universitycs.armstrong.edu/rasheed/ITEC4300/Slides15.pdf · • Define session hijacking ... – So that the session authentication takes place

Session Hijacking - Armstrong State Universitycs.armstrong.edu/rasheed/ITEC4300/Slides15.pdf · • Define session hijacking ... – So that the session authentication takes place

Documents
CEHv9 Module 10 Session Hijacking (1)

CEHv9 Module 10 Session Hijacking (1)

Documents
Ceh v5 module 10 session hijacking

Ceh v5 module 10 session hijacking

Technology
Ce hv7 module 11 session hijacking

Ce hv7 module 11 session hijacking

Documents
SQL Injection, XSS, CSRF, Parameter Tampering, DoS Attacks, Session Hijacking Telerik Software Academy ASP.NET MVC

SQL Injection, XSS, CSRF, Parameter Tampering, DoS Attacks, Session Hijacking Telerik Software Academy ASP.NET MVC

Documents
Hacking Fb Using Session Hijacking

Hacking Fb Using Session Hijacking

Documents
SESSION HIJACKINGcs3.calstatela.edu/~egean/cs5781/lecture-notes/CEHv9/Ch12.pdfSession hijacking is roughly a stolen session. A session represents a connection. Session hijacking incorporates

SESSION HIJACKINGcs3.calstatela.edu/~egean/cs5781/lecture-notes/CEHv9/Ch12.pdfSession hijacking is roughly a stolen session. A session represents a connection. Session hijacking incorporates

Documents
The Hacker's Guide To Session Hijacking

The Hacker's Guide To Session Hijacking

Technology
Module 11 Session Hijacking

Module 11 Session Hijacking

Documents
Future-ready Security for SOHO/ROBO networks CR35iNG Data ... · - Protection against SQL Injections, Cross-site Scripting (XSS), Session Hijacking, URL Tampering, Cookie Poisoning

Future-ready Security for SOHO/ROBO networks CR35iNG Data ... · - Protection against SQL Injections, Cross-site Scripting (XSS), Session Hijacking, URL Tampering, Cookie Poisoning

Documents
Future-ready Security for SME networks CR100iNG Data Sheet · -Automatic signature updates via Cyberoam Threat Research Labs ... Cross-site Scripting (XSS), Session Hijacking, URLTampering,

Future-ready Security for SME networks CR100iNG Data Sheet · -Automatic signature updates via Cyberoam Threat Research Labs ... Cross-site Scripting (XSS), Session Hijacking, URLTampering,

Documents
SESSION HIJACKING - jntuhsd.in

SESSION HIJACKING - jntuhsd.in

Documents
CEH - Module 11 : Session Hijacking

CEH - Module 11 : Session Hijacking

Technology
Session Hijacking

Session Hijacking

Technology
CSE 154 - University of Washington · • Session Hijacking: Stealing another user's session cookie to masquerade as that user. • Cross-Site Scripting (XSS) or HTML Injection: Inserting

CSE 154 - University of Washington · • Session Hijacking: Stealing another user's session cookie to masquerade as that user. • Cross-Site Scripting (XSS) or HTML Injection: Inserting

Documents
Productivity VCW CR200iNG-XPvcwsecurity.com/wp-content/uploads/2016/06/VCW... · - Protection against SQL Injections, Cross-site Scripting (XSS), Session Hijacking, URL Tampering,

Productivity VCW CR200iNG-XPvcwsecurity.com/wp-content/uploads/2016/06/VCW... · - Protection against SQL Injections, Cross-site Scripting (XSS), Session Hijacking, URL Tampering,

Documents
Session hijacking for dummies

Session hijacking for dummies

Technology
Session Hijacking Windows Networks 2124 (1)

Session Hijacking Windows Networks 2124 (1)

Documents
Web Security SQL Injection, XSS, CSRF, Parameter Tampering, DoS Attacks, Session Hijacking SoftUni Team Technical Trainers Software University

Web Security SQL Injection, XSS, CSRF, Parameter Tampering, DoS Attacks, Session Hijacking SoftUni Team Technical Trainers Software University

Documents
11 Session Hijacking

11 Session Hijacking

Documents
Dialog Attack Sniffing – Spoofing Session Hijacking

Dialog Attack Sniffing – Spoofing Session Hijacking

Documents
Web Security - GitHub Pages · Cross-site Scripting (XSS), Session Hijacking, and Cross-site Request Forgery (CSRF) •These share some common causes with memory safety vulnerabilities;

Web Security - GitHub Pages · Cross-site Scripting (XSS), Session Hijacking, and Cross-site Request Forgery (CSRF) •These share some common causes with memory safety vulnerabilities;

Documents
Module 6 Session Hijacking

Module 6 Session Hijacking

Technology
CyberLab CCEH Session - 11 Session Hijacking

CyberLab CCEH Session - 11 Session Hijacking

Education
Session Hijacking… · Overview of Session Hijacking Session hijacking refers to the exploitation of a valid com puter session where an attacker takes over a session between two

Session Hijacking… · Overview of Session Hijacking Session hijacking refers to the exploitation of a valid com puter session where an attacker takes over a session between two

Documents
Session Hijacking - Bukan Coder · J Key Session Hijacking Techniques J Network Level Session Hijacking J Brute Forcing Attack . J TCP/IP Hijacking J Session Hijacking Process ~ J

Session Hijacking - Bukan Coder · J Key Session Hijacking Techniques J Network Level Session Hijacking J Brute Forcing Attack . J TCP/IP Hijacking J Session Hijacking Process ~ J

Documents
Session Hijacking Module 11 1778

Session Hijacking Module 11 1778

Documents
Ce hv8 module 11 session hijacking

Ce hv8 module 11 session hijacking

Technology
CEH Module 15: Session Hijacking

CEH Module 15: Session Hijacking

Documents
Ethical Hacking and Countermeasures - The Eye...Session Hijacking Levels Session hijacking takes place at two levels: •Newtork Leve Hl ajicknig • Application level Hijacking Network

Ethical Hacking and Countermeasures - The Eye...Session Hijacking Levels Session hijacking takes place at two levels: •Newtork Leve Hl ajicknig • Application level Hijacking Network

Documents