
Session hijacking with XSS



Security testing: session hijacking using cross-site scripting techniques. A basic introduction to cookies and sessions, why cookies are needed, how they are hijacked, and what the attacker gains from doing so.


Page 1: Session hijacking with XSS

SESSION HIJACKING WITH XSS

"I BECOME YOU"

Page 2: Session hijacking with XSS

SESSION IN COOKIE

• HTTP AND HTTPS ARE STATELESS PROTOCOLS

• TO COMBAT THIS, WHEN YOU FIRST VISIT A SITE YOU ARE ISSUED A UNIQUE SESSION ID

Page 3: Session hijacking with XSS

COOKIE…

• IS A SMALL PIECE OF TEXT STORED BY THE USER'S BROWSER.

• IS SENT AS A HEADER BY THE WEB SERVER TO THE WEB BROWSER ON THE CLIENT SIDE.

• IS STATIC AND IS SENT BACK BY THE BROWSER UNCHANGED EVERY TIME IT ACCESSES THE SERVER.

• HAS AN EXPIRATION TIME THAT IS SET BY THE SERVER AND IS DELETED AUTOMATICALLY AFTER THE EXPIRATION TIME.

• IS USED TO MAINTAIN THE USER'S AUTHENTICATION AND TO IMPLEMENT A SHOPPING CART DURING HIS NAVIGATION, POSSIBLY ACROSS MULTIPLE VISITS.
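The slide describes the session cookie as text the browser stores and returns unchanged, which is exactly why the attributes on the Set-Cookie header matter: HttpOnly keeps the cookie out of document.cookie (so an injected script cannot read it), Secure keeps it off plaintext HTTP, and SameSite limits when the browser attaches it to cross-site requests. The following is an added example, not code from the original deck; it parses a Set-Cookie header and reports which of those protections a session cookie is missing. The two header strings are constructed samples, and SESSIONID is a placeholder name.

```python
"""Audit Set-Cookie headers for the attributes that limit session theft.

Added example, not part of the original slide deck. The header strings at the
bottom are constructed sample values, not captured from any real application.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Union


@dataclass
class CookieAudit:
    name: str
    value: str
    # Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True.
    attributes: Dict[str, Union[str, bool]] = field(default_factory=dict)
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Split a Set-Cookie header into cookie name, value and attribute map.

    Attribute names are case-insensitive (RFC 6265), so they are normalised to
    lower case; attributes without a value are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return CookieAudit(name=name.strip(), value=value.strip(), attributes=attrs)


def audit_session_cookie(header: str, served_over_https: bool = True) -> CookieAudit:
    """Return the parsed cookie plus a finding for each missing protection.

    - HttpOnly: without it, script running in the page (e.g. injected via XSS)
      can read the cookie through document.cookie.
    - Secure: without it, the browser also sends the cookie over plaintext HTTP.
    - SameSite=Lax/Strict: without it, the cookie rides along on cross-site
      requests, which widens what a third-party page can make the browser do.
    """
    audit = parse_set_cookie(header)
    attrs = audit.attributes
    if "httponly" not in attrs:
        audit.findings.append("missing HttpOnly: readable by script in the page")
    if served_over_https and "secure" not in attrs:
        audit.findings.append("missing Secure: may be sent over plaintext HTTP")
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        audit.findings.append("SameSite not Lax/Strict: sent on cross-site requests")
    return audit


# Constructed samples: the weak header beside a hardened one for the same cookie.
WEAK_HEADER = "SESSIONID=abc123; Path=/"
HARDENED_HEADER = "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for hdr in (WEAK_HEADER, HARDENED_HEADER):
        result = audit_session_cookie(hdr)
        print(hdr)
        for finding in result.findings or ["no findings"]:
            print("  -", finding)
```

Run against a real application's responses, this check belongs wherever the session cookie is issued (login and session renewal), since a single unprotected Set-Cookie is enough for the theft the following slides describe. HttpOnly is the control that directly blocks the document.cookie read; the other two attributes narrow the remaining exposure.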

Page 4: Session hijacking with XSS

HIJACKING : “ I BECOME YOU”

Page 5: Session hijacking with XSS

HIJACKER’S PERSONA

• Is a Customer Service user with limited access (level 5)

• Has knowledge in hacking

• Has coding skills

• With a wicked motive of gaining full access to the application

Page 6: Session hijacking with XSS

HOW…

1. STEAL THE SESSION INFORMATION (USING XSS ATTACK)

2. REPLACE HIJACKER’S COOKIE WITH VICTIM’S

Page 7: Session hijacking with XSS

HOW HE PLANS THE ATTACK…

• LOOKS FOR VULNERABILITIES IN THE APPLICATION

• SEES AN OPPORTUNITY TO DO AN XSS EXPLOITATION IN THE “KNOWLEDGEBASE” MODULE

• PLANTS A MALICIOUS SCRIPT IN A FAQ ENTRY.

Page 8: Session hijacking with XSS

• VICTIM VISITS THE FAQ ENTRY AND CLICKS ON THE LINK TO “SEE MORE INFO”

• VICTIM’S COOKIE INFORMATION IS SENT TO THE HIJACKER’S WEBSITE, WHERE THE INFORMATION GETS LOGGED

Page 9: Session hijacking with XSS

• HACKER USES A COOKIE EDITOR TO CHANGE THE VALUES OF THE COOKIE AND LOGS IN TO THE APPLICATION AS THE VICTIM
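The final step works because the server trusts the session ID alone: whoever presents the victim's cookie value is treated as the victim. A server-side detection for exactly this step is to bind each session at login to the client that created it and to revoke the session (and raise an alert) when the same ID arrives from a different client. The following is an added example, not code from the original deck or from any real application; the session store is an in-memory dict, the requests are constructed sample values, and the fingerprint (User-Agent plus the first three octets of the client IP) is one assumed choice of binding.

```python
"""Detect a session ID replayed from a client other than the one it was
issued to, i.e. the "replace my cookie with the victim's" step.

Added example, not part of the original slide deck. The store is in-memory and
every request below is a constructed sample.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Request:
    session_id: str
    user_agent: str
    client_ip: str


@dataclass
class Session:
    user: str
    client_fingerprint: str


def fingerprint(user_agent: str, client_ip: str) -> str:
    """Hash the client attributes the session is bound to at login.

    Using the /24 prefix instead of the full IPv4 address tolerates address
    churn inside one network while still catching a token presented from a
    different network and browser.
    """
    ip_prefix = ".".join(client_ip.split(".")[:3])
    return hashlib.sha256(f"{user_agent}|{ip_prefix}".encode()).hexdigest()


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self.alerts: List[str] = []

    def login(self, user: str, user_agent: str, client_ip: str) -> str:
        """Issue a fresh, unguessable session ID bound to the client fingerprint."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, fingerprint(user_agent, client_ip))
        return sid

    def authenticate(self, req: Request) -> Optional[Session]:
        """Return the session for a request, or None.

        A known ID arriving from a client whose fingerprint differs from the
        one recorded at login is treated as a possible hijack: the session is
        revoked so neither party can keep using it, and an alert is recorded.
        """
        session = self._sessions.get(req.session_id)
        if session is None:
            return None
        if session.client_fingerprint != fingerprint(req.user_agent, req.client_ip):
            del self._sessions[req.session_id]
            self.alerts.append(
                f"session of {session.user} presented from unexpected client "
                f"{req.client_ip} / {req.user_agent!r}; session revoked"
            )
            return None
        return session


def demo() -> dict:
    """Constructed scenario: the victim logs in, keeps browsing from the same
    network, then the same session ID is presented from a different browser
    and network, as on the slides."""
    store = SessionStore()
    victim_ua = "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"   # constructed
    sid = store.login("victim", victim_ua, "10.1.2.3")
    legit = store.authenticate(Request(sid, victim_ua, "10.1.2.9"))
    replayed = store.authenticate(
        Request(sid, "Mozilla/5.0 (X11; Linux x86_64) Chrome/119.0", "203.0.113.7")
    )
    after = store.authenticate(Request(sid, victim_ua, "10.1.2.3"))
    return {
        "legit_ok": legit is not None,
        "replay_blocked": replayed is None,
        "revoked_afterwards": after is None,
        "alerts": len(store.alerts),
    }


if __name__ == "__main__":
    print(demo())
```

This is a detection layer, not a replacement for HttpOnly on the cookie: client binding produces false positives for users who change networks or browsers mid-session, so the revocation should force a re-login rather than lock the account, and the alert is what a security operations team reviews. Its value here is that a replayed session ID becomes visible in server logs instead of silently succeeding.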