A Review Paper On Session Hijacking Atta
Abstract
Contents
Abstract
List of Figures
1 Introduction
1.2 Objectives
1.3 Methodology
1.4 Motivation
2 Related Works
3 Literature Review
4 Problem Statement
5 Gap Analysis
6 Comparative Analysis
Conclusion
Appendix A
Bibliography
List of Tables
List of Figures
1.1 Active Session Hijacking
1.2 Passive Session Hijacking
1.3 Blind Spoofing Attack
1.4 Non-Blind Spoofing Attack
1.5 Sniffing Attack
1.6 Brute Force Attack
1.7 Cross Site Scripting (XSS)
3.5 Average users experienced latency per request for cookies with HTTP, HTTPS, OTC with HTTP and OTC with HTTPS
3.6 Original Session Cookie Flags
Chapter 1
Introduction
server is then fooled into treating the attacker’s connection as the original user’s
valid session. There are three types of session hijacking.
In active session hijacking, an attacker attacks an existing active session between
a user and a server. Using a denial of service (DOS) attack, the attacker hijacks the
active session and puts himself in the place of the valid user. Before launching the
DOS assault, the attacker sniffs the connection with a packet capturing tool such as
Wireshark and collects all data packets between the user and the server. A denial
of service attack occurs when an attacker floods the target with traffic by sending a
large number of requests or a large amount of data to the target network, rendering
the server unavailable. As a result, the target system is unable to use the services
provided by the server, and the target machine may shut down or crash while trying
to handle the traffic flood. The server waits a short time before sending another
connectivity request to the user’s computer, at which point the attacker disguises
himself as the valid user and sends an acknowledgement to the server, allowing the
attacker to connect to the server in the place of the valid user. Figure 1 shows a
diagram of active session hijacking.[1]
In passive session hijacking, the attacker places himself between the valid user
and the server: he sends valid packets to the user while impersonating the server,
and receives packets from the user and forwards them to the server while
impersonating the valid user. In this passive session hijacking technique, the
attacker can make changes to the data packets without either the user or the server
being aware of the changes. As a result, the attacker is able to gather all of the
information needed for his or her nefarious activities. The attacker does, however,
have one disadvantage: the attacker can only read data between the user and the
server while the session is ongoing; if the user logs out or the server resets the
connection for any reason, the attacker will no longer be able to access the data
packets and the session will be permanently terminated.[2]
The Active Session Hijacking and Passive Session Hijacking techniques are
combined to form Hybrid Session Hijacking. To accomplish their goal, the
attackers deploy both active and passive session hijacking techniques. The
following are the two types of hybrid session hijacking:
see the packets moving over the same network, it is simple for the attacker to
monitor traffic from the same network. Attackers keep an eye on the connection
and try to estimate the TCP sequence number of the next packets, in order to use
that sequence number to obtain authentication over the connection. Attackers
determine the right sequence number and re-establish the connection with the
server using that number. But the fundamental difficulty with this approach is
that today’s routers do not broadcast packets on the network; instead, traffic is
switched, which protects packets from being seen by other hosts. To bypass this
obstacle, the attacker resets the connection, putting himself between routers and
allowing him to grab the first broadcast packet.[3]
Sniffing:
Sniffing is a type of attack in which an attacker takes over a network and steals
the session ID. The attacker keeps watching the victim’s network traffic, looking
for any packets traveling unencrypted. If the attacker finds any packets traveling
unencrypted, he checks whether they contain a session ID. If the attacker obtains
the session ID from the packet, he takes over the already established session
between the victim and the server, allowing the attacker to create a new session.
cross-site scripting (XSS). This XSS attack is also known as a client-side code
injection attack because it allows a malicious script (malicious payload) to be
executed on any website or web application. This attack essentially exploits
vulnerable targets; many websites have been patched to address these security
flaws.[4]
Reflected XSS:
When a web application returns user input in an error message, search result, or
any other response that includes some or all of the input provided by the user as
part of the request, without making that data safe to render in the browser and
without permanently storing the user-provided data, it is called reflected XSS.
Stored XSS:
Stored XSS happens when user input is stored on the target server, such as in a
database, a message forum, a visitor log, or a comment field. The saved data can
then be retrieved from the web application by a victim without the data being made
safe to render in the browser. With the development of HTML5 and other browser
technologies, we may see the attack payload being permanently kept in the victim’s
browser, for example in an HTML5 database, and never being communicated to the
server.
DOM-Based XSS:
which allows them to take control of other people’s accounts. To carry out a DOM-
based XSS attack, the attacker must insert data into a source, which will then be
• Attacker
• Victim
• Server
The victim is led to believe that the data he is transmitting over the network to the
server is secure and encrypted. However, the data in transit is not protected at all,
because the encryption has been stripped and the data travels in plain text, leaving
it vulnerable to MITM.[5]
1.2 Objectives
The long-term goal of the research is to understand the limitations and
prevention methods of various types of session hijacking. The objective of the
current study is to provide a comprehensive review of the literature and industry
practices in relation to session hijacking. Particularly, the study has the following
sub-objectives:
algorithm.
The findings of this study will be useful to practitioners and software suppliers in
establishing better session hijacking and look-ahead scheduling methods and
tools.
1.3 Methodology
A literature review and conceptual modeling are the key research methods used
in this study. The initial step towards a “Cryptography Operation Module” is to
hijack sessions in an organized manner.
This study will first review various types of session hijacking and their
characteristics. Based on this understanding, a classification method will be
developed to categorize session hijacking factors for the purpose of preventing
attacks like MITM, MitMO (Man In The Mobile attack), DOS and so on. In the
second stage of this study, existing prevention techniques for session hijacking
will be identified based on a comprehensive review of current industry practices
and academic research. Finally, once the prevention and modeling techniques are
identified, a conceptual prevention technique for session hijacking will be outlined.
1.4 Motivation
Session hijacking is one of the most dangerous attacks among several
vulnerabilities, so it is very important to secure web applications from
cyberattacks like XSS, spoofing, sniffing, and SSL stripping attacks. The attacker’s
motive is to steal the user’s data and take over control of the session. After taking
over control of the session, attackers can access all of the user’s information.
Chapter 2
Related Works
• Modified One-Time-Cookies
Chapter 3
Literature Review
While reviewing all the related papers in this particular area, it was found that
there are many ways to deal with session hijacking, such as a cookie manager, the
use of various encryption algorithms, session ID regeneration, two-way
verification, changing the cookie value after a certain period, etc. But the big
question here is whether they are feasible and, if they are, how well they will
perform in the current era of technology.
Server-Side Cookie Manager
In this paper [6], the authors’ preliminary focus was on developing a web
application whose secure session management would prevent attackers from
getting hold of a session ID. In order to do that, they used a server-side cookie
manager that assembles a Set-Cookie for the user and allocates a response cookie
from the user’s end.
Both of these are set over HTTP. But using HTTP to generate cookies is not secure
at all; using HTTPS would have been a better solution. The prevention techniques
proposed in this paper may work fine for a short period, but they are not a
long-term solution.
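As an added example (not code from the reviewed paper), the following audit checks the Set-Cookie headers of a response for the session-cookie protections the cookie manager above lacks; the cookie names treated as session identifiers and both sample responses are constructed assumptions:

```python
# Added example (not the paper's code): audit the Set-Cookie headers of an
# HTTP response the way a server-side cookie manager should, flagging session
# cookies that a packet sniffer or an injected script could read.
# The cookie names treated as session identifiers are an assumption.
from typing import Dict, List, Tuple

SESSION_COOKIE_NAMES = {"sessionid", "phpsessid", "jsessionid", "sid"}


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()   # flags get value ""
    return name, attrs


def audit_set_cookie(header: str, over_https: bool) -> List[str]:
    """Return the weaknesses found for one cookie (empty for non-session cookies)."""
    name, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if name.lower() not in SESSION_COOKIE_NAMES:
        return findings
    if not over_https:
        findings.append("issued over plain HTTP: visible to a sniffer")
    if "secure" not in attrs:
        findings.append("missing Secure: browser will resend it over HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by injected (XSS) script")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("missing SameSite=Lax/Strict: sent on cross-site requests")
    return findings


def audit_response(scheme: str, headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header of a response, keyed by cookie name."""
    over_https = scheme.lower() == "https"
    report: Dict[str, List[str]] = {}
    for field, value in headers:
        if field.lower() == "set-cookie":
            name, _ = parse_set_cookie(value)
            report[name] = audit_set_cookie(value, over_https)
    return report


# Constructed sample responses: a session cookie set over HTTP as in the
# reviewed cookie manager, beside the corrected cookie set over HTTPS.
WEAK_RESPONSE = ("http", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=7f3a9c1e; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/"),
])
HARDENED_RESPONSE = ("https", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=7f3a9c1e; Path=/; Secure; HttpOnly; SameSite=Strict"),
])
```

Calling `audit_response(*WEAK_RESPONSE)` reports four findings for `sessionid` and none for the `theme` cookie, while the hardened response reports none.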
regeneration, auto sign out, attack detection report, and protect me feature.
For modern-day prevention, these techniques are really effective, but then again
they lack security; there are quite a few vulnerabilities that can be breached.
There are better and more effective encryption techniques available
Modified One-Time-Cookies
While reviewing paper [9], we found that the authors propose preventing session
hijacking by modifying the existing One-Time-Cookie (OTC) method. They propose
a mechanism that uses OTC to prevent an attacker from gaining access to a cookie
and to the back-end server. Basically, a reverse proxy with OTC, IP address,
session ID, and browser fingerprinting is used to prevent an adversary from
capturing session credentials. Their proposed system is shown below:
Figure 3.4: Block Diagram of preventing Session Hijacking with Modified OTC
Figure 3.5: Average users experienced latency per request for cookies with HTTP, HTTPS, OTC with HTTP and OTC with HTTPS
So overall, most of the proposals from the different papers lack effective
approaches. We can use techniques such as Blowfish, AES, or DES, which are faster
and more secure, rather than the most commonly used RSA technique. As we know,
AES and DES are much more complicated than RSA; on the other hand, Blowfish is
much more efficient.
Chapter 4
Problem Statement
In paper [12], the authors proposed a reverse proxy server that employs the
concept of a one-time cookie, with each HTTP request being associated with a
unique session token. Their proposed cryptography module ensures cookie
confidentiality, authenticity, and integrity, but they used the RSA algorithm to
generate the asymmetric key pair. Their scheme can prevent session hijacking
through replay attacks and cookie poisoning attacks by using OTC instead of
expensive HTTPS connections. But if they used the Blowfish algorithm it could be
faster than RSA, because the Blowfish encryption process is 178,958% faster than
RSA, and the decryption process is 420.44188% faster than the RSA algorithm.
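As an added example that is not part of this paper or of the reviewed OTC schemes, the following sketch shows the per-request one-time-cookie check described here and in the Modified One-Time-Cookies review above: a token bound to the session, a counter the proxy accepts only once, and the request line. It assumes HMAC-SHA256 with a per-session secret in place of the RSA key pair the reviewed scheme uses, and a "<counter>.<mac>" token format of our own.

```python
# Added example (not from the paper or the OTC papers it reviews): a minimal
# one-time-cookie check of the kind a reverse proxy could run. Each request
# carries a token bound to the session, a monotonic counter and the request
# line; a counter is accepted once, so a captured token cannot be replayed,
# and a tampered token fails the MAC. HMAC-SHA256 with a per-session secret
# is used here in place of the RSA key pair the reviewed scheme describes.
import hmac
import hashlib
import secrets
from typing import Dict, List


def make_otc(key: bytes, sid: str, counter: int, method: str, path: str) -> str:
    """Token = "<counter>.<hex MAC over session id, counter and request line>"."""
    msg = f"{sid}|{counter}|{method}|{path}".encode()
    return f"{counter}." + hmac.new(key, msg, hashlib.sha256).hexdigest()


class OtcClient:
    """Browser side: holds the per-session secret and a strictly increasing counter."""

    def __init__(self, sid: str, key: bytes):
        self.sid, self.key, self.counter = sid, key, 0

    def token_for(self, method: str, path: str) -> str:
        self.counter += 1
        return make_otc(self.key, self.sid, self.counter, method, path)


class OtcProxy:
    """Reverse proxy side: issues sessions and verifies one token per request."""

    def __init__(self):
        self._sessions: Dict[str, List] = {}   # sid -> [key, last accepted counter]

    def new_session(self) -> OtcClient:
        sid, key = secrets.token_hex(16), secrets.token_bytes(32)
        self._sessions[sid] = [key, 0]
        return OtcClient(sid, key)    # key shared at login (assumed out of band)

    def verify(self, sid: str, token: str, method: str, path: str) -> bool:
        entry = self._sessions.get(sid)
        if entry is None:
            return False
        key, last = entry
        try:
            counter = int(token.split(".", 1)[0])
        except ValueError:
            return False
        if counter <= last:            # replayed (or reordered) token
            return False
        expected = make_otc(key, sid, counter, method, path)
        if not hmac.compare_digest(expected.encode(), token.encode()):
            return False               # poisoned or forged token
        entry[1] = counter             # consume the counter
        return True
```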
Here [13] the authors presented Cookie Monster, a process-driven experiment
that can be run against any cookie-granting (i.e. session identifier generating)
application to test the strength of the cookie generation algorithm. As long as
session identifiers are granted to requesting client machines, the Cookie Monster
processes are applicable to any operating system, web server, and web
application. Their Bockscar tool was created to automate the entire process of
being assigned a unique session identifier, which was then analyzed to determine
how many consecutive sessions could be requested before the application
assigned a duplicate. Their Cookie Monster process is introduced in the following
steps:
1. Log into a web application with the attacker machine running Bockscar and
2. Retrieve the assigned cookie from the attacker’s machine and store it in a
3. Save the assigned cookie in a database that stores both the cookie and the
timestamp.
4. End the session between the attack computer and the web application so
that the next web request can be issued to the same attacker machine with
a new unique code.
They concluded the setup and execution of the entire experiment in a 90-day
window, as introduced. To be a credible testing tool, their Bockscar tool requires
considerable exception handling work. Too many unexpected problems caused
testing to be postponed until a new iteration of cases could be run. Their process
was too lengthy and time consuming, and they faced a lot of errors during the test
process.
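As an added example (not the authors' Bockscar tool), the following script runs the duplicate-detection step of the Cookie Monster process against two constructed session-identifier issuers, one deliberately weak and one drawn from the OS random source, storing each identifier with a timestamp and reporting how many sessions were issued before the first repeat:

```python
# Added example (not the Bockscar tool): the duplicate check at the heart of
# the Cookie Monster process, run against a constructed session-ID issuer.
# It requests N identifiers, stores each with a timestamp, and reports how
# many consecutive sessions were issued before a duplicate appeared, plus a
# rough entropy estimate. Both issuers below are constructed for the demo.
import hashlib
import math
import secrets
from collections import Counter
from typing import Callable, Dict, List, Tuple

Issuer = Callable[[int], str]   # request number -> session identifier


def weak_issuer(request_no: int, clock_seconds: int = 1_700_000_000) -> str:
    """Constructed weak generator: hash of a second-resolution clock and a 4-bit counter."""
    return hashlib.md5(f"{clock_seconds}-{request_no % 16}".encode()).hexdigest()


def strong_issuer(request_no: int) -> str:
    """128 bits from the OS CSPRNG; the request number is ignored."""
    return secrets.token_hex(16)


def collect(issuer: Issuer, n: int) -> List[Tuple[int, str]]:
    """Steps 1-4: log in, fetch the cookie, store it with a timestamp, end the session."""
    return [(t, issuer(t)) for t in range(n)]   # t doubles as the timestamp here


def entropy_bits_per_char(ids: List[str]) -> float:
    """Shannon entropy of the character distribution over all identifiers."""
    counts = Counter("".join(ids))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def analyze(log: List[Tuple[int, str]]) -> Dict[str, float]:
    """Report unique count, duplicates and the first request that repeated an ID."""
    seen: Dict[str, int] = {}
    first_dup = None
    for t, sid in log:
        if sid in seen and first_dup is None:
            first_dup = t
        seen.setdefault(sid, t)
    ids = [sid for _, sid in log]
    return {
        "issued": len(log),
        "unique": len(seen),
        "duplicates": len(log) - len(seen),
        "first_duplicate_at": -1 if first_dup is None else first_dup,
        "entropy_bits_per_char": round(entropy_bits_per_char(ids), 2),
    }
```

For 200 requests the weak issuer yields only 16 distinct identifiers, with the first duplicate at request 16, while the strong issuer yields no duplicates.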
In paper [14], the authors focused on detailing the session hijacking attack and
demonstrated how harmful it is to network security. In this work they explore
numerous defenses against the session hijacking assault, which do not completely
prevent the attack but make it more difficult for the attacker to succeed. There
are still many adjustments that need to be made to web applications and servers
in order to permanently end the session hijacking assault. The main focus of this
work is on session hijacking countermeasures. They did not show any
In paper [15], the authors shared their analysis and evaluation of SSL/TLS
attacks. SSL/TLS is the most popular and extensively used application for
safeguarding web browser sessions. TLS can also be used to establish a VPN by
tunneling a complete network stack, as well as to provide authentication and
encryption for SIP and any other client-server interaction. Their second section
examines certain SSL/TLS-related exploits. Section three discusses the flaws of
current attacks as well as the limitations of current countermeasures. The SSL
Record Protocol is the bottom layer, whereas the SSL Handshake Protocol, SSL
Alert Protocol, and SSL Change Cipher Spec Protocol are the three sub-protocols of
the higher layer. Data fragmentation, compression, authentication, and encryption
are all features of the SSL Record Protocol. The SSL Handshake Protocol allows two
parties (server and client) to authenticate each other and negotiate encryption,
MAC techniques, and cryptographic keys. Alert messages are sent via the SSL
Record Protocol using the SSL Alert Protocol. This report investigated the most
common assaults and their countermeasures. Certain attacks are only
semi-practical, but with some improvements they could become feasible in the
near future.
Chapter 5
Gap Analysis
in two-way authentication, each client and server must obtain their certificates
from CAs. Thus, once all aspects have been verified by one another, an SSL
connection may be successfully established.[16]
• Each client must obtain an SSL certificate from a CA. This can be a problem
Client.
• Asymmetric encryption and decryption like SSL is about 1000 times slower
client must use SSL to verify each other. So the connection speed will be
In the Gateway:
All operations between client and server (on the Internet) are ARP over standard
gateways is insecure, allowing attackers to use them. victim node. The gateway
may also use a static ARP table to prevent this attack. [17]
• Not suitable for wireless networks specially with DHCP configuration such
EV SSL Certificate:
An EV SSL certificate is a new type of SSL certificate, also known as an extended
validation certificate. Generic SSL certificates are relatively easy to obtain from
certificate authorities, so plain SSL certificates have contributed to phishing
attacks. On the other side, getting an EV SSL certificate requires careful CA
authentication. All applicants to CAs must meet uniform criteria that require
verification of their legal nature and of their use of the domain. [16]
• The cost of obtaining an EV SSL certificate is 1.5 to 2.5 times more expensive
web browsers. It does not recognize the EV SSL certificate separately. In this
Cookie Proxy:
Chapter 6
Comparative Analysis
S/N | Author | Title | Methodology | Limitations
1 | Israel O. Ogundele, Abigail O. Akinade et al. | Detection and Prevention of Session Hijacking in Web Application Management | Various types of session hijacking and how the attack works | Didn’t use more efficient encryption techniques
2 | Abeer W. Eldewahi, Tasneem M. H. Sharfi, Abdelhamid A. Mansor et al. | SSL/TLS Attacks: Analysis and Evaluation | The most popular and extensively used application | This report investigated the most common assaults and countermeasures only.
3 | Joshua J. Pauli, Patrick H. Engebretson, Michael J. Ham et al. | Cookie Monster | Automate the entire process of being assigned a unique session identifier. | Their Bockscar tool faced a lot of errors in the test process.
8 | Karis D’silva et al. | An Effective Method for Preventing SQL Injection Attack and Session Hijacking | Preventing SQLi & session hijacking attacks using the SHA-1 hashing algorithm. | They mainly focused only on SQLi attacks & prevention.
Table 6.1: Comparative analysis among existing countermeasures
Conclusion
This paper provides all the information about the session hijacking attack and
shows how dangerous it is for network security. Many people are still unaware of
this kind of attack, and network security experts also do not take it very
seriously; because of this lack of knowledge of the session hijacking attack, there
is still poor session management in some web applications and web servers. We
would like to conclude this paper by proposing an idea that could work better in
the prevention of session hijacking: there is a new algorithm in the process called
Blowfish.
We highly recommend that future researchers work more on the Blowfish
algorithm in order to give users a more secure internet experience.
Appendix A
Our survey has been conducted based on the following factors:
• Usability and User Friendliness: If an approach does not need any special
configuration, then the approach can be called user-friendly and it will be
an effective solution. An approach cannot be called user-friendly if it
requires too much configuration or is too expensive to deploy.
• Resource Utilization: Some of the existing approaches need high RAM,
CPU, high network bandwidth usage, or storage on the server side and client
side. If any of these is missing, then the approach may not succeed in
mitigating the attack or will be slow in response.
Bibliography
[1] P. Kamal, “State of the art survey on session hijacking,” Global Journal of
Computer Science and Technology, 2016.
[3] V. Jain, D. R. Sahu, and D. S. Tomar, “Session hijacking: Threat analysis and
countermeasures,” in Int. Conf. on Futuristic Trends in Computational
Analysis and Knowledge Management, 2015.
[6] C. Palmer, “Secure session management with cookies for web applications,”
iSEC Partners, Inc, 2008.
ACM Transactions on Internet Technology (TOIT), vol. 12, no. 1, pp. 1–24,
2012.
[16] K. Cheng, M. Gao, and R. Guo, “Analysis and research on HTTPS hijacking
attacks,” in 2010 Second International Conference on Networks Security,
Wireless Communications and Trusted Computing, vol. 2. IEEE, 2010, pp.
223–226.