
Session hijacking: What is it and how to prevent illegal access to your data

Session Hijacking

Currently, large numbers of people are migrating to teleconferencing services to work. This offers advantages and obstacles that some companies have not taken into account. Concerns about online security have increased as the COVID-19 epidemic has advanced. One of these problems is session hijacking, and you can already see why it’s important to address it.

The FBI revealed that it has received many reports of hijacked video conferences. In these instances, someone sabotaged the meetings by displaying inappropriate content. Two schools in Massachusetts reported intruders in their online classes. Also, in one of these cases, the intruder yelled out the address of the teacher’s home. This proves not only the importance of checking your security systems; it proves that valuable information is at risk when accessing these online tools.

What is session hijacking?

Session hijacking is the exploitation of a computer session to get illegal access to its data. A web application typically stores the session identifier in a cookie, and the user’s browser presents that cookie to authenticate itself to the remote server. If an attacker steals the cookie, they can use it to hijack the session. Session IDs are a delight for malicious hackers: with a valid session ID, an attacker gains unauthorized access to the web application and impersonates a legitimate user.

Most session hijacking methods focus on cookies because they are most often used to carry session information. In general, there are three main methods of obtaining a valid session ID:

Session Prediction

Session prediction attacks are those in which the attacker tries to guess a valid session ID (belonging to any user). This is usually done based on how the application generates IDs. A session ID must be unique and hard to guess, which is why the recommendation is to use long, randomly generated values. In fact, it’s better to use a session management library to generate such IDs. However, some companies choose to generate their IDs themselves and don’t do it well. This opens the door to more session hijacking attempts.

For example, a developer could generate an ID by base64-encoding the current Unix epoch timestamp. This would produce a valid session ID like this: MTU4MDMwMDE1OQ==. If the attacker discovers that this scheme is in use, they can guess a session token by base64-encoding different epoch values.

A brute force attack is also a form of session prediction. This occurs when the web server is not protected against multiple login attempts. If the session key is short, the attacker can try all possible values until they get the one that works.
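As an added illustration (not code from the article or from GB Advisors), the following Python reconstructs the weak base64-epoch scheme next to a hardened generator, and adds an audit check a defender can run over issued IDs to flag ones that decode to a timestamp. The function names and the year range used by the check are my own assumptions.

```python
import base64
import secrets


# Weak scheme from the article: the ID is just the Unix epoch, base64-encoded,
# so whoever knows the scheme can rebuild it from the session's creation time.
# (Reconstruction for illustration, not any real product's code.)
def weak_session_id(epoch: int) -> str:
    return base64.b64encode(str(epoch).encode()).decode()


# Hardened replacement: 32 bytes from the OS CSPRNG, URL-safe base64.
# 256 bits of entropy is out of reach for guessing or brute force.
def secure_session_id() -> str:
    return secrets.token_urlsafe(32)


def looks_like_encoded_epoch(session_id: str) -> bool:
    """Audit check: does this ID decode to a plausible Unix timestamp?

    Flags sessions minted by a predictable generator. Accepts standard and
    URL-safe base64 and tolerates missing '=' padding.
    """
    sid = session_id.strip()
    padded = sid + "=" * (-len(sid) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            raw = decoder(padded)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if raw.isdigit():
            value = int(raw)
            # roughly 2001..2100 (assumed window), in seconds or milliseconds
            if 978_307_200 <= value <= 4_102_444_800:
                return True
            if 978_307_200_000 <= value <= 4_102_444_800_000:
                return True
    return False
```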

Session Side-Jacking

This term describes session hijacking attacks by a man in the middle (MITM). The attacker eavesdrops on the traffic between the server and the client and intercepts a valid ID. If the traffic is not encrypted, the attacker places a sniffer on the same network as the client. This sniffer monitors network traffic, user connections, and packets. This works on public Wi-Fi networks, whose use is a common practice in the current contingency.

When a website or application uses only encrypted connections, this kind of sniffing doesn’t work. For this reason, the recommendation is to use tools that encrypt the private data exchanged with the server.

Session fixation

This happens when the attacker obtains a valid, unused session ID. The attacker then provides it to the user, who uses it to authenticate themselves in the session. For such attacks to work, the attacker must first determine which session ID format is valid. Through a technique such as phishing, the attacker tricks the user into clicking a malicious link carrying that ID. The user then logs in with their credentials, and the ID the attacker already knows becomes associated with an authenticated account.

The exact stages of the attack and its difficulty depend on many factors. For example, if the app saves session data, the attacker may need to create a fake phishing site. It becomes more difficult for the attacker if session IDs are only accepted from cookies. In that case, the attacker must resort to techniques such as Cross-site Scripting (XSS).

Cross-site Scripting (XSS)

Cross-site Scripting refers to client-side code injection attacks. First, the attacker includes malicious code on a page or application. When the victim visits the web page or app, the malicious script is loaded into the user’s browser. Such malicious code accesses session cookies and sends them to the attacker’s server.

A web page or web application is vulnerable to XSS if it uses unprotected user input. The best way to prevent these attacks is by scanning the victim’s browser. There are many scanning tools that execute these scans regularly.

How can you defend yourself against session hijacking?

There are different ways to prevent session hijacking. There are even ways to detect session hijacking attempts before they succeed. To keep your session IDs secure, follow these steps:

  • Don’t generate your own session IDs. Use a well-tested session management library to generate them.
  • Use HTTPS (a valid TLS certificate) on all your pages. Don’t limit yourself to the login page.
  • Regenerate the session ID after each user logs in.
  • Log out inactive users. Invalidate session IDs after a set amount of time.
  • But most importantly: scan your website or web application with a vulnerability scanner.
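The steps above, applied together in one small server-side session store, as an added example that is not code from the article or from GB Advisors: the ID comes from a CSPRNG, it is rotated at login (which is what defeats session fixation), sessions expire on idle and absolute timeouts, and the cookie is marked Secure and HttpOnly. The class, timeouts and cookie name are my own assumptions.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds without activity before invalidation
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap regardless of activity


class SessionStore:
    """Server-side session table keyed by an unguessable ID."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested
        self._sessions = {}      # sid -> {"user", "created", "last_seen"}

    def _new_record(self, user):
        sid = secrets.token_urlsafe(32)  # CSPRNG, never a timestamp or counter
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def create_anonymous(self) -> str:
        return self._new_record(None)

    def login(self, presented_sid: str, user: str) -> str:
        """Authenticate and rotate the ID so a planted (fixated) ID dies here."""
        self._sessions.pop(presented_sid, None)  # discard the ID the client brought
        return self._new_record(user)

    def resolve(self, sid: str):
        """Return the session record for sid, or None if unknown or expired."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["last_seen"] > IDLE_TIMEOUT or now - rec["created"] > ABSOLUTE_LIFETIME:
            del self._sessions[sid]  # expire server-side, not only in the cookie
            return None
        rec["last_seen"] = now
        return rec

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def session_cookie(sid: str) -> str:
    """Set-Cookie value: Secure (HTTPS only), HttpOnly (hidden from scripts), SameSite."""
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

Because the store only ever honours IDs it minted itself, an ID supplied from the outside (as in session fixation) never maps to an authenticated record.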

The importance of vulnerability scanning

Vulnerability scanning tools find new and existing threats that may affect your apps. They allow you to recognize, classify and characterize vulnerabilities. They can cover computers, network infrastructure, software and hardware systems alike.

Acunetix is the most reliable tool on the market to secure your website. It is a scanner that works with any kind of code, including HTML5, JavaScript and PHP. It detects irregularities in the code and generates reports for the administrator. These reports allow a comprehensive analysis of how the website’s security evolves over time. It even generates recommendations on how to detect and repair security flaws.

If you want to know more about this tool, please contact us. At GB Advisors we offer the best software on the market. We have a team of professionals ready to help you on your way to a more efficient IT environment.
