#1
  1. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2001
    Posts
    181
    Rep Power
    14

    Session hijacking


    Next week, I will present my project about web security with my advisor. I have many question with session hijack

    1. If I login in some website and url is http://www.somewebsite.com/staff.ph...345678910abcdef

    if someone use sniffer to sniff this url and enter this url. So he can use my session and act as me in this session. Is this call Session hijack?

    2. if 1 is session hijack. If http://www.somewebsite.com/staff.php not pass session ID in url but keep Session ID in cookie on client (Which keep in memory not text file). In this situation, If intruder want to hijack session. Is intruder must have session ID in his computer's memory. Is it possible to do?

    3. in 1. someone use sniffer to sniff url and get http://www.somewebsite.com/staff.ph...345678910abcdef but if this site use ssl , Is intruder can sniff and get url http://www.somewebsite.com/staff.ph...345678910abcdef and act as me?

    4. I test by login into hotmail and yahoo mail. when I already login and click to inbox. I copy url in inbox page

    http://us.f144.mail.yahoo.com/ym/lo...d=4pr0eksnhfbc4
    and
    http://lw15fd.law15.hotmail.msn.com...56ff083f01ad68f

    I sent this url to my frient and ask he to open it. but when he open this url. he get login form not inbox page.
    How these site make session secure?
  2. #2
  3. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2001
    Posts
    29
    Rep Power
    0
    Now I'm no php expert, but I think I may be able to help you. The trick is to use sessions to register some variable other than the session_id, and then check for this variable when the user tries to access a page requiring said variable. For example if you ask someone to enter a username before accessing a page, you would do something like this:

    PHP Code:
    <?php
    session_start
    ();
    session_register("username");
    ?>
    This way the registered variable is not passed in the URL, and so it cannot just be copied and pasted by someone else.

    To verify that the variable $username is set, you could just use an if statement near the head of any page that you want made secure:

    PHP Code:
    <?php
    if(!isset($username)) {
    ?>
    Page with login form
    <?php

    } else { 
    ?>
    Whatever page you are protecting
    <?php
    ?>
    There are more eloquent ways of doing this but I think this gives you the basic idea of what is going on.
  4. #3
  5. No Profile Picture
    Apprentice Deity
    Devshed Loyal (3000 - 3499 posts)

    Join Date
    Jul 1999
    Location
    Niagara Falls (On the wrong side of the gorge)
    Posts
    3,237
    Rep Power
    19
    1. Yes

    2. Yes. Cookies can be spoofed. You have no control over what's on the client's computer. He could have hacked his browser or written his own (fairly simple with the open source browsers out there).

    3. No. SSL would prevent hijacking. Of course it would have to be used exclusively on pages that use sessions.

    4. There are way too many possibilities here. The most obvious is time. Was the session still active when your friend went there? Another is that the server looked at the user agent strings. Unfortunately, this can be spoofed as well, but your friend probably didn't do that. Less likely, they looked at the IP, but again that can be spoofed AND would block some legitimate users. There are several others, but the ONLY secure way is to use SSL. This is true for ALL server side technologies trying to maintain state, NOT just PHP.
  6. #4
  7. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2001
    Posts
    181
    Rep Power
    14
    Thanks very much. I have more question from question 2.

    1. If browser is Netscape and IE (not opensource), Is intruder can hack it. Do you know how to? because it keep in memory.

    2. If some website keep cookie in text file, which contain username and password.so when I visit website. I don't need login everytime. It automatic login. If intruder sniff cookie and copy in his computer. Can he automatic login with me?

    3. If my computer have about 30 cookies in text file. If I visit amazon website, and this website read it's cookie. How it know that this cookie is it's cookie.

    4. Can amazon website read cookie from other website on my computer? Is anyway to do it?

    If you have more information about this topic, please let me know? especially how to do it?

    Thanks again.
  8. #5
  9. No Profile Picture
    Apprentice Deity
    Devshed Loyal (3000 - 3499 posts)

    Join Date
    Jul 1999
    Location
    Niagara Falls (On the wrong side of the gorge)
    Posts
    3,237
    Rep Power
    19
    1) Huh? A cracker isn't going to go after the cookie in the client software. He'll sniff it as the packet is in transport.

    2) Yes.

    3) You don't need to know. The browser handles this, but the spec is on Netscape's site, or at least it used to be. MS may have it as well. No standard has to be followed by the browser since only that browser will look at it's cookies. Just as long as it can find the cookie based on the domain name...

    4) Not supposed to be able to. Of course, MS has been infamous for allowing security holes...

    Why would I tell you how to do it? You want to crack some site?
  10. #6
  11. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2001
    Posts
    181
    Rep Power
    14
    Why would I tell you how to do it? You want to crack some site?
    No, I don't want hack website. I only want to know how to do it. as I tell you, Next week, I will present my project. I'm 4 years student major computer engineering.

    My project is about Web Security.
    So I want to know

    I must present how to hack it and how to protect it.

    In my project I'm research about

    Openbsd Security
    Apache Security
    MySQL Security
    PHP Security

    I know these problem can solve with SSL. But I want to present, if not SSL. What happen!!
  12. #7
  13. phpkid ~~~~~~ :o)
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Nov 2000
    Location
    NJ, USA
    Posts
    2,534
    Rep Power
    16
    See from your questions I can see that you don't have much idea about how cookie works and how in general sessions are being utilised by websites.

    I wonder in that situation how you would learn , how to hack/crack it.

    I guess you need to know more about the basics.

    JD
    _____________________________
    d.k.jariwala (JD)
    ~ simple thought, simple act ~
    I blog @ http://jdk.phpkid.org

IMN logo majestic logo threadwatch logo seochat tools logo