Is HTTPS the only defense against Session Hijacking in an open network?

security session encryption https cryptography
18,925

Solution 1

Firesheep is nothing new. Session hijacking has been around for as long as web applications have been using Session IDs. Usually hackers just set their own cookie by typing this into the address bar: javascript:document.cookie='SOME_COOKIE'. This tool is for script kiddies that fear 1 line of JavaScript.

Cookies can be hijacked if you don't use HTTPS for the entire life of the session and this is a part of OWASP A9 - Insufficient Transport Layer Protection. But you can also hijack a session with XSS.

1) Use httponly cookies.

2) Use "secure cookies" (Horrible name, but it's a flag that forces the browser to make the cookie HTTPS only.)

3) Scan your web application for XSS.

Also don't forget about CSRF! (Which Firesheep doesn't address.)

Solution 2

The Rook has answered some of it, I'll just answer the other parts of your question.

Is 100% HTTPS at all times the only way to prevent this type of session hijacking?

That's right. 100% HTTPS is the only way. And 100% is key.

Couldn't people simply sniff the entire HTTPS Traffic including the handshake, or is this stuff safe? (I'm thinking of replay attacks, but have no knowledge in that area)

HTTPS has built-in protection against replay attacks. If implemented correctly, HTTPS is truly safe.

Even if HTTPS is implemented correctly, there are ways to get around it. SSL Strip is one such tool. The tool doesn't exploit SSL, it just exploits the fact that people always type mybank.com in the url instead of https://mybank.com.

Solution 3

I do beleive SSL is cheap and a complete solution. But till you dont have it or looking for some extra layers here is how to protect your SESSIOn data.

As always defence in dept is the way to go. 1st Use Sessions to store user login data 2nd If admin logged in also check for DB, might slows a little but as there is a small number of admins and rest are users this is a feasible security plus. 3rd PROTECT YOUR SESSION <= !

Session protection: Put session start into an object file where you call an "is_session_valid()" function on self construct. This function would check for (IP / TIME / Browser) for $_SERVER superglobal, and store them in session. Up on Next load see if values are the same if not just waste no more resources logout user and show index page.

This is not a complete solution as it might be same browser on same network e.g. Wifi with lot of users and session hijacked might also be recent (in time). But till no SSL is used this is FAR BETTER then nothing. Anyhow rarely happens that the victim and the hijacker use same everything....so this effectively mitigates chances of successfull attack even without any SSL!

Original idea by Kevin Skoglund if ineterested in securing your APP see his secure PHP tutorial. https://www.lynda.com/PHP-tutorials/Creating-Secure-PHP-Websites/133321-2.html

P.S. Several other defenses (CSRF least) needs to be used to have a somewhat secure AP

Bye :-)

Share:
18,925
Michael Stum
Author by

Michael Stum

The same thing we do every night, Pinky. Try to take over the world! Full-Stack Developer on Stack Overflow Enterprise, working to make our little corner of the Internet better for all of us.

Updated on June 14, 2022

Comments

  • Michael Stum
    Michael Stum almost 2 years

    So with Firesheep, everyone in a public Wi-Fi now has a one-click session hijack tool.

    The way it works - to my understanding - is that it simply captures all traffic and grabs the session cookie (so it doesn't steal passwords).

    From my understanding, this also means that a HTTPS secured login does not solve this alone, as further HTTP traffic would include the Session Cookie in clear text again.

    Tying the session to a specific IP address is useless thanks to NAT, and tying it to the user agent is easy to spoof.

    So is 100% HTTPS at all times the only way to prevent this type of session hijacking? Couldn't people simply sniff the entire HTTPS Traffic including the handshake, or is this stuff safe? (I'm thinking of replay attacks, but have no knowledge in that area.)

    Of course, not using public/open Wi-Fi Networks is the better choice, but I'm still interested what a website developer can do to protect his/her users.

  • Kenny Cason
    Kenny Cason over 13 years
    "this tool is for script kiddies that fear 1 line of JavaScript." haha +1 as soon as I can vote again
  • Konrad Rudolph
    Konrad Rudolph over 13 years
    No, this tool is for dumb executives that need to be shown that anyone can hack their precious site.
  • splattne
    splattne over 13 years
    http session hijacking has been going on for more than two decades? Really?
  • Michael Stum
    Michael Stum over 13 years
    Indeed, Session Hijacking is old, but it is still seen as a theoretical issue. Especially since having 100% HTTPS is quite expensive (Certs and Increased Server load) it's often neglected. Hence wondering if it's the only possibility - seems so, as Secure Cookies expect to run on HTTPS and HttpOnly doesn't help at all if you intercept at a network level.
  • telent
    telent over 13 years
    The first browser to support cookies was (according to wikipedia) netscape .9 beta (october 1994). "Two decades" is probably pushing the timeline a bit ...
  • Darron
    Darron over 13 years
    HTTP Session hijacking also can be used against session ID's in query parameters.
  • rook
    rook over 13 years
    @Michael Stum a ssl handshake is cached. HTTPS is very cheap and is the only way to provide a secure session for your users. (Period end of story.)
  • rook
    rook over 13 years
    @telent yes i agree with Darron, session id's where transmitted via GET before cookies. Sessions are as old as web applications, so probably more than 2 decades.
  • rook
    rook over 13 years
    +1 for ssl strip. Although i thought it was obvious that https must be used 100% of the time. Oah well.
  • telent
    telent over 13 years
    It's 2010. Two decades ago it was 1990. I am prepared to bet that there were not many web applications in 1990 whose users were at risk of being sniffed on open wireless networks. The 802.11b standard only appeared in 1999, after all
  • telent
    telent over 13 years
    I'm not disputing that the potential exists, but to dismiss Firesheep as "nothing new" is to neglect the social and PR aspects of its release more than slightly. Now we can get managers to agree it's a real risk, at last - isn't that something new?
  • Piskvor left the building
    Piskvor left the building over 13 years
    @telent: Cue the wave of denial in 3...2...1... (Real Story: Many moons ago, I was tasked to "check for security issues;" I found several, wrote a simple and scary proof-of-concept, the execs' reaction was "Nah, who would want to hack us? We need more cowbell instead." Then one day, a normal user incidentally typed 150; instead of 150 into a form and deleted all their records for the day (seriously!). Some security fixes were allowed after that. Luckily, I no longer work there)
  • Piskvor left the building
    Piskvor left the building over 13 years
    @telent: On the other hand, two decades ago, most people on an Ethernet network would not be connected through layer-2 switches, but using a shared medium - e.g. a BNC coax, or 10BaseT with hubs. So, like with open wireless, each computer could see all traffic on that network segment. Basically the same issue on a different physical medium.
  • Michael Stum
    Michael Stum over 13 years
    I'm not sure if the 'two decades ago' remark is worth that much discussion :) It's been around for ages, that's true. FireSheep is an old concept, but it's a high visibility tool that now makes session hijacking available to your mom, not just to script kiddies anymore. Also, it shows again that WLAN (which works like a Hub rather than a Switch) is absolutely insecure, no matter what. Hence my question, because for my next web app I'd really like to avoid this :)
  • rook
    rook over 13 years
    @Michael Stum your right about the whole 2 decades nonsense, i changed my post. As an application developer I am not too concerned with unskilled attackers. This attack is trivial to defend against from the application's preservative, just set a few cookie flags. On a side note I am happy to see that people are taking OWASP A9 more seriously.
  • martinstoeckli
    martinstoeckli over 12 years
    To use HTTPS all the time is surely the best way, but not the only possible. You can leave the session cookie unsecure to maintain the session, and have a second (HTTPS only) cookie to handle the authentication. It's a good way to separate the two concerns maintaining the session and authentication, even when using HTTPS all the time.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to make TLS connection from PHP in web server, and safely
Can HTTPS connections be hijacked with a man-in-the-middle attack?
SSL session persistence and secure cookies
AES with password based SecretKeySpec vs PBE
How difficult is it to crack HTTPS?
Two SSL certificates with same key
Strength of RSA Encrypting an AES Key
How should I create my DES key? Why is an 7-character string not enough?
SecureRandom safe seed in Java
Sending password safely from the front-end to the back-end using MD5