tailieunhanh - Module 15 Session Hijacking

In computer science, session hijacking is the exploitation of a valid computer session (sometimes also called a session key) to gain unauthorized access to information or services in a computer system. In particular, the term refers to the theft of the magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, because the HTTP cookies used to maintain a session on many web sites can be stolen by an attacker using an intermediary computer, or by an attacker with access to the saved cookies on the victim's computer (see HTTP cookie theft).

Ethical Hacking and Countermeasures, Version 6, Module XV: Session Hijacking

News: Holes in Embedded Devices: IP-based session management
29/01/2008 10:39:22, posted by GNUCITIZEN

Devices that implement IP address-based session management follow the algorithm described by the pseudocode below:

    if submitted username and submitted password == credentials in device config then
        whitelist the user's source IP address

The implications are obvious: devices located in environments in which different users share the same proxy are vulnerable to administrative session hijacking attacks.

Please note that this session hijacking attack has nothing to do with the classic TCP hijacking attack, in which sequence numbers are predicted by the attacker. Attacking a device susceptible to an IP address-based session management vulnerability therefore does not require the attacker to intercept or sniff the traffic between the victim admin user and the target device. Rather, this attack performs session hijacking at the HTTP application layer by supplying the one piece of information the target device uses to decide who has access to authenticated resources on the web console: in this case, a trusted source IP address.

As an example, let's consider a corporate environment in which hundreds of users share the same proxy while browsing the web. Now let's imagine that the administrator of the vulnerable device never checked the "Bypass proxy server for local addresses" option in his or her web browser. In other words, the administrator usually configures the vulnerable device through the same proxy that everyone else in the network uses, so the device sees the proxy's address as the source IP of the admin session. The result is that any malicious user browsing through the same proxy as the administrator can gain full administrative access via the web console by simply typing the device's IP address into the browser's address bar. Of course, this attack would be more realistic by automating the process of hijacking the admin session on the web
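The scenario above, simulated in code. This is an added example, not code from the original page, from the CEH courseware or from GNUCITIZEN: it models a device web console that whitelists the source IP after login (the vulnerable pattern), beside one that issues a random session token in a cookie, and replays the shared-proxy situation against both. The proxy address, credentials, paths and class names are all constructed for the demonstration.

```python
"""
Added example (not from the original page or from GNUCITIZEN): IP-address-based
session management on an embedded device's web console, simulated beside a
token-based alternative. Every address, credential and path here is constructed.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """A constructed HTTP-style request as the device sees it. src_ip is the
    address of the TCP peer that connected, i.e. the proxy when one is used."""
    src_ip: str
    path: str
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


# Device configuration (constructed): a single admin account.
CONFIG_USER = "admin"
CONFIG_PASS = "s3cret"


def creds_ok(form):
    """Compare submitted credentials with the device config in constant time."""
    return (hmac.compare_digest(form.get("username", ""), CONFIG_USER)
            and hmac.compare_digest(form.get("password", ""), CONFIG_PASS))


class IpSessionDevice:
    """Vulnerable pattern: after a good login the device whitelists the
    *source IP* and treats every later request from that IP as authenticated."""

    def __init__(self):
        self.whitelist = set()  # source IPs believed to be the admin

    def handle(self, req):
        if req.path == "/login":
            if creds_ok(req.form):
                self.whitelist.add(req.src_ip)  # the flaw: identity == source IP
                return "200 logged in"
            return "401 bad credentials"
        # Every other path is an authenticated resource of the web console.
        if req.src_ip in self.whitelist:
            return "200 admin page"
        return "403 not authenticated"


class TokenSessionDevice:
    """Hardened alternative: identity is an unguessable session token carried in
    a cookie, so sharing a source IP with the admin proves nothing."""

    def __init__(self):
        self.sessions = set()  # live session tokens

    def handle(self, req):
        if req.path == "/login":
            if creds_ok(req.form):
                token = secrets.token_urlsafe(32)
                self.sessions.add(token)
                # A real device would send this as Set-Cookie with HttpOnly and Secure.
                return "200 logged in; Set-Cookie: sid=" + token
            return "401 bad credentials"
        sid = req.cookies.get("sid")
        if sid is not None and sid in self.sessions:
            return "200 admin page"
        return "403 not authenticated"


def run_shared_proxy_scenario(device):
    """Admin and attacker both browse through one proxy, so the device sees the
    same source IP for both. Returns the response each party receives."""
    proxy_ip = "10.1.1.1"  # constructed: the corporate proxy's address
    login = device.handle(Request(proxy_ip, "/login",
                                  form={"username": CONFIG_USER,
                                        "password": CONFIG_PASS}))
    # The admin's browser keeps whatever cookie the device set (if any).
    admin_cookies = {}
    if "Set-Cookie: sid=" in login:
        admin_cookies["sid"] = login.split("sid=", 1)[1]
    admin_view = device.handle(Request(proxy_ip, "/admin", cookies=admin_cookies))
    # The attacker never logged in and holds no cookie; they just type the device IP.
    attacker_view = device.handle(Request(proxy_ip, "/admin"))
    return {"admin": admin_view, "attacker": attacker_view}


if __name__ == "__main__":
    for dev in (IpSessionDevice(), TokenSessionDevice()):
        print(type(dev).__name__, run_shared_proxy_scenario(dev))
```

Against `IpSessionDevice` the attacker's bare request to `/admin` is answered with the admin page because the proxy's address is already whitelisted; against `TokenSessionDevice` the same request is refused, since the attacker never received the session cookie. The same check applies to any device whose console authorizes by source address: log in once through a proxy or NAT, then repeat a privileged request from a second client behind the same egress address without any cookie.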