Cookie Protection for Avoiding Session Hijacking Attacks - Introduction

When developing a web application or web page, sessions and cookies are the most important factors both for handling user operations and for providing adequate security to the application. Attackers use many ways to attack web-based applications, but most of the time they use session hijacking, because it is very easy to do and the attacker needs little effort to break into the system [the stolen session already carries the permissions granted to the user]. So a session/cookie implementation alone is not enough; a proper [Secure/HttpOnly] cookie/session implementation is needed.

This blog post covers how to create a cookie/session, how to read a cookie, what session hijacking is, and how to protect against it.

What is a cookie?

A cookie is a small piece of data created by the web server [here Tomcat], stored by the browser and specific to one website [here the login app], used to track the user's use of that site. The anatomy of a cookie is as follows.
  1. Name - name of the cookie
  2. Value - value of the cookie
  3. Expiration - how long the cookie survives
  4. Path - the URL path for which the browser sends the cookie. [Example: Facebook cookies are sent only to Facebook, not to Google]
  5. Domain - the domain the cookie belongs to. [google/facebook]
  6. Secure flag - ensures the cookie is transmitted only over a secure (HTTPS) connection
  7. HttpOnly - ensures the cookie cannot be accessed by client-side script
These attributes need to be implemented properly to avoid session hijacking.

What is a session?

A session is server-side storage of information that determines what the user is allowed to do on the website; the server finds the right session using the session cookie held in the user's browser.

How to create a cookie?
// Inside a servlet method; response is the HttpServletResponse. Requires import javax.servlet.http.Cookie;
Cookie cookie = new Cookie("userName", "alice");   // example name and value
cookie.setMaxAge(30 * 60);          // lifetime in seconds (here 30 minutes); -1 = deleted when the browser closes
cookie.setPath("/loginapp");        // example path; the browser sends the cookie only for URLs under it
cookie.setDomain("example.com");    // example domain; omit it and the cookie is sent only to the issuing host
cookie.setComment("login app user cookie");
cookie.setSecure(true);             // send only over HTTPS
cookie.setHttpOnly(true);           // hide from client-side script (Servlet 3.0 and later)
response.addCookie(cookie);

How to read a cookie?
// The browser sends its cookies on the request; getCookies() returns null when there are none.
Cookie[] cookies = request.getCookies();
if (cookies != null) {
    for (Cookie cookie : cookies) {
        String name = cookie.getName();
        String value = cookie.getValue();
        // Browsers send only name=value back, so the attributes below hold defaults, not what was set:
        int maxAge = cookie.getMaxAge();        // -1
        String path = cookie.getPath();         // null
        String domain = cookie.getDomain();     // null
        String comment = cookie.getComment();   // null
    }
}

What is Session Hijacking?

An attacker compromises a session by stealing a valid session token [session tokens are carried in cookies] to gain unauthorized access to the web server. The token can be stolen in 2 ways.

  1. Session Sniffing - The attacker obtains the session ID by capturing network traffic. If the session token is transmitted between the server and the client browser over an insecure connection [HTTP], it can easily be captured and reused by the attacker.

    Solution : enable secure communication between the server and the client browser, and mark the cookie so the browser sends it only over HTTPS. [Secure flag]
  2. Cross-Site Scripting Attack - The attacker uses client-side script to get the session ID. If the website is vulnerable to this kind of attack, the attacker can inject malicious code/scripts/payloads into the website through the client side; when the user/victim visits the page, the script sends the victim's session ID to the attacker.

    Solution : make the cookie unreadable to client-side script. [HttpOnly flag] This blocks the cookie theft but does not remove the XSS flaw itself, which still has to be fixed.
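Putting both solutions into a Tomcat web application, as an added example that is not part of the original post: the listener sets the Secure and HttpOnly flags on Tomcat's own session cookie (JSESSIONID), and the login servlet refuses to start a session unless the request itself arrived over HTTPS. It assumes the javax.servlet 3.0+ API; LoginServlet and credentialsValid are hypothetical names, and the credential check is a placeholder.

```java
import java.io.IOException;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Runs once at deployment and hardens Tomcat's own session cookie (JSESSIONID). */
@WebListener
public class SessionCookieHardening implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
        cfg.setHttpOnly(true);  // script cannot read the token via document.cookie (XSS theft)
        cfg.setSecure(true);    // the browser sends the token only over HTTPS (sniffing)
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }

    /** Hypothetical login endpoint; credentialsValid is a placeholder for the real user store. */
    @WebServlet("/login")
    public static class LoginServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            if (!req.isSecure()) {  // never hand out a session token over plain HTTP
                resp.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
                return;
            }
            String user = req.getParameter("user");
            if (user == null || !credentialsValid(user, req.getParameter("password"))) {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            // Creating the session emits: Set-Cookie: JSESSIONID=...; Path=<context path>; Secure; HttpOnly
            req.getSession(true).setAttribute("user", user);
        }

        private boolean credentialsValid(String user, String password) {
            return false;  // placeholder, deny by default: look the user up in the application's user store
        }
    }
}
```

The same two settings can instead be declared in web.xml under <session-config><cookie-config> with <secure>true</secure> and <http-only>true</http-only>; either way they must be set before the first session is created, which is why the code does it in a ServletContextListener.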
