
Cookie Protection for Avoiding Session Hijacking Attacks - Introduction

When we develop a web application or web page, sessions and cookies are among the most important factors both for handling user operations and for giving the application/page enough security. Attackers use many ways to attack web-based applications, but most of the time they use session hijacking, because it is very easy to do and the attacker needs no effort to break into the system [the permission to use the system is already provided by the session]. So it is not enough just to implement a session/cookie; a proper [Secure/HttpOnly] cookie/session implementation is needed.

This blog explains how to create a cookie/session, how to read a cookie, what session hijacking is, and how to protect against session hijacking.

What is a cookie?

A cookie is a small file created by the web server [here Tomcat] and stored by the browser to hold data specific to the website [here the login app], so that the website can track how the user uses it. The anatomy of a cookie is as follows.
  1. Name - the name of the cookie
  2. Value - the value of the cookie
  3. Expiration - how long the cookie survives
  4. Path - the path for which the cookie can be used [for example, Facebook cookies can be used only for Facebook, not for Google]
  5. Domain - the domain of the cookie [google/facebook]
  6. Secure flag - ensures the cookie is transmitted only over a secure (HTTPS) server connection
  7. HttpOnly flag - ensures the cookie cannot be accessed by client-side script
All of the above attributes need to be implemented properly to avoid session hijacking.

What is a session?

A session is server-side storage of information that decides what the user is allowed to do in the website, looked up by the cookie held in the user's browser.

How to create a cookie?
Cookie cookie = new Cookie("cookieName", "cookieValue");
cookie.setMaxAge(3600);              // lifetime in seconds; negative = browser-session cookie, 0 = delete it
cookie.setPath("/loginapp");         // only sent for requests under this path
cookie.setDomain("example.com");     // only sent to this domain
cookie.setComment("describes what the cookie is for");
cookie.setSecure(true);              // only transmitted over HTTPS
cookie.setHttpOnly(true);            // not readable by client-side script (Servlet 3.0+ / Tomcat 7+)
response.addCookie(cookie);          // emits the Set-Cookie header in the HTTP response

How to read a cookie?
Cookie[] cookies = request.getCookies();   // null when the request carries no Cookie header
if (cookies != null) {
    for (Cookie cookie : cookies) {
        cookie.getName();
        cookie.getValue();
        // The browser sends back only name and value, so the attributes below
        // return their defaults (-1 / null) on a cookie read from a request.
        cookie.getMaxAge();
        cookie.getPath();
        cookie.getDomain();
        cookie.getComment();
    }
}
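To put the two snippets above together, here is an added example (not code from the original post) of a login servlet that issues the session cookie with the Secure and HttpOnly flags and later reads it back; it assumes a Servlet 3.0+ container such as Tomcat 7+, and the cookie name and the /loginapp path are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical login servlet for the "login app" discussed above.
public class LoginServlet extends HttpServlet {
    static final String COOKIE_NAME = "LOGINAPP_SESSION"; // hypothetical cookie name

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Refuse to issue a session token over plain HTTP: it could be sniffed,
        // and a Secure cookie set on an http:// response is useless anyway.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        // (credential check assumed to have succeeded before this point)
        HttpSession session = request.getSession(true);
        session.setAttribute("user", request.getParameter("username"));

        Cookie cookie = new Cookie(COOKIE_NAME, session.getId());
        cookie.setMaxAge(30 * 60);   // 30 minutes, in seconds
        cookie.setPath("/loginapp"); // only sent for this application's paths
        cookie.setSecure(true);      // never transmitted over plain HTTP (session sniffing)
        cookie.setHttpOnly(true);    // not readable via document.cookie (cross-site scripting)
        response.addCookie(cookie);
    }

    /** Reads the session cookie back from a later request; returns null when absent. */
    static String readSessionCookie(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies(); // null when no Cookie header was sent
        if (cookies == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (COOKIE_NAME.equals(cookie.getName())) {
                return cookie.getValue();
            }
        }
        return null;
    }
}
```

A quick check that the flags actually reach the browser is to look at the Set-Cookie header in the browser's developer tools after logging in; it should end with "Secure; HttpOnly".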

What is Session Hijacking?

The attacker compromises the session by stealing the valid session token [session tokens are carried in cookies] to gain unauthorized access to the web server. The stealing can be done in two ways.

  1. Session sniffing - the attacker gains the session ID by capturing the traffic. If a session token is transmitted from the server to the client browser over an insecure connection [HTTP], it can easily be captured and used by the attacker.

    Solution: enable secure communication between the server and the client browser, and mark the cookie so that it is only ever sent over that secure channel. [Secure flag]
  2. Cross-site scripting (XSS) attack - the attacker uses code/script on the client side to get the session ID. If the website is vulnerable to this kind of attack, the attacker can inject malicious code/scripts/payloads into the website through the client side; when the user/victim visits the website, that script sends the victim's session ID to the attacker.

    Solution: prevent client-side script from accessing the cookie during the server/client communication. [HttpOnly flag]
