Browser Hijack Attacks
How Browser Authentication functions
The pitfalls of passwords:
Passwords have been in use for a long time on the internet, and are generally accepted practice for authenticating users and services. Navigating a website involves many separate HTTP requests, often over many different TCP connections, and all of them must be attributed to the same valid user. HTTP is a stateless protocol, so the developer must implement and manage user authentication state. The three parts of this process are user authentication, session management, and access control.
All of this browsing activity is tied to a single user by a session token. After a user successfully authenticates once, the web server sends the user a session token that stands in for that authentication. Every subsequent request carries the token, usually as a cookie, and the server treats whoever presents a valid token as the authenticated user. The token is normally an opaque, randomly generated identifier looked up on the server side; it is not derived from public key infrastructure, so the secrecy of the token itself is the only thing protecting the session.
Session hijacking is an attacker gaining access to this token, for example through a man-in-the-middle (MITM) attack on an unencrypted connection, malware already present on the victim's machine, or a cross-site scripting (XSS) attack that reads the cookie from the browser.
Prevention
- Use HTTP-Only in cookies.
- This is an attribute that can be set in the Set-Cookie HTTP response header.
- This keeps the cookie value from being read by JavaScript running in the browser (it is hidden from document.cookie).
- This stops XSS payloads from exfiltrating the session cookie. It does not stop an injected script from issuing requests that the browser sends with the cookie attached, so it mitigates rather than fully defeats XSS-based session abuse.
- Generate strong session IDs, with at least 64 bits of entropy.
- Use RASP (Runtime Application Self-Protection).
- RASP hooks into the application’s runtime environment to monitor critical function calls.
- When an attack is detected, RASP can terminate the connection quickly.
- Some examples of tools which accomplish this: Contrast Security, Imperva, Promon.
- Set short idle and absolute timeouts on sessions, so a stolen token is only useful for a limited window.
- Monitor for sudden IP address changes on the same session ID, which might indicate a session hijack attempt; treat this as a signal to log or re-authenticate rather than proof, since mobile and corporate networks change addresses legitimately.
- Use the Secure attribute to ensure that session cookies are sent only over a TLS-protected connection.
Tips
- Don't leak information about the technologies in use through an overly descriptive session cookie name.
- Use a generic name such as id; default names such as PHPSESSID (PHP) or JSESSIONID (Java EE) allow fingerprinting of the technologies in use on the backend.
- After a user successfully authenticates, generate a new session ID and invalidate the old one.
- When this fails to happen, the application is open to session fixation: an attacker who obtained a session ID before login (and planted it in the victim's browser) can keep using that same ID after the victim authenticates with it.