Session hijacking is a common form of attack against websites. Hackers using this attack are able to take advantage of poorly configured websites to literally hijack a user's session and take over their identity. In this tip, we take a brief look at how a session hijacking attack works, how a tool called Firesheep automates the attack, the risk this poses to the midsized business and how to prevent session hijacking to protect your organization and users.
Background: Session hijacking attack
At this point, you might be wondering: "How does a session hijacking attack work? Aren't websites today designed with HTTPS/SSL encryption to protect usernames and passwords in transit over the Internet?" The short answer is, yes, most website administrators do take this basic precaution. However, the use of SSL encryption on a website is computationally expensive and chews up CPU cycles. Encrypting every page of a website requires a significant upgrade in computing power. Many website administrators compromise by only encrypting the login traffic where usernames and passwords are sent and then switch over to plain old unencrypted HTTP.
Enter the session hijacker. If a user is accessing the website over an unencrypted wireless network, his or her traffic is vulnerable to eavesdropping. While the attacker might not be able to see the HTTPS-protected username and password, he can grab something almost as valuable: the authentication cookie sent with each subsequent request made by the user over the HTTP connection. The user's Web browser uses the cookie to remind the website that the user is already authenticated and, therefore, that reauthentication is not required.
Once the hijacker has his hands on the cookie, he can easily use it to impersonate the end user by simply sending requests. This allows the hijacker to assume the user's identity on the website and perform any action the user can perform with the stolen cookie. In the case of a social networking site like Facebook, the hijacker could update the user's status, friend/unfriend people, add snooping applications to the user's profile or perform many other nefarious actions.
Session hijacking attacks are nothing new. Security professionals have dealt with them for years and warned against the design of websites vulnerable to session hijacking. The only saving grace was that it was tedious to hijack sessions. The hijacker would have had to have a solid understanding of how the protocols involved worked, sniff a network, piece together a user's cookie and then write code that used that cookie to gain access to the user's account. That's not tremendously difficult, but it is time consuming.
Eric Butler, an independent information security researcher, recently eliminated this barrier with the release of Firesheep. Butler co-developed Firesheep to draw attention to the security vulnerabilities of Web sessions, especially on social networking sites. Firesheep is a Firefox extension that automates session hijacking attacks. An aspiring hijacker can simply download the free Firesheep extension, connect to an unencrypted wireless network, and see a list of users with sessions available for hijacking. Firesheep can automate attacks against Facebook, Twitter and other sites. It even goes so far as to display the user's picture from their social networking profile so you can look around the room and see who you're impersonating!
Session hijacking attack: A threat to the midsized business
Session hijacking and the release of Firesheep affect you, as an IT professional, and you need to take steps to prevent session hijacking within your business. There are four immediate questions that should come to mind:
- Do we run a Web application that is vulnerable to session hijacking attacks?
If your business runs any type of application that requires authentication and allows any unencrypted connections, it might be vulnerable. The easy way to protect against this is to require the use of SSL encryption for all pages on the website. While this blunt-force solution is simple to implement, it requires the use of extensive computing power to encrypt all requests. If your website is low volume, this may not be a problem. If you support a large number of simultaneous connections, supporting full SSL encryption may require expensive hardware upgrades. The alternative is to work with the developers of your Web application to encrypt only those pages that are used to transmit cookies. (This approach, however, requires intimate knowledge of your Web applications and a careful attention to detail. Even one missed page will make you vulnerable.)
- Do we run an unencrypted wireless network that might facilitate session hijacking?
Firesheep depends upon the use of unencrypted wireless networks to run successfully. If you encrypt your wireless network using WPA technology, users of that network will be safe from this tool.
- Are we protecting our users against this type of attack when they are away from the office?
While it would be ideal to require that users only connect to encrypted networks, this is often not practical. Many public locations, such as coffee shops, airports and hotels, run unencrypted networks and business needs often dictate their use by travelers. In these cases, the best thing you can do is to provide users with a virtual private network (VPN) they can use to safely connect back to your home office over an encrypted connection before performing any other activity.
- Do we use any vulnerable sites to conduct business?
If your organization has a Facebook page, Twitter account, or other social networking presence, you need to take special precautions. Now, if a user's session is hijacked, not only does the attacker gain access to that user's profile, but he may also gain the ability to edit your organization's data. Imagine if a competitor were able to send out messages to your customers that appeared to come from you! To protect against this type of attack, be sure to carefully limit the number of users who have access to update your social networking sites and provide them with clear, concise training on the security requirements for accessing your organization's accounts.
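The first question above warns that, when only some pages are encrypted, a single missed page is enough to expose the session cookie. The following script is an added example, not code from the original tip: it reads web server access logs and reports every request in which the session cookie travelled over plain HTTP, grouped by path, so the developers know exactly which pages still need to move to HTTPS. The log format is assumed for the example (a combined-style line followed by the request scheme and the raw Cookie header, which servers such as nginx can emit via `$scheme` and `$http_cookie` and Apache via `%{Cookie}i`); the cookie name `session_id`, the client addresses and the log lines themselves are constructed sample data.

```python
"""Audit access logs for session cookies sent over plain HTTP (added example)."""
import re
from collections import Counter

# Assumed log format: <client> - - [<time>] "<method> <path> <proto>" <status> <scheme> "<Cookie header or ->"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
    r'(?P<scheme>https?) "(?P<cookies>[^"]*)"$'
)

# Constructed sample log: the login happens over HTTPS, but later pages (and even a
# static image) are fetched over HTTP and the browser attaches the session cookie.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Oct/2010:14:01:02 -0500] "POST /login HTTP/1.1" 302 https "lang=en"
10.0.0.5 - - [26/Oct/2010:14:01:05 -0500] "GET /inbox HTTP/1.1" 200 http "session_id=3f9a77; lang=en"
10.0.0.5 - - [26/Oct/2010:14:01:09 -0500] "GET /static/logo.png HTTP/1.1" 200 http "session_id=3f9a77; lang=en"
10.0.0.7 - - [26/Oct/2010:14:02:11 -0500] "GET /profile HTTP/1.1" 200 https "session_id=b81c02"
10.0.0.7 - - [26/Oct/2010:14:02:15 -0500] "GET /inbox HTTP/1.1" 200 http "session_id=b81c02"
10.0.0.9 - - [26/Oct/2010:14:03:00 -0500] "GET /help HTTP/1.1" 200 http "-"
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Reduce the Cookie header to the set of cookie names; "-" means no header was sent.
    names = set()
    if rec["cookies"] != "-":
        for pair in rec["cookies"].split(";"):
            name = pair.strip().split("=", 1)[0]
            if name:
                names.add(name)
    rec["cookie_names"] = names
    return rec


def find_exposed_requests(log_text, session_cookie="session_id"):
    """Return the parsed records in which the session cookie was carried over plain HTTP."""
    exposed = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["scheme"] == "http" and session_cookie in rec["cookie_names"]:
            exposed.append(rec)
    return exposed


def exposed_pages(log_text, session_cookie="session_id"):
    """Count, per path, how often the session cookie went out in the clear.

    Every path in the result is a 'missed page' that still has to be served over HTTPS.
    """
    return Counter(rec["path"] for rec in find_exposed_requests(log_text, session_cookie))


def exposed_clients(log_text, session_cookie="session_id"):
    """Clients whose session cookie has been exposed; their sessions should be invalidated."""
    return {rec["client"] for rec in find_exposed_requests(log_text, session_cookie)}


if __name__ == "__main__":
    for path, count in exposed_pages(SAMPLE_LOG).most_common():
        print(f"{count:4d}  {path}")
    print("clients to log out:", sorted(exposed_clients(SAMPLE_LOG)))
```

Note that the static image shows up in the report: a browser attaches the cookie to every request for the cookie's domain and path, not just to pages the developers think of as "application pages", which is why the article's blunt-force option of encrypting the entire site is the safer one. Any client listed by `exposed_clients` should have its session invalidated server-side, since the cookie value must be assumed known to anyone who was on the same network.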
How to prevent session hijacking
Firesheep caused quite a stir when it was released on Oct. 26, 2010. A counterattack tool, called Fireshepherd, has been developed, but it does not fix the underlying problem. Fireshepherd merely causes Firesheep to crash. Additionally, it is entirely possible that Firesheep will be rewritten to prevent Fireshepherd from working.
Instead of relying on a counterattack, it's best to operate under the assumption that session hijacking is an attack that is not going to go away. This is an excellent time to make sure your organization is protected against this specific threat by following these four steps:
- Require the use of SSL encryption on all pages of your website, or at least those pages that are used to transmit cookies.
- Ensure your wireless network uses WPA encryption.
- Provide a VPN to your users when they are away from the office.
- Be very careful with your organization's social networking accounts; only grant access to a small number of well-trained personnel.
At the same time, it's a good idea to think more generally about the risk of session hijacking and take steps to secure websites that might be vulnerable, even if Firesheep does not yet support an attack against them.
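The first of the four steps, requiring SSL on every page, can be enforced at the application layer rather than page by page. The middleware below is an added example and not code from the original tip; it wraps any WSGI application (Python's standard web server interface) so that every plain-HTTP request is redirected to HTTPS, every `Set-Cookie` header the application emits gains the `Secure` and `HttpOnly` attributes, and responses carry a `Strict-Transport-Security` header so returning browsers go straight to HTTPS. The demo application, the host name `example.test` and the cookie value `3f9a77` are constructed for illustration.

```python
"""Force HTTPS and harden session cookies for any WSGI app (added example)."""

HSTS = "max-age=31536000; includeSubDomains"


def _add_attr(cookie_header, attr):
    """Append a cookie attribute (e.g. 'Secure') unless it is already present."""
    parts = [p.strip() for p in cookie_header.split(";") if p.strip()]
    present = {p.split("=", 1)[0].lower() for p in parts}
    if attr.lower() not in present:
        parts.append(attr)
    return "; ".join(parts)


def harden_cookie(cookie_header):
    """Add Secure (never sent over HTTP) and HttpOnly (not readable by scripts) to a Set-Cookie value."""
    hardened = cookie_header
    for attr in ("Secure", "HttpOnly"):
        hardened = _add_attr(hardened, attr)
    return hardened


def https_only(app):
    """Wrap a WSGI app: redirect HTTP to HTTPS, harden cookies, add HSTS."""

    def wrapped(environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            # Send the browser to the same URL over HTTPS without serving any content.
            host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "localhost")
            location = "https://" + host + environ.get("PATH_INFO", "/")
            query = environ.get("QUERY_STRING", "")
            if query:
                location += "?" + query
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def hardened_start_response(status, headers, exc_info=None):
            new_headers = []
            for name, value in headers:
                if name.lower() == "set-cookie":
                    value = harden_cookie(value)
                new_headers.append((name, value))
            new_headers.append(("Strict-Transport-Security", HSTS))
            return start_response(status, new_headers, exc_info)

        return app(environ, hardened_start_response)

    return wrapped


def demo_app(environ, start_response):
    """Constructed application that issues a session cookie without any protective attributes."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session_id=3f9a77; Path=/")])
    return [b"hello\n"]


def make_environ(scheme, path="/inbox", host="example.test", query=""):
    """Build a minimal WSGI environ for an offline request."""
    return {"wsgi.url_scheme": scheme, "PATH_INFO": path, "HTTP_HOST": host,
            "QUERY_STRING": query, "REQUEST_METHOD": "GET"}


def run(app, environ):
    """Invoke a WSGI app offline and return (status, headers, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    secured = https_only(demo_app)
    print(run(secured, make_environ("http", query="page=2")))
    print(run(secured, make_environ("https")))
```

The redirect alone is not sufficient: a cookie that lacks the `Secure` attribute has already left the browser in the clear by the time the 301 arrives, which is why the middleware also rewrites the cookie attributes. Two caveats for deployment: `wsgi.url_scheme` must reflect the scheme the client actually used, so behind a TLS-terminating proxy the server has to be configured to derive it from the proxy's forwarded headers; and HSTS should only be enabled once the entire site is confirmed to work over HTTPS, since browsers will honour it for the full `max-age`.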
About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.