Types of Session attacks

Posted: October 7, 2010 in PHP, Technology

1. Session fixation: – In a session fixation attack the attacker chooses a session identifier (SID) in advance and gets the victim's browser to use it, so that the attacker already knows the SID the victim will later be authenticated under. Most session fixation attacks rely on the application accepting session identifiers from the URL (query string) or from POST data instead of only from the cookie it issued itself.

For example, this type of attack can come from a link like this:

<a href="http://www.xyz.com/test.php?PHPSESSID=1234">Press here</a>

A user clicks on this link and arrives at your site with PHPSESSID=1234; if the application accepts an identifier it did not issue, the user's session now runs under an ID the attacker picked. The attacker simply waits for the user to log in: from that moment on, any request the attacker sends with PHPSESSID=1234 is treated as coming from the logged-in user, without the attacker having had to steal anything.

Way of protection:-

A.  PHP comes with a really easy solution: session_regenerate_id(), which replaces the current session ID with a freshly generated one. The important thing is to call it at every privilege change: after a user logs in, after a user changes his password, when a user's role changes, etc. Pass true (session_regenerate_id(true)) so the old session data is deleted as well; otherwise the old, possibly fixated ID keeps pointing at a live session until garbage collection removes it.

B.  PHP also offers a "referrer check": when the session.referer_check configuration option is set, a session ID sent by the client is only accepted if the Referer header contains the configured substring. By default the option is empty. Treat this as a weak defence-in-depth measure, not a real control: the Referer header is supplied by the client and can be set or stripped at will (a redirect or rel="noreferrer" removes it), and PHP only applies the check when a Referer is present, so a request without one passes.

C. Do not accept session identifiers from GET / POST variables. In PHP that means session.use_only_cookies = 1 and session.use_trans_sid = 0, so the SID is read from nothing but the cookie PHP set itself. On PHP 5.5.2 and later also set session.use_strict_mode = 1, which makes PHP refuse an ID it did not generate instead of silently adopting it, and set session.cookie_httponly and session.cookie_secure so the cookie cannot be read by script or sent over plain HTTP.
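Putting A and C together, here is an added example (not code from the original post) of a PHP session bootstrap and login handler hardened against fixation. The authenticate() helper and its in-memory user table are constructed for illustration; the ini settings are real PHP options (session.use_strict_mode needs PHP 5.5.2 or later, the type declarations need PHP 7.1 or later).

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. authenticate() and its user table are
// constructed for illustration; everything else is standard PHP session handling.

function secure_session_start(): void
{
    // Point C: the SID is taken from the cookie only, never from ?PHPSESSID= or POST data.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // PHP >= 5.5.2: an ID the server never issued is rejected and a fresh one generated,
    // instead of PHP quietly creating a session under the attacker's "1234".
    ini_set('session.use_strict_mode', '1');
    // Keep the cookie away from JavaScript and off plaintext HTTP.
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    // session.referer_check is deliberately left at its empty default: the header is
    // client-controlled and often absent, so it is not a dependable control (point B).
    session_start();
}

/** Hypothetical credential check against a constructed in-memory user table. Returns the user id or null. */
function authenticate(string $username, string $password): ?int
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => ['id' => 42, 'hash' => password_hash('correct horse battery', PASSWORD_DEFAULT)]];
    }
    if (!isset($users[$username]) || !password_verify($password, $users[$username]['hash'])) {
        return null;
    }
    return $users[$username]['id'];
}

/**
 * Point A: called once credentials are verified. Regenerating here guarantees that
 * whatever ID the client arrived with, fixated or not, never becomes an authenticated one.
 */
function login_user(int $userId): void
{
    $_SESSION = [];                // nothing seeded before login survives into the authenticated session
    session_regenerate_id(true);   // true: delete the old session, so the old ID is dead immediately
    $_SESSION['user_id']   = $userId;
    $_SESSION['auth_time'] = time();
}

/** Another privilege-relevant moment where the ID should change. */
function after_password_change(): void
{
    session_regenerate_id(true);
}

function logout_user(): void
{
    $_SESSION = [];
    // Expire the cookie on the client, then destroy the server-side copy.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

secure_session_start();

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_POST['username'], $_POST['password'])) {
    $userId = authenticate((string) $_POST['username'], (string) $_POST['password']);
    if ($userId !== null) {
        login_user($userId);
        header('Location: /account');   // redirect so the new cookie is what the next request carries
        exit;
    }
}
```

The order inside login_user() matters: clear the session, regenerate, then write the authenticated state, so that no data the pre-login (possibly attacker-controlled) session held is carried over and the fixated ID never refers to an authenticated session.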

2. Session hijacking: – This is the most common type of session attack. It refers to any method by which an attacker gains access to another user's session. The first step for any attacker is to obtain a valid session identifier, which is why the secrecy of the session identifier is paramount. Fixation is only one way of getting hold of it; others are sniffing the identifier from unencrypted traffic, reading the cookie through an XSS flaw, picking it up from a URL that leaks it via the Referer header, logs or browser history, or simply guessing it when identifiers are predictable.

Way of protection:-

A) User agent verification is a very basic way of checking that the client is still the one that logged in. When you create the session, store the HTTP_USER_AGENT value and compare it on every subsequent request. Unfortunately, an attacker who managed to hijack the session has usually seen the victim's traffic as well, and the User-Agent header is trivial to spoof, so this only stops the careless. Rather than the plain string, store a keyed hash (an HMAC with a server-side secret) of the user agent: that keeps the raw value out of the session store and stops anyone who can write to that store from forging a matching entry, but it does not stop a client that sends the same header. Expect legitimate mismatches after browser updates.

B) IP address verification is very similar to user agent verification and in some cases more robust, since the source address is harder to forge than a header. Store the user's IP when you first generate the session and compare it on every page load. There are two major drawbacks. Many users sit behind a NAT gateway or proxy, so the attacker and the victim may share the same IP address. The other issue comes from large. Because of these drawbacks the method is rarely used as a hard check.

C) Add a second point of verification with a token generated independently of the session ID. When the user logs in, create a random token, send it to the client separately (for instance in its own cookie), and store only a hash of it in the session; on every page load verify that the presented token matches the stored hash. Regenerate the token frequently so that an attacker who has to guess it has only a very short window. Note that a token carried in a cookie is stolen by the same sniffing or XSS vectors that steal the session cookie, so this mainly defeats fixated or guessed identifiers and limits how long a captured token stays useful.
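As an added example (not code from the original post) of protections A and C working together, the following binds an authenticated PHP session to a keyed hash of the User-Agent and to a rotating secondary token. SERVER_SECRET, the cookie name auth_token and the 5-minute rotation interval are assumptions; the secret must be generated with random_bytes() and loaded from configuration, not hard-coded. The setcookie() options array needs PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. SERVER_SECRET and the cookie name are
// assumptions; the real secret must come from random_bytes() and live in configuration.
const SERVER_SECRET = 'change-me: 32+ random bytes loaded from configuration';
const TOKEN_COOKIE  = 'auth_token';
const TOKEN_TTL     = 300;   // seconds before the secondary token is rotated

/**
 * Point A, with the "hash plus seed" done as an HMAC. The keyed hash keeps the raw UA
 * out of the session store and means a matching value cannot be forged by anyone who
 * can write to that store; it does NOT stop a client that sends the same header.
 */
function ua_fingerprint(): string
{
    return hash_hmac('sha256', (string) ($_SERVER['HTTP_USER_AGENT'] ?? ''), SERVER_SECRET);
}

/** Point C: a random token independent of the SID, sent in its own cookie; only its hash is kept server-side. */
function issue_token(): void
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['token_hash']   = hash('sha256', $token);
    $_SESSION['token_issued'] = time();
    setcookie(TOKEN_COOKIE, $token, [
        'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

/** Bind a freshly authenticated session to this client. $userId comes from the credential check. */
function bind_session(int $userId): void
{
    $_SESSION = [];
    session_regenerate_id(true);           // same anti-fixation step as in section 1
    $_SESSION['user_id'] = $userId;
    $_SESSION['ua_fp']   = ua_fingerprint();
    issue_token();
}

/**
 * Run on every request after session_start(). Returns true only if the session is
 * authenticated AND still bound to the client that logged in.
 */
function verify_session(): bool
{
    if (!isset($_SESSION['user_id'])) {
        return false;                                           // anonymous session
    }
    if (!hash_equals((string) ($_SESSION['ua_fp'] ?? ''), ua_fingerprint())) {
        return false;                                           // different browser, or a sloppy hijacker
    }
    $presented = (string) ($_COOKIE[TOKEN_COOKIE] ?? '');
    if ($presented === ''
        || !hash_equals((string) ($_SESSION['token_hash'] ?? ''), hash('sha256', $presented))) {
        return false;                                           // a SID without its matching second token
    }
    if (time() - (int) ($_SESSION['token_issued'] ?? 0) > TOKEN_TTL) {
        issue_token();                                          // rotate: a captured token is short-lived
    }
    return true;
}

/** Drop a session that failed verification instead of letting it limp on half-trusted. */
function reset_session(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
}

session_start();
if (!verify_session()) {
    reset_session();
    header('Location: /login');
    exit;
}
echo 'Hello, user ' . (int) $_SESSION['user_id'];
```

hash_equals() is used for both comparisons so the check does not leak timing information, and only the hash of the token is stored, so a read of the session store alone does not yield a usable token. Because the secondary token travels in a cookie next to PHPSESSID, an attacker who can read cookies gets both; the value of this layer is against fixated or guessed identifiers and in bounding the lifetime of anything captured.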

3. Session injection: – This type of attack appears when you copy user input into the session without validating it, and code elsewhere then trusts that session data as if the application itself had set it (for example a role flag, a user_id, or a value later used to build a file name or query).

Way of protection:-
Filter and validate user input before it goes into $_SESSION: accept only known keys, check each value against what it is supposed to be, and keep user-supplied data in its own namespace so it can never overwrite the keys the application relies on for authentication and authorisation.
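Added example (not code from the original post) of the pattern behind session injection and its fix. The preference fields, the sample request array and the is_admin flag are constructed for illustration; arrow functions need PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. The preference keys, the sample request
// and the is_admin flag are constructed for illustration.

/**
 * VULNERABLE: every key the client sends becomes session state. Nothing stops a
 * request from carrying is_admin=1 or user_id=1 next to the real preference fields.
 */
function save_preferences_unsafe(array $request): void
{
    foreach ($request as $key => $value) {
        $_SESSION[$key] = $value;
    }
}

/**
 * HARDENED: an allowlist of keys, each with its own validator, written under
 * $_SESSION['prefs'] so user-supplied data can never collide with the keys the
 * application sets itself (user_id, is_admin). Returns the names of rejected fields.
 */
function save_preferences(array $request): array
{
    $validators = [
        'theme'    => static fn($v) => in_array($v, ['light', 'dark'], true) ? $v : null,
        'language' => static fn($v) => is_string($v) && preg_match('/^[a-z]{2}(-[A-Z]{2})?$/', $v) === 1 ? $v : null,
        'per_page' => static fn($v) => filter_var($v, FILTER_VALIDATE_INT,
                          ['options' => ['min_range' => 10, 'max_range' => 100]]),
    ];
    $rejected = [];
    foreach ($validators as $key => $validate) {
        if (!array_key_exists($key, $request)) {
            continue;                           // absent is fine; unknown keys are simply ignored
        }
        $clean = $validate($request[$key]);
        if ($clean === null || $clean === false) {
            $rejected[] = $key;                 // failed validation: store nothing for this key
            continue;
        }
        $_SESSION['prefs'][$key] = $clean;
    }
    return $rejected;
}

session_start();
$_SESSION['user_id']  = 42;      // set by the application after a real login
$_SESSION['is_admin'] = false;

// Constructed request: two legitimate fields, one malformed field, and a smuggled flag.
$request = ['theme' => 'dark', 'per_page' => '25', 'language' => '../../etc', 'is_admin' => '1'];

save_preferences_unsafe($request);
var_dump($_SESSION['is_admin']);  // the client's value has replaced the application's flag

$_SESSION['is_admin'] = false;    // undo, then do it properly
$rejected = save_preferences($request);
var_dump($_SESSION['is_admin']);  // untouched: the allowlist never writes outside 'prefs'
var_dump($_SESSION['prefs']);     // only the validated fields, with per_page as an int
var_dump($rejected);              // the malformed language value was refused
```

The unsafe version is the session equivalent of mass assignment: the client decides which keys exist. The hardened version inverts that, so the application decides which keys may come from the client and what shape they must have, and anything the application trusts for authorisation lives outside the user-writable namespace.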

Comments
  1. anonymous says:

    As a programmer or the lead, while doing the code review, the practice is always maintained that the session ID must not be passed in the query string, and if any circumstances arise like that then an encoded string is to be passed.

  2. rajeshrolen says:

    Your blog is really cool and knowledgeable.
    Have a look at mine: http://www.DotNetAcademy.blogspot.com

  3. ashok says:

    This is a very good article on security for PHP websites.
