Saturday, November 13, 2010

Session Hijacking


Session Hijacking

Welcome to another edition of Security Corner. This month's topic is session hijacking, often referred to as an impersonation attack. Session hijacking describes all methods by which an attacker can access another user's session. A successful session hijack attack exploits a flaw in the application; as PHP developers, the safeguard is our responsibility.
In an earlier column, I discussed session fixation, a method by which an attacker can gain a valid session identifier. The purpose of such an attack is to use this identifier to attempt to hijack a session. Thus, defending against session fixation helps to defend against session hijacking, but it only addresses a small part of the problem.

Capturing a Session Identifier

A more popular method of obtaining a valid session identifier is to capture it. There are many methods of capture, and these can be categorized according to the method used to propagate the session identifier. For example, if the session identifier is propagated as GET data, attacks focus on obtaining GET data, not specifically the session identifier.
This type of propagation is less secure than using a cookie, because GET data is more exposed. When possible, use a cookie to store the session identifier. Of course, this is just a defense in depth mechanism and should not be considered the primary safeguard.
It's a good practice to anticipate the worst case scenario. Thus, in this article, I demonstrate how to complicate impersonation under the assumption that the session identifier has already been captured. Of course, this is not a desirable situation, but every bit of complication for an attacker increases the security of the application.

Complicating Impersonation

If your session implementation consists of nothing but session_start(), it is very susceptible to session hijacking. In order to discover a method that can help to prevent simple exploits, first consider a typical HTTP request:
  1. GET / HTTP/1.1
  2. Host: example.org
  3. User-Agent: Mozilla/5.0
  4. Accept: text/xml, image/png, image/jpeg, image/gif, */*
  5. Cookie: PHPSESSID=1234
A cookie named PHPSESSID is used to propagate the session identifier in this example.
Of the HTTP headers given in this example, only Host is required, and it certainly isn't very unique. So, it may seem at first glance that nothing within the request can help to identify the user with any more assurance than with the session identifier alone. While this isn't entirely false, any consistency that can be found in each request from the same client can be used to complicate impersonation, and there are steps that can be taken to provide some of this consistency. To further illustrate this concept, consider the following request sent soon after the previous one:
  1. GET /profile.php HTTP/1.1
  2. Host: example.org
  3. User-Agent: Mozilla/5.0 (compatible; MSIE)
  4. Accept: text/xml, image/jpeg, image/png, image/gif, */*
  5. Cookie: PHPSESSID=1234
If every previous request from client 1234 used a different User-Agent header, should this request not be treated with some suspicion? It's possible that this request is an impersonation attempt, and asking the user to verify the password is a good safeguard. The legitimate user will be able to provide the correct password and continue, but an attacker cannot.
The following example shows how you can add a simple check for this:
<?php
 
session_start();
 
if (isset($_SESSION['HTTP_USER_AGENT']) &&
    $_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT'])) {
    /* Prompt for Password */
    exit;
} else {
  $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
}
 
?>
Does this provide enough protection against impersonation? Not really. If the session identifier is being propagated in a cookie, consider that most cookie exploits involve the victim visiting the attacker's site. Thus, if the session identifier has been captured, it is reasonable to assume that the attacker also has access to the HTTP headers that the victim's client includes in a typical request. An impersonation attack simply has to reproduce all of these headers, and then any extra check that relies on any of these is rendered useless.
What if the MD5 of the User-Agent header is used as a browser fingerprint that is propagated with every request, just like the session identifier? In order to bypass this extra safeguard, an attacker would not only have to reproduce the correct session identifier and User-Agent header, but also the correct browser fingerprint. This requires an extra step, so it is more secure.
The weakness with this approach is that guessing the value of the browser fingerprint is not difficult. An MD5 is easily recognizable, and an attacker can use the application itself to get a sample one. With this, figuring out that it's the MD5 of theUser-Agent header isn't too terribly difficult. However, consider a browser fingerprint that is generated with the following code:
  1. <?php
  2.  
  3. $string = $_SERVER['HTTP_USER_AGENT'];
  4. $string .= 'SHIFLETT';
  5.  
  6. $fingerprint = md5($string);
  7.  
  8. ?>
With the addition of some secret padding (SHIFLETT in this example), generating a valid browser fingerprint for someone else is more difficult. In fact, prediction becomes so difficult at this point that capturing a valid browser fingerprint is more likely to be the easiest route for an attacker to take.
To complicate the process of capturing the browser fingerprint, a different method of propagation should be used for the session identifier and browser fingerprint. If both are propagated as cookies, it is reasonable to assume that the same attack can capture both. The same is true if both are propagated as GET data. I recommend propagating the session identifier as a cookie and the browser fingerprint as GET data. If you rely on session.use_trans_sid, then you can simply focus on including the browser fingerprint in each URL. Users who disable cookies will have both the session identifier and browser fingerprint propagated as GET data, but this cannot be avoided. Those who enable cookies will automatically have a bit more protection against impersonation.
Some experts warn against relying on the consistency of the User-Agent header. The argument is that an HTTP proxy in a cluster can modify the User-Agent header inconsistently with other proxies in the same cluster. While I have never observed this myself, it is definitely worth noting.
have observed that the Accept header can change for Internet Explorer users depending upon whether they refresh the browser to request a page, so this should not be relied upon for consistency.
If you are skeptical about relying on any consistency in the HTTP headers, you can opt to use a unique token rather than a browser fingerprint. More often than note, this is the approach I choose. To generate this token, use code similar to the following:
<?php
 
$token = md5(uniqid(rand(),TRUE));
 
$_SESSION['token'] = $token;
 
?>
This token should then be propagated with each request, using a different method than used to propagate the session identifier (just like the browser fingerprint). This token can also be frequently regenerated to tighten the window of opportunity for an attacker.

Until Next Time...

The purpose of this article, like many others here at Security Corner, is to give you enough information to develop solutions that fit you best. Hopefully you now have a clearer understanding of the types of session-based attacks that you must defend against and have a few ideas to get you started protecting your applications. Until next month, be safe.

Saturday, October 16, 2010

hacker website WHOIS information for media-sat.org



WHOIS information for media-sat.org :

[Querying whois.publicinterestregistry.net]
[whois.publicinterestregistry.net]
NOTICE: Access to .ORG WHOIS information is provided to assist persons in 
determining the contents of a domain name registration record in the Public Interest Registry
registry database. The data in this record is provided by Public Interest Registry
for informational purposes only, and Public Interest Registry does not guarantee its 
accuracy.  This service is intended only for query-based access.  You agree 
that you will use this data only for lawful purposes and that, under no 
circumstances will you use this data to: (a) allow, enable, or otherwise 
support the transmission by e-mail, telephone, or facsimile of mass 
unsolicited, commercial advertising or solicitations to entities other than 
the data recipient's own existing customers; or (b) enable high volume, 
automated, electronic processes that send queries or data to the systems of 
Registry Operator or any ICANN-Accredited Registrar, except as reasonably 
necessary to register domain names or modify existing registrations.  All 
rights reserved. Public Interest Registry reserves the right to modify these terms at any 
time. By submitting this query, you agree to abide by this policy. 

Domain ID:D159858748-LROR
Domain Name:MEDIA-SAT.ORG
Created On:09-Aug-2010 21:11:58 UTC
Last Updated On:12-Oct-2010 19:35:02 UTC
Expiration Date:09-Aug-2011 21:11:58 UTC
Sponsoring Registrar:Name.com, LLC (R1288-LROR)
Status:OK
Registrant ID:ncr-8629775-64b9
Registrant Name:Montassar Lajnaf
Registrant Organization:MONTAENJOY
Registrant Street1:ayen km 1
Registrant Street2:
Registrant Street3:
Registrant City:sfax
Registrant State/Province:sfax
Registrant Postal Code:3000
Registrant Country:TN
Registrant Phone:+216.23624962
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:montaenjoy@gmail.com
Admin ID:nca-8629776-998b
Admin Name:Montassar Lajnaf
Admin Organization:MONTAENJOY
Admin Street1:ayen km 1
Admin Street2:
Admin Street3:
Admin City:sfax
Admin State/Province:sfax
Admin Postal Code:3000
Admin Country:TN
Admin Phone:+216.23624962
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:montaenjoy@gmail.com
Tech ID:nct-8629777-fd42
Tech Name:Montassar Lajnaf
Tech Organization:MONTAENJOY
Tech Street1:ayen km 1
Tech Street2:
Tech Street3:
Tech City:sfax
Tech State/Province:sfax
Tech Postal Code:3000
Tech Country:TN
Tech Phone:+216.23624962
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:montaenjoy@gmail.com
Name Server:S1.HOST-CLIC.COM
Name Server:S2.HOST-CLIC.COM
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
DNSSEC:Unsigned

Thursday, October 14, 2010

XSS Cross-Site Scripting: Are You Web Applications Vulnerable?


what is XSS


An abbreviation of cross-site scripting. XSS is a security breach that takes advantage of dynamically generated Web pages. In an XSS attack, a Webapplication is sent with a script that activates when it is read by an unsuspecting user??s browser or by an application that has not protected itself against cross-site scripting. Because dynamic Web sites rely on user input, a malicious user can input malicious script into the page by hiding it within legitimate requests. Common exploitations include search engineboxes, online forums and public-accessed blogs. Once XSS has been launched, the attacker can change user settings, hijack accounts, poisoncookies with malicious code, expose SSL connections, access restricted sites and even launch false advertisements. The simplest way to avoid XSS is to add code to a Web application that causes the dynamic input to ignore certain command tags.
Scripting tags that take advantage of XSS include <SCRIPT>, <OBJECT>, <APPLET>, <EMBED> and <FORM>. Common languages used for XSS include JavaScriptVBScriptHTMLPerlC++ActiveX and Flash.
Cross-site scripting also is referred to as malicious tagging and sometimes abbreviated as CSS, though CSS is more commonly used as an abbreviation for cascading style sheets.