Search This Blog

Monday, December 25, 2006

What is Session ID and session hi-jacking?

Peace be upon you
My Dear Friend Mohamed Shehata asks about the session ID, now I am explaining it,
First have a look for this figure

When the user hit the web site name, what is happening?
actually there is a lot of hidden things happen and even some developers don't know what is happening or how is it happen, here we start
User hit the site name: The server do inital things to connect you to the excution of script (ASP,PHP,...)
Server creates a cookie in the client machin, this cookie called Session ID,
for sure any developer know and uses the Session Object, but do anyone think how the session id works, and how the session ID get to you the right information, it is simple, Script Engine(ASP Engine, PHP engine,...) do this for you, the engine creates the session ID which is the Key for the whole data row, the data row is the data you save in the session object, which is filtered by the session id which is save in the Client machin
did you got it ?:D
who the Hacker uses all of this, simply there is technique called session hi-jacking, this is depending on stealing the session from the client machin,this way when the engine tries to get the session id from the hacker machin the engine will not say anything it will give the web application the information depending on the session id,
this is way the hacker appear to the web site as the normal user,
how can the user get out of this trick, NO WAY FOR THE USER TO PROTECT HIM SELF
because as long as the hacker got your session id, then he is you :D, it's like passport without photo, as long as u carry it then anyone carry it will be the one,
How can developer protect his application from such attacks?
the beloved MSDN give us a little solution check this link out
it really gives the key to protect your application and user from such attacks,

How do this thing used in hacking hotmail account?
when you login, someone send you link, you open it
the page redirect you to infected page of MSN ( infected with XSS Exploit ), the script is passed in the query string, but I grantee you will never see it, the encode it to HexaDecimel,
the script simply get all cookies in your session and pass it to other site, that save your data,
as long as you don't sign out, your session is a life, so u have to kill it by "SIGN-OUT", after that you are disappear for the site, if the hacker take your session ID and tries to use it, he will find that you are not signed in, simply he will be asked to enter the user name and the password, this way protect you but not so much, as I said before , you have to open any link came to you in other browser, WHY
because when you click on the link and when new window open, it inherit all of it's cookies with it, which means
when you open link, it will popup new window, this window contine the link that will still your information, when the hacker redirect you to MSN again (to steal your session id) he will get your data,
I wish it is useful

thanks for your time
Ahmed Essam

Kick it Please
kick it on

1 comment:

Anonymous said...

Hi. this post is very useful. but sorry can i know about the software about hacking or do sth on this sessionID?
both for Linux and windows. Thq a lot