Channels ▼

Session Hijacking

Session Hijacking

As many observers and analysts report, applications are more often under attack than the network and host environment. The reason is pretty obvious: Applications wrap data, sometimes sensitive data, and can become the vehicle of infections and malicious attacks against other applications or critical parts of the system.

There are many ways a developer can leave the door of his system open to an attacker. And, likewise, there are many ways an attacker can slipstream his potentially injurious code in a poor and innocent application. One of the most common attacks is session hijacking. This attack is subtle and annoying, not so much because of the damage incurred with it-it depends on the application data deployment-but because there's not much you can do about it if you're not raising the bar (and the costs of the attack).

If you judiciously place the virtual bar of security, session hijacking can be defeated; in doing so, though, and unlike for other common types of attacks, you can't rely much on the ASP.NET infrastructure and programming model.

Session hijacking is when an attacker gains access to the session state of a particular user. Basically, the attacker steals a valid session ID (i.e., stealing a valid session cookie) and uses that to get into the system and snoop into the data.

We all agree this is a reprehensible action from an ethical point of view. Is this injurious as well? That depends on what is actually stored in the session state. Stealing a bunch of IDs pointing to database records is not a big deal per se. This information is scarcely useful because it doesn't represent an action and cannot be used to perform an action. Or, at least, not necessarily. Stealing credit-card or account information is another story. If you know all credit-card details you can go to another site and use that information to buy anything you want.

What is the security hole that leaves room for this attack? Nothing in your application. You can only program defensively (and reasonably) and avoid placing sensitive data to session. ASP.NET associates session data to incoming requests based on the session ID. ASP.NET simply ensures that the submitted session ID is valid, no matter how the request got to get it. If the attacker can either guess a valid session ID or steal a valid one, he can get in and use that (maybe yours) session state.

From an ASP.NET perspective, guessing a valid ID is virtually impossible because of the employed algorithm. (Look carefully before you take the leap and replace the session ID generator in ASP.NET 2.0.) Stealing a valid session ID is, instead, possible and under certain conditions even likely!

The session cookie can be stolen from the browser or as the result of a prior code injection attack. The session cookie contains only the session ID, but this is just what is needed to have the session state associated with the request!

ASP.NET implements no special barrier to filter stolen session IDs. You can do that by writing an additional HTTP module or, in ASP.NET 2.0, by extending the existing one to support a verification of the IP address of the requestor.

Simply put, the idea is to embed the IP address of the requestor in the cookie after the regular session module has done and the request is close to its end. On the way back, when the request comes in, the same module will check the current IP address against the stored one, and allow the request to pass in case of a successful match. To preserve compatibility, the module must also remove any extra information the regular module doesn't handle from the cookie.

Jeff Prosise has written a great article about this technique in his "Wicked Code column in MSDN Magazine, August 2004. One more warning: Cookieless sessions are of great help to attackers. If you're sensitive to security, avoid them.

Dino Esposito is Wintellect's ADO.NET and XML expert, and a trainer and consultant based in Rome, Italy. Dino is a contributing editor to Windows Developer Network and MSDN Magazine, and the author of several books for Microsoft Press including Building Web Solutions with ASP.NET and ADO.NET and Applied XML Programming for .NET. Contact Dino at [email protected].

Related Reading

More Insights

Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dr. Dobb's encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dr. Dobb's moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing or spam. Dr. Dobb's further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.