SESSION Hijacking

HOW VULNERABLE IS MY WEB APPLICATION FROM A DEVELOPER'S ANGLE...

Dilan Warnakulasooriya, Information Security Engineer, 99X Technology
Asanka Fernandopulle, Senior Software Engineer, 99X Technology
Overview
     Details about the ASP.NET session, including
        Session.Id lifecycle
        Session.Abandon
        The session cookie
     Attacking the session
     Fixes

January 1, 2013                 99X Technology(c)   2
ASP.NET Session Background
     When is Session.Id established?
        If ASP.NET receives any session Id from the client, it will USE IT. The stock
        SessionIDManager only checks that the Id is well formed (24 characters in its
        own alphabet); it never checks that the server issued it, so an unknown Id
        simply gets a fresh session created under it.
     Does Session.Abandon remove this cookie?
        NO. Why?
         ○ The cookie (ASP.NET_SessionId, scoped to the host) could be shared by other
           applications on the same host, so ASP.NET leaves it in place and the same
           Id is reused for the next session.

     Session.IsNewSession is true when
        ASP.NET has no record of the current session
        A first request to a web server generally means IsNewSession = true
        If a session Id is provided by the client, IsNewSession = true on the first
        request and false for subsequent requests: the server adopts the client's Id.
     Session cookies are HttpOnly
        Which means JavaScript cannot READ the session cookie, but that does not stop
        the cookie from being SET: script can still write a same-named cookie for
        another path or a parent domain, and anyone who can inject a response (a
        man-in-the-middle on plain HTTP, header injection) sets it outright. HttpOnly
        limits theft of the Id, not planting of one.
ASP.NET Session Background

 DEMO

The client wants a NEW Session Id of 12345678? No problem.

                               Cookie sent to server

                                                       ASP.NET_SessionId = 12345678

(The value stands in for any attacker-chosen Id. The stock SessionIDManager rejects an
Id that is not 24 characters in its alphabet, but it accepts any well-formed Id it never
issued, which is all a fixation attack needs.)

How can sessions be attacked?
     Session Ids can be attacked
        Network traffic can be sniffed: over plain HTTP the cookie is visible on the wire
        Man-in-the-middle attack (easy to test by pointing the browser at an intercepting proxy)
        Session fixation: the attacker plants an Id of their choosing before the victim
        logs in, then reuses that Id once the victim has authenticated

     Session Fixation Demo

Preventing session attacks
     Force SSL for the entire site (and set requireSSL on the forms and httpCookies
     elements so the cookies are marked Secure and never travel over plain HTTP)
     Ensure authentication and session timeouts are in sync!
        The session could time out before the forms auth ticket does, leaving an
        authenticated user on a fresh session created under the old Id, thus allowing
        takeover of the session
     Remove the session cookie and kill the session upon logout AND when the login page
     loads, so an authenticated session never keeps an Id the client brought with it
        Session.Abandon(); // Expires the server-side session but leaves the cookie
        Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddYears(-30); // so expire the cookie explicitly
     Avoid cookieless sessions (where the Id is on the URL: it leaks through the Referer
     header, proxy logs and shared links, and is trivial to fix)
     EXTRA EXTRA secure... (kind of an advanced topic)
        Create your own SessionIDManager to generate and validate Ids.
        Note these are called for EVERY request (images, etc.) in Integrated Pipeline
        Mode
        Store the session Id in the auth cookie (the forms ticket's UserData) and reject
        any request where the two cookies disagree

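The fixes on this slide, together with the client-supplied-Id behaviour from slides 3 and 5, as an added C# example that is not from the slides or from 99X Technology. It assumes ASP.NET 4.x with forms authentication and cookie-based InProc session state; the System.Web calls are the real framework APIs, while SessionGuard and its method names are hypothetical.

```csharp
// Added example (not from the slides): one helper that drops session Ids the server
// never issued, rotates the Id at login and binds it into the forms-auth ticket, and
// expires the cookie at logout because Session.Abandon() alone does not.
// Assumes ASP.NET 4.x, forms authentication, cookie-based InProc session state.
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

public static class SessionGuard
{
    const string SessionCookieName = "ASP.NET_SessionId";

    // Wire from Global.asax:
    //   void Application_PostAcquireRequestState(object s, EventArgs e)
    //   { SessionGuard.Enforce(HttpContext.Current); }
    // In Integrated Pipeline mode this runs for every request with session state,
    // static files included, so it does nothing but cookie comparisons.
    public static void Enforce(HttpContext ctx)
    {
        if (ctx.Session == null) return;                     // handler without session state
        var authCookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        bool clientSentSessionId = ctx.Request.Cookies[SessionCookieName] != null;

        if (authCookie == null)
        {
            // Anonymous request carrying an Id the server has no record of (slide 3:
            // IsNewSession is true on the first request with a client-supplied Id).
            // ASP.NET would adopt it; instead tell the browser to drop it. ASP.NET
            // issues its own Id once the session is actually used.
            if (clientSentSessionId && ctx.Session.IsNewSession)
                ExpireSessionCookie(ctx.Response);
            return;
        }

        FormsAuthenticationTicket ticket = null;
        try { ticket = FormsAuthentication.Decrypt(authCookie.Value); }
        catch (Exception) { /* tampered or foreign ticket: treated as invalid below */ }

        // Binding check: the session Id riding with this ticket must be the one
        // generated at login, otherwise the session cookie was swapped or planted.
        if (ticket == null || ticket.Expired || ticket.UserData != ctx.Session.SessionID)
        {
            Logout(ctx);
            ctx.Response.Redirect(FormsAuthentication.LoginUrl, endResponse: true);
        }
    }

    // Call once the credentials have been verified, then redirect: the new Id only
    // takes effect on the next request, and anything stored in Session during this
    // request still lands in the old, abandoned session.
    public static void Login(HttpContext ctx, string userName)
    {
        ctx.Session.Abandon();                               // discard whatever Id the client arrived with

        var idManager = new SessionIDManager();              // the stock manager: 24-char random Ids
        string newId = idManager.CreateSessionID(ctx);
        bool redirected, cookieAdded;
        idManager.SaveSessionID(ctx, newId, out redirected, out cookieAdded);

        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.Add(FormsAuthentication.Timeout),
            false, newId, FormsAuthentication.FormsCookiePath);   // UserData = bound session Id
        ctx.Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName,
                                                FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        });
    }

    public static void Logout(HttpContext ctx)
    {
        FormsAuthentication.SignOut();
        if (ctx.Session != null) ctx.Session.Abandon();      // kills server state, keeps the cookie
        ExpireSessionCookie(ctx.Response);                   // so expire the cookie explicitly
    }

    static void ExpireSessionCookie(HttpResponse response)
    {
        response.Cookies.Set(new HttpCookie(SessionCookieName, string.Empty)
        {
            Expires = DateTime.Now.AddYears(-30),
            HttpOnly = true,
            Path = "/"
        });
    }
}
```

Two things to keep in mind when dropping this in. The anonymous branch expires an unrecognised cookie, so any session data the same request writes before login (a CAPTCHA answer, for example) is stored under the dropped Id and lost; write such data only after the first response has issued a server-chosen Id. And the binding check protects against a planted or swapped session cookie, not against an attacker who has already captured both cookies; that case is what forcing SSL is for.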
Session timeouts / Forms Auth timeouts
    Scenario
       Session timeout 20 minutes, forms auth timeout 20 minutes (sliding), user logs in at 12:00
       The session can also expire when the app pool is reset, while the forms auth token
       stays valid: the ticket lives in the client's cookie, not in server memory

       Time     Event                              Session expires    Forms Auth token expires
       12:02    request                            12:22              Still 12:20
       12:04    request                            12:24              Still 12:20
       12:06    request                            12:26              Still 12:20
       12:15    request                            12:35              12:35 (ticket renewed)
       12:30    App pool shuts down, reset, etc.   NO SESSION         12:35

    Why "still 12:20"? The session slides on every request, but a sliding forms auth
    ticket is only re-issued once more than half of its lifetime has elapsed, so the two
    expiry times drift apart even though both timeouts are 20 minutes. After the 12:30
    reset the user is still authenticated until 12:35 but has no session, and the next
    request creates an empty one under the same Id.

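The two sliding clocks in the table, as an added C# model that is not from the slides or from 99X Technology. It replays the request times on the slide and applies the renewal rule FormsAuthentication.RenewTicketIfOld uses (re-issue only when more time has elapsed than remains); the 12:00 login and the two 20-minute timeouts are assumed, and the class name is hypothetical.

```csharp
// Added example (not from the slides): models InProc session expiry against a
// sliding forms-auth ticket and flags the hazard from slide 7, an authenticated
// request landing on a session the server no longer has.
using System;

public class TimeoutDrift
{
    static readonly TimeSpan SessionTimeout = TimeSpan.FromMinutes(20);   // assumed, as on the slide
    static readonly TimeSpan AuthTimeout    = TimeSpan.FromMinutes(20);

    DateTime? sessionExpires;                // server memory: null when expired or recycled
    DateTime  ticketIssued, ticketExpires;   // forms-auth ticket: lives in the client's cookie

    public TimeoutDrift(DateTime loginAt)
    {
        sessionExpires = loginAt + SessionTimeout;
        ticketIssued   = loginAt;
        ticketExpires  = loginAt + AuthTimeout;
    }

    public void Recycle() { sessionExpires = null; }    // app pool shut down / reset: InProc state is gone

    public bool TicketValid(DateTime now)  { return now <= ticketExpires; }
    public bool SessionAlive(DateTime now) { return sessionExpires.HasValue && now <= sessionExpires.Value; }

    // A request at 'now': the session always slides; the ticket is renewed only when
    // more than half of its lifetime has elapsed (the RenewTicketIfOld rule).
    public string Request(DateTime now)
    {
        if (!TicketValid(now))
            return now.ToString("HH:mm") + "  ticket expired -> redirected to login";

        bool sessionWasGone = !SessionAlive(now);        // authenticated, but server has no session
        if (now - ticketIssued > ticketExpires - now)
        {
            ticketIssued  = now;
            ticketExpires = now + AuthTimeout;
        }
        sessionExpires = now + SessionTimeout;           // recreated under the same Id if it was gone

        return Status(now) + (sessionWasGone ? "   <- authenticated request landed on a brand-new session" : "");
    }

    public string Status(DateTime now)
    {
        string session = sessionExpires.HasValue ? sessionExpires.Value.ToString("HH:mm") : "NO SESSION";
        return string.Format("{0:HH:mm}  session expires {1,-10}  ticket expires {2:HH:mm}",
                             now, session, ticketExpires);
    }

    public static void Main()
    {
        var noon = new DateTime(2013, 1, 1, 12, 0, 0);
        var t = new TimeoutDrift(noon);                  // assumed: login at 12:00
        foreach (int minute in new[] { 2, 4, 6, 15 })    // request times from the slide
            Console.WriteLine(t.Request(noon.AddMinutes(minute)));
        t.Recycle();
        Console.WriteLine(t.Status(noon.AddMinutes(30)));    // 12:30: NO SESSION, ticket still 12:35
        Console.WriteLine(t.Request(noon.AddMinutes(32)));   // 12:32: authenticated, empty session, flagged
    }
}
```

Running it reproduces the table row by row (12:22/12:20, 12:24/12:20, 12:26/12:20, 12:35/12:35, then NO SESSION/12:35 after the recycle) and the final request shows the window the slide warns about: the user is still authenticated at 12:32 with no server-side session at all, which is why the timeouts need to be kept in step and why the session Id bound at login should be checked on every request.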
