Simple Anti Session Hijacking

Protecting a web application from session hijacking can be quite a learning process in application security, even for experienced developers. If your session mechanism consists of nothing more than session_start(), chances are good that you are vulnerable, although exploiting it isn't as simple as session fixation.
Instead of focusing only on how to keep the session identifier from being captured, try focusing on how to make such a capture less useful to an attacker. The goal is to complicate impersonation, since in theory every added hurdle increases security.
Taking a small step in that direction, the code below forces a would-be attacker to present not only a valid session identifier but also the User-Agent associated with that session. The premise is that a legitimate user's User-Agent is unlikely to change in the middle of a session, so a mismatch is worth acting on.
See code below...
This is not fail-safe and certainly not bulletproof, but it does add some complexity, and it can be improved quite easily. Consider MD5 hashing the User-Agent with some additional randomness mixed in, and consider requiring a value like the one computed below to be passed in a URL variable for the session to continue. If the check fails, log the event and redirect the user to a login prompt. The options are yours. See below...
/*
 * Simple Anti-Session Hijacking
 *
 * DESCRIPTION:
 * This example uses the user's browser agent setting, which
 * has been run through an MD5 one-way hash, to determine if
 * the session has been hijacked. This should be used in
 * conjunction with other steps to prevent hijacking and not
 * as a sole mitigating control against session hijacking.
 *
 * Jeremiah Talamantes
 * RedTeam Security
 * http://redteamsecure.com/labs
 */
session_start();

if (isset($_SESSION['HTTP_USER_AGENT']))
{
    // Existing session: compare the stored hash with the User-Agent
    // presented on this request.
    if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT']))
    {
        // This could be a hijacked session
        // Log event?
        // Redirect to login page?
        exit;
    }
} else {
    // First request of the session: remember a hash of the User-Agent
    // that established it (hash the request header, not the empty session value).
    $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
}
/*
 * Simple Anti-Session Hijacking
 *
 * DESCRIPTION:
 * This example uses the user's agent with the
 * use of a salted MD5 hash to add a bit more
 * complexity.
 *
 * Jeremiah Talamantes
 * RedTeam Security
 * http://redteamsecure.com/labs
 */
$string = $_SERVER['HTTP_USER_AGENT'];

// salt the MD5 hash
$string .= 'thisisjustSOMErandomtext';

/* add other stuff here */

$accesscode = md5($string);
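The following is an added example, not code from the original post or from RedTeam Security: it puts the two snippets above together with a per-session random salt instead of a fixed string, a keyed SHA-256 fingerprint instead of bare MD5, a constant-time comparison, and the logging and redirect the text suggests. The login page path and the logging destination are assumptions. Binding to the User-Agent only raises the bar; it cannot stop an attacker who captured the victim's User-Agent header along with the session identifier.

```php
<?php
// Added example (not part of the original post). Binds the session to a
// keyed fingerprint of the User-Agent and reacts to a mismatch.
declare(strict_types=1);

session_start();

/** Fingerprint the current request's User-Agent with this session's salt. */
function ua_fingerprint(string $salt): string
{
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash_hmac('sha256', $ua, $salt);
}

/** First request of a session: store a random salt and the fingerprint. */
function bind_session_to_ua(): void
{
    $_SESSION['ua_salt'] = bin2hex(random_bytes(16)); // per-session, unguessable
    $_SESSION['ua_hash'] = ua_fingerprint($_SESSION['ua_salt']);
}

/** Later requests: true only if the presented User-Agent still matches. */
function session_ua_matches(): bool
{
    if (!isset($_SESSION['ua_salt'], $_SESSION['ua_hash'])) {
        return false;
    }
    // hash_equals() avoids leaking the comparison result through timing.
    return hash_equals($_SESSION['ua_hash'], ua_fingerprint($_SESSION['ua_salt']));
}

if (!isset($_SESSION['ua_hash'])) {
    // New session: bind it to this User-Agent. Rebind again right after a
    // successful login, together with session_regenerate_id(true).
    bind_session_to_ua();
} elseif (!session_ua_matches()) {
    // Possible hijack: log it, drop the session, send the user back to login.
    error_log(sprintf('session %s: User-Agent mismatch from %s',
        session_id(), $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php'); // hypothetical login page path
    exit;
}
```

The stored fingerprint is a per-session HMAC rather than a plain MD5, so a stored value can never be looked up in a table of hashed common User-Agent strings; the check itself still depends entirely on the User-Agent differing between victim and attacker.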
Again, these steps should be implemented in conjunction with other measures against session hijacking; they are not meant to be the single, sole solution. Happy coding!