Next week, I will present my project about web security with my advisor. I have many question with session hijack
1. If I login in some website and url is http://www.somewebsite.com/staff.ph...345678910abcdef
if someone use sniffer to sniff this url and enter this url. So he can use my session and act as me in this session. Is this call Session hijack?
2. if 1 is session hijack. If http://www.somewebsite.com/staff.php not pass session ID in url but keep Session ID in cookie on client (Which keep in memory not text file). In this situation, If intruder want to hijack session. Is intruder must have session ID in his computer's memory. Is it possible to do?
3. in 1. someone use sniffer to sniff url and get http://www.somewebsite.com/staff.ph...345678910abcdef but if this site use ssl , Is intruder can sniff and get url http://www.somewebsite.com/staff.ph...345678910abcdef and act as me?
4. I test by login into hotmail and yahoo mail. when I already login and click to inbox. I copy url in inbox page
http://us.f144.mail.yahoo.com/ym/lo...d=4pr0eksnhfbc4
and
http://lw15fd.law15.hotmail.msn.com...56ff083f01ad68f
I sent this url to my frient and ask he to open it. but when he open this url. he get login form not inbox page.
How these site make session secure?
Now I'm no php expert, but I think I may be able to help you. The trick is to use sessions to register some variable other than the session_id, and then check for this variable when the user tries to access a page requiring said variable. For example if you ask someone to enter a username before accessing a page, you would do something like this:
This way the registered variable is not passed in the URL, and so it cannot just be copied and pasted by someone else.
To verify that the variable $username is set, you could just use an if statement near the head of any page that you want made secure:
<?php
if(!isset($username)) {
?>
Page with login form
<?php
} else {
?>
Whatever page you are protecting
<?php
} ?>
There are more eloquent ways of doing this but I think this gives you the basic idea of what is going on.
1. Yes
2. Yes. Cookies can be spoofed. You have no control over what's on the client's computer. He could have hacked his browser or written his own (fairly simple with the open source browsers out there).
3. No. SSL would prevent hijacking. Of course it would have to be used exclusively on pages that use sessions.
4. There are way too many possibilities here. The most obvious is time. Was the session still active when your friend went there? Another is that the server looked at the user agent strings. Unfortunately, this can be spoofed as well, but your friend probably didn't do that. Less likely, they looked at the IP, but again that can be spoofed AND would block some legitimate users. There are several others, but the ONLY secure way is to use SSL. This is true for ALL server side technologies trying to maintain state, NOT just PHP.
Thanks very much. :) I have more question from question 2.
1. If browser is Netscape and IE (not opensource), Is intruder can hack it. Do you know how to? because it keep in memory.
2. If some website keep cookie in text file, which contain username and password.so when I visit website. I don't need login everytime. It automatic login. If intruder sniff cookie and copy in his computer. Can he automatic login with me?
3. If my computer have about 30 cookies in text file. If I visit amazon website, and this website read it's cookie. How it know that this cookie is it's cookie.
4. Can amazon website read cookie from other website on my computer? Is anyway to do it?
If you have more information about this topic, please let me know? especially how to do it?
Thanks again.
1) Huh? A cracker isn't going to go after the cookie in the client software. He'll sniff it as the packet is in transport.
2) Yes.
3) You don't need to know. The browser handles this, but the spec is on Netscape's site, or at least it used to be. MS may have it as well. No standard has to be followed by the browser since only that browser will look at it's cookies. Just as long as it can find the cookie based on the domain name...
4) Not supposed to be able to. Of course, MS has been infamous for allowing security holes...
Why would I tell you how to do it? You want to crack some site?
Why would I tell you how to do it? You want to crack some site?
No, I don't want hack website. I only want to know how to do it. as I tell you, Next week, I will present my project. I'm 4 years student major computer engineering.
My project is about Web Security.
So I want to know
I must present how to hack it and how to protect it.
In my project I'm research about
Openbsd Security
Apache Security
MySQL Security
PHP Security
I know these problem can solve with SSL. But I want to present, if not SSL. What happen!!
See from your questions I can see that you don't have much idea about how cookie works and how in general sessions are being utilised by websites.
I wonder in that situation how you would learn , how to hack/crack it.