Sunday, January 1, 2012

Authorization Attacks using Session hijacking

Most of authorization methods are based on the user, password pair, provided by the user. The stateless nature of the Internet requires the server to remember every user that has logged in. Web applications create a unique session for every user. This session is stored somewhere on the server, usually in the database and on users' box via cookies or GET/POST variables. How possible is, for a malicious user, to use these cookies for impersonation? In this article we will try to explore some methods that used very often by malicious people in order to impersonate users. We are not trying to find a totally new world, but to uncover, or better, to formulate, the most recent methods used against current web applications that allow malicious attackers to believe that they are successful. Cookie attacks formulation, Session Prediction, Cross Site Request Forgery and
Session Fixation are methods that will be described with real examples.