
Session Fixation Software Attack in Session Hijacking

Last Updated : 08 Sep, 2022

A session fixation software attack is a type of session hijacking carried out by a persistent entity on the computer that uses the software. Session fixation has been observed in real-world use by various entities, including nation-states. It is performed by acquiring or modifying the TCP/IP stack so that a user's connection appears to have been initiated from the attacker's own local system, and then responding with connections from that system to remote systems, typically without their knowledge. This lets the attacker eavesdrop on any traffic between the remote computers and the attacker's own machine. The most common forms of the attack are password guessing and Internet connectivity spoofing, leading to a denial of service.

Session Fixation Attack


Session Fixation Software Attack:

  • Session fixation attacks are mainly carried out by persistent malicious software. The details of the session fixation software attack in session hijacking are as follows:
    • The attacker finds a way to place a Trojan on the user's system, which can be a client- or server-side application. This Trojan is placed in the local user's directory, but it may also be placed anywhere else its owner wants, such as an Internet browser, an FTP server, etc.
    • The malicious software is injected into the TCP/IP stack to make it appear as if the packets originated from the attacker's own system.
    • If a remote client connects to a local server, or vice versa, the attacker replies with his local IP address but never forwards any packet to the remote host.
    • At this point, it is up to the TCP/IP stack to detect the spoofed packets and return an ICMP error message.
    • If no response packet is returned, the attacker intervenes manually by sending UDP reply packets. The tricky part is how the attacker forwards the packet to the remote system without the remote host's knowledge. Tcpdump can be used to intercept ICMP packets.
    • Once the ICMP error messages are forwarded back to the TCP/IP stack and sent to the client system again, the attack is successful.
    • If there was no response packet to the ICMP message, the attack fails, because the stack replies to its own address in a new connection using another IP header. In this case, the attacker has to intervene manually by sending a UDP reply packet or restarting the TCP/IP stack. This type of session fixation software attack can succeed only if the local login script is also vulnerable.

Countermeasures:

The best security measure against a session fixation attack is to change the default login password, since the default password is one of the main reasons behind this attack: when a user logs in to a particular system, he should use a password that is known only to the local machine. It is easier for an attacker to detect an outgoing packet using ping or traceroute. In some cases, using tcpdump can be helpful as well.

Vulnerability:

The most common reason behind this type of attack is that, if local scripts are not protected from unauthorized access, it is probable that the local account (i) has a weak password, (ii) has a password that contains already known words and has been stored somewhere such as a web page, or (iii) has its password stored in an application log file. Some common attack targets are web pages, email connections, online file transfers, etc.
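The weak-password and known-word conditions above, together with the later advice to replace the login password with random text, can be checked in code. The following is an added example and is not part of the original article: it generates a cryptographically random password, rejects any password that contains a word from a constructed "already known words" list (a stand-in for a leaked wordlist), and stores the password only as a salted PBKDF2 hash rather than in plain text. All function names and the KNOWN_WORDS sample are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import Iterable, Optional

# Constructed sample standing in for a list of "already known words"
# (a real deployment would load a breached-password or dictionary list).
KNOWN_WORDS = {"password", "admin", "welcome", "letmein", "qwerty", "123456"}

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Return a password built from a CSPRNG (secrets), not random.random()."""
    if length < 12:
        raise ValueError("length must be at least 12")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def contains_known_word(password: str,
                        known_words: Iterable[str] = KNOWN_WORDS,
                        min_len: int = 4) -> bool:
    """True if any known word of at least min_len characters occurs
    anywhere in the password (case-insensitive substring match)."""
    lowered = password.lower()
    return any(w in lowered for w in known_words if len(w) >= min_len)


def is_acceptable(password: str, min_length: int = 12) -> bool:
    """Policy check: long enough and free of known words."""
    return len(password) >= min_length and not contains_known_word(password)


def hash_password(password: str,
                  salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA256. The stored string carries its own
    parameters so they can be raised later without a format change."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in
    constant time, so a mismatch leaks nothing about how close it was."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    pw = generate_password()
    print("generated password acceptable:", is_acceptable(pw))
    record = hash_password(pw)          # this is what gets stored, never pw
    print("verifies:", verify_password(pw, record))
    print("wrong password verifies:", verify_password("password123!", record))
```

The stored record contains the algorithm name, iteration count and salt alongside the digest, so a log file or configuration dump that exposes it still does not reveal the password itself; raising the iteration count later only requires re-hashing on the next successful login.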

Defenses:

  • The best way to defend against a session fixation software attack is to keep all the passwords for all of your local systems secret. The other way is to change the login password to properly encrypted random text.
  • It is always recommended to use Secure HTTP (HTTPS) or Secure FTP (SFTP) whenever possible, because they encrypt the transmitted data.
  • If you suspect a malicious bot on your system, it is better to run the command “sudo /etc/init.d/iptables stop” to stop the Internet traffic for that system.
  • Users can also log out from the remote host and log in again using another secure session that is not vulnerable to IP spoofing.
  • Another way is to use a VPN (Virtual Private Network). It is like connecting a private network to a public network where only authorized clients are allowed to connect, using only one IP address of that network, so IP spoofing is not possible through such a VPN connection.
  • Use intrusion detection systems such as Snort or GFI LanGuard.
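The "log out and log in again using another secure session" advice above is the part of the list a server can enforce on its own. The following is an added example, not code from the original article: a minimal in-memory session store in which a successful login always issues a brand-new session token and discards whatever token the client presented, so a session identifier that was fixed before authentication never becomes an authenticated one. A weaker `login_keep_token` method that reuses the presented token is included beside it for contrast. The `SessionStore` class, its method names and the TTL handling are assumptions made for this illustration.

```python
import secrets
import time
from typing import Dict, Optional


class SessionStore:
    """In-memory session table: token -> {"user": Optional[str], "created": float}."""

    def __init__(self, ttl_seconds: float = 3600.0):
        self.ttl = ttl_seconds
        self._sessions: Dict[str, dict] = {}

    def new_session(self) -> str:
        """Issue an unauthenticated session with an unguessable token."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[token] = {"user": None, "created": time.time()}
        return token

    def lookup(self, token: str) -> Optional[dict]:
        """Return the session entry, expiring it if older than the TTL."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if time.time() - entry["created"] > self.ttl:
            del self._sessions[token]
            return None
        return entry

    def login(self, presented_token: str, username: str,
              password_ok: bool) -> Optional[str]:
        """Secure form: authenticate, then ALWAYS rotate the token.
        The presented token (which may have been planted before the user
        arrived) is invalidated; the authenticated state exists only under
        the freshly generated token returned to the client."""
        if not password_ok:
            return None
        self._sessions.pop(presented_token, None)
        token = self.new_session()
        self._sessions[token]["user"] = username
        return token

    def login_keep_token(self, presented_token: str, username: str,
                         password_ok: bool) -> Optional[str]:
        """Weak form, shown for contrast: the presented token is simply
        upgraded to an authenticated one, so anyone who already knew it
        now holds an authenticated session."""
        if not password_ok:
            return None
        entry = self.lookup(presented_token)
        if entry is None:
            return None
        entry["user"] = username
        return presented_token

    def logout(self, token: str) -> None:
        """Drop the session server-side; clearing the cookie alone is not enough."""
        self._sessions.pop(token, None)

    def current_user(self, token: str) -> Optional[str]:
        entry = self.lookup(token)
        return entry["user"] if entry else None


if __name__ == "__main__":
    store = SessionStore()
    before = store.new_session()           # token the client arrived with
    after = store.login(before, "alice", password_ok=True)
    print("token rotated:", before != after)
    print("old token still valid:", store.current_user(before) is not None)
    print("new token user:", store.current_user(after))
```

Rotating on login (and again on any privilege change) is the server-side complement to the user advice in the list: the old token is gone from the table, so logging in "again using another secure session" is guaranteed rather than left to the user.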

Conclusion:

The session fixation software attack in session hijacking is quite common nowadays because of its low cost and high success rate. Users should keep in mind that, to avoid such attacks, it is better to change the default login password so that every time a user logs in to a system, he does not use a password already known for that particular system.

