View Full Version : Session Hijacing Theory
Moonbat
11-06-2007, 09:53 PM
I was thinking to myself what a wonderful world, then I woke up. Afterwards I thought this up.
Okay, suppose you have a social networking site called http://www.friends.com. Now suppose this site, when you login, stores your PHP session ID as a get variable, i.e.
http://www.friends.com/profile.php?SESSID=aaaea***0fa*bc00**df6cedb*7b*cb0
Now, (yes another hypothetical) suppose I posted a link on my profile to my external site http://www.mysitezor.com. When the other users of the site click it they will be taken to my site. I will have a nice little log file showing refferer information. So, later, shouldn't I be able to go to my log file and see their refferer information, right? It should look like this (psuedo).
IP - 6*.***.66.***
Hostname - <insert random hostname here>
Refferer - http://www.friends.com/profile.php?SESSID=aaaea***0fa*bc00**df6cedb*7b*cb0
Since the SESSID was stored as a GET var, it shows up right? So shouldn't I be able to login to my Friends.com account and change my cookie's SESSID value to the one that I got from the refferer information, thereby hijacking the victim's session?
Just a theory, feedback would be nice.
Noodles
11-07-2007, 05:41 AM
did you try it moonbat? supposing alone wont get you anywhere. try it and tell us/:D
Ezekiel
11-07-2007, 02:39 PM
Websites mostly use cookies to authenticate users, and PHP sessions simply to ***** users' actions on the site regardless of their login status.
Of course all sites are different, but it would be very dangerous to use PHP sessions as a basis for authentication when the referrer can be logged by any site they click a link to, thus compromising their account.
You'd need a user's cookie(s) to hijack their account, as far as I've seen.
By the way, I moved this to Internet Privacy.
Moonbat
11-07-2007, 08:05 PM
I have yet to find any site that is vulnerable to this sort of attack, so until further notice this theory is busted. :(
Noodles
11-08-2007, 12:50 AM
i thought you pro guys, like make websites for experimentation. :confused:
no body will care if you deface / hack your website....i guess.
make a web which is vulnerable and ..... or is it difficult too compose a vulnerable website? :)
Ezekiel
11-08-2007, 04:22 PM
make a web which is vulnerable and ..... or is it difficult too compose a vulnerable website? :)
Not difficult really, but I don't have the time at the moment for any more projects.
Moonbat
11-08-2007, 05:42 PM
i thought you pro guys, like make websites for experimentation. :confused:
no body will care if you deface / hack your website....i guess.
make a web which is vulnerable and ..... or is it difficult too compose a vulnerable website? :)
Well, I was thinking up this theory based on the assumption that after normal user/passwrod authentication, the server only authenticated you based on the SESSID.
I have some other things on my e-plate I need to start and/or finish, so this theory will have to take a backseat to them.
Ezekiel
11-09-2007, 03:57 AM
I have some other things on my e-plate I need to start and/or finish, so this theory will have to take a backseat to them.
I'm gonna have to steal the phrase "e-plate" from you.
kthx.
Moonbat
11-09-2007, 04:01 PM
You're welcome :D
dandi10110
11-10-2007, 12:53 AM
Hi guys - I know your probably already rolling your eyes as soon as you seen the title of this message. I was searching the internet for ways to hack a users myspace page - when I mean hack - I mean I want to see who the no-good bastard is cheating on me with. I know a tad about code - went to school for programming over 7 years ago - switched major to design (don't hate me) so I'm:eek: a little rusty. Anyway when I did a search - it brought me to you - so here I am. I read a few of your posts on the subject - did you ever figure out if it is doable?
Moonbat
11-10-2007, 10:36 AM
As of now MySpace has no security vulnerabilities that we know of.
Ezekiel
11-10-2007, 09:19 PM
Hi guys - I know your probably already rolling your eyes as soon as you seen the title of this message.
:rolleyes:
:rolleyes:
:rolleyes:
Yeah.
Usually, the easiest (and most effort-free) way to gain access to any web account is phishing, but this isn't really relevant to the current thread.
Moonbat
11-10-2007, 09:39 PM
Usually, the easiest (and most effort-free) way to gain access to any web account is phishing, but this isn't really relevant to the current thread.
Is anything ever relavent to the current thread? :rolleyes:
Ezekiel
11-12-2007, 05:24 AM
Is anything ever relavent to the current thread? :rolleyes:
Not usually, but we allow thread-hijackings if they turn a boring thread into an interesting one.
Otherwise, we enforce the rules like the hypocrites we are.
dandi10110
11-13-2007, 10:37 PM
pretty much a no-go. And either I did not pay attention in school or I just forgot everything I learned because half of what you posted was over my head. :o
So I guess my next question is. I recently put spyware on my page to see who is checking my profile out - problem is it can only give me an IP address. Is there a way to somehow do a reverse look-up on an IP address to get either a name or an email address?
Moonbat
11-13-2007, 11:05 PM
Most IP's assigned by ISPs are dynamic, i.e. they will change. For privacy and managability reasons, no records (that I know of) are kept of what IP addresses match up to who and where they live.
I'm sure the proper authorities (FBI, CIA, etc.) have some kind of leet hax that let them ***** Internet vandals so easily, but such technology has yet to fall into my hands.
Ezekiel
11-14-2007, 04:34 PM
I'm sure the proper authorities (FBI, CIA, etc.) have some kind of leet hax that let them ***** Internet vandals so easily, but such technology has yet to fall into my hands.
Yeah; it goes like this:
FBI: *Calls ISP.*
ISP: "Hello, can I help you?"
FBI: "FBI here, lol. Give me all the subscriber info of X person; identified by their IP address (xxx.xxx.xxx.xxx) being used at hh:mm:ss dd/mm/yy."
ISP: "Sure; you absolutely don't need a warrant for things like this. Their address is..."
FBI: "Thanks."
ISP: *Hangs up.*
Moonbat
11-14-2007, 08:05 PM
I'm gonna try that soon :D
I dunno if my ISP is insecure like that, but it probably is.
Ezekiel
11-15-2007, 04:04 PM
Uh, the "you absolutely don't need a warrant for things like this" part was kind of sarcastic ;)...
Moonbat
11-15-2007, 05:37 PM
Well, it didn't work anyway, they kept asking me to meet them in person. :(
Ezekiel
11-15-2007, 07:35 PM
Well, it didn't work anyway, they kept asking me to meet them in person. :(
What, it's that simple? All they need to release subscriber info is a bullshit meeting with fake FBI-agents?
All you'd need is some fake clothing from an online-store like this, for example:
http://www.army-surplus.co.uk/
WIth that, you'd need a very basic fake-ID.
It's very possible -- people usually obey those in authoritative clothing.
I'm only *6, but in a couple of years I imagine I could pull this off (or ask an older person to do this for me now).
Moonbat
11-15-2007, 08:59 PM
What, it's that simple? All they need to release subscriber info is a bullshit meeting with fake FBI-agents?
All you'd need is some fake clothing from an online-store like this, for example:
http://www.army-surplus.co.uk/
WIth that, you'd need a very basic fake-ID.
It's very possible -- people usually obey those in authoritative clothing.
I'm only *6, but in a couple of years I imagine I could pull this off (or ask an older person to do this for me now).
I doubt it'd be that simple. After them saying the whole "lets meet in person" thing, I just said some stuff about having the get authorization from my supervisors to meet with them.
I'm sure though, that they would ask me to give documents and crap, which I can't fake, because I don't know what they look like :p
Ezekiel
11-16-2007, 03:32 PM
I doubt it'd be that simple. After them saying the whole "lets meet in person" thing, I just said some stuff about having the get authorization from my supervisors to meet with them.
I'm sure though, that they would ask me to give documents and crap, which I can't fake, because I don't know what they look like :p
Hmm...
I'm not sure on this, but I think when dressed in authoritative clothing and when dealing with corporate-robots, it is definitely a possibility.
Moonbat
11-16-2007, 05:19 PM
Never underestimate the power of human curiosity. They will poke and pry until all of their internal security checks are met. Only then will they spill the beans.
Often times with senior citizens, taking the authoritative approach makes them apprehensive and can ruin a SE opprotunity.
Powered by vBulletin® Version 4.1.8 Copyright © 2024 vBulletin Solutions, Inc. All rights reserved.