Session Hijacing Theory

**Moonbat** · 11-06-2007, 08:53 PM

I was thinking to myself what a wonderful world, then I woke up. Afterwards I thought this up.

Okay, suppose you have a social networking site called [url]http://www.friends.com[/url]. Now suppose this site, when you login, stores your PHP session ID as a get variable, i.e.

Code:

http://www.friends.com/profile.php?SESSID=aaaea***0fa*bc00**df6cedb*7b*cb0

Now, (yes another hypothetical) suppose I posted a link on my profile to my external site [url]http://www.mysitezor.com[/url]. When the other users of the site click it they will be taken to my site. I will have a nice little log file showing refferer information. So, later, shouldn't I be able to go to my log file and see their refferer information, right? It should look like this (psuedo).

Code:

IP - 6*.***.66.***
Hostname - <insert random hostname here>
Refferer - http://www.friends.com/profile.php?SESSID=aaaea***0fa*bc00**df6cedb*7b*cb0

Since the SESSID was stored as a GET var, it shows up right? So shouldn't I be able to login to my Friends.com account and change my cookie's SESSID value to the one that I got from the refferer information, thereby hijacking the victim's session?

Just a theory, feedback would be nice.

**Noodles** · 11-07-2007, 04:41 AM

did you try it moonbat? supposing alone wont get you anywhere. try it and tell us/

**Ezekiel** · 11-07-2007, 01:39 PM

Websites mostly use cookies to authenticate users, and PHP sessions simply to ***** users' actions on the site regardless of their login status.

Of course all sites are different, but it would be very dangerous to use PHP sessions as a basis for authentication when the referrer can be logged by any site they click a link to, thus compromising their account.

You'd need a user's cookie(s) to hijack their account, as far as I've seen.

By the way, I moved this to Internet Privacy.

**Moonbat** · 11-07-2007, 07:05 PM

I have yet to find any site that is vulnerable to this sort of attack, so until further notice this theory is busted.

**Noodles** · 11-07-2007, 11:50 PM

i thought you pro guys, like make websites for experimentation.

no body will care if you deface / hack your website....i guess.

make a web which is vulnerable and ..... or is it difficult too compose a vulnerable website?

**Ezekiel** · 11-08-2007, 03:22 PM

Originally Posted by Noodles

make a web which is vulnerable and ..... or is it difficult too compose a vulnerable website?

Not difficult really, but I don't have the time at the moment for any more projects.

**Moonbat** · 11-08-2007, 04:42 PM

Originally Posted by Noodles

i thought you pro guys, like make websites for experimentation.

no body will care if you deface / hack your website....i guess.

make a web which is vulnerable and ..... or is it difficult too compose a vulnerable website?

Well, I was thinking up this theory based on the assumption that after normal user/passwrod authentication, the server only authenticated you based on the SESSID.

I have some other things on my e-plate I need to start and/or finish, so this theory will have to take a backseat to them.

Thread: Session Hijacing Theory

Thread Tools

Search Thread

Display

Hybrid View

Session Hijacing Theory

Similar Threads

Secure Session Control

I'm so nasty. Trojan session

Question (A theory program)

Posting Permissions