
Thread: Session Hijacking Theory

  1. #1
    Join Date
    Sep 2006
    Posts
    1,649

    Session Hijacking Theory

    I was thinking to myself what a wonderful world, then I woke up. Afterwards I thought this up.

    Okay, suppose you have a social networking site called http://www.friends.com. Now suppose this site, when you log in, stores your PHP session ID as a GET variable, i.e.
    Code:
    http://www.friends.com/profile.php?SESSID=aaaea***0fa*bc00**df6cedb*7b*cb0
    Now, (yes another hypothetical) suppose I posted a link on my profile to my external site http://www.mysitezor.com. When the other users of the site click it they will be taken to my site. I will have a nice little log file showing referrer information. So, later, shouldn't I be able to go to my log file and see their referrer information, right? It should look like this (pseudo).
    Code:
    IP - 6*.***.66.***
    Hostname - <insert random hostname here>
    Referrer - http://www.friends.com/profile.php?SESSID=aaaea***0fa*bc00**df6cedb*7b*cb0
    Since the SESSID was stored as a GET var, it shows up, right? So shouldn't I be able to log in to my Friends.com account and change my cookie's SESSID value to the one that I got from the referrer information, thereby hijacking the victim's session?

    Just a theory, feedback would be nice.
    "Workers of the world unite; you have nothing to lose but your chains." -Karl Marx

  2. #2
    Join Date
    Nov 2007
    Posts
    23
    Did you try it, Moonbat? Supposing alone won't get you anywhere. Try it and tell us.

  3. #3
    Join Date
    Sep 2005
    Posts
    2,050
    Websites mostly use cookies to authenticate users, and PHP sessions simply to ***** users' actions on the site regardless of their login status.

    Of course all sites are different, but it would be very dangerous to use PHP sessions as a basis for authentication when the referrer can be logged by any site they click a link to, thus compromising their account.

    You'd need a user's cookie(s) to hijack their account, as far as I've seen.

    By the way, I moved this to Internet Privacy.
    Who needs drugs when you have electrons?
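
Added example (not from any post in this thread): a Python model of the Referer value a browser sends under each Referrer-Policy, showing when a session ID carried in the URL reaches a linked external site and which policies withhold it. The hosts, the session ID and the `SESSION_PARAMS` list are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Query parameter names treated as session identifiers (assumed list; extend per app).
SESSION_PARAMS = {"sessid", "phpsessid", "sid", "jsessionid"}

# Constructed sample values: placeholder hosts and a made-up session ID.
PAGE = "http://social.example/profile.php?SESSID=0123456789abcdef0123456789abcdef"
TARGET = "http://external.example/"

def referer_sent(page_url, target_url, policy):
    """Referer a browser sends for a link from page_url to target_url, or None."""
    src, dst = urlsplit(page_url), urlsplit(target_url)
    host = src.netloc.rpartition("@")[2]            # credentials are never sent
    full = src._replace(netloc=host, fragment="").geturl()  # nor is the fragment
    origin = f"{src.scheme}://{host}/"
    same_origin = (src.scheme, host) == (dst.scheme, dst.netloc.rpartition("@")[2])
    downgrade = src.scheme == "https" and dst.scheme != "https"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    raise ValueError(f"unknown Referrer-Policy: {policy}")

def leaked_session_params(referer):
    """Names of session-like query parameters carried by a Referer value."""
    if not referer:
        return []
    return [k for k, _ in parse_qsl(urlsplit(referer).query)
            if k.lower() in SESSION_PARAMS]

if __name__ == "__main__":
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin"):
        sent = referer_sent(PAGE, TARGET, policy)
        print(policy, "->", sent, leaked_session_params(sent))
```

On the server side, PHP keeps the session ID out of URLs when `session.use_only_cookies` is 1 and `session.use_trans_sid` is 0, which removes the leak regardless of the browser's policy.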

  4. #4
    Join Date
    Sep 2006
    Posts
    1,649
    I have yet to find any site that is vulnerable to this sort of attack, so until further notice this theory is busted.
    "Workers of the world unite; you have nothing to lose but your chains." -Karl Marx

  5. #5
    Join Date
    Nov 2007
    Posts
    23
    I thought you pro guys, like, make websites for experimentation.

    Nobody will care if you deface / hack your website....I guess.

    Make a web which is vulnerable and ..... or is it difficult to compose a vulnerable website?

  6. #6
    Join Date
    Sep 2005
    Posts
    2,050
    Quote Originally Posted by Noodles View Post
    Make a web which is vulnerable and ..... or is it difficult to compose a vulnerable website?
    Not difficult really, but I don't have the time at the moment for any more projects.
    Who needs drugs when you have electrons?

  7. #7
    Join Date
    Sep 2006
    Posts
    1,649
    Quote Originally Posted by Noodles View Post
    I thought you pro guys, like, make websites for experimentation.

    Nobody will care if you deface / hack your website....I guess.

    Make a web which is vulnerable and ..... or is it difficult to compose a vulnerable website?
    Well, I was thinking up this theory based on the assumption that after normal user/password authentication, the server only authenticated you based on the SESSID.

    I have some other things on my e-plate I need to start and/or finish, so this theory will have to take a backseat to them.
    "Workers of the world unite; you have nothing to lose but your chains." -Karl Marx

  8. #8
    Join Date
    Sep 2005
    Posts
    2,050
    Quote Originally Posted by Moonbat View Post
    I have some other things on my e-plate I need to start and/or finish, so this theory will have to take a backseat to them.
    I'm gonna have to steal the phrase "e-plate" from you.

    kthx.
    Who needs drugs when you have electrons?

  9. #9
    Join Date
    Sep 2006
    Posts
    1,649
    You're welcome
    "Workers of the world unite; you have nothing to lose but your chains." -Karl Marx

  10. #10
    Join Date
    Nov 2007
    Posts
    2

    MySpace

    Hi guys - I know you're probably already rolling your eyes as soon as you saw the title of this message. I was searching the internet for ways to hack a user's MySpace page - when I mean hack - I mean I want to see who the no-good bastard is cheating on me with. I know a tad about code - went to school for programming over 7 years ago - switched major to design (don't hate me) so I'm a little rusty. Anyway when I did a search - it brought me to you - so here I am. I read a few of your posts on the subject - did you ever figure out if it is doable?

  11. #11
    Join Date
    Sep 2006
    Posts
    1,649
    As of now MySpace has no security vulnerabilities that we know of.
    "Workers of the world unite; you have nothing to lose but your chains." -Karl Marx

  12. #12
    Join Date
    Sep 2005
    Posts
    2,050
    Quote Originally Posted by dandi*0**0 View Post
    Hi guys - I know you're probably already rolling your eyes as soon as you saw the title of this message.
    Yeah.

    Usually, the easiest (and most effort-free) way to gain access to any web account is phishing, but this isn't really relevant to the current thread.
    Who needs drugs when you have electrons?

  13. #13
    Join Date
    Sep 2006
    Posts
    1,649
    Quote Originally Posted by mike*5* View Post
    Usually, the easiest (and most effort-free) way to gain access to any web account is phishing, but this isn't really relevant to the current thread.
    Is anything ever relevant to the current thread?
    "Workers of the world unite; you have nothing to lose but your chains." -Karl Marx

  14. #14
    Join Date
    Sep 2005
    Posts
    2,050
    Quote Originally Posted by Moonbat View Post
    Is anything ever relevant to the current thread?
    Not usually, but we allow thread-hijackings if they turn a boring thread into an interesting one.

    Otherwise, we enforce the rules like the hypocrites we are.
    Who needs drugs when you have electrons?

  15. #15
    Join Date
    Nov 2007
    Posts
    2

    So I take your responses as....

    pretty much a no-go. And either I did not pay attention in school or I just forgot everything I learned because half of what you posted was over my head.
    So I guess my next question is. I recently put spyware on my page to see who is checking my profile out - problem is it can only give me an IP address. Is there a way to somehow do a reverse look-up on an IP address to get either a name or an email address?
