November 12, 2010

Web Session Hijacking

FireSheep

A few weeks ago a clever fellow named Eric Butler released a Firefox plugin that, when active, sniffs the network for common web services so that it may hijack web sessions. That sounds like a bad thing, but his intentions are good. Session hijacking isn't a new exploit just cooked up a month ago. In fact, information security professionals have been talking about it for years. The problem is that the proofs of concept and pleas with web service providers for more secure web practices seem to have fallen on deaf ears. Firesheep makes executing this sort of attack beautifully simple. Load the plugin, click a button, and wait. As soon as an already authenticated user within your collision domain browses to an insecure web service, the user, the website, and oftentimes an avatar will appear in the Firesheep console. Depending on the service, Facebook for example, clicking on one of these stolen sessions will take you to the victim's homepage. Congratulations, you've successfully completed a man-in-the-middle attack without even having to type.


FireShepherd

In response to Firesheep, a student at the University of Iceland, Gunnar Sigurdsson, wrote a small app called FireShepherd. The app is pretty basic: once every couple of seconds it makes a connection to Facebook and sends a fake HTTP request containing a forged session cookie. This cookie causes Firesheep to error out and stop sniffing, preventing a would-be attacker from stealing your session data. There have been some reviews on the web pointing out flaws with the app. By definition, Gunnar's app is a DoS against Facebook. Do I believe that FireShepherd will DoS Facebook? Probably not. There's potential, but I doubt it will get the number of users required to successfully DoS anybody. Regardless, it's completely unnecessary to ever make a full connection to break Firesheep's sniffing session.


CamelSpit

My first thought when I saw the reviews for FireShepherd was, why make a full connection anyway? I like Facebook. I use it all the time. Why would I want to DoS them? So I took Gunnar's forged cookie and set out to write a quick Perl script to spoof the sniff-session-ending packet onto the wire. All one needs is Perl, the RawIP module, and the will to run the app. The spoofed packet has a low TTL value, which causes it to be dropped long before it reaches any web service, but not before a would-be attacker sniffs it off the wire, ending their snoop session. I haven't tested it on a Windows box, but it should work just fine on *nix systems. If anything, it's at least a proof of concept demonstrating how to achieve Gunnar's goal without negatively impacting a web service.
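The low-TTL decoy idea, as an added example written for this page rather than the CamelSpit Perl/RawIP script itself (which is not reproduced here): it hand-builds an IPv4/TCP packet carrying a Facebook-style HTTP request, sets the TTL so the first router discards it, and checks both checksums so the frame looks genuine to a sniffer on the local segment. The addresses, ports and the cookie value are constructed placeholders; Gunnar's actual forged cookie is not on the page.

```python
import socket
import struct

# Constructed placeholder values: the real CamelSpit script and Gunnar's forged
# cookie are not reproduced on the page, so these only need to look plausible.
SRC_IP = "192.0.2.10"   # this machine (RFC 5737 documentation range)
DST_IP = "192.0.2.20"   # stand-in for the web service's address
LOW_TTL = 1             # first router decrements to 0 and drops it; the service never sees it
HTTP_PAYLOAD = (b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n"
                b"Cookie: c_user=PLACEHOLDER_FORGED_COOKIE\r\n\r\n")

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (shared by IPv4 and TCP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_tcp(src_ip, dst_ip, sport, dport, payload):
    """20-byte TCP header (PSH|ACK, no options); checksum covers the IPv4 pseudo-header."""
    offset_flags = (5 << 12) | 0x18          # data offset 5 words, flags PSH+ACK
    hdr = struct.pack("!HHIIHHHH", sport, dport, 1, 1, offset_flags, 65535, 0, 0)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(hdr) + len(payload)))
    csum = checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!HH", csum, 0) + payload

def build_ipv4(src_ip, dst_ip, ttl, segment):
    """20-byte IPv4 header with the chosen TTL; the header checksum is written last."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000,
                      ttl, socket.IPPROTO_TCP, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + segment

def build_decoy_packet(ttl=LOW_TTL):
    """The whole decoy: a plausible HTTP request that is visible locally but undeliverable."""
    return build_ipv4(SRC_IP, DST_IP, ttl, build_tcp(SRC_IP, DST_IP, 40000, 80, HTTP_PAYLOAD))

def ip_checksum_valid(packet):
    return checksum(packet[:20]) == 0        # a correct IPv4 header sums to zero

def tcp_checksum_valid(packet):
    pseudo = packet[12:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(packet) - 20)
    return checksum(pseudo + packet[20:]) == 0

def send(packet):
    """Needs root/CAP_NET_RAW; the kernel wraps our IPv4 packet in the Ethernet frame."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.sendto(packet, (DST_IP, 0))
```

Nothing is sent at import time; `send()` is the only privileged call, and a sniffer on the same segment sees the frame before the TTL ever matters.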