\documentclass[11pt,twoside]{article}\makeatletter

\IfFileExists{xcolor.sty}%
  {\RequirePackage{xcolor}}%
  {\RequirePackage{color}}
\usepackage{colortbl}
\usepackage{wrapfig}
\usepackage{ifxetex}
% Engine-specific input-encoding and font setup.
% XeTeX branch: system fonts through fontspec, and three Unicode stand-in
% characters are made active so that they print a backslash and literal braces.
\ifxetex
  \usepackage{fontspec}
  \usepackage{xunicode}
  \catcode`⃥=\active \def⃥{\textbackslash}
  \catcode`❴=\active \def❴{\{}
  \catcode`❵=\active \def❵{\}}
  % Script switches select Noto CJK families; they fail at use time if the
  % fonts are not installed on the build host.
  \def\textJapanese{\fontspec{Noto Sans CJK JP}}
  \def\textChinese{\fontspec{Noto Sans CJK SC}}
  \def\textKorean{\fontspec{Noto Sans CJK KR}}
  \setmonofont{DejaVu Sans Mono}
  
\else
  % pdfTeX branch: use the utf8x input encoding when utf8x.def is installed,
  % otherwise fall back to plain utf8.
  \IfFileExists{utf8x.def}%
   {\usepackage[utf8x]{inputenc}
      \PrerenderUnicode{–}
    }%
   {\usepackage[utf8]{inputenc}}
  \usepackage[english]{babel}
  \usepackage[T1]{fontenc}
  \usepackage{float}
  \usepackage[]{ucs}
  % Per-code-point replacements (arguments are decimal code points):
  % 8421 = U+20E5, 10100 = U+2774, 10101 = U+2775 map to backslash and braces,
  % 8491 = U+212B to \AA, 8239 = U+202F to a thin space, 20154 = U+4EBA to a
  % space, 10148 = U+27A4 to `>'.
  % NOTE(review): \uc@dclc looks like an internal macro of the ucs package and
  % is called even when the utf8 fallback above was taken -- confirm it exists
  % in the installed ucs version.
  \uc@dclc{8421}{default}{\textbackslash }
  \uc@dclc{10100}{default}{\{}
  \uc@dclc{10101}{default}{\}}
  \uc@dclc{8491}{default}{\AA{}}
  \uc@dclc{8239}{default}{\,}
  \uc@dclc{20154}{default}{ }
  \uc@dclc{10148}{default}{>}
  % Schwa is faked by rotating an `e'; \rotatebox needs graphicx, which this
  % file loads later in the preamble.
  \def\textschwa{\rotatebox{-90}{e}}
  % The script switches are no-ops here. \textKorean is defined only in the
  % XeTeX branch, so using it under pdfTeX is an undefined-command error.
  \def\textJapanese{}
  \def\textChinese{}
  \IfFileExists{tipa.sty}{\usepackage{tipa}}{}
\fi
% Font used for code examples: monospaced, at \small size.
\def\exampleFont{\ttfamily\small}
% Text-mode pi, taken from slot 25 of the OML (math italic) encoding.
\DeclareTextSymbol{\textpi}{OML}{25}
\usepackage{relsize}
\RequirePackage{array}
% Override of the array package's internal \@testpach, which classifies the
% next character of a tabular preamble by setting \@chclass and \@chnum.
% In this version `(' selects class 8 and `)' selects class 9; the column
% types and \Panel defined in this file rely on that by writing `){...}' in
% front of a column letter.
% NOTE(review): in stock array.sty these two classes appear to belong to `<'
% and `>'. This definition silently replaces whatever the installed array
% version ships -- confirm it still matches that version's class numbering.
\def\@testpach{\@chclass
 \ifnum \@lastchclass=6 \@ne \@chnum \@ne \else
  \ifnum \@lastchclass=7 5 \else
   \ifnum \@lastchclass=8 \tw@ \else
    \ifnum \@lastchclass=9 \thr@@
   \else \z@
   \ifnum \@lastchclass = 10 \else
   \edef\@nextchar{\expandafter\string\@nextchar}%
   \@chnum
   \if \@nextchar c\z@ \else
    \if \@nextchar l\@ne \else
     \if \@nextchar r\tw@ \else
   \z@ \@chclass
   \if\@nextchar |\@ne \else
    \if \@nextchar !6 \else
     \if \@nextchar @7 \else
      \if \@nextchar (8 \else
       \if \@nextchar )9 \else
  10
  \@chnum
  \if \@nextchar m\thr@@\else
   \if \@nextchar p4 \else
    \if \@nextchar b5 \else
   \z@ \@chclass \z@ \@preamerr \z@ \fi \fi \fi \fi
   \fi \fi  \fi  \fi  \fi  \fi  \fi \fi \fi \fi \fi \fi}
% Restore \\ as the tabular row terminator after \raggedright/\centering
% have redefined it inside a paragraph column.
\gdef\arraybackslash{\let\\=\@arraycr}
% Helper behind \textsubscript: sets #1 as a math subscript at script size.
\def\@textsubscript#1{{\m@th\ensuremath{_{\mbox{\fontsize\sf@size\z@#1}}}}}
% Coloured table cell: #1 content, #2 colour name, #3 columns spanned,
% #4 column type. The `)' is the prefix character accepted by the
% \@testpach override in this file.
\def\Panel#1#2#3#4{\multicolumn{#3}{){\columncolor{#2}}#4}{#1}}
% Macros named after source-markup elements. The ones defined as empty take
% no argument and typeset nothing; they only mark the text that follows.
\def\abbr{}
\def\corr{}
\def\expan{}
\def\gap{}
\def\orig{}
\def\reg{}
% NOTE(review): this replaces LaTeX's cross-reference command \ref with an
% empty macro. The body text uses groups such as {\ref [Morana, Marco]} that
% depend on it, so real \ref{label} cross-references are unavailable unless a
% later package redefines \ref.
\def\ref{}
\def\sic{}
\def\persName{}\def\name{}
\def\placeName{}
\def\orgName{}
% \textcal and \textgothic call \fontspec, which is loaded only in the XeTeX
% branch of this preamble; under pdfTeX they fail when first used.
\def\textcal#1{{\fontspec{Lucida Calligraphy}#1}}
\def\textgothic#1{{\fontspec{Lucida Blackletter}#1}}
\def\textlarge#1{{\large #1}}
\def\textoverbar#1{\ensuremath{\overline{#1}}}
\def\textquoted#1{‘#1’}
\def\textsmall#1{{\small #1}}
% Overrides the kernel's \textsubscript with the helper \@textsubscript.
\def\textsubscript#1{\@textsubscript{\selectfont#1}}
\def\textxi{\ensuremath{\xi}}
% Title emphasis: switches to italic for the rest of the current group.
\def\titlem{\itshape}
% Environments named after source-markup elements, grouped by what they do.

% Pure wrappers: no typesetting effect at either end.
\newenvironment{bibl}{}{}
\newenvironment{rubric}{}{}

% Wrappers whose only action is at the end: \par, but only when TeX is
% already in vertical mode.
\newenvironment{biblfree}%
  {}%
  {\ifvmode\par\fi}
\newenvironment{citbibl}%
  {}%
  {\ifvmode\par\fi}
\newenvironment{docDate}%
  {}%
  {\ifvmode\par\fi}

% Wrapper that always ends the paragraph.
\newenvironment{titlePart}%
  {}%
  {\par}

% Blocks preceded by 6pt of vertical space.
\newenvironment{docImprint}%
  {\vskip 6pt}%
  {\ifvmode\par\fi}
\newenvironment{msHead}%
  {\vskip 6pt}%
  {\par}
\newenvironment{msItem}%
  {\vskip 6pt}%
  {\par}

% Title-page elements with their own font size.
\newenvironment{docTitle}%
  {\vskip6pt\bfseries\fontsize{22pt}{25pt}\selectfont}%
  {\par}
\newenvironment{byline}%
  {\vskip6pt\itshape\fontsize{16pt}{18pt}\selectfont}%
  {\par}
% docAuthor adds the skip and the 16pt size only when it starts in vertical
% mode; the italic shape is applied in either mode.
\newenvironment{docAuthor}%
  {\ifvmode\vskip4pt\fontsize{16pt}{18pt}\selectfont\fi\itshape}%
  {\ifvmode\par\fi}

% Fixed-width paragraph columns taking the width as #1:
% L/C/R = ragged-right / centred / ragged-left p-column, P = plain p-column,
% B = bottom-aligned b-column, M = middle-aligned m-column.
% Each applies \arraybackslash so that \\ still ends the table row.
% The leading `)' is the prefix character accepted by the \@testpach override
% in this file.
\newcolumntype{L}[1]{){\raggedright\arraybackslash}p{#1}}
\newcolumntype{C}[1]{){\centering\arraybackslash}p{#1}}
\newcolumntype{R}[1]{){\raggedleft\arraybackslash}p{#1}}
\newcolumntype{P}[1]{){\arraybackslash}p{#1}}
\newcolumntype{B}[1]{){\arraybackslash}b{#1}}
\newcolumntype{M}[1]{){\arraybackslash}m{#1}}
% Light grey used for de-emphasised labels.
\definecolor{label}{gray}{0.75}
% Struck-through grey text; \sout comes from ulem, loaded later in this file.
\def\unusedattribute#1{\sout{\textcolor{label}{#1}}}
% \xref{url}{text}: hyperlink whose URL is first normalised by hyperref's
% \hyper@normalise. hyperref is loaded later; the names resolve at use time.
\DeclareRobustCommand*{\xref}{\hyper@normalise\xref@}
\def\xref@#1#2{\hyper@linkurl{#2}{#1}}
% Underscore handling. Inside a group `_' is made active so that the global
% definition below binds to the active character: in that role `_x' sets x
% as an upright (\mathrm) subscript.
\begingroup
\catcode`\_=\active
\gdef_#1{\ensuremath{\sb{\mathrm{#1}}}}
\endgroup
% Math code "8000 makes `_' behave as that active character in math mode ...
\mathcode`\_=\string"8000
% ... while category code 12 makes it an ordinary printable character in text.
\catcode`\_=12\relax

\usepackage[a4paper,twoside,lmargin=1in,rmargin=1in,tmargin=1in,bmargin=1in,marginparwidth=0.75in]{geometry}
\usepackage{framed}

\definecolor{shadecolor}{gray}{0.95}
\usepackage{longtable}
\usepackage[normalem]{ulem}
\usepackage{fancyvrb}
\usepackage{fancyhdr}
\usepackage{graphicx}
\usepackage{marginnote}

% Print citations as the bare key list, without the surrounding brackets.
% NOTE(review): the LaTeX kernel's \@cite takes two arguments (labels and
% optional note); this one-argument version leaves the second one in the
% input stream -- confirm \cite is not used with this preamble.
\renewcommand{\@cite}[1]{#1}


% Margin notes (marginnote package) in small italics.
\renewcommand*{\marginfont}{\itshape\footnotesize}

% File extensions tried, in this order, when \includegraphics gets a name
% without an extension.
\def\Gin@extensions{.pdf,.png,.jpg,.mps,.tif}

  \pagestyle{fancy}

\usepackage[pdftitle={State of the Art Survey on Session Hijacking},
 pdfauthor={}]{hyperref}
\hyperbaseurl{}

	 % Paper size set directly to 210mm x 297mm, the A4 dimensions that the
	 % geometry package was also given via its a4paper option.
	 \paperwidth210mm
	 \paperheight297mm
              
% Table-of-contents geometry: width of the page-number box, right margin of
% entry text, and spacing of the leader dots.
\def\@pnumwidth{1.55em}
\def\@tocrmarg {2.55em}
\def\@dotsep{4.5}
% List entries down to level 3 (subsubsection) in the table of contents.
\setcounter{tocdepth}{3}
% Line- and page-breaking parameters: penalties for club/widow lines and
% hyphenation, the badness thresholds at which boxes are reported, and the
% tolerances used by the paragraph builder.
\clubpenalty=8000
\emergencystretch 3em
\hbadness=4000
\hyphenpenalty=400
\pretolerance=750
\tolerance=2000
\vbadness=4000
\widowpenalty=10000

% Sectioning commands rebuilt on \@startsection. The arguments are: name,
% level, indent, space before (negative = no paragraph indent after the
% heading), space after (negative = run-in heading), and the heading font.
\renewcommand\section{\@startsection {section}{1}{\z@}%
     {-1.75ex \@plus -0.5ex \@minus -.2ex}%
     {0.5ex \@plus .2ex}%
     {\reset@font\Large\bfseries}}
\renewcommand\subsection{\@startsection{subsection}{2}{\z@}%
     {-1.75ex\@plus -0.5ex \@minus- .2ex}%
     {0.5ex \@plus .2ex}%
     {\reset@font\Large}}
\renewcommand\subsubsection{\@startsection{subsubsection}{3}{\z@}%
     {-1.5ex\@plus -0.35ex \@minus -.2ex}%
     {0.5ex \@plus .2ex}%
     {\reset@font\large}}
\renewcommand\paragraph{\@startsection{paragraph}{4}{\z@}%
     {-1ex \@plus-0.35ex \@minus -0.2ex}%
     {0.5ex \@plus .2ex}%
     {\reset@font\normalsize}}
% subparagraph is the only run-in heading here (after-skip of -1em) and the
% only one indented by \parindent.
\renewcommand\subparagraph{\@startsection{subparagraph}{5}{\parindent}%
     {1.5ex \@plus1ex \@minus .2ex}%
     {-1em}%
     {\reset@font\normalsize\bfseries}}


% Table-of-contents entry formats. A section entry (#1 title, #2 page) is set
% in bold with extra space above and the page number flush right in a box of
% width \@pnumwidth, without leader dots. Deeper levels use dotted lines;
% the \@dottedtocline arguments are level, indent and number width.
\def\l@section#1#2{\addpenalty{\@secpenalty} \addvspace{1.0em plus 1pt}
 \@tempdima 1.5em \begingroup
 \parindent \z@ \rightskip \@pnumwidth 
 \parfillskip -\@pnumwidth 
 \bfseries \leavevmode #1\hfil \hbox to\@pnumwidth{\hss #2}\par
 \endgroup}
\def\l@subsection{\@dottedtocline{2}{1.5em}{2.3em}}
\def\l@subsubsection{\@dottedtocline{3}{3.8em}{3.2em}}
\def\l@paragraph{\@dottedtocline{4}{7.0em}{4.1em}}
\def\l@subparagraph{\@dottedtocline{5}{10em}{5em}}
% Create the section and chapter counters only if the class did not define
% them, so that \frontmatter, \mainmatter and \backmatter can reset both.
\@ifundefined{c@section}{\newcounter{section}}{}
\@ifundefined{c@chapter}{\newcounter{chapter}}{}
% Main-matter flag, set to true by default.
\newif\if@mainmatter 
\@mainmattertrue
\def\chaptername{Chapter}
% Front matter: roman page numbers, and roman numbering for sections and
% chapters (together with the \theH... forms hyperref uses for anchors).
% The chapter prefix word is emptied.
\def\frontmatter{%
  \pagenumbering{roman}
  \def\thesection{\@roman\c@section}
  \def\theHsection{\roman{section}}
  \def\thechapter{\@roman\c@chapter}
  \def\theHchapter{\roman{chapter}}
  \def\@chapapp{}%
}
% Main matter: start on a fresh right-hand page, restart the chapter and
% section counters, switch pages and headings to arabic numbering, and number
% headings down to level 6.
\def\mainmatter{%
  \cleardoublepage
  % counters first ...
  \setcounter{chapter}{0}
  \setcounter{section}{0}
  \setcounter{secnumdepth}{6}
  \pagenumbering{arabic}
  % ... then their printed forms and the hyperref anchor forms
  \def\thechapter{\@arabic\c@chapter}
  \def\theHchapter{\arabic{chapter}}
  \def\thesection{\@arabic\c@section}
  \def\theHsection{\arabic{section}}
  \def\@chapapp{\chaptername}%
}
% Back matter: start on a fresh right-hand page, restart the counters, number
% headings only down to level 2, letter the chapters (A, B, ...) under the
% appendix name, and finally hand over to the class's \appendix.
\def\backmatter{%
  \cleardoublepage
  \setcounter{secnumdepth}{2}
  \setcounter{section}{0}
  \setcounter{chapter}{0}
  \def\thechapter{\@Alph\c@chapter}
  \def\theHchapter{\Alph{chapter}}
  \def\@chapapp{\appendixname}%
  \appendix
}
% Numbered bibliography list. #1 is the widest label: it sets the label width
% and, with \labelsep, the left margin. Items are numbered with the enumiv
% counter in arabic. Line breaking is relaxed (\sloppy), club and widow
% penalties are lowered to 4000, and a full stop gets the space factor of an
% ordinary character. An empty list produces a warning instead of LaTeX's
% usual missing-\item error.
\newenvironment{bibitemlist}[1]{%
   \list{\@biblabel{\@arabic\c@enumiv}}%
       {\settowidth\labelwidth{\@biblabel{#1}}%
        \leftmargin\labelwidth
        \advance\leftmargin\labelsep
        \@openbib@code
        \usecounter{enumiv}%
        \let\p@enumiv\@empty
        \renewcommand\theenumiv{\@arabic\c@enumiv}%
	}%
  \sloppy
  \clubpenalty4000
  \@clubpenalty \clubpenalty
  \widowpenalty4000%
  \sfcode`\.\@m}%
  {\def\@noitemerr
    {\@latex@warning{Empty `bibitemlist' environment}}%
    \endlist}

% Table of contents as an unnumbered section followed by the .toc file.
\def\tableofcontents{\section*{\contentsname}\@starttoc{toc}}
% Paragraphs: no extra vertical space, 1em first-line indent.
\parskip0pt
\parindent1em
% Same definition of \Panel as earlier in this preamble (repeated verbatim).
\def\Panel#1#2#3#4{\multicolumn{#3}{){\columncolor{#2}}#4}{#1}}
% Compact ragged-right reference list with italic item labels.
\newenvironment{reflist}{%
  \begin{raggedright}\begin{list}{}
  {%
   % vertical spacing: only a 2pt gap between paragraphs of one item
   \setlength{\topsep}{0pt}%
   \setlength{\itemsep}{0pt}%
   \setlength{\parskip}{0pt}%
   \setlength{\parsep}{2pt}%
   % horizontal layout
   \setlength{\itemindent}{0pt}%
   \setlength{\rightmargin}{0.25in}%
   % label style
   \def\makelabel##1{\itshape ##1}}%
  }
  {\end{list}\end{raggedright}}
% Same layout as reflist, but with upright item labels.
\newenvironment{sansreflist}{%
  \begin{raggedright}\begin{list}{}
  {%
   % vertical spacing: only a 2pt gap between paragraphs of one item
   \setlength{\topsep}{0pt}%
   \setlength{\itemsep}{0pt}%
   \setlength{\parskip}{0pt}%
   \setlength{\parsep}{2pt}%
   % horizontal layout
   \setlength{\itemindent}{0pt}%
   \setlength{\rightmargin}{0.25in}%
   % label style
   \def\makelabel##1{\upshape ##1}}%
  }
  {\end{list}\end{raggedright}}
% Heading block for a specification entry. #1 is the label/anchor name and
% #2 the heading text. It draws a horizontal rule, sets a hyperref anchor and
% label, puts #2 in the right running head, adds a level-2 PDF bookmark, and
% prints #2 in 16pt bold shifted 0.75in to the left. The blank line in the
% begin code is a paragraph break. The end code is empty.
\newenvironment{specHead}[2]%
 {\vspace{20pt}\hrule\vspace{10pt}%
  \phantomsection\label{#1}\markright{#2}%

  \pdfbookmark[2]{#2}{#1}%
  \hspace{-0.75in}{\bfseries\fontsize{16pt}{18pt}\selectfont#2}%
  }{}
      % Document metadata used by the title block and the page footers.
      \def\TheFullDate{2016-01-15 (revised: 15 January 2016)}
% NOTE(review): \TheID expands to \makeatother rather than to an identifier;
% it is what the page footers print, so they print nothing. This looks like a
% template slot that was left unfilled -- confirm.
\def\TheID{\makeatother }
\def\TheDate{2016-01-15}
\title{State of the Art Survey on Session Hijacking}
% The author is left empty here; the names are given with authblk's
% \author[n]{...} after \begin{document}.
\author{}\makeatletter 
\makeatletter
% Finish the current page and, in two-sided layouts, make sure the next page
% is a left-hand (even-numbered) one: when the page counter is odd after
% \clearpage, one empty page is emitted (and a second empty column page in
% two-column mode).
\newcommand*{\cleartoleftpage}{%
  \clearpage
  \if@twoside\ifodd\value{page}%
    \null\newpage
    \if@twocolumn\null\newpage\fi
  \fi\fi
}
\makeatother
\makeatletter
% No header or footer on the current page; both running heads start out as
% the document title (left) with the author on the right-hand mark.
\thispagestyle{empty}
\markright{\@title}\markboth{\@title}{\@author}
% \small redefined as 9pt on an 11pt baseline, with its own display-math
% skips and first-level list spacing.
\renewcommand\small{\@setfontsize\small{9pt}{11pt}\abovedisplayskip 8.5\p@ plus3\p@ minus4\p@
\belowdisplayskip \abovedisplayskip
\abovedisplayshortskip \z@ plus2\p@
\belowdisplayshortskip 4\p@ plus2\p@ minus2\p@
\def\@listi{\leftmargin\leftmargini
               \topsep 2\p@ plus1\p@ minus1\p@
               \parsep 2\p@ plus\p@ minus\p@
               \itemsep 1pt}
}
\makeatother
% Verbatim listings (fancyvrb): framed, 5mm side margins, blank lines are not
% numbered.
\fvset{%
  frame=single,%
  numberblanklines=false,%
  xleftmargin=5mm,%
  xrightmargin=5mm%
}

% Running heads and feet (fancyhdr). Start from an empty layout.
\fancyhf{}
\setlength{\headheight}{14pt}
% Heads: left mark on even pages, right mark on odd pages, both bold.
\fancyhead[LE]{\bfseries\leftmark}
\fancyhead[RO]{\bfseries\rightmark}
% Feet: page number centred, document id on the inner side, outer side empty.
\fancyfoot[RO,LE]{}
\fancyfoot[CO,CE]{\thepage}
\fancyfoot[LO,RE]{\TheID}

% Light grey link borders and numbered PDF bookmarks.
\hypersetup{%
  citebordercolor=0.75 0.75 0.75,%
  linkbordercolor=0.75 0.75 0.75,%
  urlbordercolor=0.75 0.75 0.75,%
  bookmarksnumbered=true%
}

% The plain style (title page) has no head and no head rule.
\fancypagestyle{plain}{%
  \fancyhead{}%
  \renewcommand{\headrulewidth}{0pt}%
}

\date{}
\usepackage{authblk}

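% \keywords{list}: typesets the index terms in footnotesize, introduced by a
% bold-italic ``Index terms---'' lead-in. Defined only if no class or package
% has already provided \keywords.
% The size change is kept inside a group, and the paragraph is ended inside
% that group so the keywords line also gets the footnotesize line spacing.
% Without the group, \footnotesize stays in force for everything that follows
% the \keywords call.
\providecommand{\keywords}[1]
{%
  {\footnotesize
  \textbf{\textit{Index terms---}} #1\par}%
}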

\usepackage{graphicx,xcolor}
% Journal colour palette, given as HTML hex values: two greys, then two blues.
\definecolor{GJLightGrey}{HTML}{929497}
\definecolor{GJMediumGrey}{HTML}{6D6E70}
\definecolor{GJLightBlue}{HTML}{0A9DD9}
\definecolor{GJBlue}{HTML}{273B81}

% Abstract set ragged-right without paragraph indent, between two 2pt grey
% rules of full text width; the abstract name is printed in large bold blue
% at the start of the text.
\renewenvironment{abstract}{%
   \setlength{\parindent}{0pt}\raggedright
   \textcolor{GJMediumGrey}{\rule{\textwidth}{2pt}}
   \vskip16pt
   \textcolor{GJBlue}{\large\bfseries\abstractname\space}
}{%   
   \vskip8pt
   \textcolor{GJMediumGrey}{\rule{\textwidth}{2pt}}
   \vskip16pt
}

\usepackage[absolute,overlay]{textpos}

\makeatother 
      \usepackage{lineno}
      \linenumbers
      
\begin{document}

             \author[1]{Parves  Kamal}

             \author[2]{Parves  Kamal}

             \affil[1]{  Saint Cloud State university}

\renewcommand\Authands{ and }

\date{\small \em Received: 7 December 2015 Accepted: 3 January 2016 Published: 15 January 2016}

\maketitle


\begin{abstract}
        


With the advent of online banking, more and more users are willing to make purchases online, and this in turn makes the online e-business sector flourish. Attackers are now more vigilant and active on the web than ever, looking to exploit the insecure web applications and databases exposed on the internet. Today's internet is heavily integrated with sophisticated networks, whether wired or wireless. But the inherent complacency of not integrating security while developing applications leaves them vulnerable to many attacks. One of the attacks that is prevalent nowadays is session hijacking.

\end{abstract}


\keywords{session-hijacking, CIA, spoof attack, CSS, SSL, captcha etc.}



\let\tabcellsep& 	 	 		 
\section[{Introduction}]{Introduction}\par
There are various security threats lurking around the internet, especially in this age in which everything is connected to it. Online e-commerce relies heavily on online transactions; for example, banks provide users with an easy way of managing their accounts online. As sensitive information passes around the internet, the confidentiality, integrity and availability of that information become increasingly hard to protect. One needs to develop capable defensive mechanisms against all the threats to the CIA (confidentiality, integrity, and availability) of the information. Security threats such as man-in-the-middle attacks, sniffing, denial-of-service attacks, ARP spoofing and session hijacking are some of the most prevalent attacks performed daily by numerous attackers around the world on the internet.\par
A recent study performed by the company @stake (owned by Symantec) showed that 31\% of e-commerce applications are vulnerable to session hijacking  {\ref [Morana, Marco]}. In this paper I go into the details of the session hijacking attack, starting with a literature review of the attack. I then simulate the attack methodology to understand the mechanism better, and finally provide general protection strategies for mitigating such an attack. 
\section[{II.}]{II.} 
\section[{Literature Review}]{Literature Review}\par
As we will be looking into the session hijacking let's get bit of background on what is session hijacking and how it works.\par
Session hijacking and session sidejacking both mean taking over, without authorization, an already established trusted session in order to steal or compromise the user's data. It is a well-known man-in-the-middle attack. A valid user who successfully logs into the web server creates a session between himself and the server. In the session hijacking technique the attacker takes control of the valid session from the user and replays packets to the server, pretending to be the real user \hyperref[b1]{[Whitaker, A., \& Newman, D. (2006)]}. The advantage of such an attack is that the attacker does not have to break through defenses such as firewalls or intrusion detection systems; instead he/she can just listen to the network and take over any valid session.\par
One of the reasons such a session can be taken over successfully is the way the server and the user authenticate themselves initially. In many cases only the server authenticates itself to the client, over a secure HTTPS channel during the initial authentication phase, and after authentication the rest of the communication is done in clear plaintext. Session hijacking is of three types:\par
\begin{itemize}
\item Active session hijacking
\item Passive session hijacking
\item Hybrid session hijacking
\end{itemize}
\section[{a) Active session hijacking}]{a) Active session hijacking}\par
In active session hijacking the attacker tries take over active session between the user and the server by either putting off the valid user from the connection and start making connection to the server masquerading as the valid user. The way attacker put off the valid user is by putting the active user out of the connection via Denial of service attack. Before making the valid user out of the valid active session he/she captures data that is sent back and forth between the user and the server by putting himself in between the connection between the connections and sniffing the data by packet capturing tool like Wireshark. In the figure below we see the three packets highlighted which is TCP three way handshake packet that are used to authenticate client to the server during the initial authentication session as shown below: In passive session hijacking the attacker captures all the packet between the user and the server and it send out valid packet to the user masquerading as server and same way sending packet to server masquerading as user. It's also referred as sessionreplay attack where the attacker basically replaying packets captured from the user and sending it to the server. The disadvantage of such attack is that the attack is valid until there is valid session still in continuation. If for some reason the server resets the connection or user logs off from the server the session will be terminated.\par
As shown in the figure above the attacker is replaying packet between user and the server and it modifies the packet as it goes from user to the server.\par
\begin{itemize}
\item Blind spoofing attack
\item Non-blind spoofing attack
\end{itemize}
\section[{d) Blind Spoofing attack}]{d) Blind Spoofing attack}\par
In a blind spoofing attack the attacker attacks the target machine without tampering with the connection. It simply captures all the packets between the client and the server and tries to guess the TCP sequence number so that it can authenticate with the server. The problem with this type of attack is that the TCP sequence number is very hard to guess, as it can be a highly random number. It is also time-consuming, and the attacker might need to wait a long time to succeed with this type of attack. 
\section[{e) Non-Blind spoofing attack}]{e) Non-Blind spoofing attack}\par
In a non-blind spoofing attack the attacker can actually monitor the traffic between the user and the target server. This makes it easy for the attacker to guess the next packet, for instance the TCP sequence number of the next packet. It is hard to carry out in today's networks, because administrators now turn off broadcast packet transmission around the network: the attacker would first have to make networking devices such as a switch or router restart so that it can capture the broadcast packets, or poison the CAM table of the switch so that it can place itself in the routing table and reroute packets to itself for packet capturing.\par
In application level the attacker hijack the session as well as tries to create new session with newly constructed session ID's which can be stolen or guessed or crafted in a such way that it validates the attacker with the target machine to take over existing session or create new session \hyperref[b2]{[Sans.org,. (2015)}].\par
Session IDs can be found in places such as the following [Ollman, Gunter]:
\begin{itemize}
\item In the HTTP GET request that is made when clicking on an embedded link on the web page.
\item In an HTTP POST request, typically issued by a form that posts data from the client to the server. The session ID is carried in a hidden field of the form.
\item In cookies, which are also used to hold session IDs.
\end{itemize}
\section[{f) Obtaining Session ID's g) Sniffing}]{f) Obtaining Session ID's g) Sniffing}\par
One of the way the hijacker can steal session ID'S are by sniffing out the network traffic just like taking over TCP session. This way the attacker monitors traffic to see if there is any unencrypted packets traversing and by finding so it can redirect the traffic through a host that it can monitor. Unencrypted traffic often has session ID inside and attacker can easily get the session ID and use it to take over already established session or create new session. 
\section[{Fig. 3 : Passive Session Hijacking c) Hybrid Session Hijacking}]{Fig. 3 : Passive Session Hijacking c) Hybrid Session Hijacking}\par
In hybrid session hijacking the attacker uses both passive and active mode to complete the attack.\par
The attacker monitors the traffic pattern between the user and the server and wait for the right session to take over.\par
This type of session hijacking relies on spoofing and it can be further categorized to two types:\par
There are a number of ways an attacker can steal session IDs. Some of them are described below: 
\section[{h) Brute Forcing}]{h) Brute Forcing}\par
Another way the attacker can get the session ID is by guessing it, or by trying different session IDs until the right one is found. This can be an automated attack in which the attacker sets up a certain pattern and works through all the candidates that match it. This type of attack is particularly successful if session ID generation is not random, in which case there is a high chance that the attacker will guess the session ID correctly. 
\section[{i) Misdirected Trust}]{i) Misdirected Trust}\par
Another form of attack uses HTML injection or a cross-site scripting attack (usually abbreviated XSS; this paper writes CSS) to misdirect valid traffic to the attacker. This way the attacker can steal the session ID as the data is sent back from the server to the host. This sort of attack relies heavily on the vulnerability of the targeted web application, since the success of HTML injection and cross-site scripting depends on the defensive mechanisms of the application being attacked. j) Tools Used For Session Hijacking. Some of the tools used for session hijacking are: Hunt, T-Sight, Juggernaut, TTY Watcher, Hamster and Ferret, Wireshark, and Ethereal. III. 
\section[{Attack Methodology}]{Attack Methodology}\par
Session attack methodology can be shown in following steps as shown below in the figure 
\section[{Fig. 4 : Session Hijacking Steps}]{Fig. 4 : Session Hijacking Steps}\par
We will be showing a session hijacking in a simulated environment in Virtual Environment where the set up will be as follows:? Victim Machine (Windows 7 VM) ? Attacking Machine (Kali Linux VM) ? Sniffed Router/Switch\par
The Tool we will be using for carrying out the attack are as follows:? Kali Linux ? Ettercap ? Hamster And Ferret\par
The kali Linux tool will be used as attacking machine to sniff out the traffic from victim machine which is windows 7 VM and Router. Our simulated Attack looks like following below: We will be stealing HTTPS connection from The VICTIM to get the USER Login and Password he/she put in.\par
For our demonstration purposes the IP network configuration is as follows:\par
The  
\section[{b) Setting up Attacker Machine}]{b) Setting up Attacker Machine}\par
We need to at first set up Attacker machine Kali Linux the Men in the middle between the router and the victim machine Windows 7.\par
We at first check our connectivity from Attacker machine to the Victim machine by pinging our victim machine as shown below: Now in order to crack HTTPS connection we need to have SSL strip in the attacker machine. So we type in the following command in our attacker machine and Press Enter after each command above: SSLstrip Download Code: cdcurl http://www.thoughtcrime.org/software/sslstrip/ssl strip-0.9.tar.gz > sslstrip-0.9.tar.gz tarxzf sslstrip-0.9.tar.gz cd sslstrip-0.9\par
Now we need to forward the Traffic generated in HTTP by forwarding the IP traffic by NAT forwarding in our Attacker Machine.\par
We do that by uncommenting the net.ipv4. ip\textunderscore forward=1line inside the/etc/sysctl. conf file.\par
We do that by following command cp /etc/sysctl.conf /etc/sysctl.conf.bak vi /etc/sysctl.conf We find thenet.ipv4.ip\textunderscore forward=1 line and uncomment it. Then we save the file CONTROL+X and save it. Now we need to set up IP tables Rule in the command prompt of the attacker machine as follows: iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080 iptables -t nat-L We see from following figure the output of the iptables we configured above Fig.  {\ref 7}: IP forwarding Now we need to set up SSLtrip to act as sniffing between victim and the attacker machine to strip any HTTP connections from the victim machine.\par
On the attacker machine we type in the following command to install the ssstrip Cd sslstrip-0.9 python sslstrip.py -p -l 8080\par
We need to keep the windows open as it will generates traffic as the victim machine browse to any webpages with its browser: Fig.  {\ref 8} : sslstripsetup Now the sslstrip will generate its traffic captured from the victim's machine and save it to its logfile. So we need to monitor its logfile in order to capture information.\par
On the attacker machine we type in following command to open the log file and keep it open to monitor capture traffic from the victim's machine as shown below: cd cd sslstrip-0.9 tail -f sslstrip.log The victim did not see the login page of his online banking been strip down from HTTPS to HTTP as shown above. 
\section[{Fig.12 : Login ID and Password Stealing by HTTP Session Hijacking}]{Fig.12 : Login ID and Password Stealing by HTTP Session Hijacking}\par
Now the attacker is inside the session as long as the victim's will be and do any further attack as he/she might find it useful. 
\section[{IV.}]{IV.} 
\section[{Survey Analysis}]{Survey Analysis}\par
A survey was carried out on awareness of session hijacking among researchers, common users and administrators. As expected, the common users had the least knowledge of session hijacking, followed by the administrators. Surprisingly, the administrators, though they knew about session hijacking, had very little knowledge of how to prevent it. Successful mitigation of session hijacking requires awareness as well as secure operation policies implemented in the organization. The graph below shows session hijacking awareness among common users, administrators and researchers.  
\section[{Counter Measure to Session Hijacking}]{Counter Measure to Session Hijacking}\par
There are a number of ways session hijacking can be prevented. The countermeasures discussed below are based on recommended techniques against session hijacking [CEHv8. Ethical Hacking and Counter Measures]. We divide them by OSI layer into two groups: the network layer and the application layer. VI. 
\section[{Network Layer a) Use of SSL at all time}]{Network Layer a) Use of SSL at all time}\par
Use an SSL connection whenever possible. SSL (Secure Sockets Layer, since superseded by TLS) provides end-to-end encryption, which makes it very hard for an attacker to look into any data passing over the encrypted channel. It uses public-key and symmetric-key cryptography with 128/256-bit keys. Since it provides integrity as well as confidentiality, data is protected against sniffing and loss of information while the SSL connection is in use. 
\section[{b) Use SSH for Remote Connection:}]{b) Use SSH for Remote Connection:}\par
Remote connections to network devices or web servers are often required by the administrator for remote administration. SSH can protect the network, as it guards against IP spoofing and encrypts the data. An attacker who has access to the target network can force a connected SSH user off the connection, but he/she cannot replay the packets because the data is encrypted  {\ref [Webopedia]}. 
\section[{c) HTTPS Connection Only}]{c) HTTPS Connection Only}\par
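It is very important to use an HTTPS connection when logging in to your web server or to any e-commerce site such as online banking or shopping sites, as it encrypts the authentication data sent back and forth with SSL, as mentioned earlier. Even if an attacker succeeds in capturing the data, he/she will not be able to make any sense of it. Note that the simulated attack above works because the victim's browser accepts the login page over plain HTTP; a site should therefore serve every page over HTTPS and send the HTTP Strict Transport Security (HSTS) header, so that browsers refuse to fall back to HTTP. 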
\section[{d) Implementing IPSec Protocol in Network Layer}]{d) Implementing IPSec Protocol in Network Layer}\par
The IPSec protocol ensures the secure exchange of IP packets and provides two modes of protection. In transport mode it encrypts the data of the packet, while in tunnel mode it encrypts the data as well as the header of the packet, making it hard for the attacker to tell where the packet is going to and coming from. 
\section[{e) IDS/IPS Implementation}]{e) IDS/IPS Implementation}\par
Implementing an IDS/IPS together with a firewall with proper rules can detect IP spoofing and packet sniffing, which are key to session hijacking at the network layer. For example, a rule can be set up to ignore source-routed packets or even to block source routing completely. ARP poisoning, as shown above in the simulated attack, can be prevented by implementing a static ARP table or by monitoring the ARP table with a tool like ``arpwatch''. Other techniques, such as disabling ICMP redirects, make it even harder for an attacker to perform a MITM (man-in-the-middle) attack. 
\section[{f) Application Layer}]{f) Application Layer}\par
The application layer deals with attacks on the web. As our attack involved URL session ID hijacking, we look below at the countermeasures that can prevent such attacks. 
\section[{g) Strong Session ID}]{g) Strong Session ID}\par
The session ID is the key used to authenticate, create and re-establish a connection with the server. The session ID must be strong and unpredictable, and it needs to be truly random. Both the client side and the server side need to implement strong session management. The following are some of the steps that can be taken to generate strong session IDs:\par
\textbullet\ Making the session ID random --- As mentioned earlier, the more random the session ID is, the harder it is for an attacker to guess or brute-force it. To make session IDs robustly random, the session ID generator can be subjected to statistical randomness tests.\par
\textbullet\ Making the cookie or the session ID longer --- The longer the session ID, the harder it is to brute-force. Brute-forcing a 50-character session ID in a given time is very difficult.\par
\textbullet\ Use server-generated session IDs --- Often the client side uses its own session IDs, which is more vulnerable to session hijacking than having the server generate them. \textbullet\ Forced log out --- There should be a mechanism to log the user out and prompt for re-authentication on a new connection, so that the attacker cannot use the same session ID to take control of the session. Every new connection should therefore require a new authentication and log out the currently authenticated user.\par
\textbullet\ Generate the ID after authentication --- Often the session ID is generated and shared before authentication is performed; the session ID is then exposed to the attacker, who can carry out a session fixation attack. For security reasons the session ID should be generated after authentication is done.\par
\textbullet\ Token regeneration --- If the session token is regenerated once in a while, it becomes hard for the attacker to remain in a valid session, because after a certain time the old token becomes useless. The web server can be implemented to regenerate session tokens, giving the attacker less time on a session [Martin Eizner and Roy McNamara, ``A Guide to Building Secure Web Applications''].\par
\textbullet\ Time-out --- A time-out should be enforced after a certain period of inactivity so that the attacker cannot exploit an idle session.\par
\textbullet\ Proper input validation --- Proper form input validation needs to be implemented on the server side. Cross-site scripting and HTML injection vulnerabilities often allow the attacker to take over the web application and thereby exploit the session.\par
\textbullet\ Detecting session ID brute-forcing attacks --- OWASP suggests using ``booby-trapped'' session tokens to detect brute forcing of session ID tokens [Search Software Quality. (  {\ref 2015})]. A booby-trap token is attached to the actual session token so that brute forcing of tokens can be detected. Users should also be aware of why an encrypted connection should always be used, when to use a proxy or a VPN connection, and why strong passwords should be set for their online accounts. All of this adds up to a safer environment against session hijacking. 
\section[{VII. Observations \& Recommendations}]{VII. Observations \& Recommendations}\par
In this paper the simulated attack on CITY bank session hijacking was analyzed from literature and practical points of view, and the countermeasures to such an attack were explored at the end. Although the actual attack did not have catastrophic effects, the researcher was startled to see how easily the attacker was able to get into the victim's session just by modifying the cookie or session ID. Such an attack can go on to exploit vulnerable systems inside the bank's infrastructure, enabling further, more severe exploitation. The attacker can obtain users' data and e-mail IDs, and it is projected that this loss of user data will fuel further scamming and phishing attacks. The general recommendation for preventing such attacks is to use encrypted and longer session IDs with time-outs, together with an effective IDS/IPS with a brute-force detection mechanism, to deter attackers from carrying out such attacks in future. 
\section[{VIII. Conclusion}]{VIII. Conclusion}\par
In this short survey paper we examined the session hijacking attack and its implementation through a demo attack. Although the details of the attack carried out by the attacker were largely unknown, the security expert stated that it was due to session hijacking. Session hijacking has been on the rise in the recent past, mainly due to lack of awareness among users, developers and administrators and to the poor session management of some web applications and servers on the internet. Putting in place the countermeasures described in the countermeasure section of this paper cannot fully prevent such attacks, but it can at least make the attacker work harder and resort to tricks other than the usual attack performed in this paper. It is also recommended to test the defensive mechanisms that are in place and to monitor, in order to deter, prevent and counter such attacks if they ever take place.\begin{figure}[htbp]
\noindent\textbf{12}\includegraphics[]{image-2.png}
\caption{\label{fig_0}Fig. 1 :Fig. 2 :E}\end{figure}
 \begin{figure}[htbp]
\noindent\textbf{5}\includegraphics[]{image-3.png}
\caption{\label{fig_1}Fig. 5 :}\end{figure}
 \begin{figure}[htbp]
\noindent\textbf{}\includegraphics[]{image-4.png}
\caption{\label{fig_2}}\end{figure}
 \begin{figure}[htbp]
\noindent\textbf{6}\includegraphics[]{image-5.png}
\caption{\label{fig_3}Fig. 6 :}\end{figure}
 \begin{figure}[htbp]
\noindent\textbf{91011}\includegraphics[]{image-6.png}
\caption{\label{fig_4}Fig. 9 :Fig. 10 :Fig. 11 :}\end{figure}
 \begin{figure}[htbp]
\noindent\textbf{13}\includegraphics[]{image-7.png}
\caption{\label{fig_5}Fig. 13 :}\end{figure}
 \begin{figure}[htbp]
\noindent\textbf{}\includegraphics[]{image-8.png}
\caption{\label{figure8}}\end{figure}
 \begin{figure}[htbp]
\noindent\textbf{}\includegraphics[]{image-9.png}
\caption{\label{figure9}}\end{figure}
 \begin{figure}[htbp]
\noindent\textbf{}\includegraphics[]{image-10.png}
\caption{\label{figure10}}\end{figure}
 \begin{figure}[htbp]
\noindent\textbf{}\includegraphics[]{image-11.png}
\caption{\label{figure11}}\end{figure}
 \begin{figure}[htbp]
\noindent\textbf{}\includegraphics[]{image-12.png}
\caption{\label{figure12}}\end{figure}
 			\footnote{© 2016 Global Journals Inc. (US) 1} 			\footnote{© 2016 Global Journals Inc. (US)} 			\footnote{Year 2016 ( )} 		 		\backmatter  			  				\begin{bibitemlist}{1}
\bibitem[Sans and Org (2015)]{b2}\label{b2} 	 		\textit{},  		 			Sans 		,  		 			Org 		.  		 \url{https://www.sans.org/reading-room/whitepapers/ecommerce/overview-session-hijacking-network-application-levels-1565}  		2015. 30 October 2015.  	 
\bibitem[Louis (2011)]{b4}\label{b4} 	 		\textit{CEHv8. Ethical Hacking and Counter Measures},  		 			J Louis 		.  		 Accessed: 10-.  		 \url{https://www.wiziq.com/tutorial/714466-CEHv8-Module-11-SessionHijacking}  		2011. Oct-2014.  		 			University Of Bedfordshire 		 	 	 (Session Hijacking Module 11) 
\bibitem[Curphey et al. ()]{b7}\label{b7} 	 		\textit{A Guide to Building Secure Web Applications},  		 			Mark Curphey 		,  		 			David Endler 		,  		 			William Hau 		,  		 			Steve Taylor 		,  		 			Tim Smith 		,  		 			Alex Russell 		,  		 			Gene Mckenna 		,  		 			Richard Parke 		,  		 			Kevin Mclaughlin 		,  		 			Nigel Tranter 		,  		 			Amit Klien 		,  		 			Dennis Groves 		,  		 			Izhar By-Gad 		,  		 			Sverre Huseby 		,  		 			Martin Eizner 		,  		 			Martin Eizner 		,  		 			Roy Mcnamara 		.  		11 Sept. 2002. 20 Dec. 2004.  	 	 (The Open Web Application Security Project) 
\bibitem[Do you need to encrypt session data Security.stackexchange.com. Retrieved (2015)]{b6}\label{b6} 	 		‘Do you need to encrypt session data’.  		 \url{http://security.stackexchange.com/questions/18880/do-you-need-to-encrypt-session-data}  	 	 		\textit{Security.stackexchange.com. Retrieved},  				2015. 1 November 2015.  	 
\bibitem[Zarei ()]{b9}\label{b9} 	 		\textit{IMPROVE CAPTCHA'S SECURITY USING GAUSSIAN BLUR FILTER},  		 			Ariyan Zarei 		.  		 \url{http://arxiv.org/ftp/arxiv/papers/1410/1410.4441.pdf}  		2014.  	 	 (Accessed: 15-Dec-2014) 
\bibitem[Morana (2004)]{b0}\label{b0} 	 		\textit{Make It and Break It: Preventing Session Hijacking And Cookie Manipulation},  		 			Marco Morana 		.  		 \url{http://nwc.securitypipeline.com/howto/53701241}  		23 Nov. 2004. 20 Dec. 2004.  	 	 (Secure Enterprise) 
\bibitem[Webopedia ()]{b5}\label{b5} 	 		\textit{Online Computer Dictionary for Computer and Internet Terms and Definitions},  		 			Webopedia 		.  		2004.  	 
\bibitem[OWASP Guide to Building Secure Web Applications and Web Services Session Management (2015)]{b8}\label{b8} 	 		‘OWASP Guide to Building Secure Web Applications and Web Services’.  		 \url{http://searchsoftwarequality.techtarget}  	 	 		\textit{Session Management},  		1156684/OA SP-Guide-to-Building-Secure-Web-Applications-nd-Web-Services-Chapter  		2015. 1 November 2015.  		 			Search Software Quality 		 	 	 (11-Session-Managem ent) 
\bibitem[Whitaker and Newman ()]{b1}\label{b1} 	 		\textit{Penetration testing and network defense},  		 			A Whitaker 		,  		 			D Newman 		.  		2006. Indianapolis, IN: Cisco Press.  	 
\bibitem[Ollman (2004)]{b3}\label{b3} 	 		\textit{Web Session Management: Best Practices in Managing HTTP Based Client Sessions},  		 			Gunter Ollman 		.  		 \url{http://www.technicalinfo.net/papers/WebBasedSessionManagement.html}  		20 Dec. 2004.  	 	 (Technical Info: Making Sense of Security) 
\end{bibitemlist}
 			 		 	 
\end{document}
