WEBVTT

0:00:03.280000 --> 0:00:06.040000
Hello everyone and welcome.

0:00:06.040000 --> 0:00:10.320000
In this video we're going to be taking a look at session hijacking and

0:00:10.320000 --> 0:00:16.280000
session fixation in terms of what they are, speaking from a vulnerability

0:00:16.280000 --> 0:00:21.940000
perspective, as well as how they are typically exploited by attackers and

0:00:21.940000 --> 0:00:27.940000
how they relate to session management and/or session security.

0:00:27.940000 --> 0:00:33.480000
So to begin with, let's start off with my favorite, session hijacking.

0:00:33.480000 --> 0:00:39.140000
Alright, so session hijacking, also known as session theft, is a security

0:00:39.140000 --> 0:00:44.840000
attack or vulnerability where an attacker legitimately or illegitimately

0:00:44.840000 --> 0:00:50.260000
takes over a user's active session on a web application.

0:00:50.260000 --> 0:00:54.540000
And again, remember that in the last two videos we've described what a

0:00:54.540000 --> 0:00:58.600000
session is in terms of how it's also implemented, so think of a cookie,

0:00:58.600000 --> 0:01:00.800000
right, and a session ID.

0:01:00.800000 --> 0:01:05.700000
So in this type of attack the attacker gains unauthorized access to the

0:01:05.700000 --> 0:01:10.940000
user's session token or identifier, allowing them to impersonate (that's

0:01:10.940000 --> 0:01:15.700000
the key word) the victim and perform actions on their behalf.

0:01:15.700000 --> 0:01:20.360000
Session hijacking is a severe security threat because it can lead to unauthorized

0:01:20.360000 --> 0:01:26.540000
access to user accounts, sensitive data, and potential misuse of the hijacked

0:01:26.540000 --> 0:01:32.560000
session. Now, in terms of how the attacker gets the token, there's multiple

0:01:32.560000 --> 0:01:36.800000
techniques that are out there, but in my opinion these are the ones that

0:01:36.800000 --> 0:01:39.380000
you need to be aware of right now.

0:01:39.380000 --> 0:01:43.380000
Okay, so firstly you have session prediction. Session prediction, or guessing

0:01:43.380000 --> 0:01:48.820000
the session token, especially if it's predictable or lacks sufficient randomness.

0:01:48.820000 --> 0:01:53.360000
The point is, firstly, it needs to be in a format that cannot be decoded,

0:01:53.360000 --> 0:01:57.720000
or at least, you know, it needs to be encoded or hashed in a format that,

0:01:57.720000 --> 0:02:03.080000
you know, only the web server is aware of in terms of being able to decrypt

0:02:03.080000 --> 0:02:07.700000
it, or pretty much create the identifier in the first place. But the other

0:02:07.700000 --> 0:02:12.620000
point is that, you know, you can't have any formal sequencing behind the

0:02:12.620000 --> 0:02:15.400000
generation of the session ID or the session token.

0:02:15.400000 --> 0:02:20.200000
The point is that you can't have a session token for the admin user being,

0:02:20.200000 --> 0:02:26.460000
you know, admin 001, and then the next user after that is user 002, because

0:02:26.460000 --> 0:02:28.580000
that becomes predictable.

0:02:28.580000 --> 0:02:32.240000
We then have session sniffing, right, so this involves intercepting the

0:02:32.240000 --> 0:02:37.040000
session token as it's transmitted over an unsecured network like an open

0:02:37.040000 --> 0:02:41.420000
Wi-Fi hotspot. That's not that common anymore, but think of it on a local

0:02:41.420000 --> 0:02:45.180000
network where you're performing a pen test, maybe not even a web app pen

0:02:45.180000 --> 0:02:50.120000
test, and you're performing some traffic sniffing, and maybe in a certain

0:02:50.120000 --> 0:02:54.520000
case, you know, you're able to intercept a request. In that particular

0:02:54.520000 --> 0:02:57.680000
case, you know, that can be very useful.

0:02:57.680000 --> 0:03:00.720000
You then have cross-site scripting, right, so exploiting a vulnerability

0:03:00.720000 --> 0:03:05.580000
in the web application to inject malicious JavaScript into a victim's

0:03:05.580000 --> 0:03:08.680000
browser, which can steal the session token.

0:03:08.680000 --> 0:03:12.820000
This is very common, especially with stored cross-site scripting on a particular

0:03:12.820000 --> 0:03:15.400000
page that has a cookie stealer.

0:03:15.400000 --> 0:03:18.820000
In fact, I actually showed you how to create a cookie stealer in the cross-

0:03:18.820000 --> 0:03:24.500000
site scripting attacks course, and that is what, you know, the cookie or

0:03:24.500000 --> 0:03:28.120000
the session can then be used for. It can be used for session hijacking,

0:03:28.120000 --> 0:03:33.300000
right, and the technique through which you do it is typically called cookie

0:03:33.300000 --> 0:03:35.700000
manipulation or cookie tampering.

0:03:35.700000 --> 0:03:39.980000
So then you have the impersonation phase, right, so once the attacker has

0:03:39.980000 --> 0:03:44.300000
the session token they can impersonate the victim by presenting this token

0:03:44.300000 --> 0:03:48.940000
during requests to the web application. And remember, if there isn't additional

0:03:48.940000 --> 0:03:54.900000
authorization like two-factor authentication or anything like that, the

0:03:54.900000 --> 0:03:59.520000
web application will think that it's you, or the individual that, you know,

0:03:59.520000 --> 0:04:02.920000
had their session ID stolen. It will think it's them that is trying to

0:04:02.920000 --> 0:04:07.600000
access the web page, so the application, unaware of the hijacking, treats

0:04:07.600000 --> 0:04:12.220000
the attacker as the authenticated user, which is, you know, not something

0:04:12.220000 --> 0:04:16.720000
that you want. And then, of course, what are the potential impacts of session

0:04:16.720000 --> 0:04:22.240000
hijacking? Well, firstly we have data theft, so access and steal the victim's

0:04:22.240000 --> 0:04:27.440000
sensitive data such as the personal information, financial details, or whatever

0:04:27.440000 --> 0:04:29.880000
you have on your account on that website.

0:04:29.880000 --> 0:04:34.080000
You then have an account takeover, which is again very common, as many of

0:04:34.080000 --> 0:04:38.360000
you know, where you change the victim's account settings, passwords, or email

0:04:38.360000 --> 0:04:42.600000
addresses, effectively locking them out of their account. And then, of course,

0:04:42.600000 --> 0:04:47.540000
if it is a financial-related account or web application in question, you

0:04:47.540000 --> 0:04:51.660000
have malicious transactions, so conduct unauthorized transactions, make

0:04:51.660000 --> 0:04:55.680000
purchases, or manipulate the victim's data. And then, of course, you have

0:04:55.680000 --> 0:04:59.920000
the standard data manipulation, where you modify or delete the victim's

0:04:59.920000 --> 0:05:03.640000
data or settings. Again, this will all come down to the web application

0:05:03.640000 --> 0:05:08.500000
that has the vulnerability, or the actual nature of the web application

0:05:08.500000 --> 0:05:14.220000
itself. So that is session hijacking. Now that begs the question, what is

0:05:14.220000 --> 0:05:19.360000
session fixation? Well, session fixation is a little bit more complex in

0:05:19.360000 --> 0:05:23.740000
terms of even highlighting what exactly is going on, but to put things

0:05:23.740000 --> 0:05:28.660000
simply, session fixation is a web application security attack or vulnerability

0:05:28.660000 --> 0:05:34.900000
where an attacker sets or fixes a user's session identifier, or the session

0:05:34.900000 --> 0:05:38.860000
token, to a known value of the attacker's choice.

0:05:38.860000 --> 0:05:43.360000
Subsequently, the attacker tricks the victim into using this fixed session

0:05:43.360000 --> 0:05:48.900000
identifier to log in, thereby granting the attacker unauthorized access

0:05:48.900000 --> 0:05:50.800000
to the victim's session.

0:05:50.800000 --> 0:05:54.580000
Now, you may be a little bit confused here. Don't worry, this section will

0:05:54.580000 --> 0:05:58.700000
help clarify that. So when we talk about the actual token acquisition with

0:05:58.700000 --> 0:06:03.900000
session fixation attacks, the attacker obtains a session token issued by

0:06:03.900000 --> 0:06:08.820000
the target web application firstly, okay, so a legitimate session token,

0:06:08.820000 --> 0:06:12.760000
and this can be done in several ways, such as, you know, predicting or guessing

0:06:12.760000 --> 0:06:18.120000
the session token, which goes now into session hijacking but for a different

0:06:18.120000 --> 0:06:22.500000
cause now. So some web applications generate session tokens that are easy

0:06:22.500000 --> 0:06:26.940000
to predict or lack sufficient randomness, or they can choose to intercept

0:06:26.940000 --> 0:06:31.120000
the session token. So if the application does not use secure channels like

0:06:31.120000 --> 0:06:35.760000
HTTPS to transmit session tokens, an attacker may intercept them as they

0:06:35.760000 --> 0:06:40.400000
travel over an insecure network like an open Wi-Fi hotspot. So very similar

0:06:40.400000 --> 0:06:47.300000
to session hijacking, but the actual impersonation and impact is slightly

0:06:47.300000 --> 0:06:53.760000
different. So with session fixation, when we move to the impersonation

0:06:53.760000 --> 0:06:59.820000
phase, with the session token in hand the attacker sets or fixes the victim's

0:06:59.820000 --> 0:07:04.980000
session token to a known value that the attacker controls. This value could

0:07:04.980000 --> 0:07:10.580000
be one generated by the attacker or an existing valid session token. So

0:07:10.580000 --> 0:07:14.220000
the attacker then lures the victim into using the fixed session token

0:07:14.220000 --> 0:07:18.840000
to log into the web application, and this can be accomplished through various

0:07:18.840000 --> 0:07:23.140000
means. All right, sending the victim a link that includes the fixed session

0:07:23.140000 --> 0:07:28.140000
token; secondly, manipulating the victim into clicking on a specially crafted

0:07:28.140000 --> 0:07:33.940000
URL, so think social engineering; and furthermore, in addition to that, social

0:07:33.940000 --> 0:07:38.940000
engineering tactics to convince the victim to log in under specific circumstances.

0:07:38.940000 --> 0:07:44.260000
All right, so now we get to the hijacking phase, because session fixation

0:07:44.260000 --> 0:07:48.320000
can involve hijacking, and that's why, I know, it's a little bit confusing,

0:07:48.320000 --> 0:07:52.780000
but once the victim logs in with the fixed session token, the attacker

0:07:52.780000 --> 0:07:57.500000
can now hijack the victim's session, and the web application recognizes

0:07:57.500000 --> 0:08:02.160000
the attacker as the legitimate user since the session token matches what

0:08:02.160000 --> 0:08:06.600000
was expected. With that being said, that's going to be it for this video.