{"id":75982,"date":"2020-01-20T12:46:31","date_gmt":"2020-01-20T07:16:31","guid":{"rendered":"https:\/\/www.vskills.in\/certification\/tutorial\/?p=75982"},"modified":"2024-04-12T14:17:43","modified_gmt":"2024-04-12T08:47:43","slug":"session-forging-hijacking","status":"publish","type":"page","link":"https:\/\/www.vskills.in\/certification\/tutorial\/session-forging-hijacking\/","title":{"rendered":"Session Forging\/Hijacking"},"content":{"rendered":"<p>This isn\u2019t a specific attack, but rather a general class of attacks on a user\u2019s session data. It can take a number of different forms:<\/p>\n<ul>\n<li>A <em>man-in-the-middle<\/em> attack, where an attacker snoops on session data as it travels over the wire (or wireless) network.<\/li>\n<li><em>Session forging<\/em>, where an attacker uses a session ID (perhaps obtained through a man-in-the-middle attack) to pretend to be another user.<\/li>\n<\/ul>\n<p>An example of these first two would be an attacker in a coffee shop using the shop\u2019s wireless network to capture a session cookie. She could then use that cookie to impersonate the original user.<\/p>\n<ul>\n<li>A <em>cookie-forging<\/em> attack, where an attacker overrides the supposedly read-only data stored in a cookie.<\/li>\n<\/ul>\n<p>There\u2019s a long history of Web sites that have stored a cookie like IsLoggedIn=1 or even LoggedInAsUser=jacob. It\u2019s dead simple to exploit these types of cookies. On a more subtle level, though, it\u2019s never a good idea to trust anything stored in cookies; you never know who\u2019s been poking at them.<\/p>\n<ul>\n<li><em>Session fixation<\/em>, where an attacker tricks a user into setting or resetting the user\u2019s session ID.<\/li>\n<\/ul>\n<p>For example, PHP allows session identifiers to be passed in the URL (e.g., http:\/\/example.com\/?PHPSESSID=fa90197ca25f6ab40bb1374c510d7a32). 
An attacker who tricks a user into clicking a link with a hard-coded session ID will cause the user to pick up that session. Session fixation has been used in phishing attacks to trick users into entering personal information into an account the attacker owns. He can later log into that account and retrieve the data.<\/p>\n<ul>\n<li><em>Session poisoning<\/em>, where an attacker injects potentially dangerous data into a user\u2019s session \u2014 usually through a Web form that the user submits to set session data.<\/li>\n<\/ul>\n<p>A canonical example is a site that stores a simple user preference (like a page\u2019s background color) in a cookie. An attacker could trick a user into clicking a link to submit a \u201ccolor\u201d that actually contains an XSS attack; if that color isn\u2019t escaped, the attacker could again inject malicious code into the user\u2019s environment.<\/p>\n<p><strong>The Solution<\/strong> &#8211; There are a number of general principles that can protect you from these attacks:<\/p>\n<ul>\n<li>Never allow session information to be contained in the URL. Django\u2019s session framework simply doesn\u2019t allow sessions to be contained in the URL.<\/li>\n<li>Don\u2019t store data in cookies directly; instead, store a session ID that maps to session data stored on the back-end. If you use Django\u2019s built-in session framework (i.e., session), this is handled automatically for you. The only cookie that the session framework uses is a single session ID; all the session data is stored in the database.<\/li>\n<li>Remember to escape session data if you display it in the template.<\/li>\n<li>Prevent attackers from spoofing session IDs whenever possible. Although it\u2019s nearly impossible to detect someone who\u2019s hijacked a session ID, Django does have built-in protection against a brute-force session attack. 
Session IDs are stored as hashes (instead of sequential numbers), which prevents a brute-force attack, and a user will always get a new session ID if she tries a nonexistent one, which prevents session fixation.<\/li>\n<\/ul>\n<p>Notice that none of those principles and tools prevents man-in-the-middle attacks. These types of attacks are nearly impossible to detect. If your site allows logged-in users to see any sort of sensitive data, you should <em>always<\/em> serve that site over HTTPS. Additionally, if you have an SSL-enabled site, you should set the SESSION_COOKIE_SECURE setting to True; this will make Django only send session cookies over HTTPS.<\/p>\n\n\n<p><a href=\"https:\/\/www.vskills.in\/certification\/tutorial\/certified-django-developer\/\" target=\"_blank\" rel=\"noreferrer noopener\">Back to Tutorial<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This isn\u2019t a specific attack, but rather a general class of attacks on a user\u2019s session data. It can take a number of different forms: A man-in-the-middle attack, where an attacker snoops on session data as it travels over the wire (or wireless) network. 
Session forging, where an attacker uses a session ID (perhaps obtained&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"categories":[8655],"tags":[8879],"class_list":["post-75982","page","type-page","status-publish","hentry","category-django-web-development","tag-session-forging-hijacking"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Session Forging\/Hijacking - Tutorial<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.vskills.in\/certification\/tutorial\/session-forging-hijacking\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Session Forging\/Hijacking - Tutorial\" \/>\n<meta property=\"og:description\" content=\"This isn\u2019t a specific attack, but rather a general class of attacks on a user\u2019s session data. It can take a number of different forms: A man-in-the-middle attack, where an attacker snoops on session data as it travels over the wire (or wireless) network. Session forging, where an attacker uses a session ID (perhaps obtained...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.vskills.in\/certification\/tutorial\/session-forging-hijacking\/\" \/>\n<meta property=\"og:site_name\" content=\"Tutorial\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/vskills.in\/\" \/>\n<meta property=\"article:modified_time\" content=\"2024-04-12T08:47:43+00:00\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.vskills.in\/certification\/tutorial\/session-forging-hijacking\/\",\"url\":\"https:\/\/www.vskills.in\/certification\/tutorial\/session-forging-hijacking\/\",\"name\":\"Session Forging\/Hijacking - Tutorial\",\"isPartOf\":{\"@id\":\"https:\/\/www.vskills.in\/certification\/tutorial\/#website\"},\"datePublished\":\"2020-01-20T07:16:31+00:00\",\"dateModified\":\"2024-04-12T08:47:43+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.vskills.in\/certification\/tutorial\/session-forging-hijacking\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.vskills.in\/certification\/tutorial\/session-forging-hijacking\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.vskills.in\/certification\/tutorial\/session-forging-hijacking\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.vskills.in\/certification\/tutorial\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Session Forging\/Hijacking\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.vskills.in\/certification\/tutorial\/#website\",\"url\":\"https:\/\/www.vskills.in\/certification\/tutorial\/\",\"name\":\"Tutorial\",\"description\":\"Vskills - A initiative in elearning and 
certification\",\"publisher\":{\"@id\":\"https:\/\/www.vskills.in\/certification\/tutorial\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.vskills.in\/certification\/tutorial\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.vskills.in\/certification\/tutorial\/#organization\",\"name\":\"Vskills\",\"url\":\"https:\/\/www.vskills.in\/certification\/tutorial\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.vskills.in\/certification\/tutorial\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.vskills.in\/certification\/tutorial\/wp-content\/uploads\/2017\/07\/vskills-min-logo.jpg\",\"contentUrl\":\"https:\/\/www.vskills.in\/certification\/tutorial\/wp-content\/uploads\/2017\/07\/vskills-min-logo.jpg\",\"width\":73,\"height\":55,\"caption\":\"Vskills\"},\"image\":{\"@id\":\"https:\/\/www.vskills.in\/certification\/tutorial\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/vskills.in\/\",\"https:\/\/x.com\/vskills_in\",\"https:\/\/www.linkedin.com\/company-beta\/1371554\/\",\"https:\/\/www.youtube.com\/channel\/UCMWnscxPwRF_PqXo9B7q_Tw\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Session Forging\/Hijacking - Tutorial","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.vskills.in\/certification\/tutorial\/session-forging-hijacking\/","og_locale":"en_US","og_type":"article","og_title":"Session Forging\/Hijacking - Tutorial","og_description":"This isn\u2019t a specific attack, but rather a general class of attacks on a user\u2019s session data. 
It can take a number of different forms: A man-in-the-middle attack, where an attacker snoops on session data as it travels over the wire (or wireless) network. Session forging, where an attacker uses a session ID (perhaps obtained...","og_url":"https:\/\/www.vskills.in\/certification\/tutorial\/session-forging-hijacking\/","og_site_name":"Tutorial","article_publisher":"https:\/\/www.facebook.com\/vskills.in\/","article_modified_time":"2024-04-12T08:47:43+00:00","twitter_misc":{"Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.vskills.in\/certification\/tutorial\/session-forging-hijacking\/","url":"https:\/\/www.vskills.in\/certification\/tutorial\/session-forging-hijacking\/","name":"Session Forging\/Hijacking - Tutorial","isPartOf":{"@id":"https:\/\/www.vskills.in\/certification\/tutorial\/#website"},"datePublished":"2020-01-20T07:16:31+00:00","dateModified":"2024-04-12T08:47:43+00:00","breadcrumb":{"@id":"https:\/\/www.vskills.in\/certification\/tutorial\/session-forging-hijacking\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.vskills.in\/certification\/tutorial\/session-forging-hijacking\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.vskills.in\/certification\/tutorial\/session-forging-hijacking\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.vskills.in\/certification\/tutorial\/"},{"@type":"ListItem","position":2,"name":"Session Forging\/Hijacking"}]},{"@type":"WebSite","@id":"https:\/\/www.vskills.in\/certification\/tutorial\/#website","url":"https:\/\/www.vskills.in\/certification\/tutorial\/","name":"Tutorial","description":"Vskills - A initiative in elearning and 
certification","publisher":{"@id":"https:\/\/www.vskills.in\/certification\/tutorial\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.vskills.in\/certification\/tutorial\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.vskills.in\/certification\/tutorial\/#organization","name":"Vskills","url":"https:\/\/www.vskills.in\/certification\/tutorial\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.vskills.in\/certification\/tutorial\/#\/schema\/logo\/image\/","url":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-content\/uploads\/2017\/07\/vskills-min-logo.jpg","contentUrl":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-content\/uploads\/2017\/07\/vskills-min-logo.jpg","width":73,"height":55,"caption":"Vskills"},"image":{"@id":"https:\/\/www.vskills.in\/certification\/tutorial\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/vskills.in\/","https:\/\/x.com\/vskills_in","https:\/\/www.linkedin.com\/company-beta\/1371554\/","https:\/\/www.youtube.com\/channel\/UCMWnscxPwRF_PqXo9B7q_Tw"]}]}},"_links":{"self":[{"href":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-json\/wp\/v2\/pages\/75982","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-json\/wp\/v2\/comments?post=75982"}],"version-history":[{"count":4,"href":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-json\/wp\/v2\/pages\/75982\/revisions"
}],"predecessor-version":[{"id":83457,"href":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-json\/wp\/v2\/pages\/75982\/revisions\/83457"}],"wp:attachment":[{"href":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-json\/wp\/v2\/media?parent=75982"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-json\/wp\/v2\/categories?post=75982"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-json\/wp\/v2\/tags?post=75982"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}