Posted to users@tomcat.apache.org by Jasbinder Singh Bali <js...@gmail.com> on 2007/04/04 16:42:11 UTC

Session Hijacking with Apache Tomcat

> Hi,
> I have to demonstrate Session Hijacking with Apache Tomcat to my advisor
> when some precautionary measures are not taken.
> I'm just wondering how can I do this.
> After a satisfactory demonstration, I need to demonstrate the steps I
> would take to get rid of this session hijacking.
>
> In short, I need to demonstrate session hijacking in Apache Tomcat and
> then show measures that would be
> taken to get rid of it.
>
> Any kind of help would be highly appreciated.
>
> Thanks in advance,
> ~Jas
>

Re: Session Hijacking with Apache Tomcat

Posted by David Smith <dn...@cornell.edu>.
Jasbinder Singh Bali wrote:

> And how should I get rid of session hijacking. Is there any feature in
> Tomcat that takes care of it?
>
> On 4/4/07, Mikolaj Rydzewski <mi...@ceti.pl> wrote:
>
>>
>> Jasbinder Singh Bali wrote:
>> >> In short, I need to demonstrate session hijacking in Apache Tomcat and
>> >> then show measures that would be
>> >> taken to get rid of it.
>> >>
>> >> Any kind of help would be highly appreciated.
>> Turn off cookies, Tomcat should then rewrite URLs to include jsessionid.
>> Then it's trivial to hijack such a session.
>>
>> -- 
>> Mikolaj Rydzewski <mi...@ceti.pl>
>>
>>
>>
>
Your only avenue in avoiding a session hijack is SSL.  IP checking is of
limited success and still allows for the man-in-the-middle attack as
well as hijacks from others that log in behind the same cable router you
are on.  If it's important enough that session hijacking is a concern,
it needs to be encrypted.


--David

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Session Hijacking with Apache Tomcat

Posted by Peter Crowther <Pe...@melandra.com>.
> From: Jasbinder Singh Bali [mailto:jsbali@gmail.com] 
> Isn't there any feature in tomcat itself that would 
> automatically take care
> of session hijacking without doing something at web application level.

Not in all cases.  SSL deals with untrusted networks, but if you can't
trust the user's computer (common in Internet applications) not even SSL
will help you.

		- Peter



Re: Session Hijacking with Apache Tomcat

Posted by Jasbinder Singh Bali <js...@gmail.com>.
Isn't there any feature in Tomcat itself that would automatically take care
of session hijacking without doing something at the web application level?
Something like the way the BadInputFilter valve in Tomcat tries to escape
certain string patterns from the GET and POST parameter names and values so
that most XSS exploits fail to work, without modifying or disabling the web
applications.

On 4/4/07, Mikolaj Rydzewski <mi...@ceti.pl> wrote:
>
> Jasbinder Singh Bali wrote:
> > And how should I get rid of session hijacking. Is there any feature in
> > Tomcat that takes care of it?
> Figure it out yourself, it's not so hard ;-)
>
> I.e. you can store the client's IP address in a session, and compare it with
> every request. If they don't match, then the session is probably hijacked.
> That's the easiest solution, which will break some clients.
>
> --
> Mikolaj Rydzewski <mi...@ceti.pl>
>
>
>

[OT] RE: Session Hijacking with Apache Tomcat

Posted by Peter Crowther <Pe...@melandra.com>.
> From: Mikolaj Rydzewski [mailto:miki@ceti.pl]
> Jasbinder Singh Bali wrote:
> > And how should I get rid of session hijacking. Is there any feature in
> > Tomcat that takes care of it?
> Figure it out yourself, it's not so hard ;-)
>
> I.e. you can store the client's IP address in a session, and compare it with
> every request. If they don't match, then the session is probably hijacked.
> That's the easiest solution, which will break some clients.

Yes.  It's possible to get round that if you can inject packets onto the
network, but it's getting harder to do so unless you can compromise one
end of the network or the other - more routers and ISPs are dropping
packets with faked source IPs, and more servers are implementing
well-randomised TCP sequence numbers so that you can't fake a TCP
connection "blind".  However, packet injection is generally relatively
simple if you can get hold of a machine on the same local network as the
target user or the target server - and if you're able to sniff traffic,
there's a good chance you already have this.

		- Peter



RE: Session Hijacking with Apache Tomcat

Posted by "Raghupathy, Gurumoorthy" <Gu...@nielsen.com>.
Hi,
Client IP may not be the right solution.

This may fail if 2 users use the same proxy to access your site...
This is normally the case in small and big businesses where every user is
using a proxy to access a website....


Regards
Guru


-----Original Message-----
From: Mikolaj Rydzewski [mailto:miki@ceti.pl] 
Sent: 04 April 2007 16:04
To: Tomcat Users List
Subject: Re: Session Hijacking with Apache Tomcat

Jasbinder Singh Bali wrote:
> And how should I get rid of session hijacking. Is there any feature in
> Tomcat that takes care of it?
Figure it out yourself, it's not so hard ;-)

I.e. you can store the client's IP address in a session, and compare it with
every request. If they don't match, then the session is probably hijacked.
That's the easiest solution, which will break some clients.

--
Mikolaj Rydzewski <mi...@ceti.pl>




Re: Session Hijacking with Apache Tomcat

Posted by Mikolaj Rydzewski <mi...@ceti.pl>.
Jasbinder Singh Bali wrote:
> And how should I get rid of session hijacking. Is there any feature in
> Tomcat that takes care of it?
Figure it out yourself, it's not so hard ;-)

I.e. you can store the client's IP address in a session, and compare it with
every request. If they don't match, then the session is probably hijacked.
That's the easiest solution, which will break some clients.

--
Mikolaj Rydzewski <mi...@ceti.pl>


RE: Session Hijacking with Apache Tomcat

Posted by Peter Crowther <Pe...@melandra.com>.
> From: Jasbinder Singh Bali [mailto:jsbali@gmail.com]
> And how should I get rid of session hijacking. Is there any feature in
> Tomcat that takes care of it?

I shouldn't do your work for you, but... just hope your supervisor
doesn't read tomcat-users :-).

Demonstrate: the simplest approach is to use a network sniffer on the
HTTP stream to get the session cookie, then fake that cookie in another
request to the server.  cURL will quite happily pass up faked cookie
files.

Fix: Use https and *never* pass sessions between cleartext and encrypted
sessions, despite it being a common requirement on this list.  Won't get
round all possible attacks if you can gain access to the user's
machine*, but it defeats eavesdropping unless the eavesdropper can break
your SSL key - and if they can do that routinely, the world has *much*
worse problems.

		- Peter

* Keyloggers, browser "helper" objects/plug-ins, XSS attacks if the user
is running an older browser or an exploit can be found in a newer one...

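As an added example, not code from the thread or from Tomcat itself: a servlet Filter (javax.servlet API, as available on Tomcat 5.5/6) that enforces Peter's rule that a session created over https is never honoured over cleartext, and puts Mikolaj's store-the-client-IP check behind a switch because of the shared-proxy problem Guru raises. The class name, session attribute names and the init-param "checkAddress" are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter, not part of Tomcat: map it to /* in web.xml.
public class SessionBindingFilter implements Filter {
    private static final String SECURE_ATTR = "binding.secure"; // assumed attribute names
    private static final String ADDR_ATTR = "binding.addr";
    // Assumed init-param "checkAddress": leave it off when users share a proxy,
    // otherwise every user behind that proxy looks like the same client.
    private boolean checkAddress;
    public void init(FilterConfig cfg) {
        checkAddress = "true".equalsIgnoreCase(cfg.getInitParameter("checkAddress"));
    }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false); // never create one here
        if (session != null) {
            Boolean createdSecure = (Boolean) session.getAttribute(SECURE_ATTR);
            if (createdSecure == null) {
                // First request on this session: record how it was established.
                session.setAttribute(SECURE_ATTR, Boolean.valueOf(request.isSecure()));
                session.setAttribute(ADDR_ATTR, request.getRemoteAddr());
            } else {
                // A session created over https must never be honoured over http:
                // its id would then cross the wire in cleartext.
                boolean downgraded = createdSecure.booleanValue() && !request.isSecure();
                boolean addrChanged = checkAddress
                        && !request.getRemoteAddr().equals(session.getAttribute(ADDR_ATTR));
                if (downgraded || addrChanged) {
                    session.invalidate(); // kill it server-side, not just for this request
                    ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
                    return;
                }
            }
        }
        chain.doFilter(req, res);
    }
    public void destroy() {}
}
```

Behind a reverse proxy getRemoteAddr() returns the proxy's address, so the IP comparison compares nothing useful unless the real client address is restored first (Tomcat's RemoteIpValve does this from X-Forwarded-For in later versions); Guru's objection about clients sharing a forward proxy still stands.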


Re: Session Hijacking with Apache Tomcat

Posted by Jasbinder Singh Bali <js...@gmail.com>.
And how should I get rid of session hijacking. Is there any feature in
Tomcat that takes care of it?

On 4/4/07, Mikolaj Rydzewski <mi...@ceti.pl> wrote:
>
> Jasbinder Singh Bali wrote:
> >> In short, I need to demonstrate session hijacking in Apache Tomcat and
> >> then show measures that would be
> >> taken to get rid of it.
> >>
> >> Any kind of help would be highly appreciated.
> Turn off cookies, Tomcat should then rewrite URLs to include jsessionid.
> Then it's trivial to hijack such a session.
>
> --
> Mikolaj Rydzewski <mi...@ceti.pl>
>
>
>

Re: Session Hijacking with Apache Tomcat

Posted by Mikolaj Rydzewski <mi...@ceti.pl>.
Jasbinder Singh Bali wrote:
>> In short, I need to demonstrate session hijacking in Apache Tomcat and
>> then show measures that would be
>> taken to get rid of it.
>>
>> Any kind of help would be highly appreciated.
Turn off cookies, Tomcat should then rewrite URLs to include jsessionid.
Then it's trivial to hijack such a session.

--
Mikolaj Rydzewski <mi...@ceti.pl>
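Mikolaj's demonstration works because, with cookies off, the container falls back to URL rewriting and the session id sits in every link. As an added example (not from the thread, and not Tomcat code): a ServletContextListener that restricts session tracking to cookies and marks the cookie secure and HttpOnly. It assumes a Servlet 3.0 container (Tomcat 7 or later), which did not exist when this thread was written; the class name is an assumption.

```java
import java.util.EnumSet;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

// Hypothetical listener, not Tomcat code; needs Servlet 3.0, i.e. Tomcat 7 or later.
@WebListener
public class SessionHardeningListener implements ServletContextListener {
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // The default tracking modes are COOKIE and URL. With cookies disabled the
        // container falls back to URL rewriting and the id travels as
        // ;jsessionid=... in every link, landing in access logs, Referer headers
        // and anything the user pastes. Allowing COOKIE only removes that path;
        // cookie-less clients then get no session at all instead of a leaky one.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true); // hidden from document.cookie, so script cannot read it
        cookie.setSecure(true);   // browser sends it over https only, never in cleartext
    }

    public void contextDestroyed(ServletContextEvent sce) {}
}
```

The same settings can be written declaratively in a Servlet 3.0 web.xml under session-config (tracking-mode and cookie-config); the listener form is shown because it is the one place the effect can be verified in code.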


Re: Session Hijacking with Apache Tomcat

Posted by David Tonhofer <d....@m-plify.com>.
Jasbinder Singh Bali wrote:
>> Hi,
>> I have to demonstrate Session Hijacking with Apache Tomcat to my advisor
>> when some precautionary measures are not taken. 
>
Maybe securityfocus.com has some information on that?
