Today, the enterprise and Digital Business runs on the Web. Whether it is providing employees around the world with efficient access to information or offering customers products and services, more and more organizations are leveraging the power of online applications. New access points to the Internet are opened every day. Laptops, tablets and smartphones enable users to log in from anywhere at any time. But this flexibility presents a dilemma: successful organizations must balance convenient user access with security controls that keep attackers from exploiting those access points for e-commerce fraud, identity theft and other malicious activity.
HTTP is the predominant protocol for giving users access to web applications, largely because it is convenient on the server side. Because HTTP is stateless, web applications rely mainly on cookies to maintain session state once the user has logged in. Maintaining session state in a cookie offers a simple experience for end users: they prove their identity (and that of their device) once, at authentication, and can then move quickly to the information they want. But this user-friendly experience comes at a cost. A session cookie is a bearer token, so the server trusts whoever presents it; a cookie that is stolen, intercepted or replayed hands the attacker the authenticated session.
Session Hijacking Techniques
As risk-based authentication becomes a stronger deterrent, attackers are turning to session hijacking instead. Strong authentication is emerging as a hard-to-breach front door, but critical weaknesses remain in how HTTP sessions are maintained. Some of the specific session hijacking techniques include:
- Spoofing attack - Unauthorized session access based on falsified data, such as a forged session identifier.
- Man-in-the-middle attack - Intercepting an HTTP cookie in transit, without the user's knowledge.
- Man-in-the-browser attack - Installing malicious code in the browser itself so that it forwards session data to a third party.
Various cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks are also common approaches used by hackers and fraudsters: XSS can read a cookie outright, while CSRF makes the victim's browser send requests that carry the cookie automatically. Perhaps more concerning for enterprise security are the attack types not yet known, which are continually developed and directed against web sessions with increasing frequency.
Approach to Session Hijacking Prevention
Traditional approaches to session hijacking prevention have achieved an acceptable level of effectiveness by limiting the scope and damage of attacks. New techniques are emerging, however, that work in concert with strong authentication to make it extremely difficult for an attacker to steal a session.
- More Control - Adding an interim layer between the client and the server gives the enterprise better control over the security of a given session. This layer serves as an objective check against stolen cookies: it re-checks the device's identity on a periodic basis, so a fraudster who steals the cookie cannot simply present it to log into an application.
- More Connection - This approach ties the single sign-on (SSO) cookie to the cookie of any given application. By marrying the two tokens, an attacker who obtains only an application's session cookie (for example, one used by a Java session) cannot present it to the web access management layer on its own, and an SSO cookie alone is equally useless.
- An Active Approach to Session Security - Enhanced Session Assurance with Device DNA. This technique 'remembers' the device on which the user initially authenticated and then actively compares the settings and history of the device presenting the session against that initial device, to further confirm the identity of the user and the legitimacy of the login attempt.
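The three measures above in working code, as an added example that is not part of this article and not any product's implementation: a plain bearer session cookie next to a session whose application cookie is bound to the SSO cookie with an HMAC and whose remembered device fingerprint is re-checked on a fixed interval. The server key, the device attributes used as 'Device DNA', the cookie formats, the application names and the re-check interval are all assumptions chosen for illustration.

```python
# Added example (not from the original article): bearer cookie vs. a session
# bound to an SSO token and to a remembered device, re-checked periodically.
# Key, cookie formats and device attributes are constructed for illustration.
import hashlib
import hmac
import secrets

# Assumption: a per-deployment secret; constructed value for this example only.
SERVER_KEY = b"constructed-example-key-do-not-reuse"


def device_fingerprint(device: dict) -> str:
    """Hash of the device attributes remembered at login (constructed 'Device DNA')."""
    material = "|".join(f"{k}={device[k]}" for k in sorted(device))
    return hashlib.sha256(material.encode()).hexdigest()


class NaiveSessionStore:
    """Plain bearer cookie: the server trusts whoever presents the value."""

    def __init__(self):
        self.sessions = {}  # cookie value -> user

    def login(self, user: str) -> str:
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = user
        return cookie

    def authenticate(self, cookie: str):
        return self.sessions.get(cookie)  # no device or freshness check at all


class AssuredSessionStore:
    """SSO cookie, per-application cookie bound to it, periodic device re-check."""

    def __init__(self, recheck_interval: float, now):
        self.sso = {}  # sso cookie -> {"user", "fp", "last_check"}
        self.recheck_interval = recheck_interval
        self.now = now  # injectable clock so the example is deterministic

    def sso_login(self, user: str, device: dict) -> str:
        sso_cookie = secrets.token_urlsafe(32)
        self.sso[sso_cookie] = {"user": user, "fp": device_fingerprint(device),
                                "last_check": self.now()}
        return sso_cookie

    def app_cookie(self, sso_cookie: str, app: str) -> str:
        # HMAC over the SSO cookie and the app name: on its own the app cookie
        # proves nothing, the matching SSO cookie must accompany it.
        msg = f"{sso_cookie}:{app}".encode()
        return hmac.new(SERVER_KEY, msg, "sha256").hexdigest()

    def authenticate(self, sso_cookie: str, app_cookie: str, app: str, device: dict):
        rec = self.sso.get(sso_cookie)
        if rec is None:
            return None  # unknown or revoked SSO session
        if not hmac.compare_digest(app_cookie, self.app_cookie(sso_cookie, app)):
            return None  # app cookie does not belong to this SSO session / app
        if self.now() - rec["last_check"] >= self.recheck_interval:
            if device_fingerprint(device) != rec["fp"]:
                del self.sso[sso_cookie]  # mismatch: revoke the whole SSO session
                return None
            rec["last_check"] = self.now()
        return rec["user"]


def demo() -> dict:
    """Replay a stolen cookie against both stores; returns the outcomes."""
    # Constructed device attributes for the example.
    alice_device = {"ua": "Mozilla/5.0 (X11; Linux)", "tz": "Europe/Berlin", "screen": "1920x1080"}
    thief_device = {"ua": "Mozilla/5.0 (Windows NT 10.0)", "tz": "UTC", "screen": "1366x768"}

    naive = NaiveSessionStore()
    stolen = naive.login("alice")

    clock = [1000.0]
    assured = AssuredSessionStore(recheck_interval=60, now=lambda: clock[0])
    sso = assured.sso_login("alice", alice_device)
    app = assured.app_cookie(sso, "payroll")
    other_app = assured.app_cookie(sso, "hr-portal")

    results = {
        "naive_replay": naive.authenticate(stolen),  # stolen bearer cookie works anywhere
        "assured_legit": assured.authenticate(sso, app, "payroll", alice_device),
        # App cookie alone, or the cookie of a different app, is rejected.
        "assured_app_only": assured.authenticate("", app, "payroll", thief_device),
        "assured_wrong_app": assured.authenticate(sso, other_app, "payroll", thief_device),
        # Both cookies stolen: still accepted until the next periodic re-check.
        "assured_within_window": assured.authenticate(sso, app, "payroll", thief_device),
    }
    clock[0] += 61  # the re-check comes due
    results["assured_replay"] = assured.authenticate(sso, app, "payroll", thief_device)
    # The mismatch revoked the SSO session, so even the real user must log in again.
    results["assured_after_revoke"] = assured.authenticate(sso, app, "payroll", alice_device)
    return results
```

Two caveats the demo makes visible. First, a periodic re-check leaves a window: an attacker holding both cookies is accepted until the interval elapses, so the interval should be short, or the fingerprint compared on every request if the comparison is cheap. Second, the attributes chosen as 'Device DNA' decide the false-positive rate; a user-agent string changes with every browser update, so a real deployment would weight attributes or step up to re-authentication rather than revoke outright on a single mismatch.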
Authored By - Ajaykumar Goswami
TCS Enterprise Security and Risk Management