Packet Sniffer UID Question...
Posted: Fri Dec 11, 2009 2:35 pm
by 0perand
In theory if a client computer connects to a php site using sessions and the client has a virus that does packet sniffing... The virus can transmit the get header request with the session id as well as the rest of the header to an offsite machine. Then that offsite machine can access the same website without any issues as long as it keeps the same header right?
If I am correct then is there any way to protect against this? Also this packet could be stolen via proxy use, correct? I mean if an IT guy has a grudge then he can in theory go steal all the get headers and access the websites by stealing the session right?
Thanks ahead of time,
OP
Re: Packet Sniffer UID Question...
Posted: Fri Dec 11, 2009 3:48 pm
by AbraCadaver
To protect the session ID use SSL, though it is still in the cookie and can be retrieved from there. You can also save the user's useragent string and IP in the session and check that each time. This does not eliminate the risk but helps to mitigate it some.
As for the proxy, SSL would be the best bet, however an intelligent/technical proxy admin could still get access to the unencrypted data.
Re: Packet Sniffer UID Question...
Posted: Fri Dec 11, 2009 4:00 pm
by flying_circus
0perand wrote: In theory if a client computer connects to a php site using sessions and the client has a virus that does packet sniffing... The virus can transmit the get header request with the session id as well as the rest of the header to an offsite machine. Then that offsite machine can access the same website without any issues as long as it keeps the same header right?
I believe this depends on how the website handles session authentication. In its most basic form of just passing the session id through a cookie, then it would be trivial to forge through your scenario. I believe this is referred to as Session Hijacking.
Perhaps someone with more experience can chime in here. If there is a packet sniffer installed as a filter driver, would it be possible to capture the data before it is encrypted in SSL? I was playing around with Wireshark the other day, which raised this question.
0perand wrote:
If I am correct then is there any way to protect against this? Also this packet could be stolen via proxy use, correct? I mean if an IT guy has a grudge then he can in theory go steal all the get headers and access the websites by stealing the session right?
Thanks ahead of time,
OP
With a proxy server, I believe you are referring to a Man-In-The-Middle attack. Sending data over a secure connection should mitigate this risk.
Re: Packet Sniffer UID Question...
Posted: Sat Dec 12, 2009 3:04 pm
by kaisellgren
If the user's browser has been hijacked, there's nothing you as a web developer can do about it.
Re: Packet Sniffer UID Question...
Posted: Wed Dec 16, 2009 9:07 pm
by 0perand
Thanks for the info guys... I figured the best defense I could use is change the uid constantly. It's not perfect, but at least the uid expires with every refresh or navigation on the site.
BTW SSL does break through a proxy. So an IT guy who is really smurf could do some damage if he knows what to do.
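The mitigations discussed in this thread (an SSL-only cookie, AbraCadaver's stored user agent and IP check, and 0perand's ID change on every request) combined in one session bootstrap, as an added example that is not part of any of the original posts. The function names are hypothetical, and the code assumes PHP 7.3 or later and a site served only over HTTPS.

```php
<?php
declare(strict_types=1);
// Added example; function names are hypothetical. Assumes PHP 7.3+ and HTTPS only.

/** Hash of the client properties stored in the session (user agent and IP). */
function client_fingerprint(array $server): string
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    $ip = $server['REMOTE_ADDR'] ?? '';
    return hash('sha256', $ua . "\n" . $ip);
}

/** True when the session is not yet bound, or is bound to this same client. */
function fingerprint_matches(array $session, array $server): bool
{
    $stored = $session['fingerprint'] ?? null;
    if ($stored === null) {
        return true; // brand-new session, nothing to compare against yet
    }
    return is_string($stored) && hash_equals($stored, client_fingerprint($server));
}

function start_hardened_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,  // cookie is only ever sent over SSL/TLS
        'httponly' => true,  // cookie is not readable from page scripts
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    session_start();

    if (!fingerprint_matches($_SESSION, $_SERVER)) {
        // The ID was presented by a different client: drop everything stored
        // under it, so whoever holds the ID ends up with an empty session.
        $_SESSION = [];
    }
    $_SESSION['fingerprint'] = client_fingerprint($_SERVER);

    // Issue a new ID on every request and delete the old one server-side.
    session_regenerate_id(true);
}

start_hardened_session();
```

Binding to the IP address logs out users whose address changes mid-session, and regenerating the ID on every request can drop a session when the browser sends several requests in parallel.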