Session Hijacking: A Stolen Identity and a Broken Date

Alice met Charles in an online chat room. They discovered that they lived quite close to each other and had a lot in common. Charles asked Alice out on a date. She was thrilled to get the invitation, and after exchanging a few e-mails, Alice found herself at an upscale Italian restaurant, waiting for Charles to show up. He never arrived. Disheartened, Alice went home and decided never to talk to Charles again. Although upset, she was quite surprised at being stood up. Charles didn't seem the type who would play games. What went wrong?

The mystery unfolds if we take a look at what Bob was doing a few hours before the big date. Bob was the security administrator at the company that Alice worked for and was intending to ask her out "one of these days." Another coworker told Bob that Alice was setting up a date with an "online friend." Bob decided to throw a curve to cupid. Here's how it went down.

March 5, 7:00 A.M. Alice's Residence

Alice logs on to her Web-based e-mail service at http://ewebmail.example.com/ and decides to write a note to Charles accepting his invitation for a dinner and a movie that night. She is thrilled that she is finally meeting Charles in person! A simple Web-based e-mail service, eWebMail is much like the more popular Hotmail and Yahoo! Mail. The login mechanism used by eWebMail involves accepting a username and password via an HTML form, as shown in Figure 13-1.

Figure 13-1. Login screen of http://ewebmail.example.com/


Alice then quickly uses eWebMail's e-mail Compose screen to send a note to Charles, setting up a time and place for the evening's date. Figure 13-2 shows eWebMail's e-mail Compose screen and Alice's note to Charles.

Figure 13-2. Alice's note to Charles


After sending the note, Alice realizes that she's going to be late for her morning meeting. She rushes to get dressed and ready to tackle the morning rush hour traffic.

8:30 A.M. Alice's Workplace

Alice walks into the lobby of her firm's office and is greeted by Nicole, the receptionist. Nicole and Alice are very good friends. Alice, in her excitement, tells Nicole that she is finally going to see Charles in person that evening. Just as Alice walks into the conference room, her coworker, Bob, walks into the lobby. After exchanging greetings, Nicole tells Bob about Alice's hot date for the evening. Bob slinks off to his office and tries to focus on the day's work. He is quite upset that someone is going to beat him to a date with Alice. After an hour, Bob finally decides to see if he can intercept Alice's e-mails and find out what's going on.

Bob knew that Alice used eWebMail's e-mail service for her personal e-mails. He decided that if he were to get access to Alice's e-mails, the first thing he would have to do is get an account set up at the same e-mail service that Alice uses. Last month, Bob had been to a security conference where two guys had talked about "Web hacking," and he was quite intrigued with that particular area of security. Signing up for eWebMail's free Web-based e-mail service was quite easy, and soon Bob was logging on to http://ewebmail.example.com/ for the first time to try out his new e-mail account: bob@ewebmail.example.com. The login mechanism is shown in Figure 13-3.

Figure 13-3. Bob logging onto http://ewebmail.example.com/


10:00 A.M. Bob's Office

Bob carefully studied how eWebMail worked. The application was written in Java Servlets and Java Server Pages. The features offered by eWebMail were the same as those offered by most Web-based e-mail services.

When Bob logged onto eWebMail, a program called Cookie Pal was displayed in the pop-up box shown in Figure 13-4.

Figure 13-4. Cookie Pal pop-up box


Cookie Pal is a shareware application that is available at http://www.kburra.net/. Bob uses it to monitor and control cookies sent by Web sites to his browser. In this case, eWebMail seems to have sent him a fairly long cookie string with the name "uid." The value of "uid" seems to be encoded in hexadecimal. This cookie intrigued Bob. He had heard that Web-based applications often use cookies to pass session identifiers back and forth during a Web session. Perhaps this cookie is also some sort of a session identifier for eWebMail, thought Bob.

The next thing that Bob did was to sign up for more user accounts on eWebMail. He created accounts called "bob1," "bob2," and "bob3." Each time he logged in, he received a similar cookie string. After logging in four times as four different users, Bob had gathered four cookie strings:

bob@ewebmail.example.com  C8C5C8EACFDDCFC8C7CBC3C684CFD2CBC7DAC6CF84C9C5C7:1
bob1@ewebmail.example.com  C8C5C89BEACFDDCFC8C7CBC3C684CFD2CBC7DAC6CF84C9C5C7:1
bob2@ewebmail.example.com  C8C5C898EACFDDCFC8C7CBC3C684CFD2CBC7DAC6CF84C9C5C7:1
bob3@ewebmail.example.com  C8C5C899EACFDDCFC8C7CBC3C684CFD2CBC7DAC6CF84C9C5C7:1

When he had laid out the cookie strings and e-mail addresses in a tabular fashion, two thoughts almost immediately crossed Bob's mind:

- The number of hexadecimal "bytes" was exactly the same as the number of characters in the e-mail address.

- In the last three e-mail addresses, all the cookie values differed by only one byte, which was the fourth byte from the beginning. This corresponded to the numbers "1," "2," and "3" in the e-mail addresses.

Bob couldn't yet explain what the ":1" was at the end of the cookie value string. For the time being, it didn't seem to matter.

It would be too easy if the e-mail address were directly encoded in hexadecimal, Bob thought. Indeed, that wasn't the case because, if it were, the hexadecimal bytes would match the ASCII values of the characters in the e-mail address strings. Bob concluded that a simple encryption scheme had been used to encrypt the e-mail address and derive the cookie string from it. Looking at the encoded string patterns, Bob decided that the developers at eWebMail had used a weak form of XOR encryption. Quickly, he threw together a little Perl script to try XORing the cookie strings with all 256 values of a byte to see if any of them returned the e-mail address in its original form. Sure enough, Bob struck gold when he reached the value 0xAA. The cookie strings were derived by XORing every character in the e-mail address string with 0xAA, whose bit pattern is 10101010.

Armed with this knowledge, Bob was ready to try to hack into Alice's e-mail account. Bob also noticed that eWebMail set the cookie's expiration date and time to be one hour from the time that the cookie was set. In other words, a typical eWebMail login session would last for an hour if no activity occurred. If the browser stayed idle for an hour and some activity then occurred, the cookie wouldn't be replayed and the eWebMail application would automatically log off the user. To hack into Alice's e-mail account, Bob created an XOR encrypted cookie string from her e-mail address alice@ewebmail.example.com. The XOR operation involved:

 a  l  i  c  e  @  e  w  e  b  m  a  i  l  .  e  x  a  m  p  l  e  .  c  o  m
61 6C 69 63 65 40 65 77 65 62 6D 61 69 6C 2E 65 78 61 6D 70 6C 65 2E 63 6F 6D
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   (XOR each byte)
CB C6 C3 C9 CF EA CF DD CF C8 C7 CB C3 C6 84 CF D2 CB C7 DA C6 CF 84 C9 C5 C7
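The weak "uid" scheme Bob reverse-engineered, the known-plaintext check a reviewer would run against their own application's cookies, and a server-side session table as the fix, written as an added Python example (not the book's Perl script or eWebMail's code; the session-table fix and all function names are assumptions):

```python
import secrets
from typing import Dict, Optional

# The key the chapter recovers: every byte of the address is XORed with 0xAA.
XOR_KEY = 0xAA


def weak_uid_cookie(email: str, key: int = XOR_KEY) -> str:
    """Rebuild eWebMail's 'uid' cookie as described: single-byte XOR, hex-encoded, ':1' appended."""
    return "".join(f"{b ^ key:02X}" for b in email.encode("ascii")) + ":1"


def recover_xor_key(email: str, cookie: str) -> Optional[int]:
    """Review check: given one user/cookie pair for an account you control, does any
    single-byte XOR key turn the cookie body back into the address? Returns the key,
    or None if the cookie is not a byte-for-byte XOR of the identity. Any scheme that
    returns a key here encodes identity reversibly and must be replaced."""
    body = bytes.fromhex(cookie.split(":", 1)[0])
    plain = email.encode("ascii")
    if len(body) != len(plain):
        return None  # length differs, so it is not a byte-for-byte encoding of the address
    for key in range(256):
        if bytes(b ^ key for b in body) == plain:
            return key
    return None


# Hardened alternative (an assumption about the fix, not eWebMail's code): the cookie
# carries only a random, unguessable session id; the identity lives server-side.
SESSIONS: Dict[str, str] = {}


def issue_session(email: str) -> str:
    """Create a 128-bit random session id and bind it to the user on the server."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = email
    return sid


def user_for_session(sid: str) -> Optional[str]:
    """Resolve a presented session id; a forged or unknown id simply maps to nobody."""
    return SESSIONS.get(sid)


if __name__ == "__main__":
    cookie = weak_uid_cookie("bob1@ewebmail.example.com")
    print(cookie, "-> key", hex(recover_xor_key("bob1@ewebmail.example.com", cookie)))
    sid = issue_session("alice@ewebmail.example.com")
    print(recover_xor_key("alice@ewebmail.example.com", sid), user_for_session(sid))
```

The check needs only a cookie issued to a test account; the random session id fails it because it carries no identity at all, so there is nothing to substitute.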

11:00 A.M. Bob's Office

Bob stepped out for a drink of water. He noticed that Alice was still busy with her meeting in the conference room. He smiled slyly and went back to his office and closed the door. He cleared the browser of all cookies and signed onto eWebMail as bob@ewebmail.example.com. The "uid" cookie was set, and soon he was viewing his Inbox, as shown in Figure 13-5.

Figure 13-5. bob@ewebmail.example.com's Inbox


He had one e-mail message. A quick look showed that it was a welcome message from the eWebMail service, as shown in Figure 13-6.

Figure 13-6. Bob's e-mail message list


He went back to the Inbox and looked at it for a while and then closed his Netscape window. Next, he opened his Netscape cookies file, cookies.txt, and searched for the cookie set by ewebmail.example.com. The cookie contained his encrypted "uid" value:

ewebmail.example.com  FALSE  /  FALSE  1020114192  uid  C8C5C8EACFDDCFC8C7CBC3C684CFD2CBC7DAC6CF84C9C5C7:1

He then replaced the cookie value with the XOR encrypted version of alice@ewebmail.example.com. He left the trailing ":1" as is:

ewebmail.example.com  FALSE  /  FALSE  1020114192  uid  CBC6C3C9CFEACFDDCFC8C7CBC3C684CFD2CBC7DAC6CF84C9C5C7:1

He then opened Netscape and sent a request for http://ewebmail.example.com/. Voila! He now saw Alice's Inbox screen on his browser, as shown in Figure 13-7.

Figure 13-7. Bob impersonating Alice


Alice had received three new e-mail messages that day. Bob clicked on the Inbox link to view Alice's message list. Figure 13-8 shows Alice's e-mail message list as it appeared on Bob's browser.

Figure 13-8. Alice's e-mail list as viewed by Bob


The second e-mail message, from Charles Le Tan "Re: Dinner and Movie," caught his interest. He opened the message, shown in Figure 13-9, and read it.

Figure 13-9. Alice's e-mail message from Charles


Charles Le Tan's message had arrived at 10:16 A.M. and was sitting in Alice's Inbox. Alice hadn't had a chance to check her personal e-mail yet. In the message, Charles suggested a different restaurant. In a brief moment of anger and unhappiness, Bob deleted Charles's reply to Alice and logged off the e-mail application. Alice will never get Charles's note to meet at the other restaurant.

12:30 P.M. Alice's Office

The meeting lasted longer than usual. Alice got back to her office and decided to check her personal e-mail quickly before she left for lunch.

She logged onto her eWebMail account from her office computer and noticed that she had two messages waiting for her. Her Inbox screen is shown in Figure 13-10.

Figure 13-10. Alice checks her e-mail


The first was a message from her friend Tammy in Canada, who had sent her some pictures of her children. The other was a weekly newsletter from CNET, which she used to catch up on the latest developments in PC technology. She logged off and went to lunch.

9:30 P.M. Bertolini's Italian Cuisine

After waiting for two hours, Alice acknowledged to herself that she had been stood up by Charles. Charles gave up on Alice after waiting until 9:00 P.M. at Las Brisas. Neither knew why the other never showed up.

Web Hacking: Attacks and Defense
ISBN: 0201761769
Year: 2005
Pages: 156