
According to wikipedia, Mallory the attacker gets her own SID and then forces Alice to visit a site with the SID. Why wouldn't Mallory just take Alice's SID, if she could MITM Mallory? Also, is this attack without MITM only susceptible to SID in query string?

techraf
Adam

2 Answers


Mallory doesn't want Alice's session id. Mallory wants Alice to perform actions as herself, but while the website thinks she's Mallory. Like use her credit card to buy something she thinks she'll get, but which will actually be credited to Mallory.

There are several vectors for this attack. The one you mention, cookie-less sessions with the session id in the URL, is one. Mallory having control of a sub-domain and being able to write cookies for a parent domain is another.

Xander
  • Interesting. But maybe its stealth depends on the website, e.g. if the website did store Alice's name, which would be shown for example in a navbar, she wouldn't notice, but if the site was let's say purely in php and not much JavaScript, her name would change to Mallory, wouldn't it? – Adam Jul 21 '16 at 08:43
  • Also the sub-domain is interesting, along with the MitM. So you could set Mallory's cookie to Alice (by tampering) on an HTTP subdomain and then see her actions on an HTTPS domain? – Adam Jul 21 '16 at 08:46
  • @Adam Yes, Alice might see a change depending on the website, given the website will think she's Mallory. It depends on the site and Alice to determine if that's an issue or not. – Xander Jul 21 '16 at 12:40
  • @Adam To your second question, Mallory stealing Alice's session token/cookie is not a session fixation attack. Given the correct configuration you are right that it may be possible, but it's a different kind of attack, and it wouldn't allow Mallory to see Alice's interactions, just to interact with the site as Alice, ala Firesheep. – Xander Jul 21 '16 at 12:42

Within the scope of the article, the point is that there are 2 different methods by which Mallory gains control over Alice's session. Where the methods differ is when you consider the larger world in which such an attack may occur.

  • If Mallory can get Alice to click on a link and the target system allows session ids to be set from a URL, then Mallory can fixate the session id.

Here no MITM is required.

  • A session id supplied to the client over a secure channel cannot be MITMed without breaking the secure channel. There are extensions to the HTTP protocol that allow a cookie to be flagged to only be returned over HTTPS connections. But cookies set via HTTP are returned over both HTTP and HTTPS. Hence if Mallory can interfere with Alice's HTTP communications, she can fixate the session value which will subsequently be used over a secure channel.

Here there is only a MITM of the unsecured channel.

  • If Mallory can inject her javascript into any page served up by the target site, by XSS, then she can fixate the session id. While this would also allow her to read a cookie with the secure flag and therefore hijack the session, HTTP has a further option, HttpOnly, which hides cookies from javascript. This defeats in-the-browser session hijacking, but not session fixation.

Here the mitigation of using HTTPS, even if enforced with HSTS, is ineffective.

Only the cookie name and its value are sent back to the server, not the options it was created with, its path, host, scheme or expiry time, nor anything else about the provenance of the data.

There are also scenarios where hijacking is a more effective attack than fixation.

symcbean
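As an added illustration (written for this page, not code from either answer) of the point that the server sees only the presented session value and nothing about its provenance: a toy server-side session store that keys purely on the value it receives, played through the scenario from the question. The `rotate_on_login` flag is an assumed name for the usual defence of issuing a fresh id at authentication, so the id Mallory planted never becomes Alice's authenticated session.

```python
import secrets


class SessionStore:
    """Minimal server-side session store keyed only on the session id string."""

    def __init__(self, rotate_on_login: bool):
        self.sessions = {}              # sid -> {"user": name or None}
        self.rotate_on_login = rotate_on_login

    def new_session(self) -> str:
        sid = secrets.token_hex(16)     # unguessable id, issued by the server
        self.sessions[sid] = {"user": None}
        return sid

    def handle_request(self, presented_sid, login_as=None):
        """presented_sid comes from a cookie or ?sid= query parameter.

        The server cannot tell whether that value was issued over HTTPS,
        written by a sub-domain, or planted through a link: only the name
        and value arrive, so a known id is simply honoured.
        """
        if presented_sid in self.sessions:
            sid = presented_sid
        else:
            sid = self.new_session()    # unknown or missing: start fresh
        if login_as is not None:
            if self.rotate_on_login:
                # Mitigation: drop the pre-authentication id and issue a new
                # one, so an id chosen before login never carries the login.
                del self.sessions[sid]
                sid = self.new_session()
            self.sessions[sid]["user"] = login_as
        return sid, self.sessions[sid]["user"]


def fixation_attack(rotate_on_login: bool):
    """Play out the wikipedia scenario: Mallory obtains her own id, gets Alice
    to use it, Alice logs in, then Mallory presents the same id.
    Returns the user the server now associates with Mallory's id."""
    server = SessionStore(rotate_on_login)
    mallory_sid, _ = server.handle_request(None)              # Mallory's own id
    alice_sid, _ = server.handle_request(mallory_sid, "alice")  # Alice logs in on it
    _, who = server.handle_request(mallory_sid)               # Mallory reuses it
    return who, alice_sid == mallory_sid
```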