How Firesheep Can Hijack Web Sessions
Firesheep is a Firefox extension used to hijack web sessions, usually over WiFi networks. Firesheep doesn't steal usernames and passwords; instead it copies the session cookies used on authenticated websites. These are then used to impersonate the hijacked connection. Session hijacking, or sidejacking, is a well-known problem, ranking 3rd on OWASP's (Open Web Application Security Project) Top 10 Application Security Risk list. Attackers using Firesheep just need access to network traffic -- such
Lots of information is carried in HTTP headers -- more than enough to get attackers started. Unless you are using end-to-end encryption such as SSL/TLS, this information is available to anyone with access to the medium.
OWASP Top 10 Application Security Risk
To use Firesheep, a network interface must be selected. In this case, the wireless adapter is selected. As a safety measure, most Windows wireless driver software won't allow the NIC to be put into promiscuous mode (which allows it to capture all packets seen by the NIC), including this IntelPRO/Wireless 8954ABG adapter. Linux OSes are often more flexible, and their drivers can put the NIC into promiscuous mode if the hardware supports it.
Even when a wireless adapter can't be set to capture all traffic, an attacker can use "Cain & Abel" to perform a man-in-the-middle attack. In this case, a laptop transparently passes Ethernet traffic between the target and the router, allowing the laptop to capture all of it. In this attack, the first job is to find the MAC addresses on the segment.
Once the MAC addresses are found, the attacker sets up a man-in-the-middle connection between the targets, in this case 192.168.1.6 and 192.168.1.3, and the router, 192.168.1.1. The word "Poisoning" in the shot above means the software is working. Neither the destination site nor the user is aware of the attack.
Now, with full access to all traffic, Firesheep can identify the applications in use. The social networks that Firesheep sees are listed in the left-hand column. There are multiple entries for Google services because more than one is in use on the target computer. The Twitter window in the right-hand pane has been sidejacked. The attacker can do anything with the account except change the password.
Out of the box, Firesheep can sidejack sessions on numerous sites. Notice that they are not all social media sites. The commonality is that they all rely on session cookies.
With a little JavaScript and knowledge of HTTP, anyone can write a script for a new website and add it to the list.
Using a VPN or wireless encryption like WPA/WPA2 can make capturing usable traffic difficult, if not impossible. However, end-to-end SSL encryption works even when VPNs and wireless encryption are not available. Many social media sites support SSL if you request it. Browser extensions like the NoScript Firefox add-on can be configured to redirect all HTTP requests to specific domains to HTTPS, or you can just replace "http:" with "https:" in the website's address and bookmark that.
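One caveat a defender should check before relying on the "bookmark the https:// address" advice: a browser sends a session cookie that lacks the Secure attribute on any plain http:// request to that domain, even if the login itself happened over HTTPS, so the cookie can still be captured the way Firesheep does. The small audit below is an added example (not code from the article, Firesheep or NoScript) that parses constructed Set-Cookie headers and flags session-looking cookies that would travel in the clear.

```python
from __future__ import annotations
from dataclasses import dataclass

# Name fragments that usually indicate an authentication/session cookie.
# Heuristic chosen for this example; real sites vary.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class CookieReport:
    name: str
    secure: bool        # Secure attribute present: only sent over https://
    http_only: bool     # HttpOnly attribute present: hidden from page scripts
    sidejackable: bool  # would be sent on a plain http:// request to the domain


def parse_set_cookie(header: str) -> CookieReport:
    """Parse one Set-Cookie header line into a CookieReport."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; Secure and HttpOnly carry no value.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    secure = "secure" in attrs
    return CookieReport(name, secure, "httponly" in attrs, sidejackable=not secure)


def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit(headers: list[str]) -> list[CookieReport]:
    """Return the session-looking cookies that a passive sniffer could capture."""
    reports = (parse_set_cookie(h) for h in headers)
    return [r for r in reports if looks_like_session_cookie(r.name) and r.sidejackable]


# Constructed sample headers for this example; not captured from any real site.
SAMPLE_HEADERS = [
    "Set-Cookie: _session_id=abc123; Path=/; HttpOnly",          # no Secure: exposed
    "Set-Cookie: auth_token=def456; Path=/; Secure; HttpOnly",  # Secure: https only
    "Set-Cookie: lang=en; Path=/",                               # not a session cookie
]

if __name__ == "__main__":
    for report in audit(SAMPLE_HEADERS):
        print(f"{report.name}: sent over plain HTTP, missing Secure attribute")
```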
After switching to SSL on Twitter.com, Firesheep no longer shows the Twitter account in the capture stream.
Attackers have one more trick up their sleeves. Cain & Abel will generate an SSL certificate on the fly, trying to fool browser users into trusting it. Don't. If you see a message like this (browsers display certificate errors in their own way), stop what you are doing and walk away.