Complete info about cookies and session hijacking
What Are Computer Cookies?
Also known as browser cookies or tracking cookies, cookies are small, often encrypted text files, located in browser directories. They are used by web developers to help users navigate their websites efficiently and perform certain functions. Due to their core role of enhancing/enabling usability or site processes, disabling cookies may prevent users from using certain websites.
Cookies are created when a user's browser loads a particular website. The website sends information to the browser which then creates a text file. Every time the user goes back to the same website, the browser retrieves and sends this file to the website's server. Computer cookies are created not just by the website the user is browsing but also by other websites that run ads, widgets, or other elements on the page being loaded. These cookies regulate how the ads appear or how the widgets and other elements function on the page.
Can I see/view the cookies I have on my computer?
Most browsers have a configuration screen which allows the user to see what cookies have been stored on the computer, and optionally to delete them. For more information, see the viewing cookies page.
Note that it is not possible for a webpage to view cookies set by other sites, as this would represent a privacy and security problem.
What's in a Cookie?
Each cookie is effectively a small lookup table containing pairs of (key, data) values - for example (first name, John) (last name, Smith). Once the cookie has been read by the code on the server or client computer, the data can be retrieved and used to customize the web page appropriately.
When are Cookies Created?
Writing data to a cookie is usually done when a new webpage is loaded - for example after a 'submit' button is pressed the data handling page would be responsible for storing the values in a cookie. If the user has elected to disable cookies then the write operation will fail, and subsequent sites which rely on the cookie will either have to take a default action, or prompt the user to re-enter the information that would have been stored in the cookie.
Why are Cookies Used?
Cookies are a convenient way to carry information from one session on a website to another, or between sessions on related websites, without having to burden a server machine with massive amounts of data storage. Storing the data on the server without using cookies would also be problematic because it would be difficult to retrieve a particular user's information without requiring a login on each visit to the website.
If there is a large amount of information to store, then a cookie can simply be used as a means to identify a given user so that further related information can be looked up on a server-side database. For example the first time a user visits a site they may choose a username which is stored in the cookie, and then provide data such as password, name, address, preferred font size, page layout, etc. - this information would all be stored on the database using the username as a key. Subsequently when the site is revisited the server will read the cookie to find the username, and then retrieve all the user's information from the database without it having to be re-entered.
Who Can Access Cookies?
When a cookie is created it is possible to control its visibility by setting its 'root domain'. It will then be accessible to any URL belonging to that root. For example the root could be set to "whatarecookies.com" and the cookie would then be available to sites in "www.whatarecookies.com" or "xyz.whatarecookies.com" or "whatarecookies.com". This might be used to allow related pages to 'communicate' with each other. It is not possible to set the root domain to 'top level' domains such as '.com' or '.co.uk' since this would allow widespread access to the cookie.
By default cookies are visible to all paths in their domains, but at the time of creation they can be restricted to a given subpath - for example "www.whatarecookies.com/images".
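The domain and path scoping described above can be made concrete. The following is an added example, not code from the original post: a simplified version of the domain-match and path-match rules from RFC 6265, where the function names and the three-entry `PUBLIC_SUFFIXES` set are assumptions (browsers consult the full Public Suffix List).

```python
import ipaddress

# Constructed stand-in for the Public Suffix List that browsers consult.
PUBLIC_SUFFIXES = {"com", "co.uk", "uk"}

def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals the domain or is a subdomain of it."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    if host == cookie_domain:
        return True
    try:
        ipaddress.ip_address(host)      # IP literals only ever match exactly
        return False
    except ValueError:
        # Require a label boundary, so "notwhatarecookies.com" does not match.
        return host.endswith("." + cookie_domain)

def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4: match whole path segments, not raw prefixes."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def may_set(origin_host: str, cookie_domain: str) -> bool:
    """A site may set Domain to itself or a parent, never to a public suffix."""
    d = cookie_domain.lower().lstrip(".")
    return d not in PUBLIC_SUFFIXES and domain_match(origin_host, d)

def is_sent(host: str, path: str, cookie_domain: str, cookie_path: str = "/") -> bool:
    """Would a cookie with this Domain and Path accompany a request to host+path?"""
    return domain_match(host, cookie_domain) and path_match(path, cookie_path)
```

A session cookie scoped to the root domain is sent to every subdomain, so any one of those hosts can read it; leaving the Domain attribute off keeps the cookie tied to the exact host that set it.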
Types of Cookies
session cookie
Also called a transient cookie, a cookie that is erased when you close the Web browser. The session cookie is stored in temporary memory and is not retained after the browser is closed. Session cookies do not collect information from your computer. They typically will store information in the form of a session identification that does not personally identify the user.
persistent cookie
Also called a permanent cookie, or a stored cookie, a cookie that is stored on your hard drive until it expires (persistent cookies are set with expiration dates) or until you delete the cookie. Persistent cookies are used to collect identifying information about the user, such as Web surfing behavior or user preferences for a specific Web site.
Session hijacking
In computer science, session hijacking, sometimes also known as cookie hijacking, is the exploitation of a valid computer session (sometimes also called a session key) to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer (see HTTP cookie theft).
A popular method is using source-routed IP packets. This allows an attacker at point B on the network to participate in a conversation between A and C by encouraging the IP packets to pass through B's machine.
Methods for Session Hijacking
There are four main methods used to perpetrate a session hijack. These are:
- Session fixation, where the attacker sets a user's session id to one known to him, for example by sending the user an email with a link that contains a particular session id. The attacker now only has to wait until the user logs in.
- Session side jacking, where the attacker uses packet sniffing to read network traffic between two parties to steal the session cookie. Many web sites use SSL encryption for login pages to prevent attackers from seeing the password, but do not use encryption for the rest of the site once authenticated. This allows attackers that can read the network traffic to intercept all the data that is submitted to the server or web pages viewed by the client. Since this data includes the session cookie, it allows him to impersonate the victim, even if the password itself is not compromised. Unsecured Wi-Fi hotspots are particularly vulnerable, as anyone sharing the network will generally be able to read most of the web traffic between other nodes and the access point.
- Cross-site scripting, where the attacker tricks the user's computer into running code which is treated as trustworthy because it appears to belong to the server, allowing the attacker to obtain a copy of the cookie or perform other operations.
- Malware and unwanted programs can use browser hijacking to steal a browser's cookie files without a user's knowledge, and then perform actions (like installing Android apps) without the user's knowledge. An attacker with physical access can simply attempt to steal the session key by, for example, obtaining the file or memory contents of the appropriate part of either the user's computer or the server.
How Can Session Hijacking Be Prevented?
Methods to prevent session hijacking include:
- Encryption of the data traffic passed between the parties by using SSL/TLS; in particular the session key (though ideally all traffic for the entire session). This technique is widely relied upon by web-based banks and other e-commerce services, because it completely prevents sniffing-style attacks. However, it could still be possible to perform some other kind of session hijack. In response, scientists from the Radboud University Nijmegen proposed in 2013 a way to prevent session hijacking by correlating the application session with the SSL/TLS credentials.
- Use of a long random number or string as the session key. This reduces the risk that an attacker could simply guess a valid session key through trial and error or brute force attacks.
- Regenerating the session id after a successful login. This prevents session fixation because the attacker does not know the session id of the user after s/he has logged in.
- Some services make secondary checks against the identity of the user. For instance, a web server could check with each request made that the IP address of the user matched the one last used during that session. This does not prevent attacks by somebody who shares the same IP address, however, and could be frustrating for users whose IP address is liable to change during a browsing session.
- Alternatively, some services will change the value of the cookie with each and every request. This dramatically reduces the window in which an attacker can operate and makes it easy to identify whether an attack has taken place, but can cause other technical problems (for example, two legitimate, closely timed requests from the same client can lead to a token check error on the server).
- Users may also wish to log out of websites whenever they are finished using them. However this will not protect against attacks such as Firesheep.
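Several of the measures listed above fit together in a few lines of server-side code. This is an added example, not code from the original post: an in-memory session store that issues long random ids, refuses ids it did not issue, regenerates the id at login and destroys it at logout. The class, method and cookie names are assumptions; `Secure`, `HttpOnly` and `SameSite` are standard cookie attributes that keep the id off unencrypted connections and out of reach of page scripts.

```python
import secrets
import time

class SessionStore:
    """In-memory server-side sessions (constructed for illustration)."""

    def __init__(self, idle_timeout=900):
        self._sessions = {}
        self.idle_timeout = idle_timeout   # seconds of inactivity allowed

    def _new_id(self):
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG

    def start(self, presented_id=None):
        """Anonymous visit: never adopt an id the server did not issue."""
        if presented_id in self._sessions:
            return presented_id
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "seen": time.time()}
        return sid

    def login(self, old_id, user):
        """Regenerate the id at login; the pre-login id stops working."""
        self._sessions.pop(old_id, None)
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "seen": time.time()}
        return sid

    def user_for(self, sid):
        """Return the logged-in user for sid, or None if unknown or idle too long."""
        s = self._sessions.get(sid)
        if s is None or time.time() - s["seen"] > self.idle_timeout:
            self._sessions.pop(sid, None)
            return None
        s["seen"] = time.time()
        return s["user"]

    def logout(self, sid):
        """Destroy the session on the server, not just the cookie in the browser."""
        self._sessions.pop(sid, None)

def set_cookie_header(sid, name="sid"):
    # Secure: sent only over TLS. HttpOnly: not readable from page scripts.
    return f"Set-Cookie: {name}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

Because `start` ignores an unknown id and `login` always issues a fresh one, an id planted through a link is never the id of the authenticated session.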
Cookie security and privacy issues
Cookies are NOT viruses. Cookies use a plain text format. They are not compiled pieces of code so they cannot be executed nor are they self-executing. Accordingly, they cannot make copies of themselves and spread to other networks to execute and replicate again. Since they cannot perform these functions, they fall outside the standard virus definition.
Cookies CAN be used for malicious purposes though. Since they store information about a user's browsing preferences and history, both on a specific site and browsing among several sites, cookies can be used to act as a form of spyware. Many anti-spyware products are well aware of this problem and routinely flag cookies as candidates for deletion after standard virus and/or spyware scans. See here for some privacy issues and concerns.
The way responsible and ethical web developers deal with privacy issues caused by cookie tracking is by including clear descriptions of how cookies are deployed on their site. If you are a web developer and need advice on implementation of cookies and a privacy policy, you can contact us by the enquiry form at the bottom of the page. These privacy policies should explain what kind of information is collected and how the information is used.
For more information you can visit: https://en.wikipedia.org/wiki/Packet_analyzer
You can learn more from these videos:
What are Cookies? Explained in Detail, by Technical Guruji.
What is Session Hijacking? | Hacking Tips and Tricks (In Hindi), by Technical Sagar.
For any questions or help, comment below. Thank you for visiting our blog.

