Background on Session Hijacking
All communication on the internet happens over a set of standards called TCP/IP (Transmission Control Protocol/Internet Protocol). They are the World Wide Web’s core communication system that enables Internet-connected devices to communicate simultaneously with each other. This system lays the groundwork over which higher level protocols such as HTTP and FTP operate and is necessary to transport data packets over the internet. ARPANET adopted TCP/IP on January 1, 1983. From there, researchers began to assemble the “network of networks” that became the modern internet.
While the protocols accelerated the growth of modern communication, they also offered certain characteristics that malicious attackers could take advantage of, such as their statelessness. Every time you type in a URL or log into a website, a session is established between you (the client) and the website (the server). To make this communication efficient, sessions are often maintained by servers until you log out or are inactive for a period of more than 30 minutes. This way, servers can handle requests originating from the same user efficiently. But this also leads to a type of attack called session hijacking, also known as cookie theft, in which an attacker takes control of a user’s session.
According to application vulnerability trends report 2014, 79% of web applications are susceptible to this session management vulnerability[1]. Even in the recent application vulnerability report from Trustwave[2], authentication bypass using session hijacking is at 5.1% of all the critical vulnerabilities, second only to unpatched Windows systems, which constituted 10.8% of critical vulnerabilities.
How Attackers Steal Session Identifiers
Session identifiers are often randomly created by the server using timestamp, IP address, and some predictable fields. If an attacker somehow gets access to a session ID, they can get complete access to the user’s session. What does this mean? It means they have opened Pandora’s box. They can escalate their privileges, exfiltrate data, sell the credentials on the dark web, and more.
This attack is possible because authentication is performed only at the beginning of a user session. Therefore, if an attacker gets access to the session identifier after the session is established, then the attacker can perform malicious actions. Attackers can gain access to the session identifiers in one of the following ways:
- Cross-site scripting : The attacker gets the victim to execute malicious client-side JavaScript on a vulnerable site which captures the session cookie/ID and sends it to the attacker.
- Man in the Middle (MitM) Packet sniffing: The attacker gains access to the session ID via a MitM attack between the client and the server if credentials are sent via an unencrypted or untrusted channel.
- Malware: Malware installed on client machines and can steal user’s browser cookies and make them available to adversaries without the user’s knowledge.
- Brute-force attack: The attackers can attempt to guess a valid session ID if it’s insecurely generated by trying different combinations for generated based on timestamp, IP address, etc, as they are aware that these fields are indeed used to create session identifiers.
How Salesforce Combats Session Hijacking
With an unrivaled customer success platform, protecting our customer’s data and maintaining Trust as our #1 value is paramount.
In order to detect session hijacking attempts, we need to identify the device from which a user has logged in. We use browser fingerprinting as a data point for identifying a device. If, within a session, we observe a significant deviation in the browser fingerprint, it is highly likely there is unauthorized activity from a different device using the stolen legitimate session ID. While we use browser fingerprints to identify a device, we do not use it to track a user. The data is used strictly for the purposes of detecting suspicious behavior.
The session hijacking risk score is computed for every pair of intra-session browser fingerprints and compared to an empirically determined threshold to detect anomalous user sessions in real-time. Upon this discovery by our detection engine, our response engine will follow by terminating the suspicious session and any child sessions.
By taking this action, Salesforce helps prevent the attacker from performing any subsequent malicious activity with that user’s session. This autonomous enforcement makes session hijacking costly for attackers and results in safer sessions for Salesforce customers.
What Can You Do To Protect Yourself
In general, it is imperative to ensure cyber hygiene[3]in your organization. When connecting from an insecure network, such as through a public Wi-Fi network, use a VPN tunnel to help prevent attackers sniffing traffic going over an unencrypted open network. In addition, at the end of every session, ensure you explicitly log out in order to terminate your session so that your session ID gets invalidated.
Salesforce provides its customers with a suite of secure authentication and account verification techniques to adapt and apply on their domains, and we recommend you take advantage of those. In the meantime, we will continue to build state-of-the-art detection and response techniques to help protect our customers from session hijacking attacks, among other threats.