
Hijacked Session

  • 14-04-2011 10:29am
    #1
    Registered Users, Registered Users 2 Posts: 2,055 ✭✭✭


    This is a test to see if Boards.ie sessions can be hijacked on a LAN

    post here if it works.

    Blame Phractal for this :P it's a test we are running

    (the account is logged in on the PC beside me, so I am borrowing it via a vuln. in the LAN)

    w00t! 700th post on his account!


Comments

  • Closed Accounts Posts: 452 ✭✭Phractal


    Thanks bro, it worked.

    Not a Boards vuln, just a test to see if LAN session hijacking works at all.

    It does.

    Basically it is to do with the IP address - we both come from the same one despite different computers.

    We were also able to hijack each other's Facebook, Twitter, and Hotmail sessions.

    It's a local problem, NO tools used, I only noticed it when I went to log in to Facebook and auto logged in on his user account.

    Fork() ing dodgy routers....


  • Registered Users, Registered Users 2 Posts: 2,055 ✭✭✭WallyGUFC


    All good!:D


    702 posts :p


  • Closed Accounts Posts: 452 ✭✭Phractal


    Wally, don't be a post whore :P

    Anyways, this is a bit like the wired network Firesheep except... no Firesheep needed.


  • Registered Users, Registered Users 2 Posts: 1,311 ✭✭✭Procasinator


    Well the server side can add in other checks besides IP to try and halt session hijacking (user agent, other tokens in the request, etc) but it won't stop someone who imitates the user properly.

    How would you suggest it be fixed LAN side?

    HTTPS for all traffic where session tokens exist (not just on initial login) seems to be the only way to really protect against this.

    Edit: Unless you are talking about stopping the listening for session cookies in the first place by static IP, static ARP tables, etc countermeasures.
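
The server-side checks mentioned in the post above, as an added example that is not part of the original thread: a session store that binds each token to a hash of the User-Agent and issues the cookie with `Secure` and `HttpOnly`. The class, the cookie name `sid` and the sample User-Agent strings are assumptions made for illustration.

```python
import hashlib
import secrets
from http.cookies import SimpleCookie


class SessionStore:
    """In-memory session table that binds each token to a User-Agent hash."""

    def __init__(self):
        self._sessions = {}  # token -> (user, fingerprint)

    @staticmethod
    def _fingerprint(user_agent):
        return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()

    def login(self, user, user_agent):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, self._fingerprint(user_agent))
        return token

    def set_cookie_header(self, token):
        cookie = SimpleCookie()
        cookie["sid"] = token
        cookie["sid"]["secure"] = True    # only sent over HTTPS
        cookie["sid"]["httponly"] = True  # not readable from page scripts
        cookie["sid"]["path"] = "/"
        return cookie["sid"].OutputString()

    def authenticate(self, cookie_header, user_agent):
        cookie = SimpleCookie()
        cookie.load(cookie_header)
        token = cookie["sid"].value if "sid" in cookie else None
        user, fingerprint = self._sessions.get(token, (None, None))
        if user is None:
            return None
        if fingerprint != self._fingerprint(user_agent):
            del self._sessions[token]  # mismatch: revoke, force a fresh login
            return None
        return user


def demo():
    # Constructed User-Agent strings standing in for two different browsers.
    ua_a, ua_b = "ExampleBrowser/1.0 (box A)", "OtherBrowser/2.0 (box B)"
    store = SessionStore()
    token = store.login("alice", ua_a)
    header = store.set_cookie_header(token)
    results = [store.authenticate("sid=" + token, ua) for ua in (ua_a, ua_b, ua_a)]
    return header, results
```

A request carrying the right token and the same User-Agent string is accepted, so the binding only catches a mismatched client; keeping the token off the wire depends on the `Secure` flag and HTTPS for every request.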


  • Closed Accounts Posts: 452 ✭✭Phractal


    Looks to me to be an ARP tables problem.

    Basically the boxes all looked the same and I happened to be logging into everything at the same time as Wally, and somehow, the thing thought we were the same computer.

    I still am baffled at how THAT happened (we were in college when it happened)

    Though then again, it possibly was a bug in the Novell crap they installed.... On the WiFi Firesheep is a bit scary - in fact it lags like hell 'cos of 1000 people on Facebook :P

    I'd say it was LAN side


  • Registered Users, Registered Users 2 Posts: 1,311 ✭✭✭Procasinator


    Phractal wrote: »
    Looks to me to be an ARP tables problem.

    Basically the boxes all looked the same and I happened to be logging into everything at the same time as Wally, and somehow, the thing thought we were the same computer.

    I still am baffled at how THAT happened (we were in college when it happened)

    Though then again, it possibly was a bug in the Novell crap they installed.... On the WiFi Firesheep is a bit scary - in fact it lags like hell 'cos of 1000 people on Facebook :P

    I'd say it was LAN side

    That is weird. Only reason I could see that maybe happening is if they cache responses and didn't use session cookie in the lookup.
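
The caching theory in the post above, as an added example that is not part of the original thread: a toy shared cache keyed on the URL alone replays one user's page to the next visitor, while one that honours `Cache-Control: private` and `Vary: Cookie` does not. The origin function, the session values and the `/home` path are constructed for illustration.

```python
SESSIONS = {"sid=AAA": "alice", "sid=BBB": "bob"}  # constructed sample sessions


def origin(url, req):
    """Constructed origin server: the page body depends on the session cookie."""
    user = SESSIONS.get(req.get("Cookie", ""))
    if user is None:
        return {"Cache-Control": "public, max-age=60", "Vary": "Cookie"}, "please log in"
    return {"Cache-Control": "private", "Vary": "Cookie"}, f"home page of {user}"


class SharedCache:
    """Toy proxy cache. strict=False keys on the URL only (the suspected flaw)."""

    def __init__(self, origin, strict):
        self.origin = origin
        self.strict = strict
        self.store = {}  # cache key -> body
        self.vary = {}   # url -> request header names listed in Vary

    def _key(self, url, req):
        if not self.strict:
            return (url,)
        return (url,) + tuple(req.get(n, "") for n in self.vary.get(url, ()))

    def fetch(self, url, req):
        key = self._key(url, req)
        if key in self.store:
            return self.store[key]
        headers, body = self.origin(url, req)
        if self.strict:
            directives = {d.strip().lower() for d in headers.get("Cache-Control", "").split(",")}
            if directives & {"private", "no-store"}:
                return body  # per-user response: never stored in a shared cache
            names = headers.get("Vary", "").split(",")
            self.vary[url] = tuple(n.strip() for n in names if n.strip())
            key = self._key(url, req)
        self.store[key] = body
        return body


def second_visitor_sees(strict):
    """alice loads /home first, then bob does; return what bob is served."""
    cache = SharedCache(origin, strict)
    cache.fetch("/home", {"Cookie": "sid=AAA"})
    return cache.fetch("/home", {"Cookie": "sid=BBB"})
```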


  • Closed Accounts Posts: 452 ✭✭Phractal


    It is VERY weird. Seems that maybe the cache doesn't differentiate between one user's session and another, so I can pull another user's FB login, etc, by just wanting to look at the site.

    Though another theory is that we did this using only the browser's defaults and it automatically checks the 'remember me' type boxes, not to mention the thing is LAN booting so maybe something there?


  • Registered Users, Registered Users 2 Posts: 1,311 ✭✭✭Procasinator


    Phractal wrote: »
    Though another theory is that we did this using only the browser's defaults and it automatically checks the 'remember me' type boxes

    So you might have had his session already in Facebook (he never logged out/has password saved).
    Phractal wrote: »
    not to mention the thing is LAN booting so maybe something there?

    Depending on how they do it, there could be something to that. Seems very silly, though.


  • Closed Accounts Posts: 452 ✭✭Phractal


    The issue is also that I was on a different actual computer to him.

    Same LAN segment, different box.

    So if stored sessions are being reproduced on EVERY box there... We canhas epic problem!

