Saturday, October 30, 2010

Firesheep - New tool to hijack open wireless sessions

Ian Gallagher and Eric Butler’s Firesheep plugin for Firefox has made a lot of news this week. They published this tool at the Toorcon conference.

More than anything, it demonstrates the security risks of connecting to open wireless networks. Wireless networks are broadcast in nature, which means that clients associated with a particular network have the ability to “see” or “capture” all the traffic passing over that broadcast network. Certain network interface cards and operating systems come with that capture ability and others don't.

This tool makes it easy to capture that traffic and shows all the users who are connected to that network and are accessing a pre-configured set of web sites (which includes many of the well known social networking and public email sites). The tool then gives an option to access those users' accounts by taking over or attaching to the session. It does this by a method called sidejacking or session hijacking: the session IDs (contained in session cookies) exchanged between the web site and the user’s browser over an unencrypted channel are stolen from the open wireless packet captures, and using those session IDs the tool establishes a connection to the web site.

Typically web servers generate these session IDs, and each is unique to a user for a particular session. Session IDs are sent by the server to the client either in a cookie or as a hidden variable. A person who happens to hijack the session ID gets the same privileges as the real user. The problem lies in the encryption of the traffic between the web server and the client throughout the session. Many web sites encrypt only the initial login, to ensure that the login credentials do not get stolen. However, the post-login traffic, which contains these session IDs and cookies, is exchanged over an unencrypted channel. The session IDs and cookies ensure that users do not have to log in every time they load a page during a session.

For those in the web application security world, this is a well known attack and has been part of the OWASP Top 10 vulnerabilities or risks for many years. Firesheep is not the first tool to perform this type of attack. Back in 2007, Robert Graham revolutionized sidejacking with the introduction of the Hamster and Ferret tools, which had similar capabilities, but Firesheep is more user friendly and even non-geeks could use it on an open wireless network.


The best preventive method is to force encryption during all stages of information exchange between the web server and the client. This is an effort on the web server side and many sites are moving towards that. Other options include plugins such as HTTPS-everywhere, No-script and Force-TLS, which essentially force encryption at all times for the web sites that give this option.
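As an added illustration of the server-side fix (example code written for this post, not part of Firesheep or of the original article): a small audit of Set-Cookie headers for the weakness described above, the hardened header a site should emit for its session cookie, and a hypothetical WSGI middleware that forces HTTPS for the whole session. The sample headers and the `force_https` helper are constructed assumptions, not taken from any real site.

```python
from http.cookies import SimpleCookie

# Constructed sample headers: the first is the weak pattern the post describes
# (a session cookie the browser will also send over plain HTTP), the second
# is what the server should emit instead.
WEAK_HEADER = "sessionid=abc123; Path=/; Max-Age=86400"
HARDENED_HEADER = "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"

def audit_set_cookie(header: str) -> list:
    """Return the problems found in one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header)
    problems = []
    for name, morsel in jar.items():
        if not morsel["secure"]:
            # Without Secure the browser sends the cookie on http:// requests,
            # which is exactly what a sniffer on an open network captures.
            problems.append(f"{name}: missing Secure flag")
        if not morsel["httponly"]:
            problems.append(f"{name}: missing HttpOnly flag")
    return problems

def hardened_session_cookie(name: str, value: str) -> str:
    """Build the Set-Cookie value a server should use for its session ID."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["secure"] = True      # only ever sent over TLS
    jar[name]["httponly"] = True    # not readable from page scripts
    jar[name]["samesite"] = "Lax"
    return jar[name].OutputString()

def force_https(app):
    """Hypothetical WSGI middleware: redirect http:// requests to https://
    and add HSTS so the browser keeps using TLS for the rest of the session."""
    def wrapper(environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            host = environ.get("HTTP_HOST", "localhost")
            path = environ.get("PATH_INFO", "/")
            start_response("301 Moved Permanently",
                           [("Location", f"https://{host}{path}")])
            return [b""]
        def add_hsts(status, headers, exc_info=None):
            headers = list(headers) + [("Strict-Transport-Security",
                                        "max-age=31536000")]
            return start_response(status, headers, exc_info)
        return app(environ, add_hsts)
    return wrapper
```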

The slides of their Toorcon talk and the tool are available here
