Session Hijacking made easy – Android
Session hijacking, also known as sidejacking, is an attack that steals someone's web session in order to gain unauthorized access to their account.
What is a web (HTTP) session
Every time a user logs into Facebook, Twitter, a banking account, etc., the web server gives the user a session ID (a token), and the web browser stores that session ID in its cookies. From then on, whenever you click a link within the site, the browser sends the session ID to the web server; the server checks it against its active sessions and then lets you proceed. When you click logout, the session with the web server is ended and the ID is deleted from the browser. If you want to see this for yourself, log into Facebook or Twitter and then delete the cookies from your browser's options menu (in Chrome go to Options -> Under the Hood -> Clear browsing data and select cookies). After that, refresh the page and the browser will ask you to log into Facebook again, which shows that erasing the cookies deletes the session ID.
How someone's session ID can be stolen
This is done by taking over the TCP session between the victim and the web server. It has never been easier to do sidejacking: there is a Firefox add-on called Firesheep. You simply install the add-on and start stealing.
Recently I found an awesome tool called FaceNiff that runs on Android. It's not free, BTW, but the small amount it costs is worth it. This tool has some great advantages over Firesheep: it works on WPA/WPA2 encrypted connections, while Firesheep doesn't. Just think about it. You don't even need a laptop.
How to use FaceNiff
1. You need a Rooted Android Device
2. Download the latest FaceNiff-2.1b.apk and install it.
3. Have fun!
Scary!! How can we counteract it?
Always use HTTPS
Even many secure sites use HTTPS only while you log into the account; after that they fall back to a regular HTTP session. Many sites, such as Facebook and Twitter, let you always use HTTPS, which makes it impossible to steal the session ID because the whole session is encrypted. By default this is disabled; you can enable it in your account settings.
Facebook: Go to Account Settings -> Security -> check HTTPS and save
Twitter: Settings -> at the bottom of the page, check Always use HTTPS and save.
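The settings above are the user's side of the fix. As an added example (not code from the original post or from FaceNiff), here is a small Python check a site owner can run over a server's response headers to see whether the session cookie would be exposed by a fallback to plain HTTP. It goes beyond the post by checking the cookie's Secure and HttpOnly attributes and the Strict-Transport-Security header, which are the server-side way to enforce "always HTTPS"; the header samples and the session cookie names are constructed for the example.

```python
"""Added example: audit response headers for the defences that stop
sidejacking of a session cookie. Sample headers are constructed."""


def parse_set_cookie(header_value):
    # Split "name=value; Secure; HttpOnly" into (name, {lower-case attrs}).
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_response(headers, session_cookie_names=("sessionid", "sid", "phpsessid")):
    """Return a list of findings; an empty list means the session cookie
    is only ever sent over HTTPS and the browser is told to stay on HTTPS.
    `session_cookie_names` is an assumed list of typical cookie names."""
    findings = []
    hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    if not hsts:
        findings.append("no Strict-Transport-Security: browser may still use plain HTTP")
    for key, raw in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(raw)
        if name.lower() not in session_cookie_names:
            continue
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure, cookie is also sent over HTTP")
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly, readable by page scripts")
    return findings


# Constructed samples: the weak setup is what Firesheep/FaceNiff rely on,
# the hardened one keeps the session ID inside the encrypted channel.
WEAK = [("Set-Cookie", "sessionid=abc123; Path=/"), ("Content-Type", "text/html")]
HARDENED = [
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(hdrs) or ["ok"])
```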