Understanding
Session Hijacking
Attackers can still steal your session, even if your credentials are safe
Currently, the only thing that indicates that you are "logged in" is a session key that is stored in your browser. If an attacker gets that value, they too will be "logged in" as you.
Cookies are delicious. And, they are all an attacker needs to break into your online accounts. Forget stealing passwords or breaking private keys… Cookie is all you need.
After you authenticate to a site, it will send a Set-Cookie header with a session value. Any subsequent request that presents that value will be treated as a "logged in" session for that user — whether it's actually them or an attacker. This cookie can be stolen using a Man-in-the-Middle attack or by attacking the implementation directly.
Cookies have become part of the foundation of the modern Internet. The first big "security breakthrough" was to move sensitive data from the client's browser to server-side cookies. Yet, hacking some sites is still as easy as modifying the username or rank in a client-side cookie. 😔
Methods
Exploit Techniques
Disclaimer: The information provided in this article is for educational and informational purposes only. Allthenticate is committed to enhancing security awareness and readiness in the cybersecurity community. This content is intended to be used responsibly and ethically by security professionals, researchers, and organizations to improve their defensive capabilities.
Session Sniffing
Attackers can use a man-in-the-middle attack to steal the session ID in transit.
Malware
If the attacker can install malicious software (malware) on your computer, they can trivially steal the session cookie, log your keypresses, and much more.
Session Fixation
If a website allows users to define their own session IDs, an attacker can trick you into setting a session ID that they already know.
Cross-Site Scripting (XSS)
XSS attacks target poor implementations or security vulnerabilities to trick the browser into passing values from a good website (e.g., a session ID) to an attacker-owned one when you browse to it.
Brute Force
If a web server uses a small session value or a predictable pattern, an attacker may be able to simply "try all of them" and get lucky.
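The server-side countermeasures to the four implementation-level methods above (fixation, XSS, sniffing, brute force) fit in one small session handler. This is an added illustration, not Allthenticate's code; the cookie name `sid` and the in-memory store are assumptions.

```python
import secrets
from http.cookies import SimpleCookie

# Server-side session store: session id -> username.
# Only ids this server generated are ever present here.
SESSIONS = {}

def new_session_id():
    # 32 bytes (256 bits) from the OS CSPRNG. An id this large and
    # unpredictable defeats the "try all of them" brute-force method.
    return secrets.token_urlsafe(32)

def session_id_from_request(cookie_header):
    # Parse the browser's Cookie header and honour the sid only if the
    # server issued it. A value the client chose itself (the session
    # fixation scenario) is never accepted as a valid session.
    morsel = SimpleCookie(cookie_header or "").get("sid")
    if morsel is not None and morsel.value in SESSIONS:
        return morsel.value
    return None

def login(cookie_header, username):
    # On successful authentication, drop whatever id the browser held and
    # issue a fresh one. An attacker who planted a known id before login
    # therefore does not end up sharing the authenticated session.
    old = session_id_from_request(cookie_header)
    if old is not None:
        del SESSIONS[old]
    sid = new_session_id()
    SESSIONS[sid] = username
    return sid

def set_cookie_header(sid):
    # HttpOnly keeps page scripts (XSS) from reading the value, Secure keeps
    # it off plaintext HTTP where a man-in-the-middle could sniff it, and
    # SameSite limits when the browser attaches it to cross-site requests.
    return f"Set-Cookie: sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"

def current_user(cookie_header):
    # Resolve the request's cookie to the logged-in user, or None.
    sid = session_id_from_request(cookie_header)
    return SESSIONS.get(sid) if sid else None
```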
Why Traditional Defenses Fall Short
Until the sessions are somehow bound to the physical computer that the user is interacting with, or better yet their phone that they carry everywhere, this attack will continue to be trivial and extremely powerful.
How Allthenticate Defends Against This
Allthenticate eliminates session hijacking
Since Allthenticate binds your sessions to your phone and uses end-to-end encryption, there is nothing to steal on the network, nothing stored on your computer, and nothing sensitive passed around by your browser.
Simply put: all of the attacks mentioned here are rendered completely ineffective.
Authenticated Actions
Current session-based login is all or nothing — you are either logged in and can do everything or you are not.
With Allthenticate, every individual action is authenticated, requiring the user's phone to satisfy the request. Therefore, stealing the phone is the only attack left, not a simple cookie value.
To ensure maximum usability, our patented architecture permits three levels of assurance:
Presence: verifies the phone is still nearby
Intent: verifies a human approved the action
Identification: verifies the owner of the account approved the action
Device-Bound Sessions
By binding each action to the secure key stored on the smartphone, Allthenticate ensures that all remote session attacks will be neutered.
The phone is the key. When you walk away, you will automatically be "logged out", and everything will magically work again when you return with your phone.