Question: What is Session Hijacking?
Session hijacking is an attack where a user session is taken over by an attacker.
Question: What are the Root Causes of Session Hijacking?
- Guessable session ID
- Absence of a detection mechanism for repeated guessing trials, whether by brute force or by systematic methods.
- Weak cryptography algorithm
- Failure to detect repeated guessing trials even when a detection mechanism is in place
- Insecure session handling methods
- Limitation of HTTP: the statelessness of the protocol or lack of any inherent or integrated state management mechanism
Question: What is Session Fixation?
Session Fixation is an attack that permits an attacker to hijack a valid user session.
Question: What are the Root Causes of Session Fixation?
- Permissive server: a server that accepts a client-generated session ID
- Session management type in use
- Reuse of session identifiers
Question: What is Broken Authentication?
An attacker becomes authenticated when an attack on session data succeeds.
Question: What are the Root Causes of Broken Authentication?
- Lack of metrics: absence of well-developed metrics
- Lack of security knowledge among programmers to apply information and communication security mechanisms to their solutions
- Wrong decisions or compromises
- Use of self-developed modules instead of well-tested and thoroughly analyzed modules for security services such as authentication
- Storing user credentials with other application data.
- Guessing Attempts: allowing repeated guessing attempts
- Lack of security awareness among users.