how ca siteminder helps prevent session hijacking 56761

Upload: jose-rosario

Post on 02-Jun-2018


8/10/2019 How CA Siteminder Helps Prevent Session Hijacking 56761

Session Hijacking: A New Method of Prevention

The Increasing Importance of Secure Web Application Delivery

Today, the enterprise runs on the Web. Whether it's providing employees around the world with efficient access to information or offering customers products and services, more and more organizations are leveraging the power of online applications.

New access points to the Internet are opened every day. Laptops, tablets and smartphones enable users to log in from anywhere at any time.

But this flexibility presents a dilemma. Successful organizations must balance the need for convenient user access with appropriate security techniques to keep hackers from exploiting access points for e-commerce fraud, identity theft and other malicious activities.

Session Hijacking: Defined

Due to server-side convenience, HTTP is the predominant method for offering users access to web applications. And because HTTP is a stateless protocol, web applications primarily employ cookies to maintain a session state once the user has logged in.

Simple user experience: maintaining a session state via cookies offers a simple experience for end users. They've proven their identities (and the identities of their devices) via authentication and can move quickly to accessing desired information from an application.

While the need for a favorable user experience is a driving concern for organizations of all sizes, the reliance on the HTTP protocol and HTTP cookies creates vulnerabilities for hackers to steal authenticated sessions.

But this user-friendly experience comes at a cost. Cookies can be stolen, intercepted or replayed.

[Diagram, "Before" and "After" panels: Authentication, Request 1, Response 1 + Cookie; the server stores no session information; simple user experience.]

Session Hijacking: Understanding the Threat

Session hijacking is not a new phenomenon and has been considered a viable threat since HTTP 1.1. A persistent thorn in the side of IT security, session hijacking is now returning to prominence. In part, this is due to the increased use of stricter security protocols.

As two-factor login, risk-based authentication and other methods become more widespread in the IT security community, hackers have shifted their focus to weaker links in the chain, such as HTTP sessions themselves. For hackers, mimicking the identity of a user via stolen log-in credentials is becoming increasingly difficult. Instead, they are allowing users to create a session and then hijacking that session's credentials to steal data.

Difficulty enabling mobility without increasing risk.

The Open Web Application Security Project (OWASP) highlights session hijacking in its report, OWASP Top 10 2013: The Ten Most Critical Web Application Security Risks. OWASP specifically calls out these areas:

"Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys or session tokens, or to exploit other implementation flaws to assume the identities of other users."

Cross-site Scripting (XSS): "XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser, which can steal user sessions, deface websites or redirect the user to malicious sites."

Cross-site Request Forgery (CSRF): "A CSRF attack causes a logged-on victim's browser to send a forged HTTP request to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate." [1]

[1] The Open Web Application Security Project (OWASP), https://www.owasp.org/index.php/Top_10_2013-Top_10 . Licensed under the Creative Commons Attribution-ShareAlike 3.0 license ( http://creativecommons.org/licenses/by-sa/3.0/ ). No changes were made to the content.
Session Hijacking Techniques

As risk-based authentication becomes a stronger hacking deterrent, session hijacking is gaining popularity. Strong authentication is emerging as the impenetrable front door, but there are still critical security weaknesses inherent in HTTP sessions. Some of the specific session hijacking techniques include:

Spoofing attack: unauthorized session access based on falsifying data.

Man-in-the-middle attack: stealing an in-transit HTTP cookie without the user's knowledge.

Man-in-the-browser attack: installation of code on the browser itself to forward data to a third party.

Various CSS and XSS attacks are also common approaches used by hackers and fraudsters. And perhaps more concerning for enterprise security are the unknown types of attacks that are being continually developed and directed against web sessions with increasing frequency.

Single Sign-On as a Threat Multiplier

Single Sign-On (SSO) is rightly regarded as one of the most effective ways to provide a convenient experience: one log in and the user can access the data needed from multiple applications.

But SSO can also be a hacker's best friend, because hackers can access multiple applications with just one stolen cookie or session token.

[Diagram: User, Single Sign-On, then CRM server, File server, MAP server and Email server.]

Traditional Approaches to Session Hijacking Prevention

Session hijacking techniques and methods of prevention have developed side by side for nearly two decades. Some of the common forms of prevention employed by the enterprise include:

Architectures. Rearranging the network architecture is a typical IT security approach. By reorganizing their IT systems to a hub-and-spoke model, security experts attempt to dramatically limit the spread of cookies to other applications.

Cookie management. IT security teams may also restrict the proliferation of data by instituting rules and best practices around cookies themselves, for example limiting usage to only secure cookies, such as those that are HTTP-only or host-only.

Limited external checking. Focusing on IP addresses is another common approach to verifying the validity of a given session. However, proxies, dynamic IP addresses and other factors can obscure the IP address of the actual device initiating the session.

Timeouts. Limiting the duration of a cookie's validity can also be used to blunt the threat of session hijacking, but the damage may be done by the time a session timeout requires the user to re-authenticate the session.

Although a good starting point, these methods are all riddled with shortcomings that render them ineffective to enterprises that need to reduce the threat of session hijacking and maintain a superior end-user experience while supporting multiple ways to access applications.
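To make the "cookie management" and "timeouts" controls concrete, here is an added Python example (not from the paper and not CA SiteMinder code) that emits a hardened Set-Cookie header for a session identifier and audits an arbitrary Set-Cookie header for the protections it lacks; the cookie name, the attribute policy and the 3600-second maximum age are assumptions of the example.

```python
"""Session-cookie hardening and audit: added example, not from the CA paper.

build_session_cookie emits the attributes that implement the "cookie
management" and "timeouts" controls; audit_session_cookie reports which
of them a given Set-Cookie header lacks. Policy values are assumptions.
"""
from typing import Dict, List, Tuple


def build_session_cookie(session_id: str, max_age: int = 900) -> str:
    """Set-Cookie value for a session identifier with defensive attributes.

    __Host- prefix: browsers accept it only with Secure, Path=/ and no Domain,
    so the cookie is host-only and cannot be planted by a sibling subdomain.
    HttpOnly: not readable by script, so XSS cannot read the session id.
    SameSite=Strict: not sent on cross-site requests (CSRF mitigation).
    Max-Age: the cookie-validity timeout; bounds the replay window.
    """
    return (f"__Host-SESSION={session_id}; Path=/; Secure; HttpOnly; "
            f"SameSite=Strict; Max-Age={max_age}")


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_session_cookie(header: str, max_age_policy: int = 3600) -> List[str]:
    """Return the weaknesses found in a session Set-Cookie header (empty if none)."""
    name, _, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie can be sent over plain HTTP (in-transit theft)")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by injected script (XSS)")
    if "domain" in attrs:
        findings.append("Domain set: not host-only, shared with every subdomain")
    if attrs.get("samesite", "").lower() not in ("strict", "lax"):
        findings.append("SameSite not Strict/Lax: sent on cross-site requests (CSRF)")
    if "max-age" not in attrs and "expires" not in attrs:
        findings.append("no Max-Age/Expires: no cookie-level timeout; rely on server idle timeout")
    elif attrs.get("max-age", "").isdigit() and int(attrs["max-age"]) > max_age_policy:
        findings.append(f"Max-Age {attrs['max-age']}s exceeds policy of {max_age_policy}s")
    if not name.startswith("__Host-"):
        findings.append("no __Host- prefix: Secure/Path=/ and host-only not browser-enforced")
    return findings
```

Run the auditor over the Set-Cookie headers your gateway or application emits; every finding maps to one of the cookie weaknesses the paper lists, and a clean result still leaves the timeout caveat above in force.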

More-in-the-Middle: An Innovative Approach to Session Hijacking Prevention

By limiting the scope and damage of attacks, traditional approaches to session hijacking have achieved some acceptable level of effectiveness. However, there are new techniques emerging, methods that work in concert with strong authentication, to make it extremely difficult for hackers to steal sessions.

More Control. By adding an interim step between the client and the server, the enterprise can better control the security of a given session.

The user receives a session token not from the server or website, but from the layer in the middle that ties the session token to the specific device that was used for authentication. This layer serves as an objective check against stolen cookies. Technology that employs this methodology typically re-checks the device's identity on a periodic basis, preventing a fraudster from stealing the cookie and using it to log in to an application.

More Connection. A critical step in this approach is the connection between the SSO cookie and the cookie of any given application. By marrying these two tokens, hackers are unable to log into the web access management and steal a cookie being used by a Java session.

An Active Approach to Session Security. CA SiteMinder r12.52 provides IT with a critical feature: Enhanced Session Assurance with DeviceDNA. This component remembers the device the user was initially authenticated on and then actively compares the settings and history of the user's device against the initial device to further guarantee the identity of the user and legitimacy of the login attempt. The patent-pending technology from CA RiskMinder that is incorporated provides one of the differentiators that sets this approach apart from traditional methods of session security.

[Diagram: Website, Email server and the layer in the middle.] 1. User logs into website. 2. Before session token is created, user redirected to DeviceDNA(TM) collection service. 3. DeviceDNA collected. 4. DeviceDNA stored and session token created. 5. User taken to web server with secured session.
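As an added illustration of the "layer in the middle" described in the More Control and More Connection sections (not CA SiteMinder code, and not how DeviceDNA is implemented), the following Python issues a session token only after a device identity has been collected, re-checks that identity periodically, derives each application cookie from the SSO token, and revokes the session on a mismatch; the attribute-hash fingerprint and the HMAC-linked application cookie are assumptions of this example.

```python
"""Device-bound session layer: added example, not CA SiteMinder code.

The fingerprint is a hash over a few request attributes; it stands in for
DeviceDNA, whose internals the paper does not describe (an assumption).
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple


class SessionLayer:
    def __init__(self, secret: bytes, recheck_interval: int = 300,
                 idle_timeout: int = 900) -> None:
        self.secret = secret
        self.recheck_interval = recheck_interval  # seconds between device re-checks
        self.idle_timeout = idle_timeout          # server-side "timeouts" control
        self.sessions: Dict[str, dict] = {}       # sso_token -> session record

    @staticmethod
    def fingerprint(device: dict) -> str:
        """Canonical digest of the device attributes the layer collected."""
        canon = json.dumps(device, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(canon).hexdigest()

    def login(self, user: str, device: dict, now: float) -> str:
        """Steps 2-4 of the flow: collect and store device identity, then issue the token."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "device": self.fingerprint(device),
                                "last_check": now, "last_seen": now}
        return token

    def app_cookie(self, token: str, app: str) -> str:
        """Application cookie 'married' to the SSO token: an HMAC over both."""
        tag = hmac.new(self.secret, f"{token}|{app}".encode(), hashlib.sha256).hexdigest()
        return f"{app}.{tag}"

    def validate(self, token: str, device: dict, now: float,
                 app_cookie: Optional[str] = None, app: str = "") -> Tuple[bool, str]:
        """Check one request; returns (accepted, reason). Revokes on device mismatch."""
        s = self.sessions.get(token)
        if s is None:
            return False, "unknown or revoked session"
        if now - s["last_seen"] > self.idle_timeout:
            del self.sessions[token]
            return False, "idle timeout"
        # Periodic re-check: a cookie replayed from another device fails here.
        # Between checks the token is still accepted, so keep the interval
        # short (0 re-checks on every request).
        if now - s["last_check"] >= self.recheck_interval:
            if not hmac.compare_digest(s["device"], self.fingerprint(device)):
                del self.sessions[token]
                return False, "device mismatch: session revoked"
            s["last_check"] = now
        # The app cookie is only valid with the live SSO session it derives from.
        if app_cookie is not None and not hmac.compare_digest(
                app_cookie, self.app_cookie(token, app)):
            return False, "application cookie not bound to this SSO session"
        s["last_seen"] = now
        return True, "ok"
```

The placement of the check is the point, not the attributes chosen: a fingerprint that many clients share (same browser build, time zone and screen) is weaker than the device history comparison the paper attributes to DeviceDNA.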

Session Hijacking in Summary

Threat

As web applications dominate the business landscape, session hijacking is increasingly dangerous to the security of the enterprise.

Improvements in authentication methods have shifted hackers' focus away from web session login credentials and toward the actual session.

Session hijacking comes in a variety of guises, including man-in-the-middle and man-in-the-browser attacks.

Traditional Approaches

Enterprise security has been locked in a war of innovation against session hijackers since HTTP 1.1.

Alternate architectures, cookie management and IP checking are some of the common approaches that enterprise security has employed to guard against session hijacking.

These methods provide limited effectiveness and only serve to restrict the inevitable damage.

Technology of Today

More modern approaches involve the insertion of another layer between the application and the server.

This middle layer is controlled by enterprise IT security and serves up the session token to the user, making session hijacking extremely difficult.

To increase the efficacy of this middle layer, the enterprise must link the SSO cookie, and any application cookies in use, to a specific device.

About the Solution from CA Technologies

CA Technologies (NASDAQ: CA) is an IT management software and solutions company with expertise across all IT environments, from mainframe and distributed to virtual and cloud. CA Technologies manages and secures IT environments and enables customers to deliver more flexible IT services. CA Technologies' innovative products and services provide the insight and control essential for IT organizations to power business agility. The majority of the Global Fortune 500 relies on CA Technologies to manage evolving IT ecosystems.

CA SiteMinder Secure SSO & Flexible Access Management can provide your organization enterprise-class secure single sign-on (SSO) and flexible identity access management so that your organization can authenticate users and control access to web applications and portals. Across internet, intranet and cloud applications, it helps enable the secure delivery of essential information and applications to your employees, partners, suppliers and customers via secure single sign-on. It also scales to help you meet your growing business needs with flexible administration tools that can support either centralized or distributed administration.

For more information about preventing session hijacking, visit www.ca.com/secure-sso .

Copyright 2014 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.