CONFidence - (29-30.11 2010 Prague)
Language: polski | english |cesky

Nick Nikiforakis

Bio: Nick Nikiforakis is a PhD student at the Katholieke Universiteit Leuven, in Belgium. He belongs in the DistriNet research group and specifically in the “Security & Languages” task-force. His current research interests include low-level security for unsafe languages and web application security.

Nick holds a BSc in Computer Science and a MSc on Distributed Systems from the University of Crete in Greece. He worked for 3 years as a research assistant in the Distributed Computing Systems group at the Foundation of Research and Technology in Crete where he did research in network data visualization, authentication schemes using mobile devices and phishing countermeasures. In the past, Nick has presented his work in academic conferences as well as hacking conventions. His work can be found online at

Topic of Presentation: Breaking Web applications in shared hosting environments

Language: English

Abstract: Today, the most commonly used type of web-hosting plan is shared web hosting. In shared web hosting, the client is given access to a limited number of resources which he can use to host his own web site/web application. In this presentation we will mainly focus on the security of session identifiers on shared hosting environments. Session identifiers are the mechanism which helps developers turn the stateless HTTP(S) protocol into a stateful one. The fist time that a user, visits a website/web application , he is assigned a session identifier (typically consisting of a long pseudo-random alphanumerical). On the server-side, the web applications binds the identifier with information about the user (such as if he is logged in, his administrative privileges, etc.). On every subsequent request, the client provides the web application with the ID that was first entrusted to him. This way the web applications can recognize the user amongst many requests and respond appropriately. Due to their great significance, session identifiers have been among the first targets of attacking when it comes to web application hacking. A successful capture and replay of a valid session identifier means instant authentication for the attacker. The most common attacks against sessions so far have been session stealing and session fixation both of which target the client.

In the context of this presentation, we will present two new attacks against session identifiers that are specific for websites which make use of shared hosting plans. We have named the attacks, “Session Snooping” and “Session Poisoning”. The attacks are based on the fact that web applications that use the default functions for session creation and management are not able to distinguish between a session that was created by themselves and a session that was created by a different web application located on the same physical server. This, combined with the unfortunate fact that in most shared hosting plans session stores are common between all websites, provides the attacker with the ability to force web applications to use sessions that they didn’t create. It also allows his own applications to able to read and modify sessions created by other applications. In this way, an attacker can circumvent authentication procedures, steal private data, evade web application firewalls and use this attack as an intermediate step to launch other attacks such as SQL injection and command execution.

We will also present some of the most popular Content Management Systems (CMS) and see how they respond to our attack. Out of the ten CMS tested, nine use sessions and two of these systems use the default session management functionality provided by PHP, and are thus vulnerable to the Session Snooping/ Session Poisoning attacks. Lastly we will discuss techniques that web programmers and administrators can use to protect their websites against these two new attacks.