信息网络安全 (Netinfo Security), 2014, Vol. 14, Issue 8: 21-27. doi: 10.3969/j.issn.1671-1122.2014.08.004

• Technical Research •

The Research of Session Attack and Investigation Method
(original title: Session欺骗攻击技术及调查方法研究)

XU Guo-tian (徐国天)

  1. China Criminal Police College, Shenyang Liaoning 110854, China
  • Received: 2014-05-21  Online: 2014-08-01
  • About the author: XU Guo-tian (born 1978), male, from Liaoning; associate professor, master's degree; main research interests: network security and data recovery.
  • Funding: Ministry of Public Security Applied Innovation Program [2011YYCXXJXY119]

Abstract: Session authentication is an identity-recognition mechanism commonly used by dynamic websites today, and most sites rely on it to prevent unauthorized access. If a user who has not been authenticated requests a restricted page, the site cannot read a valid session_id from the HTTP request and normally redirects the unauthorized visitor to the login page. Session spoofing means that an attacker intercepts the victim's session_id and uses that value to log in to the site, thereby acquiring the legitimate user's identity. If the identity obtained is that of an administrator, the attacker can modify the site's data and even plant a Trojan in the home page, causing far greater harm. This form of attack poses a serious threat to information network security, so studying session attack techniques and clue-investigation methods is of real significance to the investigative and forensic work of public security organs. The key to a successful session spoofing attack is obtaining a legitimate user's session_id value. This paper studies how a session_id can be intercepted in a LAN environment by exploiting the aging of a switch's MAC address table and by MAC-PORT attacks, and how it can be intercepted in an Internet environment through XSS attacks. An Internet search found no published research on clue investigation for session spoofing attacks. The paper proposes a clue-investigation method based on correlation analysis of the Referer and HOST fields. A large number of experiments show that the proposed method can accurately extract traces of intrusion.

Key words: session, MAC-PORT, Referer, HOST
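The abstract describes the investigative side only in outline: a clue-investigation method that correlates the Referer and HOST fields of logged requests. The exact rules the paper applies are not given on this page, so the following is an added example written for this page, not the author's code. It assumes a constructed web-server log format that records client IP, request line, Host, Referer, User-Agent and the session_id cookie value, and it applies three hypothetical correlation rules of the kind an investigator would use to separate the legitimate owner of a session from a client that replays the same session_id: a session_id appearing from more than one client IP, a restricted page served to a client that never completed a login with that session_id, and a Referer whose host does not match the Host header on a restricted-page request. All log lines, hostnames, paths and the `session_id` field name are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample web-server log (not real data). One request per line:
# client_ip [timestamp] "METHOD path" status "Host" "Referer" "User-Agent" "session_id"
# 10.0.0.5 is the legitimate administrator; 203.0.113.7 reuses the same
# session_id from another client and first arrives from a foreign Referer.
SAMPLE_LOG = """\
10.0.0.5 [01/Aug/2014:10:00:01] "POST /login.php" 302 "www.example.org" "http://www.example.org/login.php" "Mozilla/5.0 (Windows NT 6.1)" "a1b2c3d4"
10.0.0.5 [01/Aug/2014:10:00:02] "GET /admin/index.php" 200 "www.example.org" "http://www.example.org/login.php" "Mozilla/5.0 (Windows NT 6.1)" "a1b2c3d4"
10.0.0.5 [01/Aug/2014:10:00:30] "GET /admin/edit.php?id=3" 200 "www.example.org" "http://www.example.org/admin/index.php" "Mozilla/5.0 (Windows NT 6.1)" "a1b2c3d4"
203.0.113.7 [01/Aug/2014:10:05:12] "GET /admin/index.php" 200 "www.example.org" "http://other.example.net/grab.php" "curl/7.35.0" "a1b2c3d4"
203.0.113.7 [01/Aug/2014:10:05:40] "POST /admin/edit.php" 200 "www.example.org" "http://www.example.org/admin/index.php" "curl/7.35.0" "a1b2c3d4"
10.0.0.9 [01/Aug/2014:10:07:00] "GET /news.php" 200 "www.example.org" "-" "Mozilla/5.0 (X11; Linux)" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) '
    r'"(?P<host>[^"]*)" "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<sid>[^"]*)"$'
)


def parse_log(text):
    """Parse the constructed log format into request records (1-based line numbers)."""
    records = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:  # skip lines that do not fit the expected layout
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["line"] = lineno
        records.append(rec)
    return records


def find_clues(records, login_path="/login.php", restricted_prefix="/admin/"):
    """Return intrusion clues for requests to restricted pages.

    Three hypothetical correlation rules (assumptions for this example, not the
    paper's published procedure):
      shared-session         one session_id seen from more than one client IP
      no-login               a restricted page served to a (session_id, client IP)
                             pair that never completed a login POST in the log
      referer-host-mismatch  Referer names a host other than the Host header,
                             i.e. the client reached the page from a foreign site
    """
    # (session_id, client_ip) pairs that performed a login: the presumed owners
    logged_in = {
        (r["sid"], r["ip"]) for r in records
        if r["method"] == "POST" and r["path"].split("?", 1)[0] == login_path
        and r["status"] in (200, 302) and r["sid"] != "-"
    }
    ips_per_sid = defaultdict(set)
    for r in records:
        if r["sid"] != "-":
            ips_per_sid[r["sid"]].add(r["ip"])

    clues = []
    for sid, ips in sorted(ips_per_sid.items()):
        if len(ips) > 1:  # session-level clue, not tied to a single request line
            clues.append({"line": None, "ip": ",".join(sorted(ips)), "sid": sid,
                          "reason": "shared-session"})

    for r in records:
        if r["sid"] == "-" or not r["path"].startswith(restricted_prefix):
            continue
        if (r["sid"], r["ip"]) not in logged_in:
            clues.append({"line": r["line"], "ip": r["ip"], "sid": r["sid"],
                          "reason": "no-login"})
        ref_host = urlparse(r["referer"]).hostname if r["referer"] != "-" else None
        if ref_host is not None and ref_host.lower() != r["host"].split(":")[0].lower():
            clues.append({"line": r["line"], "ip": r["ip"], "sid": r["sid"],
                          "reason": "referer-host-mismatch"})
    return clues


if __name__ == "__main__":
    for c in find_clues(parse_log(SAMPLE_LOG)):
        where = f"line {c['line']}" if c["line"] else "session"
        print(f"{where:8s} sid={c['sid']} ip={c['ip']} reason={c['reason']}")
```

On the constructed log the legitimate administrator's requests (lines 1-3) produce no clue, while the replaying client is flagged twice on line 4 (no login from that IP, Referer host differs from Host) and once on line 5, and the session itself is reported as shared between two IPs. A Referer mismatch on its own is weak evidence, since browsers may omit or alter the header, which is why the rules are meant to be read together rather than individually.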

CLC number: