Académique Documents
Professionnel Documents
Culture Documents
discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/215766573
CITATIONS READS
12 167
2 authors:
Some of the authors of this publication are also working on these related projects:
All content following this page was uploaded by Thawatchai Chomsiri on 28 April 2016.
Preecha Noiumkar
Thawatchai Chomsiri
Mahasarakham University
Maha sarakham, Thailand.
preecha.n@msu.ac.th
thawatchai@msu.ac.th
487
3. Methodology security level of each Website against the Session
Hijacking attack, so the experiment was designed for a
The researcher conducted the experiment on Local hacker to be able to sniff all cookies in order to bring
Area Network (LAN)—both Switch Network LAN all of them to test. To allow this to happen, the ARP
and Wireless Network LAN. Since this experiment Spoof was included in every test although some tests
was conducted to measure the security level of each were conducted on Wireless LAN. In addition, the
Website against the Session Hijacking attack, so the victim’s computer was controlled so as not installed
experiment was designed for a hacker to be able to anti ARP Spoof program such as Anti ARP, and Static
sniff all cookies in order to bring all of them to test. To ARP was not conducted on that computer. Meanwhile,
allow this to happen, the ARP Spoof was included in on the Gateway Router computer, Static ARP was not
every test although some tests were conducted on conducted, and Static Port (Port Security [4],[5]) was
Wireless LAN. In addition, the victim’s computer was not conducted as well.
controlled so as not installed anti ARP Spoof program Experimenting any Web Mail by SideJacking
such as Anti ARP, and Static ARP was not conducted method, if it was found that the hacker was able to
on that computer. Meanwhile, on the Gateway Router hack the system despite only one time of the
computer, Static ARP was not conducted, and Static experiment, the result was recorded as ‘Success’.
Port (Port Security [4],[5]) was not conducted as well. Then, another Web Mail was tested. However, if the
Experimenting any Web Mail by SideJacking hacker could not hack the system, the test would be
method, if it was found that the hacker was able to repeated in order to entirely gain Links on
hack the system despite only one time of the http://hamster/. After that, the experiment was
experiment, the result was recorded as ‘Success’. preceded by clicking on Links until every Link was
Then, another Web Mail was tested. However, if the clicked. If it was found that the hacker was able to
hacker could not hack the system, the test would be hack the system although not every Link was tested, it
repeated in order to entirely gain Links on is regarded that the hacker could hack the system. The
http://hamster/. After that, the experiment was result was recorded as ‘Success’.
preceded by clicking on Links until every Link was In the case that every Link was clicked; the test was
clicked. If it was found that the hacker was able to conducted repeatedly to ensure that every Link was
hack the system although not every Link was tested, it tested at least 10 times within five minutes or less,
is regarded that the hacker could hack the system. The timing from the first second as soon as the victim
result was recorded as ‘Success’. refreshed the Mailbox page (in order to control the
In the case that every Link was clicked; the test was variable concerning Cookies/Session Timeout). When
conducted repeatedly to ensure that every Link was the test was complete, and the hacker could not hack
tested at least 10 times within five minutes or less, the system even once, the result would be recorded as
timing from the first second as soon as the victim ‘Fail’.
refreshed the Mailbox page (in order to control the For the test that only one Cookie was copied, it
variable concerning Cookies/Session Timeout). When would be checked in order to be certain about how
the test was complete, and the hacker could not hack many Cookies are in the each Web Mail. Then, every
the system even once, the result would be recorded as Cookie was tested. If it was found that the hacker
‘Fail’. could hack the system although not entire Cookies
For the test that only one Cookie was copied, it were tested, the result would be recorded as ‘Success’.
would be checked in order to be certain about how In contrast, if all entire Cookies were tested, but it
many Cookies are in the each Web Mail. Then, every could not be hacked, each Cookie would be repeatedly
Cookie was tested. If it was found that the hacker tested for 10 times. If the entire process was complete,
could hack the system although not entire Cookies but it could not be hacked, the result would be
were tested, the result would be recorded as ‘Success’. recorded as ‘Fail’.
In contrast, if all entire Cookies were tested, but it
could not be hacked, each Cookie would be repeatedly 4. Result
tested for 10 times. If the entire process was complete,
but it could not be hacked, the result would be After the experiment, the results are as follows.
recorded as ‘Fail’. The researcher conducted the
experiment on Local Area Network (LAN)—both 4.1. Table of Result
Switch Network LAN and Wireless Network LAN.
Since this experiment was conducted to measure the The results were concluded in Table 1 and Table 2.
488
Table 1. The Results of the Experiment by Means of 4.2. A Web Mail which able to hack by using
Editing Cookies One by One both one- and all-cookie
Number of
The Name of
Cookies Firstly, this Web Mail was tested by SideJacking,
Cookie Which
No. Service Name Which Must and it was found that the victim’s Mailbox could be
Contains
Be Tested hacked by clicking on URL (on http://hamster/) as
Session ID
shown below.
1 Gmail 8 GX http://mail.google.com/mail
2 AOL Mail 6 N/A For the hacking by changing Cookies one by one, it
was found that there were eight involving Cookies in
3 GMX Mail 5 N/A
the Domain named as follows.
4 Yahoo Mail 12 N/A mail.google.com
5 Inbox Mail 16 CU google.com
6 Gawab Mail - - www.google.com
Yahoo Mail When Cookies were tested one by one, it was found
7 Classic 12 N/A that the victim’s Mailbox could be hacked by changing
8 Zenbe Mail - - the Cookie named “GX” in the Domain named
9 Fast Mail 4 N/A “mail.google.com”.
10 Hotmail 14 RPSTAuth Hence, it could be concluded that Gmail has no
Remark: For Gawab Mail and Zenbe Mail we could resistance to hacking by Session Hijacking--both
not register. copying only one Cookie and copying all Cookies
(SideJacking).
Table 2. Results of the Experiment For Inbox Mail, the experiment began with testing
Hack by by SideJacking, and the result showed that the victim’s
No Hack by using using mailbox could be hacked by clicking on URL as
Service Name shown below (Parameter was not included).
. One Cookie All cookie
(Sidjacking) http://wm34.inbox.com/index.aspx?_cu=
http://wm37.inbox.com/app.aspx?_cu=
1 Gmail Success Success
http://wm37.inbox.com/gui.aspx?_cu=
2 AOL Mail Fail Fail http://wm34.inbox.com/process.aspx?_cu=
3 GMX Mail Fail Fail Regarding the test by changing Cookies one by one,
4 Yahoo Mail Fail Fail it was found that there were 16 involving Cookies in
5 Inbox Mail Success Success the Domain named as follows.
6 Gawab Mail - - inbox.com
Yahoo Mail www.inbox.com
7 Classic Fail Fail i109.inbox.com
8 Zenbe Mail - - When Cookies were tested one by one, it was found
9 Fast Mail Fail Success that the victim’s mailbox could be hacked by changing
10 Hotmail Success Success the Cookie named “CU” in the Domain named
Success = able to hack “inbox.com”.
Fail = unable to hack For hotmail, the experiment began with testing by
We found that some web mail could be hacked SideJacking, and the result showed that the victim’s
using both one- and all-cookie (such as Gmail, Inbox mailbox could be hacked by clicking on URL as
Mail and Hotmail). Some web mail could not be shown below (Parameter was not included).
hacked, although use two methods. And some web http://by123w.bay123.mail.live.com/mail/InboxLig
mail has a middle level security, such as Fast Mail ht.aspx
which could be hacked using SideJacking methods http://by123w.bay123.mail.live.com/mail/ReadMes
only. sageLight.aspx
Regarding the test by changing Cookies one by one,
it was found that there were 14 involving Cookies in
the Domain named as follows.
by123w.bay123.mail.live.com
live.com
489
mail.live.com that AOL Mail, GMX Mail, Yahoo Mail and Fast Mail
When Cookies were tested one by one, it was found could not be hacked while Gmail, Inbox Mail and
that the victim’s mailbox could be hacked by changing Hotmail could be hacked.
the Cookie named “RPSTAuth” in the Domain named For the second method, Session Hijacking is
“live.com”. conducted by copying all Cookies (using SideJacking
As a consequence, it could be concluded that tools). The results show that Gmail, Inbox Mail, Fast
Gmail, Inbox Mail and Hotmail has no resistance to Mail and Hotmail could be hacked while AOL Mail,
hacking by Session Hijacking--both copying only one GMX Mail and Yahoo Mail could not be hacked.
Cookie and copying all Cookies (SideJacking). As a result, it is concluded that the Web Mail which
has the height security are AOL Mail, GMX Mail and
4.3. A Web Mail which unable to hack by using Yahoo Mail; while the Web Mail with the low security
both one- and all-cookie is Gmail, Inbox Mail and Hotmail.
The next research to be conducted in the future is
Yahoo Mail was tested by changing Cookies one by testing the security level of the top 10 free Web Mails
one (from 12 entirely involving Cookies), but it was by the “top 10 Web-Hacking Method”. The world top
found that the victim’s mailbox could not be hacked. It 10 free Web Mails would be tested one by one by
might be possible that Yahoo Mail uses two Cookies using the top 10 popular web-hacking methods[6],[7]
or more; otherwise, it might include another security comprising such as XSS: Cross Site Scripting, Session
mechanism. Then, Yahoo Mail was tested by Hijacking, SQL Injection, etc. This research would be
SideJacking, and it was found that there were conducted in order to find the differences of the
involving Links as follows. security level between 10 free Web Mails. It would be
http://us.mg3.mail.yahoo.com/ws/mail/v1/formrpc? beneficial information for users regarding selecting
http://us.mg3.mail.yahoo.com/dc/launch ?. free Web Mails to use.
http://us.mg3.mail.yahoo.com/dc/rs?
http://us.mg3.mail.yahoo.com/fc/fc? 6. References
http://us.bc.yahoo.com/
http://geo.yahoo.com/ [1] “Top 17 Free Email Services – About Email”
http://presence.msg.yahoo.com/ http//email.about.com/od/freeemailreviews/tp/free_email.htm
http://ts.richmedia.yahoo.com/
[2] http://www.erratasec.com/news.html
http://www.yahoo.com/
However, after the above Links were clicked on and [3] Hamster tool – Sidejacking (cookie munging / man-in-
thoroughly tested, it was found that SideJacking tools the-middle), BlackHat, 28 July thru 2 Aug 2007 – Las
were unable to hack the victim’s mailbox. For this Vegas, NV.
result, it might be possible that Yahoo Mail employs
another mechanism apart from Cookies, or it might use [4] “Cisco IOS Switch Security Configuration Guide”,
Web Technology which has not yet been supported by www.cisco.com
SideJacking tools.
For AOL Mail and GMX Mail, results like Yahoo [5] "HTTPS Hacking Protection". Thawatchai Chomsiri.
Mail. We could not hack by using SidJacking and Proc. of the IEEE 21st International Conference on
Advanced Information Networking and Applications (AINA-
could not hack by using one cookie.
07), Volume 1, IEEE CS Press, May 2007, Niagara Falls,
Therefore, it could be concluded that AOL Mail, CANADA.
GMX Mail and Yahoo Mail has the resistance to
hacking by Session Hijacking--both copying only one [6] http://www.owasp.org/index.php/Top_10_2007
Cookie and copying all Cookies (SideJacking).
[7] http://www.infosecurity-magazine.com/webinars/
5. Conclusion & Future Works Top_ten_web_application_hack_attacks.html
490