
Tracking a user's browser and OS settings as a measure against account hijacking (updated)

Dear Habr readers! I thought yesterday's version of the article was still in drafts, so it was published unfinished. Here is the full, expanded version.


Many online services try to protect their users' accounts in a variety of ways. Some track the IP address and drop the cookies when it changes (this is what Seklab does; vKontakte simply asks the user to confirm the last 4 digits of their mobile phone number). Some give the session a limited lifetime, forcing the user to log in again and again. These methods have their advantages and disadvantages. But whichever mechanism is used, tracking the user's browser and OS will provide additional protection against account hijacking (additional protection, but by no means the main one). And it is very strange that I have still not come across a single service that supports this protection mechanism.
Ask yourself: in what cases, on the user's next visit to a resource, will the cookies be the same as on the previous visit, but the browser and OS data (which can be extracted from the User-Agent) have changed? Only in 3 cases:

1. The user logged in from different computers (for example, at home and at work) and for some reason uses different browsers on them.
2. The user logged in from one computer in different browsers (probably only web developers and the especially curious will suffer from this). Or those who clutter their OS with obscure add-ons (hello to vkSaver fans).
3. The user's session has been hijacked.

The proposal is not to track the entire User-Agent string, but only the browser type (IE, FF, Chrome, Safari, etc.) and the operating system (Windows, Linux, MacOS). This avoids false positives when software on the user's computer is updated.

Yes, the User-Agent can be spoofed. But:
1. Quite often, session hijackers do not bother with this.
2. User-Agent spoofing can be detected (read below how).

Let us consider the proposed method as an addition to the existing ones, in the context of the classic session-theft scenarios.



IP address change tracking


This is good practice. But it will not help if the user lacked the sense not to log into his account over a wireless network where his session was sniffed, or fell victim to a man-in-the-middle attack by an attacker on the same subnet at the ISP (don't laugh; the case is old, but still common). Most likely, the attacker will not bother changing the User-Agent. That is what we count on. As a result, the additional protection works.

The session lives for a limited time

Besides being inconvenient for the user (frequent logins), the situation is otherwise exactly the same as the previous one. And again: a changed User-Agent can be a clear signal of an attempted session hijacking.

And what about those who still use different browsers at home and at work?


Alternatively, one of the cookie variables can be generated on the basis of the User-Agent. Since attackers quite often copy all of the server's cookies to themselves indiscriminately, they will be caught when they copy a variable bound to a different User-Agent.

“Well, replacing the User-Agent is not difficult; not only experienced hackers but even script kiddies can manage that,”
- some visitors here will say.


Indeed, whoever needs to will be able to spoof it. But an interesting way of identifying the browser via JavaScript comes to the rescue. The method is very effective; I have tested it.

However, this method can be circumvented: since the JavaScript is executed in the browser, on the side of the user (a potential attacker), they can control its execution and thereby bypass the check (Firebug is one option). But one must know about this in advance. In addition, obfuscating the script makes the task considerably harder.

Source: https://habr.com/ru/post/139604/

