Wednesday, December 28, 2011

Splunk - Session ID spoofing


Session hijacking is the exploitation of a valid computer session—sometimes also called a session key—to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer (see HTTP cookie theft).
One way to identify session hijacking is to look for more than one source IP address appearing within a single session, that is, across the set of HTTP requests that share the same session ID. A legitimate client normally keeps one address for the life of its session, so a second address reusing the same cookie suggests the cookie has been stolen and replayed from another host.

The following search can be used in Splunk to identify session spoofing attempts from the web or security logs. It groups events by session_id, so the src field becomes multivalued, and keeps only the sessions seen from more than one source address:
index="your_index" | transaction session_id | where mvcount(src) > 1 | table session_id, src, alert_detail, url_title, http_user_agent
Note that the transaction command is expensive on large indexes; the same result can be obtained more cheaply with stats dc(src) by session_id. Expect some false positives from users behind load-balanced proxies or on mobile networks whose address legitimately changes mid-session, which is why the user agent is included in the output.
The http_user_agent field helps distinguish a well-known browser from an offline crawler or scripting tool. A session whose source address changes and whose user agent also changes (for example from a browser to a command-line client) is a much stronger indicator of a replayed cookie than an address change alone.
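The same detection logic, run outside Splunk over a handful of constructed log lines, as an added example that is not part of the original post. It assumes log events have already been extracted into key=value fields with the names used in the search above (src, session_id, url_title, http_user_agent, alert_detail); the sample lines, session IDs and addresses are made up for illustration. Beyond the search on the page, it also records whether the user agent changed within the flagged session, so that the two signals can be read together:

```python
import re
from collections import defaultdict

# Constructed sample events (not real data) in the key=value form that
# Splunk field extraction would produce from a web application log.
# sess-a1: address AND user agent change mid-session (browser -> curl).
# sess-b2: single address, single user agent (benign).
# sess-c3: address changes but user agent stays the same (e.g. a proxy pool).
SAMPLE_LOG = """\
2011-12-28T10:00:01 src=10.1.1.5 session_id=sess-a1 url_title="Login" http_user_agent="Mozilla/5.0 (Windows NT 6.1) Firefox/8.0" alert_detail=none
2011-12-28T10:00:07 src=10.1.1.5 session_id=sess-a1 url_title="Dashboard" http_user_agent="Mozilla/5.0 (Windows NT 6.1) Firefox/8.0" alert_detail=none
2011-12-28T10:01:12 src=203.0.113.77 session_id=sess-a1 url_title="Account Settings" http_user_agent="curl/7.21.0" alert_detail=none
2011-12-28T10:02:30 src=10.1.1.9 session_id=sess-b2 url_title="Login" http_user_agent="Mozilla/5.0 (Macintosh) Safari/534.52" alert_detail=none
2011-12-28T10:02:45 src=10.1.1.9 session_id=sess-b2 url_title="Reports" http_user_agent="Mozilla/5.0 (Macintosh) Safari/534.52" alert_detail=none
2011-12-28T10:03:10 src=10.1.1.20 session_id=sess-c3 url_title="Login" http_user_agent="Mozilla/5.0 (Windows NT 6.1) Chrome/16.0" alert_detail=none
2011-12-28T10:03:50 src=10.1.1.21 session_id=sess-c3 url_title="Orders" http_user_agent="Mozilla/5.0 (Windows NT 6.1) Chrome/16.0" alert_detail=none
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Fields carried into the report, mirroring the "table" clause of the search.
REPORT_FIELDS = ("src", "http_user_agent", "url_title", "alert_detail")


def parse_line(line):
    """Extract key=value fields from one log line into a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        quoted, bare = m.group(3), m.group(4)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields


def find_suspicious_sessions(log_text):
    """Group events by session_id (like 'transaction session_id') and return
    the sessions seen from more than one source address (mvcount(src) > 1).

    Each flagged session maps to the distinct values of the report fields, in
    first-seen order, plus a flag saying whether the user agent also changed.
    """
    sessions = defaultdict(lambda: {k: [] for k in REPORT_FIELDS})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        sid = event.get("session_id")
        if sid is None:
            continue  # no session cookie on this request; nothing to correlate
        for key in REPORT_FIELDS:
            value = event.get(key)
            if value is not None and value not in sessions[sid][key]:
                sessions[sid][key].append(value)

    flagged = {}
    for sid, values in sessions.items():
        if len(values["src"]) > 1:
            flagged[sid] = dict(values)
            flagged[sid]["user_agent_changed"] = len(values["http_user_agent"]) > 1
    return flagged


if __name__ == "__main__":
    for sid, info in find_suspicious_sessions(SAMPLE_LOG).items():
        severity = "HIGH" if info["user_agent_changed"] else "review"
        print(f"{sid}: src={info['src']} ua={info['http_user_agent']} [{severity}]")
```

Running it flags sess-a1 and sess-c3 but not sess-b2. Only sess-a1 also shows a user agent change, which is the case an analyst would escalate first; sess-c3 is the kind of hit that needs a look at the address ranges before calling it hijacking.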