FireSheep FF Extension Makes for Easy Session Hijacking

Posted by Jake Reynolds on October 27, 2010

FireSheep is a Firefox browser extension written by Eric Butler and released at Toorcon 12. It allows anyone to hijack users' sessions on a large list of popular sites including Facebook, Google, and Salesforce. It does so by sniffing session cookies from cleartext (non-HTTPS) web connections to the target sites. It currently operates on shared-medium networks like wireless and Ethernet hubs, but a little ARP poisoning would probably make it work on most switched LANs.

Web application security best practices mandate the use of SSL for the transfer of any sensitive information and this includes session cookies. The problem is that many popular sites allow cleartext HTTP connections in addition to HTTPS connections. All it takes is one cleartext HTTP request containing a user's session cookie to impersonate that user on a site.

There have been a lot of suggestions about how to prevent one's sessions from being stolen via FireSheep or other tools that use the same attack method. ForceTLS is a Firefox extension that allows users to configure which domains they want to automatically enforce SSL connections to. Good luck to all of you IE users on that one.

I'm surprised that there haven't been more conversations about how to secure web applications to protect users from these attacks... you know... so they don't have to protect themselves. Here is a list of suggestions that web developers should follow in order to accomplish this:

  1. If possible, only support HTTPS and make users explicitly enter https://a.b.c to access the site.
  2. The first suggestion isn't possible in a lot of applications due to business requirements. In that case, cleartext requests should be redirected to secure connections.
  3. Developers should ensure that sensitive cookies have their paths and domains configured such that they are only sent to URLs where session cookies are needed. For instance, set a path of "/auth/" rather than "/" so that cookies are only sent with requests to "/auth/whatever" and not to "/javascripts/script.js".
  4. Use "Secure" cookies so that browsers will not send them over insecure (non-HTTPS) channels.
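
As an added example (not code from the original post), here is a Python sketch of suggestions 2 through 4: the server issues the session cookie with a scoped path and domain plus the Secure flag, redirects cleartext requests, and a helper applies the browser's own cookie-scoping rules to show which request URLs the cookie would accompany. The host www.example.com, the cookie name and the function names are assumptions made for this example.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlparse, urlunparse

# Constructed settings for a hypothetical site: the session cookie is scoped
# to the authenticated area and flagged Secure, as suggestions 3 and 4 advise.
SESSION_COOKIE = "sessionid"
COOKIE_PATH = "/auth/"
COOKIE_DOMAIN = "www.example.com"  # placeholder host, not a real deployment

def session_set_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie value for a freshly issued session id."""
    c = SimpleCookie()
    c[SESSION_COOKIE] = session_id
    c[SESSION_COOKIE]["path"] = COOKIE_PATH    # only sent to /auth/... URLs
    c[SESSION_COOKIE]["domain"] = COOKIE_DOMAIN
    c[SESSION_COOKIE]["secure"] = True         # never sent over cleartext HTTP
    c[SESSION_COOKIE]["httponly"] = True       # also hidden from page scripts
    return c.output(header="").strip()

def redirect_if_cleartext(request_url: str):
    """Suggestion 2: answer a cleartext request with a redirect to HTTPS.
    Returns (status, Location) or None when the request is already HTTPS."""
    u = urlparse(request_url)
    if u.scheme == "http":
        return 301, urlunparse(("https",) + tuple(u[1:]))
    return None

def browser_would_send(set_cookie: str, request_url: str) -> bool:
    """Apply the browser's cookie-scoping rules to a candidate request: a
    Secure cookie needs https, the path must match (RFC 6265 path-match) and
    the host must be the cookie's domain or a subdomain of it."""
    c = SimpleCookie()
    c.load(set_cookie)
    m = c[SESSION_COOKIE]
    u = urlparse(request_url)
    host, path = (u.hostname or ""), (u.path or "/")
    if m["secure"] and u.scheme != "https":
        return False  # this is exactly the leak FireSheep relies on
    cp = m["path"] or "/"
    if not (path == cp or (path.startswith(cp) and
                           (cp.endswith("/") or path[len(cp)] == "/"))):
        return False  # e.g. a request for /javascripts/script.js
    dom = m["domain"].lstrip(".")
    if dom and not (host == dom or host.endswith("." + dom)):
        return False
    return True
```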

Of course, this is all kind of a moot point since man-in-the-middle attacks succeed most of the time even in the presence of SSL. This is because users are usually willing to accept browser certificate warnings. Still, FireSheep is a very cool extension and helps shed light on a ubiquitous problem.
