翻訳と辞書
Words near each other
・ Sessility (limnology)
・ Sessility (zoology)
・ Sessiluncus
・ Session
・ Session (computer science)
・ Session (parliamentary procedure)
・ Session (Presbyterianism)
・ Session (web analytics)
・ Session 9
・ Session Americana
・ Session Announcement Protocol
・ Session border controller
・ Session capping
・ Session Description Protocol
・ Session fixation
Session hijacking
・ Session ID
・ Session Initiation Protocol
・ Session key
・ Session laws
・ Session layer
・ Session man
・ Session Man (film)
・ Session Manager Subsystem
・ Session multiplexing
・ Session musician
・ Session of Christ
・ Session One
・ Session poisoning
・ Session replay


Dictionary Lists
翻訳と辞書 辞書検索 [ 開発暫定版 ]
スポンサード リンク

Session hijacking : ウィキペディア英語版
Session hijacking

In computer science, session hijacking, sometimes also known as cookie hijacking is the exploitation of a valid computer session—sometimes also called a ''session key''—to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer (see HTTP cookie theft).
A popular method is using source-routed IP packets. This allows an attacker at point ''B'' on the network to participate in a conversation between ''A'' and ''C'' by encouraging the IP packets to pass through ''B's'' machine.
If source-routing is turned off, the attacker can use "blind" hijacking, whereby it guesses the responses of the two machines. Thus, the attacker can send a command, but can never see the response. However, a common command would be to set a password allowing access from somewhere else on the net.
An attacker can also be "inline" between ''A'' and ''C'' using a sniffing program to watch the conversation. This is known as a "man-in-the-middle attack".
==History of the HTTP==
Session hijacking was not possible with early versions of HTTP.
HTTP protocol versions 0.8 and 0.9 lacked cookies and other features necessary for session hijacking. Version 0.9beta of Mosaic Netscape, released on October 13, 1994, supported cookies.
Early versions of HTTP 1.0 did have some security weaknesses relating to session hijacking, but they were difficult to exploit due to the vagaries of most early HTTP 1.0 servers and browsers. As HTTP 1.0 has been designated as a fallback for HTTP 1.1 since the early 2000s—and as HTTP 1.0 servers are all essentially HTTP 1.1 servers the session hijacking problem has evolved into a nearly permanent security risk.
The introduction of supercookies and other features with the modernized HTTP 1.1 has allowed for the hijacking problem to become an ongoing security problem. Webserver and browser state machine standardization has contributed to this ongoing security problem.

抄文引用元・出典: フリー百科事典『 ウィキペディア(Wikipedia)
ウィキペディアで「Session hijacking」の詳細全文を読む



スポンサード リンク
翻訳と辞書 : 翻訳のためのインターネットリソース

Copyright(C) kotoba.ne.jp 1997-2016. All Rights Reserved.