{"id":222,"date":"2021-02-02T20:02:48","date_gmt":"2021-02-02T20:02:48","guid":{"rendered":"https:\/\/fde.cat\/?p=222"},"modified":"2021-02-02T20:02:50","modified_gmt":"2021-02-02T20:02:50","slug":"how-salesforce-helps-protect-you-from-session-hijacking-threats","status":"publish","type":"post","link":"https:\/\/fde.cat\/index.php\/2021\/02\/02\/how-salesforce-helps-protect-you-from-session-hijacking-threats\/","title":{"rendered":"How Salesforce Helps Protect You From Session Hijacking Threats"},"content":{"rendered":"<p><em>Co-authors: Ping Yan and Yuly\u00a0Tenorio<\/em><\/p>\n<figure><img decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/cdn-images-1.medium.com\/max\/1000\/1*4NwrDVwV2BUJHE0pv39rRw.png?w=750&#038;ssl=1\" data-recalc-dims=\"1\"><\/figure>\n<p><strong>Background on Session Hijacking<\/strong><\/p>\n<p>All communication on the internet happens over a set of standards called TCP\/IP (Transmission Control Protocol\/Internet Protocol). They are the Internet\u2019s core communication system, enabling Internet-connected devices to exchange data with each other. This system lays the groundwork over which higher-level protocols such as HTTP and FTP operate and is what transports data packets across the internet. ARPANET adopted TCP\/IP on <strong>January 1, 1983.<\/strong> From there, researchers began to assemble the \u201cnetwork of networks\u201d that became the modern internet.<\/p>\n<p>While these protocols accelerated the growth of modern communication, they also have characteristics that attackers can take advantage of. HTTP, which runs on top of them, is <em>stateless<\/em>: each request stands alone, so a server that needs to remember who you are creates a <em>session<\/em> when you log in and hands your browser a session identifier, usually in a cookie, that is sent back with every subsequent request. To keep this efficient, servers typically keep the session alive until you log out or have been inactive for a configurable idle timeout, commonly around 30 minutes. 
This way, servers can handle requests originating from the same user efficiently. But it also enables a type of attack called <strong>session hijacking<\/strong>, often carried out through cookie theft, in which an attacker takes control of a user\u2019s session.<\/p>\n<figure><img decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/cdn-images-1.medium.com\/max\/712\/1*Yx23EAf55x486r5M-38V-Q.png?w=750&#038;ssl=1\" data-recalc-dims=\"1\"><\/figure>\n<p>According to a 2014 application vulnerability trends report[1], 79% of web applications were susceptible to session management vulnerabilities. Even in the more recent Trustwave report[2], authentication bypass through session hijacking accounted for 5.1% of all critical vulnerabilities, second only to unpatched Windows systems at 10.8%.<\/p>\n<p><strong>How Attackers Steal Session Identifiers<\/strong><\/p>\n<p>A session identifier should be an unguessable random value, but weak implementations derive it from predictable inputs such as a timestamp, the client IP address and similar fields. Whatever its quality, if an attacker obtains a valid session ID they get complete access to the user\u2019s session. What does this mean? It means they have opened Pandora\u2019s box. They can escalate their privileges, exfiltrate data, sell the credentials on the dark web, and more.<\/p>\n<p>This attack is possible because authentication is performed only at the beginning of a user session; after that, the session identifier alone is what the server checks. Therefore, if an attacker gets access to the session identifier after the session is established, the attacker can perform malicious actions. 
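<\/p>\n<p>As an added illustration (not code from the original post or from Salesforce), the following Python shows what a predictable session identifier costs and what the hardened form looks like: a constructed weak scheme that hashes the client IP and login timestamp, the enumeration that recovers such an ID from an observed value, a CSPRNG-generated identifier, and the cookie attributes that keep the identifier away from script and cleartext connections. All function names, addresses and timestamps are assumptions made for the example.<\/p>\n

```python
import hashlib
import hmac
import secrets

# Weak scheme (constructed for this example): the session ID is a hash of the
# client IP and the login timestamp, so every input is knowable or guessable.
def weak_session_id(client_ip, login_time):
    material = f'{client_ip}:{int(login_time)}'
    return hashlib.sha256(material.encode()).hexdigest()

# The brute-force vector: an attacker who knows the victim's IP and roughly
# when they logged in enumerates timestamps in a window and compares each
# candidate against an ID observed (or probed) on the server.
def guess_weak_session_id(observed_id, client_ip, approx_login_time, window_seconds=600):
    centre = int(approx_login_time)
    for t in range(centre - window_seconds, centre + window_seconds + 1):
        if hmac.compare_digest(weak_session_id(client_ip, t), observed_id):
            return t
    return None

# Hardened scheme: 32 bytes (256 bits) from the OS CSPRNG, no request
# attribute involved, so nothing the attacker knows about the user helps.
def strong_session_id():
    return secrets.token_urlsafe(32)

# Cookie attributes that close the other vectors: HttpOnly keeps the cookie out
# of document.cookie (script-based theft), Secure keeps it off cleartext
# connections (sniffing), SameSite limits cross-site sending. Max-Age bounds the
# cookie's life in the browser; the server-side idle timeout is separate.
def session_cookie_header(session_id, max_age_seconds=1800):
    return f'sid={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age={max_age_seconds}'

def demo():
    victim_ip = '203.0.113.7'   # constructed address from the TEST-NET-3 range
    login_time = 1612296168     # constructed epoch timestamp
    observed = weak_session_id(victim_ip, login_time)
    # The attacker only knows the login happened within a few minutes of this guess.
    recovered = guess_weak_session_id(observed, victim_ip, login_time + 240)
    return recovered == login_time, session_cookie_header(strong_session_id())
```

<p>Calling demo() recovers the weak ID from a window of a few minutes around the login after at most a couple of thousand hash computations; the same search against a strong ID returns nothing, because its entropy comes from the OS generator rather than from anything observable about the user.<\/p>\n<p>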
Attackers can gain access to the session identifier in one of the following ways:<\/p>\n<ul>\n<li><strong>Cross-site scripting (XSS)<\/strong>: The attacker gets the victim\u2019s browser to execute malicious JavaScript on a vulnerable site, which reads the session cookie and sends it to the attacker. Cookies marked <em>HttpOnly<\/em> are not readable from script, which blunts this vector.<\/li>\n<li><strong>Man in the Middle (MitM) packet sniffing<\/strong>: The attacker reads the session ID off the wire between client and server when the cookie is sent over an unencrypted or untrusted channel. Serving the site over HTTPS only and marking the cookie <em>Secure<\/em> prevents it from being sent in cleartext.<\/li>\n<li><strong>Malware<\/strong>: Malware installed on the client machine can read the browser\u2019s cookie store and forward cookies to the adversary without the user\u2019s knowledge.<\/li>\n<li><strong>Brute-force attack<\/strong>: If session IDs are generated insecurely, for example from a timestamp and IP address, the attacker can enumerate likely values until one is accepted by the server.<\/li>\n<\/ul>\n<p><strong>How Salesforce Combats Session Hijacking<\/strong><\/p>\n<p>With an unrivaled customer success platform, protecting our customers\u2019 data and maintaining Trust as our #1 value is paramount.<\/p>\n<p>In order to detect session hijacking attempts, we need to identify the device from which a user has logged in. We use browser fingerprinting as a data point for identifying a device. If, within a session, we observe a significant deviation in the browser fingerprint, it is highly likely that a different device is using the stolen legitimate session ID. While we use browser fingerprints to identify a device, we do not use them to track a user. 
The data is used strictly for the purpose of detecting suspicious behavior.<\/p>\n<p>A session hijacking risk score is computed for every pair of browser fingerprints observed within the same session and compared to an empirically determined threshold to detect anomalous user sessions in real time. When the detection engine flags a session, the response engine terminates the suspicious session and any child sessions.<\/p>\n<p>By taking this action, Salesforce helps prevent the attacker from performing any further activity with that user\u2019s session. This autonomous enforcement makes session hijacking costly for attackers and results in safer sessions for Salesforce customers.<\/p>\n<figure><img decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/cdn-images-1.medium.com\/max\/1024\/1*Q4YmU1NCnlcFmkWnIGMMAQ.png?w=750&#038;ssl=1\" data-recalc-dims=\"1\"><\/figure>\n<p><strong>What Can You Do To Protect Yourself<\/strong><\/p>\n<p>In general, it is imperative to maintain cyber hygiene[3] in your organization. When connecting from an insecure network, such as public Wi-Fi, use a VPN tunnel so that attackers on the local network cannot sniff your traffic; TLS already protects a correctly configured site, but the VPN adds a layer for sites and apps that fall back to cleartext. In addition, at the end of every session, explicitly log out so that the server invalidates your session ID rather than leaving it valid until the idle timeout expires.<\/p>\n<p>Salesforce provides its customers with <a href=\"https:\/\/developer.salesforce.com\/docs\/atlas.en-us.securityImplGuide.meta\/securityImplGuide\/security_auth_configure.htm\">a suite of secure authentication and account verification techniques to adapt and apply on their domains<\/a>, and we recommend you take advantage of those. 
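<\/p>\n<p>The intra-session fingerprint comparison described above, reduced to a runnable sketch. This is an added example, not Salesforce\u2019s detection engine or its scoring model: the log format, attribute weights, threshold and session IDs are all constructed for the illustration. Each new fingerprint is scored against every earlier fingerprint in the same session, a score above the threshold terminates the session and its child sessions, and later requests on a terminated session are rejected.<\/p>\n

```python
# Constructed request log, one request per line as key=value fields. It is
# sample input for this example, not a Salesforce log format. S2 is a child
# session of S1; S3 is a user whose browser was updated mid-session; S4 shows
# an attacker trying to drift the fingerprint one attribute at a time.
SAMPLE_LOG = [
    '2021-02-02T20:00:00Z sid=S1 parent=- ua=Chrome/88 lang=en-US screen=1920x1080 tz=America/Los_Angeles',
    '2021-02-02T20:00:05Z sid=S2 parent=S1 ua=Chrome/88 lang=en-US screen=1920x1080 tz=America/Los_Angeles',
    '2021-02-02T20:01:00Z sid=S3 parent=- ua=Firefox/84 lang=de-DE screen=1440x900 tz=Europe/Berlin',
    '2021-02-02T20:01:30Z sid=S4 parent=- ua=Edge/88 lang=en-GB screen=2560x1440 tz=Europe/London',
    '2021-02-02T20:02:00Z sid=S1 parent=- ua=Chrome/88 lang=en-US screen=1920x1080 tz=America/Los_Angeles',
    '2021-02-02T20:03:00Z sid=S3 parent=- ua=Firefox/85 lang=de-DE screen=1440x900 tz=Europe/Berlin',
    '2021-02-02T20:03:30Z sid=S4 parent=- ua=Chrome/88 lang=en-GB screen=2560x1440 tz=Europe/London',
    '2021-02-02T20:04:00Z sid=S1 parent=- ua=Safari/14 lang=ru-RU screen=1366x768 tz=Europe/Moscow',
    '2021-02-02T20:04:30Z sid=S4 parent=- ua=Chrome/88 lang=en-GB screen=2560x1440 tz=Asia/Tokyo',
    '2021-02-02T20:05:00Z sid=S2 parent=S1 ua=Chrome/88 lang=en-US screen=1920x1080 tz=America/Los_Angeles',
]

# Per-attribute mismatch weights and the threshold are assumptions chosen for
# this example; the post only says the real threshold is set empirically.
ATTRIBUTE_WEIGHTS = {'ua': 4, 'lang': 2, 'screen': 2, 'tz': 2}
RISK_THRESHOLD = 5  # a score above this terminates the session

def parse_line(line):
    # 'ts sid=.. parent=.. ua=.. lang=.. screen=.. tz=..' -> dict
    fields = line.split()
    record = {'ts': fields[0]}
    for item in fields[1:]:
        key, value = item.split('=', 1)
        record[key] = value
    return record

def fingerprint(record):
    return {attr: record.get(attr) for attr in ATTRIBUTE_WEIGHTS}

def pair_score(fp_a, fp_b):
    # Weighted count of attributes that differ between two fingerprints.
    return sum(w for attr, w in ATTRIBUTE_WEIGHTS.items() if fp_a[attr] != fp_b[attr])

def session_score(history, fp):
    # Score the new fingerprint against every earlier one in the session and
    # keep the worst pair, so an attacker cannot creep past the threshold by
    # changing one attribute per request.
    return max(pair_score(prev, fp) for prev in history)

def detect_hijacks(lines):
    history = {}      # sid -> fingerprints accepted so far
    children = {}     # parent sid -> child sids
    terminated = []   # sids killed, in order
    decisions = []    # (ts, sid, score, action)
    for line in lines:
        rec = parse_line(line)
        sid = rec['sid']
        if rec['parent'] != '-':
            children.setdefault(rec['parent'], []).append(sid)
        if sid in terminated:
            decisions.append((rec['ts'], sid, None, 'rejected'))
            continue
        fp = fingerprint(rec)
        if sid not in history:
            history[sid] = [fp]
            decisions.append((rec['ts'], sid, 0, 'baseline'))
            continue
        score = session_score(history[sid], fp)
        if score > RISK_THRESHOLD:
            # Response: terminate the suspicious session and its child sessions.
            for victim in [sid] + children.get(sid, []):
                if victim not in terminated:
                    terminated.append(victim)
            decisions.append((rec['ts'], sid, score, 'terminated'))
        else:
            history[sid].append(fp)
            decisions.append((rec['ts'], sid, score, 'accepted'))
    return terminated, decisions
```

<p>Scoring against every earlier fingerprint rather than only the previous one is what catches S4: the second change scores 2 against the immediately preceding request but 6 against the session\u2019s first fingerprint. The browser update in S3 scores 4 and is kept, which is the kind of benign deviation an empirically chosen threshold has to tolerate; once S1 is terminated, the child session S2 is rejected on its next request.<\/p>\n<p>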
In the meantime, we will continue to build state-of-the-art detection and response techniques to help protect our customers from session hijacking attacks, among other threats.<\/p>\n<h3>References<\/h3>\n<ol>\n<li><a href=\"https:\/\/www.trustwave.com\/en-us\/resources\/library\/documents\/2014-trustwave-global-security-report\/\">https:\/\/www.trustwave.com\/en-us\/resources\/library\/documents\/2014-trustwave-global-security-report\/<\/a><\/li>\n<li><a href=\"https:\/\/www.trustwave.com\/en-us\/resources\/library\/documents\/2019-trustwave-global-security-report\/\">https:\/\/www.trustwave.com\/en-us\/resources\/library\/documents\/2019-trustwave-global-security-report\/<\/a><\/li>\n<li><a href=\"https:\/\/trailhead.salesforce.com\/en\/content\/learn\/modules\/cybersecurity-risk-management\">https:\/\/trailhead.salesforce.com\/en\/content\/learn\/modules\/cybersecurity-risk-management<\/a><\/li>\n<\/ol>\n<hr>\n<p><a href=\"https:\/\/engineering.salesforce.com\/how-salesforce-helps-protect-you-from-session-hijacking-threats-c39f4cf84cee\">How Salesforce Helps Protect You From Session Hijacking Threats<\/a> was originally published in <a href=\"https:\/\/engineering.salesforce.com\/\">Salesforce Engineering<\/a> on Medium.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Co-authors: Ping Yan and Yuly\u00a0Tenorio Background on Session Hijacking All communication on the internet happens over a set of standards called TCP\/IP (Transmission Control 
Protocol\/Internet Protocol). They are the World Wide Web\u2019s core communication system that enables Internet-connected devices to communicate simultaneously with each other. This system lays the groundwork over which higher level protocols&hellip; <a class=\"more-link\" href=\"https:\/\/fde.cat\/index.php\/2021\/02\/02\/how-salesforce-helps-protect-you-from-session-hijacking-threats\/\">Continue reading <span class=\"screen-reader-text\">How Salesforce Helps Protect You From Session Hijacking Threats<\/span><\/a><\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","footnotes":""},"categories":[7],"tags":[],"class_list":["post-222","post","type-post","status-publish","format-standard","hentry","category-technology","entry"],"jetpack_featured_media_url":"","jetpack-related-posts":[{"id":604,"url":"https:\/\/fde.cat\/index.php\/2022\/07\/06\/watch-metas-engineers-discuss-quic-and-tcp-innovations-for-our-network\/","url_meta":{"origin":222,"position":0},"title":"Watch Meta\u2019s engineers discuss QUIC and TCP innovations for our network","date":"July 6, 2022","format":false,"excerpt":"With more than 75 percent of our internet traffic set to use QUIC and HTTP\/3 together, QUIC is slowly moving to become the de facto protocol used for internet communication at Meta. 
For Meta\u2019s data center network, TCP remains the primary network transport protocol that supports thousands of services on\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":868,"url":"https:\/\/fde.cat\/index.php\/2024\/05\/22\/post-quantum-readiness-for-tls-at-meta\/","url_meta":{"origin":222,"position":1},"title":"Post-quantum readiness for TLS at Meta","date":"May 22, 2024","format":false,"excerpt":"Today, the internet (like most digital infrastructure in general) relies heavily on the security offered by public-key cryptosystems such as RSA, Diffie-Hellman (DH), and elliptic curve cryptography (ECC). But the advent of quantum computers has raised real questions about the long-term privacy of data exchanged over the internet. In the\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":833,"url":"https:\/\/fde.cat\/index.php\/2024\/03\/06\/making-messaging-interoperability-with-third-parties-safe-for-users-in-europe\/","url_meta":{"origin":222,"position":2},"title":"Making messaging interoperability with third parties safe for users in Europe","date":"March 6, 2024","format":false,"excerpt":"To comply with a new EU law, the Digital Markets Act (DMA), which comes into force on March 7th, we\u2019ve made major changes to WhatsApp and Messenger to enable interoperability with third-party messaging services.\u00a0 We\u2019re sharing how we enabled third-party interoperability (interop) while maintaining end-to-end encryption (E2EE) and other privacy\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":307,"url":"https:\/\/fde.cat\/index.php\/2021\/08\/31\/running-border-gateway-protocol-in-large-scale-data-centers\/","url_meta":{"origin":222,"position":3},"title":"Running Border Gateway Protocol in large-scale data centers","date":"August 31, 
2021","format":false,"excerpt":"What the research is: A first-of-its-kind study that details the scalable design, software implementation, and operations of Facebook\u2019s data center routing design, based on Border Gateway Protocol (BGP). BGP was originally designed to interconnect autonomous internet service providers (ISPs) on the global internet. Highly scalable and widely acknowledged as an\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":166,"url":"https:\/\/fde.cat\/index.php\/2020\/12\/30\/2020-year-in-review-connectivity-innovations-faster-apps-and-progress-toward-net-zero\/","url_meta":{"origin":222,"position":4},"title":"2020 year in review: Connectivity innovations, faster apps, and progress toward net zero","date":"December 30, 2020","format":false,"excerpt":"It goes without saying that 2020 has been a challenging year, to put it lightly. But if anything, the COVID-19 pandemic has shined a light on our need to connect as people. For Facebook, that meant our work has become more important than ever. Whether it was finding new and\u2026","rel":"","context":"In &quot;External&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":595,"url":"https:\/\/fde.cat\/index.php\/2022\/06\/08\/introducing-zelos-a-zookeeper-api-leveraging-delos\/","url_meta":{"origin":222,"position":5},"title":"Introducing Zelos: A ZooKeeper API leveraging Delos","date":"June 8, 2022","format":false,"excerpt":"Within large-scale services, durable storage, distributed leases, and coordination primitives such as distributed locks, semaphores, and events should be strongly consistent. At Meta, we have historically used Apache ZooKeeper as a centralized service for these primitives. 
However, as Meta\u2019s workload has scaled, we\u2019ve found ourselves pushing the limits of ZooKeeper\u2019s\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/posts\/222","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/comments?post=222"}],"version-history":[{"count":1,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/posts\/222\/revisions"}],"predecessor-version":[{"id":243,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/posts\/222\/revisions\/243"}],"wp:attachment":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/media?parent=222"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/categories?post=222"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/tags?post=222"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}