ABH-OCT-031017 DYNAMIC REVIEW | Completion Statement
DYNAMIC REVIEW SITE
A website is one of the most important tools for presenting a business in an organised way, and it is equally useful for launching a new product: if a company wants to promote a product, a website is usually the best way to reach the public. This coursework describes a website that presents detailed descriptions of raccoons. HTML and JavaScript are used for the front end, and PHP is the back-end language: PHP runs on the web server, builds the pages and talks to the database. Users can post a new review, and update or delete an existing one. The study closes with a discussion of session fixation and session hijacking.
The website shows each raccoon on its own page with a detailed description: the raccoon's name, its photo, the list of reviews and the average rating. Users can add a new review under their own name together with a rating. After logging in, a user first sees a menu listing all raccoons, which can be sorted; selecting an entry opens the detailed page for that raccoon. When several users are on the site and one of them adds or changes a review, the list shown to the others reflects the change automatically.
The site is built with PHP, HTML and JavaScript. Following Bharathi et al. (2016), the database is created and populated with MySQL queries. Two tables are needed: one for the raccoons and their descriptions, and one for the reviews together with the details of the users who wrote them. The tables are linked because every operation on a review (posting, updating or deleting) must refer to the raccoon it belongs to. The first table, Raccoon, has the primary key id; the second table, Review, carries that value as a foreign key (the raccoon id). The back end is written in PHP, with separate methods for inserting and retrieving data, and it also lets users update or delete their existing posts in the database.
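The two-table schema and the review operations described above, as an added example that is not the coursework's own code. It is written for PHP's PDO so that it runs stand-alone against an in-memory SQLite database (the site itself uses MySQL; the SQL below is deliberately kept to the common subset); the column names, the 1..5 rating range, the author check on update/delete and the sample raccoons and reviews are assumptions constructed for the example. Every value that comes from a user goes through a prepared statement, and the sort column is taken from a whitelist, so no user input is ever interpolated into the SQL text.

```php
<?php
// Added example, not the coursework's code. Requires the pdo_sqlite extension.
// Schema: raccoon(id PK) <- review(raccoon_id FK), as the text describes.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('PRAGMA foreign_keys = ON'); // SQLite only enforces the FK when asked

$pdo->exec('CREATE TABLE raccoon (
    id    INTEGER PRIMARY KEY,
    name  TEXT NOT NULL,
    photo TEXT NOT NULL
)');
$pdo->exec('CREATE TABLE review (
    id         INTEGER PRIMARY KEY,
    raccoon_id INTEGER NOT NULL REFERENCES raccoon(id) ON DELETE CASCADE,
    user_name  TEXT NOT NULL,
    rating     INTEGER NOT NULL CHECK (rating BETWEEN 1 AND 5),  -- assumed range
    body       TEXT NOT NULL
)');

function addReview(PDO $pdo, int $raccoonId, string $user, int $rating, string $body): int
{
    if ($rating < 1 || $rating > 5) {            // validate in code; the CHECK is a backstop
        throw new InvalidArgumentException('rating must be 1..5');
    }
    $st = $pdo->prepare('INSERT INTO review (raccoon_id, user_name, rating, body) VALUES (?, ?, ?, ?)');
    $st->execute([$raccoonId, $user, $rating, $body]);
    return (int) $pdo->lastInsertId();
}

function updateReview(PDO $pdo, int $reviewId, string $user, int $rating, string $body): bool
{
    // The WHERE clause binds the edit to the author as well as the review id, so a user
    // cannot rewrite someone else's review just by guessing its id.
    $st = $pdo->prepare('UPDATE review SET rating = ?, body = ? WHERE id = ? AND user_name = ?');
    $st->execute([$rating, $body, $reviewId, $user]);
    return $st->rowCount() === 1;
}

function deleteReview(PDO $pdo, int $reviewId, string $user): bool
{
    $st = $pdo->prepare('DELETE FROM review WHERE id = ? AND user_name = ?');
    $st->execute([$reviewId, $user]);
    return $st->rowCount() === 1;
}

/** Menu list with review count and average rating; $sort is whitelisted, never interpolated raw. */
function listRaccoons(PDO $pdo, string $sort = 'name'): array
{
    $orderBy = ['name' => 'r.name ASC', 'rating' => 'avg_rating DESC'][$sort] ?? 'r.name ASC';
    $sql = "SELECT r.id, r.name, COUNT(v.id) AS review_count,
                   ROUND(COALESCE(AVG(v.rating), 0), 2) AS avg_rating
            FROM raccoon r LEFT JOIN review v ON v.raccoon_id = r.id
            GROUP BY r.id, r.name
            ORDER BY $orderBy";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data for a stand-alone run.
$pdo->exec("INSERT INTO raccoon (name, photo) VALUES ('Rocket', 'rocket.jpg'), ('Bandit', 'bandit.jpg')");
addReview($pdo, 1, 'alice', 5, 'Very clever.');
addReview($pdo, 1, 'bob', 3, 'Stole my sandwich.');
$id = addReview($pdo, 2, 'alice', 4, 'Shy but friendly.');
var_dump(updateReview($pdo, $id, 'bob', 1, 'tamper'));  // false: bob is not the author
var_dump(deleteReview($pdo, $id, 'alice'));              // true
print_r(listRaccoons($pdo, 'rating'));                    // Rocket (avg 4) before Bandit (avg 0)
```

The author check in updateReview and deleteReview assumes the user name is trusted, which on the real site means it must come from the server-side session rather than from a form field; otherwise anyone can edit any review by submitting another user's name.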
Session fixation and session hijacking are two different terms, but both describe an attempt to use a system as another user. As Jain, Sahu & Tomar (2015) describe it, session fixation means that the attacker chooses the session id, typically by placing it in the URL, so that nothing has to be guessed later: the attacker already knows the id and reuses it once the victim has logged in with it. Against a site that accepts a session id from the address bar, the attack takes two steps:
- First, send the target (the victim) a link with the chosen id, http://unsafe/?PHPSESSID=mysession, and wait for them to log in through it.
- Then open http://unsafe/?PHPSESSID=mysession yourself.
Because the server attached the victim's login to the id "mysession", the attacker's browser is treated as the same logged-in user.
The same weakness can be used the other way round, so that the victim acts inside the attacker's session:
- First, log in yourself through http://unsafe/?PHPSESSID=mysession.
- Then send the real user to http://unsafe/payment_methods?PHPSESSID=mysession.
Any payment details the user now enters are stored in the attacker's account, where the attacker can read them.
As Zheng et al. (2015) note, this technique is used to take over a user's data and account information. The user notices nothing unusual: the link points at the genuine site, not at a look-alike, so the page looks exactly as expected while the information is captured.
To counter these attacks, the application must not accept session ids from the URL; the id should travel only in a cookie. According to Kim (2014), the other main defence is to regenerate the session id as soon as the user authenticates, so that an id chosen before login is worthless afterwards. The session must also be destroyed on the server when the user logs out, and it must expire after a period of inactivity; a session that never expires can be reused by an attacker who has obtained its id. SSL certificates (TLS) protect the id in transit: tools such as Firesheep captured session cookies sent in clear text over shared Wi-Fi. As Kamal (2016) shows, not only the login form but every request that carries the session must go over SSL before the user is allowed to reach the data, otherwise the cookie can still be sniffed after login.
Session cookies should be set with the Secure flag (sent only over HTTPS) and the HttpOnly flag (not readable by client-side script). Hijacking and fixation are closely related: fixation is one way of achieving a hijack, because the attacker ends up holding the id of an authenticated session without having to steal it. The fixed id can be planted by client-side script or, more simply, by a crafted link sent to the victim. The link variant works as follows:
- The attacker opens a connection to the web server.
- The server issues a session id to the attacker.
- The attacker sends the victim a link that carries this session id, for example by email.
- The victim clicks the link and so starts using the attacker's session id.
- The victim is asked to log in and unknowingly enters their credentials into that session.
- The server now binds the victim's authenticated state to the session id the attacker already knows.
- The attacker presents the same session id and is treated as the logged-in victim.
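The two fixation scenarios described earlier (the victim logging in with a URL-supplied id, and the link-delivered id in the steps just above) and the countermeasures from the preceding paragraphs, as an added example that is not the coursework's own code. The vulnerable login handler shows exactly what the attack relies on; the hardened one applies cookie-only session ids, strict mode, id regeneration at login, Secure/HttpOnly cookies, an idle timeout and full teardown on logout. The route names, form field names, the 15-minute idle timeout and the demo user are assumptions constructed for the example (PHP 7.4 or later).

```php
<?php
// Added example, not the coursework's code. Serve with: php -S localhost:8080 session.php
declare(strict_types=1);

function checkCredentials(string $user, string $pass): bool
{
    static $hash = null;   // stand-in for the hash stored in the user table (constructed)
    $hash ??= password_hash('correct horse battery', PASSWORD_DEFAULT);
    return hash_equals('alice', $user) && password_verify($pass, $hash);
}

// --- VULNERABLE (shown for contrast only; not reachable from the router below) -----
// With use_only_cookies off, PHP adopts ?PHPSESSID=mysession from the URL, and because
// the id is never replaced at login, whoever chose "mysession" now shares the session.
function loginVulnerable(string $user, string $pass): bool
{
    ini_set('session.use_only_cookies', '0');
    ini_set('session.use_strict_mode', '0');
    session_start();                           // attacker-chosen id taken as-is
    if (!checkCredentials($user, $pass)) {
        return false;
    }
    $_SESSION['user'] = $user;                 // authenticated state bound to the fixed id
    return true;
}

// --- HARDENED ----------------------------------------------------------------------
function startSession(): void
{
    if (session_status() !== PHP_SESSION_NONE) {
        return;                                // already started in this request
    }
    ini_set('session.use_only_cookies', '1');  // ids in the URL are ignored
    ini_set('session.use_strict_mode', '1');   // ids the server never issued are refused
    session_set_cookie_params([
        'lifetime' => 0,                       // browser-session cookie
        'path'     => '/',
        'secure'   => true,                    // HTTPS only (the Firesheep defence)
        'httponly' => true,                    // invisible to client-side script
        'samesite' => 'Lax',
    ]);
    session_start();
}

function loginHardened(string $user, string $pass): bool
{
    startSession();
    if (!checkCredentials($user, $pass)) {
        return false;
    }
    session_regenerate_id(true);               // fresh id after authentication; old one deleted
    $_SESSION['user']      = $user;
    $_SESSION['last_seen'] = time();
    return true;
}

function logout(): void
{
    startSession();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();                         // server-side state gone; a captured id is now useless
}

/** Returns the logged-in user, or ends the request when there is no live, recently used session. */
function requireLogin(int $idleSeconds = 900): string
{
    startSession();
    if (empty($_SESSION['user']) || time() - ($_SESSION['last_seen'] ?? 0) > $idleSeconds) {
        logout();                              // idle sessions are expired, not merely rejected
        header('Location: /login', true, 303);
        exit;
    }
    $_SESSION['last_seen'] = time();
    return $_SESSION['user'];
}

// Minimal router so the file runs as-is; the routes are assumptions for the example.
$path   = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
if ($path === '/login' && $method === 'POST') {
    echo loginHardened((string) ($_POST['user'] ?? ''), (string) ($_POST['pass'] ?? '')) ? 'logged in' : 'bad credentials';
} elseif ($path === '/logout') {
    logout();
    echo 'logged out';
} elseif ($path === '/payment_methods') {
    echo 'payment methods of ' . htmlspecialchars(requireLogin(), ENT_QUOTES, 'UTF-8');
} else {
    echo '<form method="post" action="/login"><input name="user"><input name="pass" type="password"><button>Login</button></form>';
}
```

Two points worth checking when testing this: with the Secure flag set, the browser will not send the cookie over plain http://localhost, so the hardened version has to be exercised behind HTTPS (or the flag temporarily relaxed, never in production); and with use_strict_mode on, a request arriving with ?PHPSESSID=mysession or an unknown cookie value simply gets a new server-generated id, which is the behaviour that defeats both fixation variants above.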
This is a common way of taking over a user account and reading whatever personal and private information it holds; on a banking site that can include account numbers, PINs and other bank details.
For an organisation, a website is also a promotional tool: if it plans to grow its business or launch a new product, the best way to tell the public about the product is to build a website and promote the product there. This coursework has covered the design of the raccoon review website and the topic of session fixation and session hijacking, and it has helped to make clear the difference between the two. It concludes with the DOM diagram of the website.
Bharathi, K. P. M., Suganthi, S., Mary, P. V., & BalaMurugan, C. (2016). Magic cookie and MAC address validation for preventing session hijacking, 7754(8), 95-100.
Jain, V., Sahu, D. R., & Tomar, D. S. (2015). Session Hijacking: Threat Analysis and Countermeasures. In Int. Conf. on Futuristic Trends in Computational Analysis and Knowledge Management, 445(7), 89-95.
Kamal, P. (2016). State of the Art Survey on Session Hijacking. Global Journal of Computer Science and Technology, 16(1), 885-890.
Kim, P. (2014). The hacker playbook: Practical guide to penetration testing. US: Secure Planet LLC.
Zheng, X., Jiang, J., Liang, J., Duan, H. X., Chen, S., Wan, T., & Weaver, N. (2015). Cookies Lack Integrity: Real-World Implications. In USENIX Security Symposium, 5541(3), 707-721.