Session hijacking, XSS and CSRF

In a common manner, these attacks target each device to steal user-related informations, then the server with the obtained informations. They involve injecting a script written in the Javascript language used by the client application.

They target therefore particularly Javascript based applications, such as web applications and hybrid app.

Session (or cookie) hijacking

Session hijackings

In hijackings, the attacker uses an exploit on a device to take over a session between this device and a host. It disconnects then the device from the communication. The server still believes that it is communicating to the original device and sends private information to the attacker.

Cross-site scripting ("XSS")

Companies like Twitter, Facebook, MySpace or YouTube have experienced XSS attacks in different forms, that represent one of the main threats to the net.

XSS Attacks

The XSS attack principle lies in the trust the client places in the server, and the ability to mix up Javascript scripts with HTML information descriptions in a web page. The attacker exploits the application XSS vulnerabilities in order to inject a script into the web page used by the device. The injected script can either point the user transparently to a malicious server or allow the attacker to hijack the user's session and execute dangerous commands.

Cross-site request forgery ("CSRF")

Successful CSRF attacks are little documented. Nevertheless, a european bank allowed illicit money transfers due to a CSRF attack, and hackers infiltrated an asian telecom operator system to steal 8 million customer coordinates with a similar attack.

CSRF Attacks

Unlike cross-site scripting (XSS) which exploits the trust a device has for a particular server, CSRF exploits the trust that a server has in a user's browser or hybrid app. In a first step, the user connects to a known server and authenticates himself. Then he is pointed to a malicious server, which injects a script into the user browser or the hybrid app. This script tricks the device to send an action request to the previous server. If the targeted server keeps the user authentication information in a cookie and the cookie hasn't expired, the action may succeed.

With the Motilia mobility suite, business data are not transmitted in a technical context based on HTML and Javascript. Furthermore, an integrated security mechanism protects the authenticity and integrity of communication between the mobile devices and the server.

In deploying your mobile solution based on Motilia, you get the integrated security mechanisms