Tuesday, March 11, 2008

WIMAX

Worldwide Interoperability for Microwave Access

WiMAX is a telecommunications technology aimed at providing wireless data over long distances in a variety of ways, from point-to-point links to full mobile cellular-type access. It is based on the IEEE 802.16 standard, which is also called WirelessMAN. The name WiMAX was created by the WiMAX Forum, which was formed in June 2001 to promote conformance and interoperability of the standard.

Unwired WiMax PC Card

What is the WiMAX Forum?
An industry-led, non-profit corporation formed to promote and certify compatibility and interoperability of 802.16 broadband wireless products

What is IEEE 802.16?
An IEEE Standard for Wireless Metropolitan Area Networks

Motivation for 802.16

Cellular & WiFi Backhaul
Broadband on demand
Digital TV
Residential Broadband

Under-served areas
Portable and mobile coverage

Saturday, March 1, 2008

Attack process

Generally, a session fixation attack is a three-step process, as shown in the following figure:

1. Session setup:
First, the attacker either sets up a so-called “trap session” on the target server and obtains that session’s ID, or selects a – usually arbitrary – session ID to be used in the attack. In some cases, the established trap session needs to be maintained (kept alive) by repeatedly sending requests referencing it to avoid idle session timeout.


2. Session fixation:
Next, the attacker needs to introduce her session ID to the
user’s browser, thereby fixing his session.

3. Session entrance:
Finally, the attacker has to wait until the user logs in to
the target server using the previously fixed session ID and then enter the
user’s session.
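
The three steps above can be replayed against a toy in-memory session table to show why an ID that exists before login must not survive it. This is an added example, not code from the original post: `SessionStore`, `fixed_id_outcome` and the user name are hypothetical, and issuing a fresh ID at login is the standard countermeasure rather than something the post itself describes.

```python
import secrets


class SessionStore:
    """Toy in-memory session table (constructed model, not a real framework)."""

    def __init__(self, regenerate_on_login):
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}  # session ID -> {"user": name or None}

    def new_session(self):
        sid = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        """Log `user` in on the presented session; return the ID valid afterwards."""
        if sid not in self.sessions:
            sid = self.new_session()      # never adopt an ID the server did not issue
        if self.regenerate_on_login:
            del self.sessions[sid]        # the pre-login ID stops being valid
            sid = self.new_session()
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, sid):
        session = self.sessions.get(sid)
        return session["user"] if session else None


def fixed_id_outcome(store):
    """Replay the three steps; return (user behind pre-login ID, user behind post-login ID)."""
    pre_login_sid = store.new_session()                  # step 1: ID known before login
    post_login_sid = store.login(pre_login_sid, "alice") # steps 2-3: that ID is presented at login
    return store.whoami(pre_login_sid), store.whoami(post_login_sid)


if __name__ == "__main__":
    # Without regeneration the pre-login ID now authenticates as the user.
    print("keep ID on login:      ", fixed_id_outcome(SessionStore(False)))
    # With regeneration the pre-login ID is dead; only the new ID is authenticated.
    print("regenerate ID on login:", fixed_id_outcome(SessionStore(True)))
```
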

What is Session Hijacking?

Web-based applications frequently use sessions to provide a friendly environment to their users. HTTP is a stateless protocol, which means that it provides no integrated way for a web server to maintain state across a user’s subsequent requests. In order to overcome this problem, web servers – or sometimes web applications – implement various kinds of session management. The basic idea behind web session management is that the server generates a session identifier (ID) at some early point in user interaction, sends this ID to the user’s browser and makes sure that this same ID will be sent back by the browser along with each subsequent request. Session IDs thereby become identification tokens for users, and servers can use them to maintain session data (e.g., variables) and create a session-like experience for the users.

There are three widely used methods for maintaining sessions in a web environment: URL arguments, hidden form fields and cookies. While each of them has its benefits and shortcomings, cookies have proven to be the most convenient and also the least insecure of the three. From a security perspective, most – if not all – known attacks against cookie-based session maintenance schemes can also be used against URL- or hidden form field-based schemes, while the converse is not true. This makes cookies the best choice security-wise.

Very often, session IDs are not only identification tokens, but also authenticators. This means that upon login, users are authenticated based on their credentials (e.g., usernames/passwords or digital certificates) and issued session IDs that will effectively serve as temporary static passwords for accessing their sessions.

This makes session IDs a very appealing target for attackers. In many cases, an attacker who manages to obtain a valid ID of a user’s session can use it to directly enter that session – often without arousing the user’s suspicion. Interestingly, most cross-site scripting proof-of-concept exploits focus on obtaining the session ID stored in the browser’s cookie storage. This class of attacks, where the attacker gains access to the user’s session by obtaining his session ID, is called session hijacking.

Web session security is focused on preventing three types of attacks against session IDs: interception, prediction and brute-force attacks. Encrypted communication effectively protects against interception. Using cryptographically strong pseudorandom number generators and carefully chosen seeds that don’t leak from the server prevents prediction of session IDs. Finally, session IDs are immune to brute-force methods if their effective bit-length is large enough with respect to the number of simultaneous sessions.

Proposals have been made for mitigating the threat of stolen session IDs, and some products already implement such ideas (e.g., RSA Security’s ACE/Agents for web servers).