Session Hijacking Explained

The session id is an unpredictable and unique number assigned by the server while the user visits the website. The unpredictable session-id is one of the employed mitigation techniques to save websites from any cyber attack. These values can be stored as a  cookie, form field, or URL (Uniform Resource Locator).  Today, we will discuss what session hijacking is, the techniques employed by the attacker to hijack session-id, and the prevention mechanism to avoid session hijacking attacks.

What is Session Hijacking?

Session hijacking is also called Cookie Hijacking or TCP Session Hijacking. Whenever you are using open wifi or public wifi, you are vulnerable to this attack. The network administrator, who can potentially be the hacker, can easily intercept the traffic, capture session-id, and eventually impersonate the victim’s identity. This is a simple demonstration of a session hijacking attack.

Session hijacking is exploiting a valid session id (also called a session key) to gain unauthorized access to the website on a computer. In simple terms, the malicious guy basically hijacks the TCP connection between the victim and the server and steals HTTP cookies and other details from the web browser to steal sensitive data from web servers.

Techniques used for session hijacking

The malicious guy can use different techniques to intercept HTTP cookies and steal session IDs. I am listing some as follows:

1. Session Sniffing: In this technique, attackers capture network traffic between two users and are eventually able to succeed in capturing a valid session ID.
2. Cross-site scripting is a technique for executing malicious payloads into the victim browser, and attackers steal cookies (cookies contain valid session-id). Cross-site scripting is broadly classified into three types: Persistent XSS, where the malicious input originates from the website's database. Reflected XSS, where the malicious input originates from the request sent by the victim. DOM-based XSS, where the vulnerability is in the client-side code rather than the server-side code.
3. Man-in-the-middle-attack (MITM) is a technique of intercepting traffic between client and victim to hijack session id.
4. The predictable session token is a vulnerability in a web application. If this vulnerability is present, the attacker easily predicts the session token to bypass the authentication mechanism.
5. The man-in-the-browser attack is similar to the MITM attack. Here attackers use trojans to capture the browser cookies for manipulation

Prevention mechanism employed to mitigate session hijacking attack

Here we will discuss prevention mechanisms to avoid session hijacking.

1. SSL/TLS protocol
   Must use SSL/TLS to encrypt traffic between client and server. This helps in mitigating MITM, MITB, and other similar attacks. This is currently one of the widely accepted techniques by most of the major web-based banks and companies to protect customers from sniffing-style attacks.
2. Use a long number or string as session-id
   Use a long random number or string while implementing session id. This reduces the risk of guessing session-id by brute force attack.
3. Regenerate session-id after login
   The session id needs to be regenerated after login. This reduces the risk of session fixation as the attacker does not know the session id. The most commonly recommended protocols today are Secure Shell (SSH), Secure Socket Layers (SSL), and Internet Protocol Security (IPSec).