Session Hijacking Explained
The session id is an unpredictable and unique number assigned by the server while the user visits the website. The unpredictable session-id is one of the employed mitigation techniques to save websites from any cyber attack. These values can be stored as a cookie, form field, or URL (Uniform Resource Locator). Today, we will discuss what session hijacking is, the techniques employed by the attacker to hijack session-id, and the prevention mechanism to avoid session hijacking attacks.
What is Session Hijacking?
Session hijacking is also called Cookie Hijacking or TCP Session Hijacking. Whenever you are using open wifi or public wifi, you are vulnerable to this attack. The network administrator, who can potentially be the hacker, can easily intercept the traffic, capture session-id, and eventually impersonate the victim’s identity. This is a simple demonstration of a session hijacking attack.
Session hijacking is exploiting a valid session id (also called a session key) to gain unauthorized access to the website on a computer. In simple terms, the malicious guy basically hijacks TCP connection between victim and server and steals HTTP cookies and other details from the web browser to steal sensitive data from web servers.
Techniques used for session hijacking
The malicious guy can use different techniques to intercept HTTP cookies and to steal session id. I am listing some as follows:
- Session Sniffing: In this technique, attackers capture network traffic between two users and eventually able to succeed in capture valid session id.
- Cross-site scripting is a technique for executing malicious payload into the victim browser, and attackers steal cookies (cookies contain valid session-id). Cross-site scripting is broadly classified into three types: Persistent XSS, where the malicious input originates from the website's database. Reflected XSS, where the malicious input originates from the request sent by the victim. DOM-based XSS, where the vulnerability is in the client-side code rather than the server-side code.
- Man-in-the-middle-attack (MITM) is a technique of intercepting traffic between client and victim to hijacking session id.
- The predictable session token is a vulnerability in a web application. If this vulnerability is present, the attacker easily predicts the session token to bypass the authentication mechanism.
- The man-in-the-browser attack is similar to the MITM attack. Here attacker use trojans to capture the browser cookies for manipulation
Prevention mechanism employed to mitigate session hijacking attack
Here we will discuss prevention mechanism to avoid session hijacking.
- SSL/TLS protocol
Must use SSL/TLS to encrypt traffic between client and server. This helps in mitigating MITM, MITB, and other similar attacks. This is currently one of the widely accepted technique by most of the major web-based banks and companies to protect customers from preventing sniffing-style attacks.
- Use long number or string as session-id
Use a long random number or string while implementing session id. This reduces the risk of guessing session-id by brute force attack.
- Regenerate session-id after login
Session id needs to be regenerated after login. This reduces the risk of session fixation as the attacker does not know the session id. The most commonly recommended protocols today are Secure Shell (SSH), Secure Socket Layers (SSL), and Internet Protocol Security (IPSec).
Subscribe us to receive more such articles updates in your email.
If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!
Disclaimer: This tutorial is for educational purpose only. Individual is solely responsible for any illegal act.