Session hijacking is a type of attack where an adversary exploits weaknesses in how an application implements sessions and user authentication. As a result, the adversary can hijack or manipulate an active session and use it to gain unauthorized access to an application.
When a user signs in to a web application such as Facebook or Twitter, the application returns a unique session identifier, often referred to as a “session cookie” or a “session token”, that identifies the user to the server for the rest of the session, so they don’t have to re-authenticate on every request. After login the session token stands in for the user’s credentials, and it generally remains valid for a set period even while the application is not actively used. As long as the user’s browser presents that token, the server treats the requests as the user’s. When the user signs out, the server invalidates the token and any further access to the account requires the user to re-authenticate.
Session cookies are stored in the memory or disk of the client device used to access the application.
In a session hijacking attack, the attacker steals the user’s session token and uses it to access the user’s account. There are two common ways to stage a session hijacking attack:
- Reusing session IDs, also known as session replay, is when an attacker presents a stolen session token that the application issued for a legitimate session. It is the most common form of session hijacking. Tokens are commonly stolen by infecting the user’s device with malware that reads them from memory or disk, or by luring the user to a page of the application that carries an attacker-injected script (cross-site scripting), so that the script runs in the user’s browser and sends the session cookie to a server the attacker controls. Another technique is session sidejacking, where the attacker takes advantage of an unencrypted communication channel between the victim and the application: the attacker sniffs the cleartext traffic on the network, extracts the session token and presents it to the application to impersonate the victim. Open Wi-Fi hotspots are particularly exposed to sidejacking, since anyone sharing the network can generally read any traffic between connected devices and the access point that is not itself protected by TLS.
Possible mitigations include invalidating session tokens on the server at logout, setting a time-out (idle and absolute) after which a token expires, sending session tokens only over encrypted (TLS) channels, marking the session cookie Secure and HttpOnly so that the browser never sends it in cleartext and page scripts cannot read it, keeping session tokens out of URLs (a token in a GET parameter ends up in the address bar, browser history, Referer headers and server logs), and disabling HTTP TRACE, which can echo a request’s cookies back to a script.
- Session fixation is when the attacker causes the victim’s browser to establish a session with the target application using a session identifier chosen by the attacker, for example by sending a link that carries the identifier in the URL or by planting a cookie. If the application keeps that identifier when the user subsequently authenticates, the attacker, who already knows it, can present it to the application and carry out transactions as the user. The attack succeeds when the application does not issue a fresh identifier at login; it is easiest against applications that also accept arbitrary client-supplied identifiers instead of only ones they issued themselves.
Another way to obtain a valid session identifier is to guess it. This is feasible when the generator is not sufficiently random (for example a counter, a timestamp, or a weak pseudo-random generator), so that an attacker can predict or enumerate identifiers that belong to other users’ sessions.
Possible mitigations to session fixation include rejecting any session identifier the server did not issue and issuing a new identifier whenever the privilege level changes, in particular at login. Against guessing, identifiers should come from a cryptographically secure random source with enough entropy (128 bits or more) that they cannot be predicted or enumerated.
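As an added example, not code from the original page, the following Python session store implements the mitigations listed for both attack types: identifiers drawn from the OS CSPRNG, an idle time-out, server-side invalidation at logout, cookie attributes for the sidejacking and script-theft cases, and a login that never keeps the identifier the client arrived with. The class names, the 15-minute time-out and the simulated `fixation_attempt` are assumptions made for this illustration, and the deliberately weak `FixableSessionStore` is included only for contrast.

```python
# Constructed example: a minimal server-side session store applying the mitigations
# above. Not taken from any real application.
import secrets
import time

SESSION_ID_BYTES = 32            # 256 bits from the OS CSPRNG: not guessable
IDLE_TIMEOUT_SECONDS = 15 * 60   # assumed idle time-out; idle sessions die server-side


class SessionStore:
    """Server-side session table keyed by an opaque, server-issued identifier."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so the time-out can be exercised
        self._sessions = {}          # session id -> {"user": str|None, "last_seen": float}

    @staticmethod
    def _fresh_id():
        return secrets.token_urlsafe(SESSION_ID_BYTES)

    def new_session(self):
        """Pre-authentication session (e.g. for a shopping cart)."""
        sid = self._fresh_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def resolve(self, presented_sid):
        """Look up an id the client presented. Unknown ids, including attacker-chosen
        ones, are never adopted; expired ids are dropped and treated as unknown."""
        rec = self._sessions.get(presented_sid)
        if rec is None:
            return None
        if self._clock() - rec["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[presented_sid]
            return None
        rec["last_seen"] = self._clock()
        return rec

    def login(self, presented_sid, user):
        """Authenticate and ALWAYS issue a new id, so whatever id the client arrived
        with (possibly planted by an attacker) stops working. This defeats fixation."""
        self._sessions.pop(presented_sid, None)
        sid = self._fresh_id()
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def logout(self, sid):
        """Server-side invalidation: a replayed token fails after this."""
        self._sessions.pop(sid, None)

    def user_for(self, presented_sid):
        rec = self.resolve(presented_sid)
        return rec["user"] if rec else None


class FixableSessionStore(SessionStore):
    """Deliberately vulnerable contrast: adopts the client-supplied id and keeps it
    across login, which is exactly the behaviour session fixation needs."""

    def login(self, presented_sid, user):
        self._sessions[presented_sid] = {"user": user, "last_seen": self._clock()}
        return presented_sid


def set_cookie_header(sid, max_age=IDLE_TIMEOUT_SECONDS):
    """Cookie attributes for the sidejacking and script-theft cases:
    Secure = only sent over TLS; HttpOnly = not readable by page scripts;
    Max-Age = browser-side expiry (the server-side time-out is the real control)."""
    return (f"Set-Cookie: session={sid}; Max-Age={max_age}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


def fixation_attempt(store, planted_sid="attacker-chosen-id"):
    """Simulated attack: the attacker has planted planted_sid in the victim's browser,
    the victim logs in carrying it, then the attacker presents the same id.
    Returns which user the attacker is treated as (None = attack failed)."""
    store.login(planted_sid, "victim")
    return store.user_for(planted_sid)


if __name__ == "__main__":
    print("hardened store, attacker seen as:", fixation_attempt(SessionStore()))
    print("fixable store, attacker seen as:", fixation_attempt(FixableSessionStore()))
    print(set_cookie_header(SessionStore().new_session()))
```

Running the module shows the attacker resolving to no user against `SessionStore` and to `victim` against `FixableSessionStore`; the only difference between the two is whether `login` rotates the identifier, which is why identifier rotation at authentication is the single most important fixation control.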