The Secret Security Wiki

Categories

Home > Wikis > Threats and Tools > Session Hijacking

Categories

Session Hijacking

Session hijacking, also known as cookie side-jacking, is another form of man-in-the-middle attack that will give a hacker full access to an online account. When you sign in to an online account such as Facebook or Twitter, the application returns a “session cookie,” a piece of data that identifies the user to the server and gives them access to their account. As long as the user’s device holds on to that session token, the server will enable them to use the application.

When a user signs out of an application, the server invalidates the session token and all further access to the account requires the user to re-enter their login credentials.

In a session hijacking attack, the hacker steals the user’s session token and uses it to access the user’s account. There are several ways that an attacker can stage a session hijacking attack, such as inflicting the user’s device with a malware that monitors and steals session data. Another method is the use of cross-site scripting attacks, in which an attacker uploads a programming script into a webpage that the user frequently visits and forces the user’s computer to send the session cookie data to the server. Other methods of session hijacking leverage flaws in the application’s programming to guess or reveal session cookie information.

Read our full guide on how to prevent Man in the Middle Attacks

There are four methods used to perpetrate a session hijacking attack:

  1. Session fixation:
    where the attacker sets a user’s session id to one known to him, for example by sending the user an email with a link that contains a particular session id. The attacker now only has to wait until the user logs in.
  2. Session side jacking:
    where the attacker uses packet sniffing to read network traffic between two parties to steal the session cookie. Many websites use SSL encryption for login pages to prevent attackers from seeing the password, but do not use encryption for the rest of the site once authenticated. This allows attackers that can read the network traffic to intercept all the data that is submitted to the server or web pages viewed by the client. Since this data includes the session cookie, it allows him to impersonate the victim, even if the password itself is not compromised.[1] Unsecured Wi-Fi hotspots are particularly vulnerable, as anyone sharing the network will generally be able to read most of the web traffic between other nodes and the access point.
  3. Cross-site scripting:
    where the attacker tricks the user’s computer into running code which is treated as trustworthy because it appears to belong to the server, allowing the attacker to obtain a copy of the cookie or perform other operations.
  4. Malware:
     and unwanted programs can use browser hijacking to steal a browser’s cookie files without a user’s knowledge, and then perform actions (like installing Android apps) without the user’s knowledge.[2] An attacker with physical access can simply attempt to steal the session key by, for example, obtaining the file or memory contents of the appropriate part of either the user’s computer or the server.

Protection against session hijacking mostly lays on the shoulders of app developers, who will have to make sure their programming practices are secure. Users can protect themselves against hijacking attacks by using encrypted communications (via HTTPS and VPN). They can also minimize the attacks of potential session hijacking attacks by frequently signing out of their accounts to invalidate their session cookies.

Read our full guide on how to prevent Man in the Middle Attacks