Session hijacking is an attack in which an attacker takes over a user's session. When we log into any service, a session stays active for as long as we use it. The ideal scenario for an attacker is one in which we are using a web application, such as a banking application, to carry out a financial transaction. Session hijacking is also known as cookie hijacking or cookie side-jacking. The more detailed the information an attacker has about our sessions, the more targeted the attack can be. Session hijacking is most common against web applications and browser sessions.
[Figure: Session Hijacking Workflow]
Types of Session Hijacking
Session hijacking is of three types:
- Active Session Hijacking : When the attacker seizes control of the active session, it is known as active session hijacking. The legitimate user is forced offline, and the attacker uses the system in the authorized user's place. Attackers can also take over the client-server communication itself. They may send a large volume of traffic into a legitimate session to disrupt the connection between client and server, which amounts to a denial-of-service (DoS) attack.
- Passive Session Hijacking : In passive session hijacking, instead of taking control of the targeted user's session, the attacker monitors the communication between the user and the server. The main motive is to listen to all the data and record it for future use. In effect, the attacker steals the exchanged information and uses it for unrelated malicious activity. This is also a kind of man-in-the-middle attack (the attacker sits between the client and the server while they exchange information).
- Hybrid Hijacking : The combination of active and passive session hijacking is referred to as hybrid hijacking. The attacker monitors the communication channel (the network traffic), and whenever a weakness appears, takes control of the web session and carries out the malicious task.
To perform all these kinds of session hijacking attacks, attackers use various methods. They can use a single method or several methods at once. Those methods are:
- Brute-forcing the Session ID
- Cross-Site Scripting (XSS) or Misdirected Trust
- Man-in-the-browser
- Malware infections
- Session Fixation
- Session side-jacking
Each of these session hijacking methods can be elaborated as follows:
- Brute-forcing the Session ID : As the name suggests, the attacker uses guesswork and trial and error to find the session ID, and the effort depends on the ID's length. This works only when security is weak and the ID is short. The introduction of strong, long session keys has slowed the use of this method.
- Cross-Site Scripting (XSS) or Misdirected Trust : In cross-site scripting, the attacker looks for flaws and weak points in the web application and injects their own script into it. The injected script helps the attacker obtain the victim's session ID.
- Man-in-the-browser : Man-in-the-browser uses a Trojan horse (a program carrying malicious code) to perform its required action. The attacker places themselves in the communication channel between a server and a client. The main purpose of this attack is usually financial fraud.
- Malware infections : In malware infections, the attacker deceives the user into opening a link that delivers malware or a Trojan, which installs the malicious software on the device. Such programs are written to steal browser cookies without the user's knowledge.
- Session Fixation : In session fixation, attackers create a duplicate or disguised session and trick the user into authenticating to the vulnerable server using a session the attacker already knows. This can be done by sending the user an email with a link that, when clicked, leads to the attacker's session.
- Session side-jacking : In session side-jacking, the attacker tries to gain access to a session by reading the network traffic. This becomes easy when the user is on insecure Wi-Fi. Reading the network traffic and stealing the session cookie is done by packet sniffing, a technique in which the data flowing across a network is observed.
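Whichever method delivers the stolen cookie, the attacker must eventually replay it from their own machine, so a simple "session ID monitor" on the server side can spot the theft. The following added example (not from the original article) scans constructed access-log lines and flags any session ID presented from more than one client fingerprint (IP address plus User-Agent); the log format, IPs and IDs are all assumed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from any real system). Each records the
# client IP, User-Agent and the session cookie presented with the request.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z ip=203.0.113.5 ua="Firefox/121" sid=s1a2b3c4d5
2024-01-01T10:00:05Z ip=203.0.113.5 ua="Firefox/121" sid=s1a2b3c4d5
2024-01-01T10:00:09Z ip=198.51.100.7 ua="curl/8.4" sid=s1a2b3c4d5
2024-01-01T10:01:00Z ip=192.0.2.44 ua="Chrome/120" sid=zz99yy88xx77
2024-01-01T10:01:30Z ip=192.0.2.44 ua="Chrome/120" sid=zz99yy88xx77
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)" sid=(?P<sid>\S+)$'
)

def parse_log(text):
    """Parse each log line into a dict of fields; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries

def find_hijack_candidates(entries):
    """Return {session_id: [extra fingerprints]} for every session ID that was
    presented from more than one (ip, user_agent) pair. A cookie replayed from the
    attacker's machine shows up as a second fingerprint on an existing session.
    Treat a hit as a signal for re-authentication, not an automatic verdict:
    a user roaming between networks also changes IP mid-session."""
    fingerprints = defaultdict(set)
    first_seen = {}
    for e in entries:
        fp = (e["ip"], e["ua"])
        fingerprints[e["sid"]].add(fp)
        first_seen.setdefault(e["sid"], fp)
    alerts = {}
    for sid, fps in fingerprints.items():
        if len(fps) > 1:
            alerts[sid] = sorted(fps - {first_seen[sid]})
    return alerts

if __name__ == "__main__":
    for sid, extra in find_hijack_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"session {sid} also presented from {extra}")
```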
Exploiting the session hijack vulnerability
Four categories of vulnerabilities are exploited for session hijacking:
Cross-Site Scripting Vulnerabilities
- Injecting client-side scripts
- The attacker creates a faulty page and attacks through it
Session Side-Jacking Vulnerabilities
- Use of packet sniffers to attack
- E.g. man-in-the-middle attack
Session Fixation Vulnerabilities
- Mainly done through fake websites
- The user assumes it is a genuine link and clicks it
Malware Installation Vulnerabilities
- The attacker sends malicious code to disrupt the application, the network or the communication
- The attacker gets access to the applications
Overall, the attacker uses session hijacking to gain unauthorized access to the system by exploiting a number of vulnerabilities. The user believes the session is genuine because they are unaware of any change to the system. These weaknesses allow the attacker to take over the data or information.
What Can Attackers Do After Successful Session Hijacking?
- The attacker can perform any action that the user could carry out with their credentials.
- The attacker can gain access to multiple web applications, from financial systems and customer records to line-of-business systems that may contain valuable intellectual property.
- The attacker can use hijacked session cookies to impersonate authenticated users in single sign-on (SSO) systems.
Here are a few examples:
- Attackers can log into bank accounts and transfer money
- Attackers can use the access for online shopping
- Attackers can obtain sensitive data and sell it on the dark web
- Attackers can demand a ransom from the user in exchange for the data
Prevention of Session Hijacking
- Session hijacking can be guarded against by taking preventive measures on the client side.
- Keeping software updated and using endpoint security are key measures on the user side.
- Requiring biometric authentication for every user session can prevent attacks.
- End-to-end encryption between the user's browser and the web server using secure HTTP (HTTPS, i.e. SSL/TLS) protects the session cookie in transit.
- Keep the session value only in the session cookie.
- Log the user off automatically when the session ends or goes idle.
- Use session ID monitors to detect anomalous use of a session.
- Using a VPN can prevent unauthorized access on untrusted networks.
- Having the web server generate long, random session cookies prevents guessing attacks.
- Deleting the session cookie both on the server and on the user's computer at logout enhances security.
- Using a different HTTP header order for different sessions is a further precaution.
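Several of these server-side measures fit together in one small session manager: a long random ID (against brute-forcing), a fresh ID issued at login (against session fixation), an idle timeout (automatic log-off), server-side deletion at logout, and a cookie carrying HttpOnly, Secure and SameSite (against XSS theft and side-jacking). The following added example (not from the original article or any particular framework) shows that design; the class, the 15-minute timeout and the cookie name `sid` are assumptions.

```python
import secrets
import time

SESSION_ID_BYTES = 32            # 256 bits of randomness: infeasible to brute-force
IDLE_TIMEOUT_SECONDS = 15 * 60   # automatic log-off after inactivity (assumed value)

class SessionStore:
    """Minimal server-side session store (constructed example, not a real framework)."""
    def __init__(self, now=time.time):
        self._sessions = {}      # session id -> {"user": ..., "last_seen": ...}
        self._now = now          # injectable clock so expiry can be tested

    def new_session_id(self):
        # Long, unpredictable ID from the OS CSPRNG, never derived from user data.
        return secrets.token_urlsafe(SESSION_ID_BYTES)

    def start_anonymous(self):
        sid = self.new_session_id()
        self._sessions[sid] = {"user": None, "last_seen": self._now()}
        return sid

    def login(self, old_sid, user):
        """On authentication, drop the pre-login ID and issue a fresh one.
        An ID the attacker fixated before login is then worthless."""
        self._sessions.pop(old_sid, None)
        sid = self.new_session_id()
        self._sessions[sid] = {"user": user, "last_seen": self._now()}
        return sid

    def lookup(self, sid):
        """Return the user for a valid, unexpired session, else None."""
        data = self._sessions.get(sid)
        if data is None:
            return None
        if self._now() - data["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]          # idle session is logged off
            return None
        data["last_seen"] = self._now()
        return data["user"]

    def logout(self, sid):
        """Destroy the server-side record; the browser cookie is cleared separately."""
        self._sessions.pop(sid, None)

def set_cookie_header(sid):
    """Set-Cookie value: HttpOnly keeps page scripts (XSS) from reading it, Secure
    keeps it off plaintext HTTP (side-jacking), SameSite limits cross-site sending."""
    return f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
```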
In this article we have covered the key concepts of session hijacking and the ways in which an attacker can carry it out. We discussed the methods attackers use to gain unauthorized access, including the techniques used to exploit vulnerabilities, and covered the concepts of session spoofing and session fixation. We looked at the various actions an attacker can perform after taking control of a user's session, and finally touched on how to prevent session hijacking.