
UNIT 5 Eh


SESSION HIJACKING

Session hijacking is an attack where a user session is taken over by an attacker. A session starts when you log into a service and ends when you log out;
for example, your banking application. The attack relies on the attacker’s knowledge of your session cookie, so it is also called cookie hijacking or cookie
side-jacking. Although any computer’s session could be hijacked, session hijacking most commonly applies to browser sessions and web applications. In
most cases when you log into a web application (for example, via a username and password), the server sets a temporary session cookie in your
browser to remember that you are currently logged in and authenticated. HTTP is a stateless protocol and session cookies attached to every HTTP
header are the most popular way for the server to identify your browser or your current session. To perform session hijacking, an attacker needs to
know the victim’s session ID (session key). This can be obtained by stealing the session cookie or convincing the user to click a malicious link containing
a prepared session ID. In both cases, after the user is authenticated on the server, the attacker can take over (hijack) the session by using the same
session ID for their own browser session. The server is then fooled into treating the attacker’s connection as the original user’s valid session.

Why is session hijacking successful?


Session hijacking can be successful because attackers can intercept and manipulate the session identifiers used by the web applications,
which are often transmitted in clear text or in easily guessable formats. This allows attackers to impersonate the victim's identity and take
control of their active session.

SESSION HIJACKING TECHNIQUES:-

Session sniffing:- It is one of the basic techniques used with application-layer session hijacking. The attacker uses a sniffer
tool such as Wireshark, or a proxy, such as OWASP Zed, to capture network traffic which contains the session ID between a
website and a client. Once an attacker captures this value, he can use this valid token to gain unauthorized access to the
system.

Predictable session token ID:- Many web servers use a custom algorithm or some predefined pattern to generate session
IDs. The greater the predictability of a session token, the weaker it is and the easier it is to predict. If an attacker can capture
several IDs and analyze their pattern, he may predict a valid session ID.
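The contrast between a patterned generator and a random one, as an added example that is not part of the original notes: it audits a sample of IDs issued by your own application. The `SESS` prefix, the counter, the function names and the 22-character floor are assumptions made for illustration.

```python
import os
import re
import secrets
from itertools import count

_counter = count(1000)  # constructed starting value


def weak_session_id() -> str:
    """Predefined pattern: fixed prefix plus an incrementing counter."""
    return f"SESS{next(_counter):08d}"


def strong_session_id() -> str:
    """32 bytes from the operating system's CSPRNG, URL-safe encoded."""
    return secrets.token_urlsafe(32)


def predictability_findings(ids: list[str]) -> list[str]:
    """Heuristic audit of a sample of session IDs (not a proof of randomness)."""
    findings = []
    shortest = min(len(i) for i in ids)
    # A long shared prefix means much of each ID carries no entropy.
    if len(os.path.commonprefix(ids)) * 2 >= shortest:
        findings.append("shared-prefix")
    # Numeric tails (4+ digits) that advance by one constant step are guessable.
    tails = [re.search(r"\d{4,}$", i) for i in ids]
    if all(tails):
        nums = [int(m.group()) for m in tails]
        if len({b - a for a, b in zip(nums, nums[1:])}) == 1:
            findings.append("constant-step")
    # Assumed floor for this sketch: 22 URL-safe characters (about 128 bits).
    if shortest < 22:
        findings.append("too-short")
    return findings


def audit(generator, n: int = 5) -> list[str]:
    """Issue n IDs from a generator and report what the heuristics flag."""
    return predictability_findings([generator() for _ in range(n)])


if __name__ == "__main__":
    print("weak:  ", audit(weak_session_id))
    print("strong:", audit(strong_session_id))
```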

Man-in-the-browser attack :-This is similar to a man-in-the-middle attack, but the attacker must first infect the victim's
computer with a Trojan through some form of trickery or deceit. Once the victim is tricked into installing malware onto the
system, the malware waits for the victim to visit a targeted site. The man-in-the-browser malware can invisibly modify
transaction information and it can also create additional transactions without the user knowing. Because the requests are
initiated from the victim's computer, it is very difficult for the web service to detect that the requests are fake.

Cross-site scripting :-Cybercriminals exploit server or application vulnerabilities to inject client-side scripts into web pages.
This causes the browser to execute arbitrary code when it loads a compromised page. If HttpOnly isn’t set in session
cookies, cybercriminals can gain access to the session key through injected scripts, giving them the information they need
for session hijacking.

Session side jacking :-Cybercriminals can use packet sniffing to monitor a victim’s network traffic and intercept session
cookies after the user has authenticated on the server. If TLS encryption is only used for login pages and not for the entire
session, cybercriminals can hijack the session and act as the user within the targeted web application.
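A check for the two cookie weaknesses described in the cross-site scripting and side-jacking paragraphs, as an added example that is not part of the original notes: it inspects the `Set-Cookie` headers of a response and reports session cookies that lack `HttpOnly` or `Secure`. The session cookie names and the sample headers are constructed assumptions.

```python
# Cookie names treated as session cookies (assumed; adjust to your application).
SESSION_COOKIE_NAMES = {"sessionid", "phpsessid", "jsessionid"}


def parse_set_cookie(value: str):
    """Split one Set-Cookie value into (name, {lower-cased attribute: value})."""
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_session_cookies(headers):
    """Return {cookie name: [findings]} for the session cookies in a response."""
    report = {}
    for header, value in headers:
        if header.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if name.lower() not in SESSION_COOKIE_NAMES:
            continue  # preference cookies and the like are out of scope
        findings = []
        if "httponly" not in attrs:
            # Without HttpOnly, script running in the page can read the cookie.
            findings.append("no-httponly")
        if "secure" not in attrs:
            # Without Secure, the browser also sends the cookie over plain HTTP.
            findings.append("no-secure")
        report[name] = findings
    return report


# Constructed sample responses, not captured from a real site.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "PHPSESSID=constructed-value-1; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/"),
]
HARDENED_RESPONSE = [
    ("Set-Cookie", "PHPSESSID=constructed-value-2; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    print(audit_session_cookies(WEAK_RESPONSE))
    print(audit_session_cookies(HARDENED_RESPONSE))
```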

Session fixation attacks:- This technique steals a valid session ID that is yet to be authenticated. Then, the attacker tries to
trick the user into authenticating with this ID. Once authenticated, the attacker now has access to the victim's computer.
Session fixation exploits a limitation in the way the web application manages a session ID. Three common variations exist:
session tokens hidden in a URL argument, session tokens hidden in a form field and session tokens hidden in a session
cookie.
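The session-management limitation behind fixation, shown beside its fix, as an added example that is not part of the original notes: a login that keeps the pre-login session ID next to one that issues a fresh ID on authentication. `SessionStore`, its method names and the user name are hypothetical.

```python
import secrets


class SessionStore:
    """In-memory stand-in for a web application's server-side session table."""

    def __init__(self):
        self._sessions = {}  # session ID -> user name, or None if anonymous

    def start(self, presented_id=None):
        # Reuse an ID only if this server issued it; otherwise mint a new one.
        if presented_id in self._sessions:
            return presented_id
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = None
        return sid

    def login_keep_id(self, sid, user):
        """Vulnerable: the pre-login ID becomes the authenticated ID."""
        self._sessions[sid] = user
        return sid

    def login_rotate_id(self, sid, user):
        """Hardened: discard the pre-login ID and issue a fresh one."""
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = user
        return new_sid

    def user_for(self, sid):
        return self._sessions.get(sid)


def preauth_id_after_login(login_method_name):
    """Return (user bound to the pre-login ID, user bound to the current ID)."""
    store = SessionStore()
    preauth = store.start()             # ID that existed before authentication
    browser_sid = store.start(preauth)  # the user's browser presents that ID
    current = getattr(store, login_method_name)(browser_sid, "alice")
    return store.user_for(preauth), store.user_for(current)


if __name__ == "__main__":
    print("keep ID:  ", preauth_id_after_login("login_keep_id"))
    print("rotate ID:", preauth_id_after_login("login_rotate_id"))
```

With rotation, an ID that was known before login maps to no user afterwards, so anyone else who holds it gains nothing.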

SESSION HIJACKING PROCESS

1. Sniffing into Active Session:

The attacker then finds an active session between the target and another machine and places himself between them. Using a sniffer like Wireshark, he
captures the traffic and tries to gather information about the session.

2. Monitor:

He then monitors the traffic for vulnerable protocols like HTTP, telnet, rlogin, etc., and tries to find any valid authentication packets passing through.

3. Session Id Retrieval:
The attacker tries to predict the session id using available information. Now that a target has been chosen, the next step in the session hijacking process
is sequence number prediction. Sequence number prediction is a critical step because failing to predict the correct sequence number will result in the
server sending reset packets and terminating the connection attempt. If the attacker guesses the sequence numbers wrong repeatedly, the likelihood of
detecting the attack increases.

4. Stealing:

In application-level hijacking, active attacks are pursued to steal the session ID. Man-in-the-middle attacks, cross-site scripting and sniffing are used to steal
the session ID.

Brute Forcing: This is a time-consuming process.

While sequence number guessing can be done manually by skilled attackers, software tools are available to automate the process.

5. Take One of the Parties Offline:

Once a session is chosen and sequence numbers predicted, one of the targets has to be silenced. This is generally done with a denial of service attack.
The attacker must ensure that the client computer remains offline for the duration of the attack, or the client computer will begin transmitting data on
the network, causing the workstation and the server to repeatedly attempt to synchronize their connections, resulting in a condition known as an ACK
storm.

6. Take over the Session and Maintain the Connection:

The final phase of the session hijack attack entails taking over the communication session between the workstation and server. The attacker will spoof
their client IP address, to avoid detection, and include a sequence number that was predicted earlier. If the server accepts this information, the attacker
has successfully attacked the communication session.

Types of Session Hijacking:


Session hijacking is of three types:

1. Active Session Hijacking : Active session hijacking occurs when the attacker takes control of the active session. The actual user of
the network goes offline, and the attacker acts as the authorized user. The attacker can also take control of the communication
between the client and the server. To interrupt the communication between client and server, the attackers send massive traffic
to attack a valid session and cause a denial-of-service (DoS) attack.

2. Passive Session Hijacking : In passive session hijacking, instead of controlling the overall session of the targeted user, the
attacker monitors the communication between a user and a server. The main motive of the hacker is to listen to all the data and record it for
future use. Basically, the attacker steals the exchanged information and uses it for irrelevant activity. This is also a kind of man-in-the-middle attack (as
the attacker is in between the client and the server exchanging information).

3. Hybrid Hijacking : The combination of active session hijacking and passive session hijacking is referred to as hybrid hijacking. Here
the attacker monitors the communication channel (the network traffic) and, whenever they find an issue, takes control of the web
session and carries out their malicious tasks.

HOW TO PREVENT SESSION HIJACKING


There’s a lot you can do to help protect yourself online. Take these steps to help prevent session hijacking and increase your online security:
1. Avoid public Wi-Fi:- Never use public Wi-Fi for important transactions like banking, online shopping, or logging into your email or social media
accounts. There may be a cybercriminal at the next table who is using packet sniffing to capture session cookies and other information.
2. Use a VPN :- If you want to use public Wi-Fi, get a virtual private network (VPN) to help stay safe and keep session hijackers out of your
sessions. A VPN masks your IP address and keeps your online activities private by creating a “private tunnel” through which all your online activity
travels. A VPN encrypts the data you send and receive.
3. Add security software :- Install licensed security software on your devices and make sure to update it regularly. You can also set automatic
updates. Security software can detect viruses and protect you from malware, including the malware that attackers use to perform session hijacking.
4. Watch out for scams:- Avoid clicking on any link in an email unless you’ve verified that it’s from a legitimate sender. Session hijackers may send
you an email with a link and create a sense of urgency to click it. The link may install malware on your device or take you to a login page that will log
you into a site using a session ID provided by the attacker.
5. Be aware of site security :- Reputable banks, email providers, online merchants, and social media sites have safeguards in place to avoid
session hijacking. Smart site owners will install HTTPS on the entire site, not just their homepage. They’ll also find and close security loopholes
promptly.

The possibility of falling victim to a session hijacking attack can be scary. But just taking these steps will go a long way toward protecting
you from these attackers who want to steal your session information.

Over the past decade, more individuals have gained access to the internet than
ever before. Many organizations develop web-based applications, which users can use to interact with them. But improper configuration and
poorly written code in web servers are a threat and can be used to gain unauthorized access to the servers' sensitive data.

Causes of webservers being compromised


A web server is a computer where the web content is stored. Web servers run on various operating systems, are connected to the back-end database
and run various applications.
1. Personal Computer Security :- When a personal computer is hacked, the attack could include stealing saved information for websites and
logins. This gives the criminal access to online resources using your own credentials. These hacks can come from compromised websites, infected
software or through bots scanning various IP addresses looking for weakness in a system.
2. Indirect Server Hacks :- A direct assault on your website isn’t the only way the criminal can gain access to its pages. Many sites are hosted on
a “shared” server. This means that all accounts hosted on that server are utilizing the same drives, CPUs and memory space. If any one of these
websites is compromised, it could lead to hackers accessing your data indirectly. Even a hack aimed specifically at the hosting company can put
the information at risk.
3. Responding to Phishing :- Email Phishing attacks are the practice of sending fraudulent communications that appear to come from a reputable
source. It is usually done through email. Its goal is to steal sensitive data like credit card and login information, or to install malware on the
victim's machine. The hacker will create an email that looks legitimate asking for passwords or providing links to “log in” to your account. In many
cases, these links lead to hacked websites that are hosting a false page in order to obtain the information.
4. Outdated Scripts :- Scripts are often used to develop a website to control everything from graphics to databases. They are also a common
element for hackers to gain control of the website itself. When a script is detected as having an exploit, developers will create updates in order to
prevent cyber-attacks. Even installation scripts for web-based applications, plugins and add-ons can open the doors to hackers.
5. Lack of security policy and procedures :- Lack of a security policy and procedures such as updating antivirus software, patching the operating
system and web server software can create security loopholes for attackers.
6. Bugs in the operating system and web servers :- Discovered bugs in the operating system or web server software can also be exploited to gain
unauthorized access to the system.
