We Need To Know Session Hijacking

RAJLE GOVINDA
7 min read · Jan 20, 2022

Session Hijacking also Known as Cookie Hijacking

Session hijacking, also known as cookie hijacking, is the exploitation of a valid computer session (sometimes also called a session key) to gain unauthorized access to information or services in a computer system.

What is Session Hijacking?

Session Hijacking, also known as TCP session hijacking, is a method of taking over a web user session by surreptitiously obtaining the session ID and masquerading as the authorized user. Once the user’s session ID has been accessed, the attacker can masquerade as that user and do anything the user is authorized to do on the network.

One of the most valuable byproducts of this type of attack is the ability to gain access to a server without having to authenticate to it. Once the attacker hijacks a session, they no longer have to worry about authenticating to the server as long as the communication session remains active. The attacker enjoys the same server access as the compromised user because the user has already authenticated to the server before the attack.

What is a session?

A session is a series of interactions between two communication endpoints that occurs during the span of a single connection. When a user logs into an application, a session is created on the server in order to maintain the state for other requests originating from the same user.

Applications use sessions to store parameters that are relevant to the user. The session is kept “alive” on the server as long as the user is logged on to the system. The session is destroyed when the user logs out from the system or after a predefined period of inactivity. When the session is destroyed, the user’s data should also be deleted from the allocated memory space.

A session ID is an identification string (usually a long, random, alpha-numeric string) that is transmitted between the client and the server. Session IDs are commonly stored in cookies, URLs and hidden fields of web pages.

Besides the useful functionality of session IDs, there are several security problems associated with them. Many popular websites generate session IDs from easily predictable inputs, such as the time or the client’s IP address, which makes the resulting IDs guessable. If encryption is not used (typically SSL/TLS), session IDs are transmitted in the clear and are susceptible to eavesdropping.
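As an added example (not part of the original article), the block below contrasts a hypothetical legacy scheme that derives the session ID from login time and client IP with one that draws it from the OS cryptographic random generator, and estimates how much effective entropy each provides. The function names and the 64-bit minimum (OWASP’s session management guidance) are assumptions for the illustration.

```python
# Added example: predictable vs. cryptographically random session IDs.
import hashlib
import math
import secrets


def weak_session_id(login_time: float, client_ip: str) -> str:
    """Hypothetical legacy scheme: SHA-256 of the login second and client IP.

    Hashing does not add secrecy. Anyone who can estimate the login time and
    knows the client address can recompute the identifier, so the ID is only
    as unpredictable as those two inputs.
    """
    material = f"{int(login_time)}:{client_ip}".encode()
    return hashlib.sha256(material).hexdigest()


def strong_session_id(nbytes: int = 32) -> str:
    """Session ID from the OS CSPRNG; 32 bytes gives 256 bits of entropy."""
    return secrets.token_urlsafe(nbytes)


def effective_entropy_bits(time_window_seconds: int, candidate_ips: int) -> float:
    """Effective entropy of the weak scheme: log2 of the number of distinct
    (second, IP) inputs it could have used, i.e. how many values an observer
    who knows the scheme would have to consider."""
    return math.log2(time_window_seconds * candidate_ips)


def passes_entropy_check(bits: float, minimum: float = 64.0) -> bool:
    """OWASP guidance: a session ID should carry at least 64 bits of entropy."""
    return bits >= minimum


if __name__ == "__main__":
    # Constructed sample: two logins in the same second from the same address
    # produce the same "weak" ID, while two strong IDs never collide.
    print(weak_session_id(1700000000.2, "203.0.113.7") == weak_session_id(1700000000.9, "203.0.113.7"))
    print(strong_session_id() != strong_session_id())
    # One hour of login times times 256 plausible addresses is under 20 bits.
    print(passes_entropy_check(effective_entropy_bits(3600, 256)))
```

The point of `effective_entropy_bits` is that an evaluator should count the inputs to the generator, not the length of the hash it prints: a 64-character hex string carries no more entropy than the timestamp and address that produced it.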

How is a session hijacked?

Attackers have several options to hijack a user’s session, depending on the attacker’s position and vector. Here are some of the ways a session can be hijacked:

  • Cross-site scripting (XSS): Attackers exploit vulnerabilities within servers or applications to inject client-side JavaScript into the users’ web pages, causing your browser to execute arbitrary code when it loads a compromised page. If the server doesn’t set the HttpOnly flag on session cookies, injected scripts can read your session key, giving attackers the information they need for session hijacking.
  • Session side jacking: By using packet sniffing, an attacker can monitor the traffic within the network and intercept the user’s session cookies after they have authenticated. If the website takes the cheap route of using SSL/TLS encryption for its login pages only, the attacker can use the session key obtained from packet sniffing to hijack the user’s session and impersonate them to perform actions in the web application. This typically happens on an unsecured WiFi hotspot, where an attacker can join the network, monitor its traffic, or set up their own access point to carry out the attack.
  • Session fixation: Attackers supply a session key and trick the user into accessing a vulnerable server with it, so that the user ends up authenticating a session whose identifier the attacker already knows.

The threat of session hijacking exists because HTTP is a stateless protocol: the server cannot tell one request from another except by the session identifier it carries, so whoever presents that identifier is treated as the user. This limitation is why sessions are vulnerable to these attacks.

Role of Encryption

In order to protect a user’s session from getting hijacked, organizations can encrypt the traffic that carries it. This encryption is necessary to protect your consumers’ sessions and is deployed through certificates.

  • SSL: SSL stands for Secure Sockets Layer and, in short, it’s the standard technology for keeping an internet connection secure and safeguarding any sensitive data that is being sent between two systems, preventing criminals from reading and modifying any information transferred, including potential personal details.
  • TLS: TLS (Transport Layer Security) is the updated, more secure successor to SSL.

How to Prevent Session Hijacking

In order to protect yourself from being hijacked while in a session, you need to strengthen the mechanisms in web applications. This can be done through communication and session management. Here are a few ways you can reduce the risk of session hijacking:

  • HTTPS: The use of HTTPS ensures that there is SSL/TLS encryption throughout the session traffic, not just on the login page. Attackers will be unable to intercept the plaintext session ID even if the victim’s traffic is monitored. It is advised to use HSTS (HTTP Strict Transport Security) so that browsers refuse to connect over plain HTTP at all.
  • HttpOnly: Setting the HttpOnly attribute on the session cookie prevents client-side scripts from reading it. This defeats XSS attacks that rely on injected JavaScript reading the cookie out of the browser.
  • System Updates: Install reputable antivirus software, which can detect viruses and protect you from malware (including the malware attackers use to perform session hijacking). Keep your systems up to date by setting up automatic updates on all your devices.
  • Session Management: In order to offer sufficient security, website operators should use the session management built into established web frameworks instead of inventing their own.
  • Session Key: It is advised to regenerate the session ID immediately after initial authentication. This renders any session ID an attacker obtained or planted beforehand useless, because the ID changes as soon as the user logs in.
  • Identity Verification: Perform additional identity verification beyond the session key. This includes checking the user’s usual IP address or application usage patterns and treating an unexpected change as a reason to re-authenticate.
  • Public Hotspot: Avoid using public WiFi to protect the integrity of your sessions and opt for secure wireless networks.
  • VPN: Use a Virtual Private Network (VPN) to stay safe from session hijackers. A VPN masks your IP and keeps your session protected by creating a “private tunnel” through which all your online activities are encrypted.
  • Phishing Scam: Avoid falling for phishing attacks. Only click on links in an email that you have verified to have been sent from a legitimate sender.
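The server-side measures in the list above (cookie attributes, HSTS, regenerating the ID at login, idle timeout, and a simple identity check) fit in a small session store. The block below is an added example written for this article, not code from the original post or from any framework; the class and function names, the 15-minute idle timeout, and the use of the User-Agent header as the extra identity check are assumptions made for the illustration.

```python
# Added example: a minimal session store that applies the measures above.
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

IDLE_TIMEOUT = 15 * 60  # assumed: seconds without a request before the session is destroyed

# Cookie attributes a session cookie must carry: Secure (never sent over plain
# HTTP, so side jacking on an open hotspot sees nothing), HttpOnly (invisible
# to injected scripts), SameSite (not attached to cross-site requests).
REQUIRED_COOKIE_ATTRS = ("Secure", "HttpOnly", "SameSite")

# HSTS: the browser will only ever talk to this host over HTTPS.
HSTS_HEADER = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


@dataclass
class Session:
    user: Optional[str] = None  # None until the user authenticates
    user_agent: str = ""        # bound at creation, checked on every request
    last_seen: float = 0.0
    data: Dict[str, str] = field(default_factory=dict)


class SessionStore:
    """Server-side sessions keyed by a 256-bit random ID."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, Session] = {}
        self._clock = clock  # injectable so the timeout can be tested

    def create(self, user_agent: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user_agent=user_agent, last_seen=self._clock())
        return sid

    def get(self, sid: str, user_agent: str) -> Optional[Session]:
        """Look up a session; expired or mismatched sessions are destroyed."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or s.user_agent != user_agent:
            self.destroy(sid)
            return None
        s.last_seen = now
        return s

    def login(self, sid: str, user_agent: str, user: str) -> str:
        """Authenticate and rotate the ID. An ID fixed or observed before
        login is useless afterwards, and an ID this server never issued is
        simply ignored rather than adopted."""
        old = self.get(sid, user_agent)
        self.destroy(sid)
        new_sid = self.create(user_agent)
        new = self._sessions[new_sid]
        new.user = user
        if old is not None:
            new.data = old.data  # keep pre-login state such as a shopping cart
        return new_sid

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def session_cookie_header(sid: str) -> str:
    """Value for the Set-Cookie response header, with every required attribute."""
    return (f"session={sid}; Path=/; Max-Age={IDLE_TIMEOUT}; "
            "Secure; HttpOnly; SameSite=Lax")


def audit_set_cookie(header_value: str) -> List[str]:
    """Return the required attributes missing from a Set-Cookie value.
    Useful as a check in tests or a response-header review."""
    present = {part.strip().split("=", 1)[0].lower()
               for part in header_value.split(";")[1:]}
    return [a for a in REQUIRED_COOKIE_ATTRS if a.lower() not in present]


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create("ExampleBrowser/1.0")          # constructed User-Agent
    authed = store.login(anon, "ExampleBrowser/1.0", "alice")
    print("rotated:", anon != authed)
    print("old id rejected:", store.get(anon, "ExampleBrowser/1.0") is None)
    print("Set-Cookie:", session_cookie_header(authed))
    print("weak cookie is missing:", audit_set_cookie("session=abc; Path=/"))
```

`audit_set_cookie` is the check a reviewer would run against a real response: a `Set-Cookie` line that lacks `Secure` is exactly the "login page only" configuration that side jacking exploits, because the browser will attach the cookie to the next plain-HTTP request.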

Example of Session Hijacking

This kind of attack takes advantage of information leaked through the compression ratio of TLS requests, which gives the attacker access to users’ login cookies that can then be used to hijack the user’s session. One such incident occurred in September 2012, when an organization of session hijackers called CRIME breached an organization’s website.

CRIME ended up hijacking the session by decrypting HTTPS cookies set by the website and authenticating as users by brute force, siphoning off a considerable amount of data.

What are examples of session hijacking?

Several high-profile examples illustrate exactly what can occur as a result of a session hijacking attack. Some of the most notable examples include:

1) “Zoom-bombing”

When the COVID-19 pandemic hit, the world turned digital, with school, work, and social events taking place over video conferencing applications like Zoom. It didn’t take long until these video conferences became a popular victim for session hijacking, even earning the name “Zoom-bombing.”

Several notable instances occurred in which attackers engaged in session hijacking to join private video sessions. The most-reported instances included those in which the attackers made themselves known by shouting profanities, hateful language, and sharing pornographic images. In response, companies like Zoom issued stronger privacy protections, such as meeting passwords and waiting rooms, so that meeting hosts could manually admit guests.

2) Mozilla Firefox “Firesheep” extension

In 2010, Mozilla Firefox released a browser extension called Firesheep that opened a vulnerability for people using the browser on public, unencrypted WiFi networks. Specifically, the Firesheep extension made it easy for attackers to steal these users’ session cookies from any website added to their preferences in the browser. Ultimately, many websites responded to protect against this session hijacking risk by requiring HTTP Secure (HTTPS) connections.

3) Slack

In 2019, a researcher on a bug bounty platform found a vulnerability in Slack that would allow attackers to force users into fake session redirects and then steal their session cookies, ultimately giving the attackers access to any data shared within Slack (which for many organizations ends up being quite a lot). Slack responded quickly and patched the vulnerability within 24 hours of the researcher identifying it.

4) GitLab

In 2017, a security researcher identified a vulnerability in GitLab in which users’ session tokens were available directly in the URL. Upon digging deeper, the researcher found that GitLab also used persistent session tokens that never expired, meaning once an attacker got one session token, they could use it without the worry of expiration.

This combination of open exposure and persistent tokens presented a serious risk, opening users to various severe attacks through session hijacking via a brute force attack. GitLab ultimately fixed the vulnerability by changing how it used and stored those tokens.
