Session Hijacking

    Session hijacking is an attack in which an attacker takes over a valid session by obtaining the client's session identifier. HTTP is a stateless protocol, so when a user logs in to a website the web server creates a session for that user; the session holds the server-side state for that user so that the username and password are not needed on every page request. The server identifies that session with a unique value, the session identifier, which is passed between the web server and the user's browser on every request (usually in a cookie). In a session hijacking attack the attacker steals this identifier, sends it to the server as if it were their own, and the server treats the attacker as the legitimate user. This is shown in the diagrams below:



    Attackers use several techniques to hijack user sessions on a server; the most common are listed and described below.

    1) Session Prediction

    Some web applications use non-random or weakly random values as session identifiers (a counter, a timestamp, a hash of the username, and so on). If an attacker works out how the server generates them, they can predict a valid identifier and gain access to the application. This method is mostly used when the attacker just wants access to some authenticated session rather than a specific user's account: predicting a specific user's identifier is much harder, because the identifier is usually derived from several variables, including the time of login.
    • Prevention:-
    Generate session identifiers with a cryptographically secure random number generator and enough entropy (at least 64 bits, preferably 128 or more), so that the identifier does not depend on anything the attacker can guess. A value that merely looks random, such as a hash of a counter and a timestamp, is not enough, because the inputs to the hash are themselves guessable.

    2) Session Sidejacking -

    It is a session hijacking attack in which the attacker steals the client's session cookie, usually by sniffing the traffic between client and server and reading the cookie out of the captured packets. It can be carried out by (1) an attacker on the same local area network (LAN) as the client, for example on an open wireless network, and (2) any attacker who can see the traffic between that client and the server.
    • Prevention:-
    Packets are mostly captured from users on unsecured networks (especially open wireless networks), so users can reduce the risk by avoiding them. On the server side, serve the whole site over HTTPS and mark the session cookie with the Secure attribute, so the browser never sends it over plain HTTP; otherwise a single unencrypted request is enough to leak it.

    3) Session Fixation -

    All of the other methods of session hijacking focus on stealing or predicting a session identifier that already exists. In session fixation the attacker sets the user's session identifier before the user logs in to the site, so the attacker already knows the identifier once the session becomes authenticated and can use it straight away. The common ways of planting the identifier are described below.

    URL argument

    The attacker puts the session identifier in a URL and gets the client to click on it; following the link sets that user's session identifier to 1234, and once it is set the attacker can use the same identifier to take over the session after the user logs in.

    Hidden form fields

    The attacker tricks the user into logging in to the target web server through a look-alike login form that in reality comes from another web server (probably the attacker's). The form carries the session identifier in a hidden field, so during the login the attacker can capture or set that user's session information.

    Cookie set by script

    The attacker sets the user's cookie using a script (example: document.cookie="PHPSESSID=1233"). Since this attack is carried out by the attacker using some method to set the user's cookie,
    • Prevention:-
    1) In PHP, set session.use_only_cookies = 1 (the default since PHP 5.3); this stops the server from accepting a session identifier passed in the URL. session.use_strict_mode = 1 goes further and makes the server reject any identifier it did not generate itself, which covers the cookie-based variants as well.
    2) Regenerate the session identifier when the user logs in (session_regenerate_id(true) in PHP), so that whatever identifier was planted before login becomes worthless.
    3) Users should check hyperlinks before clicking on them: when a user hovers over a hyperlink, the browser displays the URL it points to at the bottom of the window.

    4)Cross Site Scripting

    Cross-site scripting (XSS) is another way to obtain a user's session information: script injected into a page runs in the user's browser with access to that page's cookies, so it can send the session identifier to the attacker or set it, which is session fixation again (OWASP, 2010).
    • Example: a link that looks to users like a normal hyperlink to http://worldbank.dom/ but carries injected script, so that when they click on it the script sets that user's session identifier.

    Preventing Session Hijacking

    Since session hijacking depends on the attacker obtaining the user's session identifier, preventing it means protecting that identifier from being stolen, predicted or planted. There are several things we can do:
    1. Use secure connections (HTTPS/TLS) for the whole site and mark the session cookie Secure so it is never sent in clear: TLS encrypts the traffic between client and server, so anything the attacker captures on the wire is useless to them. TLS alone does not fully prevent hijacking, however; the identifier can still be obtained through XSS, session fixation or prediction, and a cookie without the Secure attribute leaks on the first plain-HTTP request.
    2. Regenerate the session identifier regularly and, above all, on every login or privilege change: even if the attacker manages to steal an identifier, it becomes useless once it is replaced.
    3. Bind the session to the client's IP address and reject requests for that session from a different address. This has limitations: users behind NAT or a proxy share one address, and mobile users change address mid-session, so a strict check produces false positives and logs legitimate users out.
    4. Mark the session cookie HttpOnly, so that it cannot be read from the DOM via document.cookie. Bypasses have been reported over the years (for example through the HTTP TRACE method, which browsers now refuse to issue from script), but HttpOnly still makes it considerably harder to steal the cookie with most session hijacking attacks, XSS included.
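    The fixation prevention steps above and this prevention list, combined in one place as an added example that is not code from the original post: a small in-memory session manager standing in for a web framework's session store. SessionManager, the SESSIONID cookie name and the IDLE_TIMEOUT policy are assumptions for the demo. It takes the identifier from the cookie only (the equivalent of session.use_only_cookies), generates it from the OS CSPRNG, regenerates it on login, emits the cookie with Secure, HttpOnly and SameSite, binds the session to the client address and expires idle sessions.

```python
"""Session manager hardened against fixation and hijacking (added example)."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

COOKIE_NAME = "SESSIONID"   # hypothetical cookie name
IDLE_TIMEOUT = 15 * 60      # seconds of inactivity before a session dies (hypothetical policy)


@dataclass
class Session:
    client_ip: str
    last_seen: float
    user: Optional[str] = None   # None until the user authenticates


class SessionManager:
    """In-memory stand-in for a framework's session store."""

    def __init__(self) -> None:
        self._store: Dict[str, Session] = {}

    @staticmethod
    def new_id() -> str:
        # 32 bytes from the OS CSPRNG: unpredictable, unlike counter/time-derived IDs.
        return secrets.token_urlsafe(32)

    @staticmethod
    def set_cookie_header(sid: str) -> str:
        # Secure: sent only over TLS, so a sniffer on an open network never sees it.
        # HttpOnly: invisible to document.cookie, so injected script cannot read it.
        # SameSite=Lax: not attached to cross-site POSTs.
        return f"Set-Cookie: {COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"

    @staticmethod
    def id_from_request(cookie_header: str, url: str) -> Optional[str]:
        """Take the identifier from the Cookie header only (PHP's
        session.use_only_cookies=1). An identifier smuggled into the query
        string, the fixation vector described above, is deliberately ignored."""
        cookies = dict(
            part.strip().split("=", 1)
            for part in cookie_header.split(";")
            if "=" in part
        )
        if COOKIE_NAME in parse_qs(urlsplit(url).query):
            pass  # fixation attempt; a real application would log it
        return cookies.get(COOKIE_NAME)

    def start(self, client_ip: str, now: Optional[float] = None) -> str:
        """Anonymous (pre-login) session bound to the requesting address."""
        sid = self.new_id()
        self._store[sid] = Session(client_ip=client_ip,
                                   last_seen=time.time() if now is None else now)
        return sid

    def login(self, old_sid: str, user: str, client_ip: str,
              now: Optional[float] = None) -> str:
        """Regenerate on privilege change: whatever identifier the browser carried
        before login (planted, sniffed or guessed) is destroyed, and the
        authenticated session gets a fresh one issued only to this client."""
        self._store.pop(old_sid, None)
        sid = self.start(client_ip, now)
        self._store[sid].user = user
        return sid

    def lookup(self, sid: Optional[str], client_ip: str,
               now: Optional[float] = None) -> Optional[Session]:
        """Resolve an identifier; an unknown, idle-expired or wrong-address
        identifier is invalidated rather than served. The address check is the
        IP binding from the text; it also logs out legitimate users whose
        address changes (mobile networks, some proxies), which is its limitation."""
        now = time.time() if now is None else now
        session = self._store.get(sid) if sid else None
        if session is None:
            return None
        if now - session.last_seen > IDLE_TIMEOUT or session.client_ip != client_ip:
            del self._store[sid]
            return None
        session.last_seen = now
        return session
```

    With this in place the URL-argument fixation fails twice over: the identifier in the query string is never read, and even a planted cookie is replaced by login(). A sniffed or XSS-stolen identifier replayed from the attacker's address is rejected by lookup() and destroyed, which also ends the victim's session; that is the trade-off of strict IP binding, and a deployment with mobile users may prefer to re-authenticate rather than invalidate on a mismatch.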
    Last edited by nisanth; 8th May 2014, 12:52 PM.