Session hijacking is a cyberattack in which a malicious hacker places himself between your computer and the website's server while you are engaged in an active session (the time between logging into your bank account and logging off after your operation, for example) in order to steal that session.
Big websites and servers with many connected computers and visitors are the ideal targets for session hijacking because the attacker can blend in with the great amounts of traffic and stay hidden in the background.
It is often called cookie hijacking or cookie side-jacking because the hacker gains knowledge of your session cookie giving him access to the session ID that lets him impersonate the user and perform actions on his behalf: transferring your money to his account for instance.
The biggest threat of session hijacking is that the malicious attacker can also enter the server and access its information without having to hack a registered account. In addition, he can also make modifications on the server to help him hack it in the future or to simplify a data-stealing operation.
Many websites and web applications have software vulnerabilities that allow a malicious hacker to infect them with malicious scripts. When a user visits or does a certain action on infected websites, the scripts activate.
In other words: the hacker infects a website or web application with a malicious script. The reason this works is that the web application has vulnerabilities. The method: the hacker takes an online app and sends malicious code (Java, HTML, Flash, etc.) to an end user; the code appears trustworthy because it comes from the server.
Another way to make sure session stealing malware doesn’t infect you is to use traffic filtering solutions. These programs scan your traffic and then block any malware that might be coming towards your PC. A traffic filtering solution will also scan your outgoing traffic.
The final phase of the session hijack attack entails taking over the communication session between the workstation and the server. The attacker spoofs the client's IP address to avoid detection and includes a sequence number that was predicted earlier. If the server accepts this information, the attacker has successfully hijacked the communication session.
Now that a target has been chosen, the next step in the session hijacking process is sequence number prediction. Sequence number prediction is a critical step because failing to predict the correct sequence number will result in the server sending reset packets and terminating the connection attempt. If the attacker guesses the sequence numbers wrong repeatedly, the likelihood of detecting the attack increases.
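The paragraph above gives defenders a concrete symptom: every wrong sequence-number guess makes the server answer with a reset, so a burst of RSTs from one server toward one client is worth alerting on. The following is an added example (not code from the original page) that runs a sliding-window RST counter over constructed flow records. The record format (`timestamp src dst flags`), the server address, the threshold of 5 and the 10-second window are all assumptions chosen for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample flow records (not taken from the page): one line per TCP segment,
# "ISO-timestamp source destination flags". 192.0.2.10 plays the server.
SAMPLE_LOG = """\
2024-01-01T10:00:00 192.0.2.10 10.0.0.5 RST
2024-01-01T10:00:01 192.0.2.10 10.0.0.5 RST
2024-01-01T10:00:01 192.0.2.10 10.0.0.5 RST
2024-01-01T10:00:02 192.0.2.10 10.0.0.5 RST
2024-01-01T10:00:03 192.0.2.10 10.0.0.5 RST
2024-01-01T10:00:03 192.0.2.10 10.0.0.5 RST
2024-01-01T10:00:04 192.0.2.10 10.0.0.7 ACK
2024-01-01T10:00:30 192.0.2.10 10.0.0.7 RST
2024-01-01T10:05:00 192.0.2.10 10.0.0.5 RST
"""


def parse_records(log):
    """Yield (timestamp, src, dst, flags) tuples from the constructed log format."""
    for line in log.splitlines():
        ts, src, dst, flags = line.split()
        yield datetime.fromisoformat(ts), src, dst, flags


def rst_bursts(log, server_ip, threshold=5, window_seconds=10):
    """Return {client_ip: peak_rst_count} for every client that received at least
    `threshold` RSTs from server_ip inside some window of `window_seconds`.

    A single RST is normal (a closed port, an aborted connection); a tight cluster
    toward one client is the pattern produced by repeated out-of-window segments
    being rejected, which is what failed sequence-number guessing looks like."""
    windows = defaultdict(deque)   # client -> timestamps of recent RSTs
    peaks = {}
    for ts, src, dst, flags in parse_records(log):
        if src != server_ip or "RST" not in flags:
            continue
        recent = windows[dst]
        recent.append(ts)
        # Drop RSTs that fell out of the sliding window.
        while (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if len(recent) >= threshold:
            peaks[dst] = max(peaks.get(dst, 0), len(recent))
    return peaks


if __name__ == "__main__":
    for client, count in rst_bursts(SAMPLE_LOG, "192.0.2.10").items():
        print(f"ALERT: {count} RSTs from server to {client} within 10s")
```

In the constructed data 10.0.0.5 receives six resets within four seconds and is flagged; 10.0.0.7 receives a single reset and is not, and the late reset to 10.0.0.5 at 10:05 falls outside the window and does not count. On a real sensor the same logic would be fed from flow export or a packet capture rather than an embedded string.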
Packet sniffing software can be used to sniff network traffic for the purpose of locating vulnerable protocols like FTP, Telnet, and rlogin.
Keeping the legitimate client offline is generally done with a denial of service attack. The attacker must ensure that the client computer remains offline for the duration of the attack, or the client computer will begin transmitting data on the network, causing the workstation and the server to repeatedly attempt to synchronize their connection, resulting in a condition known as an ACK storm.
Attackers look for two things prior to their attack. First, they look for networks that have a high level of utilization: high-volume networks help attackers remain anonymous and also provide a healthy supply of users to choose from, which further helps the attack.
Port scanning software can also be used to identify servers that have FTP, Telnet, or rlogin ports open.

Sniffing into an Active Session: The attacker then finds an active session between the target and another machine and places himself between them.
Ultimately, the purpose of session hijacking is to exploit vulnerabilities in network sessions in order to view or steal confidential data and use restricted network resources.
In order to perform session hijacking, an attacker must complete a series of steps. The session hijacking process is as follows:

1. Reconnaissance: The first step of the session hijacking process involves the attacker scoping out their target in order to find an active session. Typically, attackers use applications like network sniffers to help them accomplish this step.
2. Network Monitoring: In this step, the attacker will lurk on the compromised network, attempting to identify the use of any vulnerable traffic that has not been properly secured. Protocols such as FTP and HTTP are commonly known to be insecure.
3. Determining Session ID: The next step involves the attacker determining the session ID that allows for a legitimate connection to take place. The attacker will use all the information they have gathered during the previous two steps to try and predict the session ID.
4. Infiltration: Once the attacker has retrieved the correct session ID, the next step involves infiltrating the network and taking over, or hijacking, the user's session.
Transport Layer Hijacking occurs in TCP sessions and involves the attacker disrupting the communication channel between a client and server in such a way that data is unable to be exchanged. Thus, the attacker is able to send fraudulent data packets that appear legitimate to both the client and server, essentially taking over the session.

IP spoofing is a type of attack that involves the hijacker using a forged IP address in order to appear as a trusted host. In this way, the hijacker is able to communicate freely with computers on the network.

Blind Hijacking is a technique where an attacker will intercept communications during a session and send his own malicious data or commands. However, the attacker will not be able to see the responses he receives and would only be guessing as to what the client and server are responding.
In Application Layer Hijacking, an attacker either steals or successfully predicts the session token needed in order to hijack a session. This type of session hijacking mainly occurs with sessions that utilize HTTP. Two examples of Application Layer Hijacking are Man-in-the-Middle attacks and attacks that utilize a proxy. A Man-in-the-Middle attack occurs when an attacker is able to fit himself into the communication channel between a client and a server, much like the example noted at the start of this lesson. Proxy attacks, on the other hand, occur when an attacker causes network traffic to go through a proxy that he or she has set up, capturing the session ID in the process.
In our initial example where you send notes in class, the malicious classmate would use passive session hijacking if he or she is merely reading the contents of your notes. However, if they alter the message or send their own notes disguised as yours, they would be utilizing active session hijacking.
To defend a network against session hijacking, a defender has to implement security measures at both the application level and the network level. Network-level hijacks can be prevented by encrypting the packets so that the hijacker cannot decipher the packet headers to obtain any information which would aid in spoofing. This encryption can be provided by using protocols such as IPsec, SSL, SSH, etc. Internet security protocol (IPsec) has the ability to encrypt the packet under a shared key between the two parties involved in the communication. IPsec runs in two modes: Transport and Tunnel. In Transport Mode only the data sent in the packet is encrypted, while in Tunnel Mode both packet headers and data are encrypted, so it is more restrictive.
The most common method of session hijacking is called IP spoofing, where an attacker uses source-routed IP packets to insert commands into an active communication between two nodes on a network while disguising itself as one of the authenticated users. This type of attack is possible because authentication typically is only done at the start ...
An attacker can also capture the victim's session ID with an XSS attack using JavaScript. If an attacker sends a crafted link containing the malicious JavaScript to the victim, then when the victim clicks on the link the JavaScript will run and carry out the attacker's instructions. Spoofing is pretending to be someone else.
Session hijacking is a serious threat to networks and web applications on the web, as most systems are vulnerable to it.
A cybercriminal can hijack the session of the victim by stealing the session ID or a session cookie to make the server believe that the criminal is the legitimate user. The bad guys can also hijack the session by persuading the victim to log in using a compromised session ID.
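The second sentence above describes session fixation: the victim is made to log in with an ID the attacker already knows. The server-side defences are to issue IDs an attacker cannot guess (addressing the "predict the session ID" step described earlier on this page), to throw away whatever ID the client presented and mint a fresh one at login, and to expire idle sessions. The following is an added example that is not part of the original page; the `SessionStore` class, its method names, the 256-bit ID length and the 15-minute idle timeout are all assumptions made for the illustration.

```python
import secrets
import time


class SessionStore:
    """Minimal in-memory session store showing three defensive properties:
    unpredictable IDs, ID regeneration at login, and idle expiry."""

    ID_BYTES = 32  # 256 bits from the OS CSPRNG: not guessable or enumerable

    def __init__(self, idle_timeout=900, clock=time.time):
        self._sessions = {}           # session_id -> {"user": ..., "last_seen": ...}
        self.idle_timeout = idle_timeout
        self._clock = clock           # injectable so expiry can be tested deterministically

    def _mint(self, user):
        sid = secrets.token_urlsafe(self.ID_BYTES)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def new_session(self):
        """Anonymous (pre-login) session for a first-time visitor."""
        return self._mint(None)

    def lookup(self, sid):
        """Resolve an ID to its session, or None if unknown or idle too long."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._clock() - entry["last_seen"] > self.idle_timeout:
            del self._sessions[sid]   # expired: forget it rather than let it linger
            return None
        entry["last_seen"] = self._clock()
        return entry

    def login(self, presented_sid, user):
        """Authenticate and ALWAYS issue a fresh ID. Whatever ID the client arrived
        with (possibly one an attacker planted) is discarded, so a pre-chosen ID
        never becomes an authenticated one."""
        self._sessions.pop(presented_sid, None)
        return self._mint(user)

    def logout(self, sid):
        self._sessions.pop(sid, None)


def fixation_resisted(store):
    """Scenario check: the client logs in while carrying a constructed, attacker-chosen
    ID. After login that ID must resolve to nothing, and the real session must live
    only under the newly minted ID."""
    planted = "attacker-chosen-id"          # constructed value for the illustration
    new_sid = store.login(planted, "alice")
    return (store.lookup(planted) is None
            and new_sid != planted
            and store.lookup(new_sid)["user"] == "alice")


if __name__ == "__main__":
    s = SessionStore()
    print("fixation resisted:", fixation_resisted(s))
```

The same rotation should also happen on any privilege change (for example, after a password change), and the ID itself should travel only in a cookie marked HttpOnly and Secure so that neither page scripts nor plaintext sniffers can read it.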
A cybercriminal can use various methods to hijack your session. They can also use a combination of methods to carry out a session hijacking attack. Let’s look at some of the most commonly used methods of session hijacking as well as some other closely related attack methods.
Isn’t it scary to see so many methods used for session hijacking? However, implementing preventive and security measures can help you secure your session. Cybercriminals take different routes for each session hijacking method; hence, security experts must devise different measures to foil their attacks and put a stop to these threats.
A cybercriminal can do virtually anything the victim can do by hijacking the victim's session. The server will consider the attacker a legitimate user. An attacker can steal money (carry out a transfer from the victim's bank account) or steal sensitive information.
It is called passive session hijacking because the attacker does not need to interact with the user or make him perform any specific action, so there is less risk of raising suspicion.
TCP hijacking is the oldest type of session hijacking. TCP session hijacking deals with successfully predicting the initial sequence numbers that get exchanged between two hosts: a client and the server.
The most common type of XSS flaw is a server-side vulnerability: when a web server takes input from a user and returns it back to the user without any validation, this leads to a non-persistent XSS vulnerability.
A session is a semi-permanent interactive information interchange, also known as a dialogue, a conversation or a meeting, between two or more communicating devices, or between a computer and a user.
This JavaScript can steal A's cookies, which were placed by PayPal, and send them to the attacker. Your web browser will not block access to the cookie, since it is being accessed from PayPal's own website. The attacker now has A's cookie, which leads to the account being compromised.
However, by using dynamic content on the website, your web application may become vulnerable to cross-site scripting attacks. Also known as XSS, it is one of the most prevalent vulnerabilities on the Internet today!
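The non-persistent XSS described above (input reflected without validation) and the cookie theft it enables have two independent fixes: escape the reflected input so the browser treats it as text, and mark the session cookie HttpOnly so that script running in the page cannot read it at all. The following is an added example, not code from the page: a vulnerable render function beside its escaped form, plus a helper that builds the hardened Set-Cookie header with Python's standard `http.cookies`. The function names, the `SESSIONID` cookie name and the probe input are constructed for the illustration.

```python
import html
from http.cookies import SimpleCookie

# Constructed probe input: a harmless marker that would be parsed as markup if reflected raw.
PROBE_INPUT = "<script>probe()</script>"


def render_search_vulnerable(query):
    """Reflects the user-supplied string into the page untouched.
    This is the non-persistent XSS pattern: whatever is in `query` becomes markup."""
    return f"<p>Results for: {query}</p>"


def render_search_safe(query):
    """Same page, but html.escape turns < > & \" ' into entities, so the input is
    displayed as literal text and never interpreted as a tag or attribute."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def contains_script_tag(page):
    """Crude check used to show the difference between the two renderers."""
    return "<script" in page.lower()


def session_cookie_header(session_id):
    """Build the Set-Cookie value for the session ID.
    HttpOnly  - the value is withheld from document.cookie, so even a script that
                does execute in the page cannot read it.
    Secure    - only ever sent over HTTPS, so a passive sniffer never sees it.
    SameSite  - Strict: not attached to requests initiated from other sites."""
    jar = SimpleCookie()
    jar["SESSIONID"] = session_id
    morsel = jar["SESSIONID"]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Strict"
    morsel["path"] = "/"
    return morsel.OutputString()


if __name__ == "__main__":
    print("vulnerable:", render_search_vulnerable(PROBE_INPUT))
    print("escaped:   ", render_search_safe(PROBE_INPUT))
    print("Set-Cookie:", session_cookie_header("example-session-id"))
```

Output escaping is the fix for the reflection itself; the cookie flags are defence in depth for the case where some other injection point is missed. Neither replaces the other, and `html.escape` is only correct for text inside an HTML element or quoted attribute, not for values placed inside a `<script>` block or a URL.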
In passive session hijacking the attacker does not hijack an active session; instead, the attacker sits silently on the same network and records the login credentials while the original user is establishing a new connection with the server.