Session hijacking is the act of taking control of a user session after successfully obtaining or generating an authentication session ID. In practice, an attacker uses a captured, brute-forced or reverse-engineered session ID to seize control of a legitimate user's web application session while that session is still in progress.
Types of Session Hijacking
There are two types of session hijacking attacks:
Active: In an active attack, an attacker finds an active session and takes it over.
Passive: In a passive attack, an attacker hijacks a session but sits back, watching and recording all the traffic that is sent back and forth.
Session Hijacking Attacks:
Attackers use several session hijacking attacks to gain access to user sessions on a server. The most common of these attacks are listed below:
- Session Prediction
- Session Sidejacking
- Session Fixation
- Cross Site Scripting
- Using Proxy Servers
- Physical Access to Server
Defending Against Session Hijacking
Since session hijacking is where the attacker steals a user's Session Identifier, to prevent this attack we need to protect the user's Session Identifier. There are several things we can do to help prevent this attack:
- Use secure connections (achieved through Secure Socket Layer (SSL)) as much as possible. Since SSL creates an encrypted connection between the client and server, any data the attacker steals during this transfer would be useless to them. However, SSL does not fully secure against this attack, and attackers can still use session hijacking even over HTTPS.
- Regenerate the user's session identifier often. Even if the attacker manages to steal a user's session identifier, once it is regenerated the Session Identifier they stole would be useless.
- You can implement an IP address check that ties a user's Session Identifier to his/her IP address. However, this has its limitations.
- Another method is to use HttpOnly cookies, which are cookies that claim to be inaccessible from the DOM. Some hackers have claimed to gain access to HttpOnly cookies through the DOM, but HttpOnly cookies would still make it harder to gain access to cookies using most of the session hijacking attacks. However, if session sidejacking is used, these cookies can easily be stolen over a LAN. Session sidejacking is spoofing cookies over a LAN.
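The following is an added example, not code from the original article, showing how the defences above fit together in a minimal in-memory session store: unpredictable identifiers issued by the server (so an attacker-chosen or guessed ID is never accepted), regeneration that invalidates the old ID, an optional IP check, and a cookie carrying the Secure and HttpOnly attributes. The class and function names are assumptions made for this example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    client_ip: str  # address the session was issued to; used by the optional IP check


class SessionStore:
    """In-memory session store illustrating the page's defences (example code)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, client_ip: str) -> str:
        # Fresh, unpredictable identifier from the OS CSPRNG: counters session
        # prediction, and never reusing a client-supplied ID counters fixation.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, client_ip)
        return sid

    def regenerate(self, old_sid: str) -> Optional[str]:
        # Issue a new ID and invalidate the old one (e.g. right after login or
        # periodically); a previously stolen ID then stops working.
        session = self._sessions.pop(old_sid, None)
        if session is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = session
        return new_sid

    def lookup(self, sid: str, client_ip: str, bind_ip: bool = True) -> Optional[Session]:
        # Unknown IDs, including guessed or attacker-chosen ones, resolve to no session.
        session = self._sessions.get(sid)
        if session is None:
            return None
        # Optional IP check: reject use from a different address. As the article
        # notes this has limitations (NAT, roaming clients), so it is a flag here.
        if bind_ip and session.client_ip != client_ip:
            return None
        return session


def session_cookie(sid: str) -> str:
    # Secure: only sent over HTTPS (limits capture on a LAN);
    # HttpOnly: not readable from the DOM via document.cookie (limits XSS theft).
    return f"SESSIONID={sid}; Secure; HttpOnly; Path=/"
```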