Session Hijacking Attacks: How They Work and What You Can Do to Prevent Them#

A user interacts with a web application in a variety of ways and can perform different actions depending on their access permissions. Most of the time these web applications require users to log in before performing actions that only authenticated and authorized users are allowed to perform. HTTP is a stateless protocol: it does not maintain user state across the different actions a user performs while using the web application. This means that application developers had to come up with another way to maintain the state of the user’s connection with the web application. The use of session IDs and cookies is one such way. However, malicious adversaries can employ different tactics to hijack the session of a legitimate user; these are called session hijacking attacks. This article goes over the basics of user sessions and session hijacking, the types of session hijacking attacks, and the techniques that can be used to prevent them.

What is a User Session, Session ID, and Session Cookies#

In general terms, a session is the series of communications that take place between two computing devices for the duration of a single connection. In the context of a web application, a session is the set of protocols and technologies, on both the server and the client side, used to maintain the state of the requests coming from a particular user. The session is created whenever a user logs in and is authenticated by the web application. Every user has a separate session, which is kept alive as long as the user is logged into the application. The session is destroyed either when the user logs out or when a certain period of user inactivity has elapsed.

A session ID, on the other hand, is a unique alphanumeric identifier associated with each user of the web application and used to identify that user. Session IDs are normally carried in cookies, URLs, and hidden fields on a web page, and are exchanged between the server and the user’s browser in order to identify the user. The following is an example of a URL with the session ID attached as a parameter:

https://www.example-site.com/index.php?id=1234567891abcde

This session ID and other session-related information are contained in a file called the session cookie. The session cookie is sent together with every web page request the browser makes to the server. It lets the server save time and gives the user a smoother experience by telling the server which page elements have already been sent by the browser. The file containing the session information is erased when the browser closes at the end of a user session on the application. Session cookies are kept in a temporary memory location that is cleared after the session ends; unlike other cookies, they are never stored persistently on the user’s device. For this reason they are also known as transient cookies, non-persistent cookies, or temporary cookies.

The implementation of a session cookie in a web application is easier to understand with the example of a user browsing an e-commerce website. Say the user makes a few purchases from an online store. The cookie makes sure that the session is not lost even if the user leaves the shopping cart to look at other items in the store, or even closes the application. The session cookie allows the shopping cart to be retrieved whenever the same user revisits the online store. It contains the user’s session ID as well as a list of the items in the shopping cart. The shopping website uses this cookie to check and maintain the state of each request generated by the user, and the cookie is included with each request to the server and each response the web application sends to the user.
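The shopping-cart scenario above, written out as a minimal server-side session store. This is an added example and not code from the article: the browser only ever holds the opaque session ID, while the user, the cart and the last-activity time live on the server; a session is destroyed on logout or once the idle timeout (a constructed 15-minute value here) has elapsed, exactly the two ways the article says a session ends.

```python
import secrets
import time

# Constructed value: destroy a session after 15 minutes without a request
IDLE_TIMEOUT_SECONDS = 15 * 60


class SessionStore:
    """Server-side session store keyed by an opaque session ID.

    The browser only ever holds the ID (in its session cookie); the user name, the
    shopping cart and the last-activity time stay on the server.
    """

    def __init__(self, clock=time.time):
        self._sessions = {}  # session_id -> {"user", "cart", "last_seen"}
        self._clock = clock  # injectable clock so expiry can be exercised deterministically

    def create(self, user):
        # 32 bytes from the OS CSPRNG, URL-safe encoded: unguessable and tied to nothing
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "cart": [], "last_seen": self._clock()}
        return sid

    def get(self, sid):
        """Return the session for sid, or None if it is unknown or idle-expired."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self._clock() - session["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]  # inactivity timeout: destroy rather than resurrect
            return None
        session["last_seen"] = self._clock()  # every valid request extends the idle window
        return session

    def destroy(self, sid):
        """Logout: remove the server-side state so the ID is worthless even if it leaks later."""
        self._sessions.pop(sid, None)


def add_to_cart(store, sid, item):
    """Handler for 'add item': returns False when the caller should redirect to login."""
    session = store.get(sid)
    if session is None:
        return False
    session["cart"].append(item)
    return True


def demo():
    now = [1_000_000.0]  # constructed fake clock, advanced by hand
    store = SessionStore(clock=lambda: now[0])
    sid = store.create("alice")
    add_to_cart(store, sid, "book")
    now[0] += 60  # one minute later, inside the idle window: cart still there
    cart_after_minute = list(store.get(sid)["cart"])
    now[0] += IDLE_TIMEOUT_SECONDS + 1  # then idle past the timeout: session gone
    expired = store.get(sid) is None
    return cart_after_minute, expired


if __name__ == "__main__":
    print(demo())
```

Keeping the cart on the server rather than in the cookie is the design choice worth noting: the cookie carries nothing an attacker could tamper with, and invalidating the server-side entry is enough to end the session no matter who still holds the ID.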

Session IDs provide extremely useful functionality for web applications. However, they are susceptible to a variety of attacks if not implemented correctly. One of the main reasons for these weaknesses is that a web application sometimes generates its session IDs using algorithms based on easily known characteristics, such as the time or the client’s IP address, which makes the IDs predictable and vulnerable to such attacks.

What is a Session Hijacking attack?#

A session hijacking attack, as the name indicates, involves a malicious adversary taking over a user session by capturing the legitimate user’s session ID. Having obtained the session ID, the attacker uses it to access the web application’s resources or perform actions while pretending to be that user. The primary goal of a session hijacking attack is to bypass the authentication mechanisms of the web application and access it as an already authenticated user. Once the attack succeeds, the attacker has the same access privileges and authorizations as the victim and can do anything the user could do on the website, such as carrying out credit card transactions, shopping at an online store, deleting user accounts, and much more. In essence, in a session hijacking attack the attacker makes the web application believe that they are the real user.

Most common forms of a Session Hijacking Attack#

A session hijacking attack can be performed in a variety of ways. The basic aim of all of them is the same: to bypass the authentication controls of a web application by stealing a user session and masquerading as that user. This section describes some of the most common forms of session hijacking attack.

IP Spoofing#

Spoofing is a type of cyber-attack in which a malicious adversary uses a computer, device, or network to pose as a legitimate entity in an effort to mislead other computers or networks. An attacker can use spoofing to steal sensitive information, plant malware on target devices, turn them into bots, and much more. IP spoofing, specifically, is the creation of Internet Protocol (IP) packets with a forged source IP address in order to masquerade as another computer system. An IP spoofing attack uses tools to alter the source address in the packet header so that the receiving system believes the packet originates from a trustworthy source, such as another computer on a legitimate network, and accepts it. Using this method, an attacker can send the server crafted packets carrying the IP address of a valid client computer, deceiving the server into thinking it is communicating with an authorized user.

Packet/Session Sniffing or Session Side Jacking attack#

In packet or session sniffing attacks, often referred to as session side jacking, attackers capture or log network packets as they pass between a client and a server using packet analysis tools such as Wireshark or Wi-Fi analyzers. Session sniffing gives the attacker the ability to intercept network packets, transferred between two nodes, that contain session information. If a web application does not use SSL or TLS to encrypt its traffic, that communication is left open to a variety of attacks: an attacker can use packet sniffing tools to capture sensitive information such as session cookies and use them to impersonate a legitimate user. Public Wi-Fi networks are especially susceptible to this kind of attack since they lack sufficient security controls to protect network traffic. The attacker can either use network packet analyzers or set up fake access points to intercept traffic and steal cookies, and can then use the stolen cookies to masquerade as the victim user.

Cross-site Scripting attack#

Cross-site scripting flaws can be used by an attacker to steal crucial session data. Client-side scripts (often JavaScript) are injected into web pages via server or application vulnerabilities, causing the browser to run the script when it loads the affected page. A malicious script can steal a valid user’s session ID if the server does not set the HttpOnly attribute on the session cookie. To understand how an attacker can take advantage of this flaw to steal a user’s session cookie, consider the following scenario. An attacker uses social engineering or a phishing attack to dupe the user into clicking a malicious link. The link carries a client-side script that, when the link is clicked, runs in the user’s browser. The script then reads the user’s session information through the document.cookie property of the page and sends it to the attacker’s website.

Session fixation attack#

A session fixation attack involves an attacker tricking the user into using a session ID that is already known to the attacker. The attacker then takes over this active user session and uses it to carry out further harmful activities. This type of attack is possible because of vulnerable session management settings that allow recently issued session IDs to be reused. In this type of attack the malicious adversary fixes an active session ID on the user’s browser before taking over the session using different attack techniques. By leveraging this attack, an attacker is able to trick the vulnerable application into treating forged requests as if they were made by the legitimate user’s session.

Brute force attack#

To create session IDs, a web application sometimes uses weak algorithms. The vulnerability here arises from the use of session IDs with predictable values, which might be based on details such as the date, time, IP address, and many other things. When malicious adversaries discover that the session IDs used by the underlying web server are predictable, they can use a variety of brute force techniques to guess legitimate user session IDs.

How to Prevent Session Hijacking Attacks?#

This section goes over some of the recommended techniques for preventing session hijacking attacks in a web application. Application developers must enforce both application-level and network-level controls to ensure that session information is protected from the different attack vectors.

Enforce End-to-End Encryption Controls#

The application must use HTTPS on all its interfaces and pages to safeguard the session information. Additionally, the application must use encryption to safeguard the network traffic exchanged between the client and server sides of the application; various schemes such as SSL, TLS, and IPsec can encrypt this traffic end to end. Besides these controls, the application must also use endpoint security controls to protect the session information from attacks such as XSS (cross-site scripting).
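An added example, not the article’s code, tying together the two cookie-side controls mentioned in the cross-site scripting section and in this one: the session cookie is issued with the HttpOnly attribute (so document.cookie cannot read it), the Secure attribute (so the browser only sends it over HTTPS) and SameSite, and the page that reflects user-controlled text is shown in a vulnerable and a hardened form. The cookie name `sessionid`, the greeting page and the probe string are constructed for the example; the cookie attributes and `html.escape` are standard.

```python
import html
from http.cookies import SimpleCookie


def session_cookie_header(session_id, secure=True):
    """Build the Set-Cookie header value for the session cookie.

    HttpOnly -> script in the page cannot read it via document.cookie
    Secure   -> the browser only sends it over HTTPS
    SameSite -> the browser withholds it from most cross-site requests
    No Max-Age/Expires -> a transient (non-persistent) cookie, dropped when the browser closes
    """
    cookie = SimpleCookie()
    cookie["sessionid"] = session_id
    cookie["sessionid"]["httponly"] = True
    cookie["sessionid"]["samesite"] = "Lax"
    cookie["sessionid"]["path"] = "/"
    if secure:  # keep True in production; the flag exists only so the test can exercise both
        cookie["sessionid"]["secure"] = True
    return cookie["sessionid"].OutputString()


def render_greeting_vulnerable(display_name):
    # Reflects the value unescaped: markup in the name becomes live HTML and script
    return f"<p>Welcome back, {display_name}!</p>"


def render_greeting_hardened(display_name):
    # Entity-encode '<', '>', '&' and quotes so the value renders as text, never as markup
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}!</p>"


def build_response(session_id, display_name):
    """Headers and body the server would send for the greeting page (hardened version)."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Set-Cookie": session_cookie_header(session_id),
        # Defence in depth: even if an escape is missed somewhere, inline script is refused
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        # Tell the browser to use HTTPS for this host from now on
        "Strict-Transport-Security": "max-age=31536000",
    }
    return headers, render_greeting_hardened(display_name)


# Constructed probe: a display name that is really a script tag
CONSTRUCTED_NAME = "<script>alert(1)</script>"

if __name__ == "__main__":
    print(render_greeting_vulnerable(CONSTRUCTED_NAME))
    print(render_greeting_hardened(CONSTRUCTED_NAME))
    print(build_response("sid-constructed-123", CONSTRUCTED_NAME)[0]["Set-Cookie"])
```

Output encoding removes the injection; HttpOnly limits the damage if one is still found, because the script that does run cannot hand the session ID to the attacker.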

Implement Strong Session ID generating algorithm#

The application must use robust algorithms to generate session IDs so that they cannot be compromised by brute force attacks. With unpredictable session IDs, guessing attacks such as brute force, which rely on predictable patterns, will not succeed.
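An added example (not the article’s code) serving both the brute force section and this one: it puts numbers on the difference between a predictable scheme and a random one. The weak scheme is a constructed stand-in for the "time plus counter" style of generator the article warns about; the strong one reads 32 bytes from the operating system’s CSPRNG via `secrets`. The 64-bit floor is the minimum recommended by the OWASP Session Management Cheat Sheet; the one-hour window and the 10,000-sessions figure in `assess_schemes` are constructed attacker-model assumptions, not measurements.

```python
import math
import secrets
import time

# Minimum entropy OWASP recommends for a session ID
MIN_SESSION_ID_ENTROPY_BITS = 64


def weak_session_id(counter):
    """Constructed example of a predictable scheme: wall-clock seconds plus a sequence number.

    Anyone who knows roughly when a login happened and how busy the site is can bound the
    candidate space, so this is the kind of generator the article tells you not to use.
    """
    return f"{int(time.time())}{counter:04d}"


def strong_session_id(num_bytes=32):
    """Opaque token from the OS CSPRNG; num_bytes * 8 bits of entropy, tied to nothing."""
    return secrets.token_urlsafe(num_bytes)


def entropy_bits_for_random_token(num_bytes):
    """A uniformly random num_bytes token carries exactly 8 bits per byte."""
    return num_bytes * 8


def entropy_bits_for_weak_scheme(time_window_seconds, counter_range):
    """Effective entropy of the weak scheme under a stated attacker model.

    If the login is known to lie within time_window_seconds and at most counter_range
    sessions were issued in that window, there are only
    time_window_seconds * counter_range candidates; log2 of that is the work factor in bits.
    """
    return math.log2(time_window_seconds * counter_range)


def is_acceptable(bits):
    """Does the scheme clear the recommended floor?"""
    return bits >= MIN_SESSION_ID_ENTROPY_BITS


def assess_schemes():
    """Compare both schemes under a constructed model: login time known to within an hour,
    at most 10,000 sessions issued in that hour."""
    return {
        "weak_bits": entropy_bits_for_weak_scheme(3600, 10_000),
        "strong_bits": entropy_bits_for_random_token(32),
    }


if __name__ == "__main__":
    result = assess_schemes()
    for name, bits in result.items():
        print(f"{name}: {bits:.1f} bits, acceptable={is_acceptable(bits)}")
    print("sample strong ID:", strong_session_id())
```

Under that model the weak scheme offers only about 25 bits, roughly 36 million candidates, while the random token offers 256; the gap, not the exact figures, is the point. The check to add to a code review is simply whether the generator draws from a CSPRNG and how many bytes it draws.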

Prevent Re-use of Session IDs#

To stop session IDs from being reused, the web application needs robust security measures; this protects it from session fixation attacks. After a user logs in, the web application must generate a new, random session ID. Even if the attacker manages to mislead the victim into clicking a link with a fixated session ID, they will not be able to accomplish anything significant, because the fixed session ID becomes useless as soon as the user logs into the application.
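The fixation defence described above, as an added example that is not the article’s code. `login_vulnerable` keeps whatever session ID the browser presented, so an ID the victim was tricked into using becomes an authenticated session; `login_hardened` discards the pre-login ID and issues a fresh one, carrying over any pre-login state such as a cart. The `SessionManager` class and its method names are constructed for the example.

```python
import secrets


class SessionManager:
    """Minimal server-side session table used to contrast the two login behaviours."""

    def __init__(self):
        self._sessions = {}  # session_id -> {"user": None | str, ...other state}

    def start_anonymous(self):
        """Issue a pre-login session (e.g. for a shopping cart before authentication)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def put(self, sid, key, value):
        self._sessions[sid][key] = value

    def get(self, sid, key):
        session = self._sessions.get(sid)
        return None if session is None else session.get(key)

    def user_for(self, sid):
        """Which user, if any, is authenticated under this ID."""
        return self.get(sid, "user")

    def login_vulnerable(self, sid, username):
        # Keeps the presented ID. If an attacker planted it, they now hold an
        # authenticated session without ever seeing the password.
        self._sessions.setdefault(sid, {})["user"] = username
        return sid

    def login_hardened(self, sid, username):
        # Drop the pre-login ID entirely and issue a new random one. Anything the
        # attacker fixated is now unknown to the server. State the user built up
        # before logging in (a cart, a language choice) is carried across.
        previous = self._sessions.pop(sid, None) or {}
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {**previous, "user": username}
        return new_sid


def demo():
    """Run the fixation scenario against both login paths and report what the planted ID yields."""
    vulnerable = SessionManager()
    planted = vulnerable.start_anonymous()       # the ID the victim was tricked into using
    vulnerable.login_vulnerable(planted, "alice")
    planted_now_authenticated = vulnerable.user_for(planted)  # "alice": attacker wins

    hardened = SessionManager()
    planted = hardened.start_anonymous()
    hardened.put(planted, "cart", ["book"])
    fresh = hardened.login_hardened(planted, "alice")
    planted_after_fix = hardened.user_for(planted)  # None: the fixated ID is dead
    return planted_now_authenticated, planted_after_fix, hardened.user_for(fresh), hardened.get(fresh, "cart")


if __name__ == "__main__":
    print(demo())
```

The same regeneration should happen on any privilege change (login, re-authentication, role elevation), and logout should delete the server-side entry rather than merely clearing the cookie.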

Employ Intrusion Detection and Intrusion Prevention Systems#

The organization must implement IDS and IPS (Intrusion Detection and Intrusion Prevention Systems) to detect and block malicious traffic inside the corporate network. IDS/IPS systems inspect the data entering the network and compare it to an internal database of known attack signatures. If the IDS/IPS detects suspicious network activity, it generates an alert, which ultimately results in the suspicious traffic being blocked.
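Signature-based IDS/IPS sees the network; the application’s own access log is where session misuse shows up. As an added example (not from the article), two detections run over constructed log lines in a made-up `epoch client_ip session_id status path` format: one flags a session ID presented from more than one client address within a window (the shape of a hijacked or side-jacked session), the other flags a single address presenting many distinct rejected session IDs in quick succession (the shape of session ID guessing). The thresholds are constructed starting points, not tuned values.

```python
from collections import defaultdict

# Constructed sample log lines: "<epoch> <client_ip> <session_id> <status> <path>"
SAMPLE_LOG = """\
1700000000 203.0.113.10 sid-A1 200 /account
1700000005 203.0.113.10 sid-A1 200 /orders
1700000030 198.51.100.7 sid-A1 200 /account/export
1700000100 192.0.2.9 sid-0001 401 /account
1700000101 192.0.2.9 sid-0002 401 /account
1700000102 192.0.2.9 sid-0003 401 /account
1700000103 192.0.2.9 sid-0004 401 /account
1700000104 192.0.2.9 sid-0005 401 /account
1700000105 192.0.2.9 sid-0006 401 /account
1700000200 203.0.113.44 sid-B7 200 /cart
"""


def parse_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, sid, status, path = line.split(maxsplit=4)
        events.append({"ts": int(ts), "ip": ip, "sid": sid, "status": int(status), "path": path})
    return events


def detect_shared_sessions(events, window_seconds=600):
    """Flag an accepted session ID used from more than one client IP within window_seconds.

    Caveat: NAT changes and mobile roaming also trigger this, so treat it as a lead to
    confirm (new user agent? unusual path?) rather than proof of hijacking.
    """
    alerts = []
    by_sid = defaultdict(list)
    for e in events:
        if e["status"] == 200:
            by_sid[e["sid"]].append(e)
    for sid, evs in by_sid.items():
        evs.sort(key=lambda e: e["ts"])
        for i, later in enumerate(evs):
            earlier_ips = {e["ip"] for e in evs[:i] if later["ts"] - e["ts"] <= window_seconds}
            if earlier_ips and later["ip"] not in earlier_ips:
                alerts.append({"rule": "session_shared_across_ips", "sid": sid,
                               "ips": sorted(earlier_ips | {later["ip"]})})
                break  # one alert per session ID is enough
    return alerts


def detect_session_guessing(events, threshold=5, window_seconds=60):
    """Flag a client IP presenting at least `threshold` distinct rejected (401) session IDs
    within window_seconds: a legitimate client has one stale ID, not a stream of them."""
    alerts = []
    rejected = defaultdict(list)
    for e in events:
        if e["status"] == 401:
            rejected[e["ip"]].append(e)
    for ip, evs in rejected.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window_seconds]
            distinct = {e["sid"] for e in in_window}
            if len(distinct) >= threshold:
                alerts.append({"rule": "session_id_guessing", "ip": ip,
                               "distinct_ids": len(distinct)})
                break
    return alerts


def run_detections(text):
    """Parse the log and run both rules; returns the combined alert list."""
    events = parse_log(text)
    return detect_shared_sessions(events) + detect_session_guessing(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

On the sample, `sid-A1` is flagged because it is accepted from 203.0.113.10 and then, 25 seconds later, from 198.51.100.7, and 192.0.2.9 is flagged for six distinct rejected IDs in six seconds. A reasonable response to the first is to invalidate that session server-side and require re-authentication; to the second, rate limiting or blocking at the IPS.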

Be on the lookout for Phishing attacks#

Avoid clicking on any link in an email unless the message is from a legitimate sender. An attacker can craft an email with malicious links and create a sense of urgency so that the user clicks on them. As soon as the user clicks the link, it either directs the user to a web page using a session ID already known to the attacker, or the attacker’s script is executed in order to steal the user’s session information.

Avoid Using Public WiFi#

Web application users must be educated never to use public Wi-Fi, especially for important tasks such as carrying out banking transactions, shopping online, performing office work, logging into email, and much more. Public Wi-Fi networks are a favourite target of malicious adversaries, who can use different techniques to steal sensitive information from users connecting to them.
