tutorial on Session hijacking attack



Session hijacking attack


When a user logs in to an account, a session with that account starts, and it ends when the user logs out. During a running session the user is given a session ID, a unique identifier for that user which is valid only for that session. Session hijacking is the type of attack in which the hacker obtains the session ID and uses it to gain unauthorized access to information or services.


Session hijacking can be done at 2 levels:

  1. Network level (TCP and UDP session hijacking)
  2. Application level (HTTP session hijacking)



Network level (TCP and UDP session hijacking)


TCP session hijacking
TCP session hijacking is when a hacker takes over a TCP session between two machines. Since most authentication occurs only at the start of a TCP session, this lets the hacker gain access to a machine. It can be done in the following ways.

  1. IP spoofing: assuming another host's identity
  2. Man-in-the-middle attack using packet sniffers
  3. Blind attacks, which involve brute-forcing the session id



UDP session hijacking
It is similar to TCP session hijacking but easier, because UDP does not use packet sequencing or synchronization.


Application level (HTTP session hijacking)
In HTTP session hijacking the hacker tries to get access to the session ID that identifies the user within the session. HTTP is stateless, so the session ID has to be sent with each request. If the hacker gets the session id, he can hijack the victim's session. This can be done through:

  1. XSS
  2. Man in the middle attack
  3. Bruteforcing session id
  4. Man in the browser attack

Session hijacking is widely used for hacking into website accounts. In websites, the session id is stored in the form of a cookie in the client browser, so to hijack someone's session you have to steal that user's session information.
Session hijacking has been an ongoing problem for web browser developers and security experts for at least 5 years.
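Both lists above include brute-forcing the session id, which only works when the id is short or predictable. The following is an added example (not code from the original post) showing, from the defender's side, a deliberately weak counter-based generator next to a CSPRNG-based one, and a small audit routine of the kind a reviewer runs over a sample of issued ids before deciding whether guessing them is realistic. The names `weak_session_id`, `strong_session_id`, `audit_session_ids` and the 64-bit entropy floor (taken from OWASP's session management guidance) are this example's own choices; the sample ids are constructed.

```python
import math
import secrets
from collections import Counter


def weak_session_id(counter: int) -> str:
    """Constructed example of a BAD generator: a counter rendered as 8 hex digits.
    Anyone who sees one id can guess the ids issued just before and after it."""
    return f"{counter:08x}"


def strong_session_id(nbytes: int = 32) -> str:
    """Session id drawn from the OS CSPRNG: 256 bits of entropy by default."""
    return secrets.token_urlsafe(nbytes)


def entropy_bits_per_char(ids: list[str]) -> float:
    """Shannon entropy of the character distribution across the whole sample."""
    counts = Counter("".join(ids))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def looks_sequential(ids: list[str], threshold: float = 0.9) -> bool:
    """True when the ids parse as hex integers and most consecutive ids differ by
    the same step, which is the signature of a counter-based generator."""
    try:
        values = [int(i, 16) for i in ids]
    except ValueError:
        return False  # contains non-hex characters, so not a plain hex counter
    diffs = [b - a for a, b in zip(values, values[1:])]
    if not diffs:
        return False
    _, count = Counter(diffs).most_common(1)[0]
    return count >= threshold * len(diffs)


def audit_session_ids(ids: list[str]) -> dict:
    """Summarise a sample of ids: per-character entropy, an estimate of the
    effective bits an attacker would have to guess, and a verdict."""
    bits_per_char = entropy_bits_per_char(ids)
    min_len = min(len(i) for i in ids)
    estimated_bits = bits_per_char * min_len
    sequential = looks_sequential(ids)
    return {
        "bits_per_char": round(bits_per_char, 2),
        "estimated_bits": round(estimated_bits, 1),
        "sequential": sequential,
        # 64 bits of entropy is the floor recommended by OWASP session guidance
        "acceptable": (not sequential) and estimated_bits >= 64,
    }


if __name__ == "__main__":
    # Constructed samples: 100 ids from each generator.
    weak = [weak_session_id(n) for n in range(1000, 1100)]
    strong = [strong_session_id() for _ in range(100)]
    print("weak  :", audit_session_ids(weak))
    print("strong:", audit_session_ids(strong))
```

The entropy figure is an upper bound, not a proof of randomness (a sample can look uniform and still come from a seeded PRNG), so the sequential-step check is there to catch the most common failure outright rather than to replace a proper statistical test.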


Prevention:

  1. Use of ArpON, which prevents man-in-the-middle attacks carried out through ARP spoofing.
  2. Use of the HTTPS protocol for secure sessions; it encrypts the session.
  3. Set the expiry time of cookies as short as possible.
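Items 2 and 3 above translate directly into how the server issues and ages its session cookie. The following is an added example (not code from the original post): a minimal server-side session store with a short idle timeout and an absolute lifetime, plus the `Set-Cookie` value built with the standard library's `http.cookies`, marking the cookie `Secure` (sent only over HTTPS), `HttpOnly` (not readable by page script, so the XSS vector in the list above cannot simply read it) and `SameSite`. The `rotate` step, which hands out a fresh id at login, goes beyond the page's list but is standard practice. `SessionStore`, the cookie name `sid` and the timeout values are this example's own choices; the clock is injectable so expiry can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Callable, Optional

IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime regardless of activity
COOKIE_NAME = "sid"           # hypothetical cookie name


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side session table keyed by an unguessable id."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._sessions: dict[str, Session] = {}
        self._now = now  # injected clock, defaults to wall-clock time

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        t = self._now()
        self._sessions[sid] = Session(user, t, t)
        return sid

    def validate(self, sid: str) -> Optional[Session]:
        """Return the session for sid, or None if unknown or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        if t - s.last_seen > IDLE_TIMEOUT or t - s.created > ABSOLUTE_TIMEOUT:
            self.destroy(sid)  # expired: a stolen cookie from earlier is now useless
            return None
        s.last_seen = t
        return s

    def rotate(self, sid: str) -> Optional[str]:
        """Issue a fresh id for an existing session (at login or privilege change)
        so an id observed before authentication cannot be reused afterwards."""
        s = self._sessions.pop(sid, None)
        if s is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = s
        return new_sid

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def session_cookie_header(sid: str, max_age: int = IDLE_TIMEOUT) -> str:
    """Value for the Set-Cookie header: Secure, HttpOnly, SameSite and a short Max-Age."""
    c = SimpleCookie()
    c[COOKIE_NAME] = sid
    m = c[COOKIE_NAME]
    m["secure"] = True        # browser sends it only over HTTPS
    m["httponly"] = True      # not exposed to document.cookie
    m["samesite"] = "Lax"     # not sent on most cross-site requests
    m["max-age"] = max_age    # cookie dies together with the idle timeout
    m["path"] = "/"
    return m.OutputString()


if __name__ == "__main__":
    store = SessionStore()
    pre_login = store.create("anonymous")   # session that existed before login
    sid = store.rotate(pre_login)           # fresh id handed out after login
    print("Set-Cookie:", session_cookie_header(sid))
    print("old id still valid?", store.validate(pre_login) is not None)
```

Keeping the session state on the server means a cookie only ever carries the opaque id; expiring that id after a short idle period is what makes item 3 of the list effective, since a cookie that was copied earlier stops working once the server-side record is gone.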