Session Hijacking

Dennis Faas's picture

In computer science, session hijacking is the exploitation of a valid computer session (commonly known as a "session key") used to gain unauthorized access to information or services in a computer system.

For example, when a user logs in to a web site, the user's PC is tagged with a session key using a browser cookie (a cookie is a small file stored on the users PC that the browser reads).

Any time the user requires access to a restricted area of a website (usually requiring login), the session key is extracted from the users' PC and compared to the key stored on the web server. If valid, the user is allowed to proceed to the restricted area.

Session Hijacking and the 'Magic Cookie'

Session hijacking in particular is used to refer to the theft of a 'magic cookie' used to authenticate a user to a remote server.

The 'magic cookie' has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer (using cookie theft, known as "cookiejacking").

TCP session hijacking is when a hacker takes over a TCP session between two machines. Since most authentication only occurs at the start of a TCP session, this allows the hacker to gain access to a machine, though this is unlikely to happen if the session is encrypted (using a secure connection, such as those which begin with https://)

Session Hijacking: 4 Main Methods

There are four main methods used to perpetrate a session hijack. These are:

Session Fixation

This is where the attacker sets a user's session id to one known to him, for example by sending the user an email with a link that contains a particular session id. The attacker now only has to wait until the user logs in.

Session Sidejacking

This is where the attacker uses packet sniffing to read network traffic between two parties to steal the session cookie. Many web sites use SSL encryption for login pages to prevent attackers from seeing the password, but do not use encryption for the rest of the site once authenticated.

This allows attackers that can read the network traffic to intercept all the data that is submitted to the server or web pages viewed by the client. Since this data includes the session cookie, it allows him to impersonate the victim, even if the password itself is not compromised.

Unsecured WiFi hotspots are particularly vulnerable, as anyone sharing the network will generally be able to read most of the web traffic between other nodes and the access point.

Physical Access to Local Machine

Alternatively, an attacker with physical access can simply attempt to steal the session key by, for example, obtaining the file or memory contents of the appropriate part of either the user's computer or the server.

Cross-site scripting

This is where the attacker tricks the user's computer into running code which is treated as trustworthy because it appears to belong to the server, allowing the attacker to obtain a copy of the cookie or perform other operations.

Session Hijacking: Prevention

Methods to prevent session hijacking include:

Use of a long random number or string as the session key. This reduces the risk that an attacker could simply guess a valid session key through trial and error or brute force attacks.

Regenerating the session id after a successful login. This prevents session fixation because the attacker does not know the session id of the user after he has logged in.

Encryption of the data passed between the parties; in particular the session key. This technique is widely relied-upon by web-based banks and other e-commerce services, because it completely prevents sniffing-style attacks. However, it could still be possible to perform some other kind of session hijack.

Some services make secondary checks against the identity of the user. For example, a web server could check with each request made that the IP address of the user matched the one last used during that session. This does not prevent attacks by somebody who shares the same IP address, however, and could be frustrating for users whose IP address is liable to change during a browsing session.

Alternatively, some services will change the value of the cookie with each and every request. This dramatically reduces the window in which an attacker can operate and makes it easy to identify whether an attack has taken place, but can cause other technical problems (for example, preventing the back button from working properly, on the web).

Users may also wish to log out of websites whenever they are finished using them.

Session Hijacking and Firesheep

Recently a firefox extension called Firesheep has exploited and made it easy for public wifi users to be attacked by session hijackers. Websites like Facebook, Twitter, and any that the user adds to their preferences allow the firesheep user to easily access private information from cookies and threaten the public wifi users personal property.

This article originated from and has been edited for our audience. This document is licensed under the GNU Free Documentation License (GFDL), which means that you can copy and modify it as long as the entire work (including additions) remains under this license.

Rate this article: 
No votes yet