Session Hijacking

Last updated 8 months ago

Objectives: Understanding session hijacking concepts, Understanding application level session hijacking, Understanding network level session hijacking, Session hijacking tools, Session hijacking countermeasures, Overview of session hijacking penetration testing

Session Hijacking Concepts

  • What is session hijacking?

    • Since most authentication occurs at the start of a TCP session, this allows the attacker to gain access to the machine. He can take the cookie and play it as his own

    • Cookie will however expire after sometime. Much easier to steal cookie than brute force a password/token

  • Why is session hijacking successful?

    • No account lockout for invalid session IDs

    • Weak session ID generation algorithm

    • Insecure handling of session IDs

    • Indefinite session expiration time

    • Most computers using TCP/IP are vulnerable

    • Most countermeasures do not work unless you use encryption

  • Session Hijacking Process

    • Referer attack: attacker tries to lure a user to click on a link to malicious site

    • Get Request [pull the web page]

    • During Session Hijacking process (syn-ack), attacker must time it to jump into the session

    • Brute forcing: attacker attempts difference IDs until he succeeds

    • Sniff>Monitor>Session Desynchronization>Session ID prediction>Command Injection

  • Types of session hijacking

    • Active Attack: Attacker finds active session and takes over

    • Passive Attack: Attack hijacks a session but sits back and watches and records all the traffic that is being sent forth

    • Session Hijacking in OSI Model: Network Level Hiking, Application Level Hijackings

    • Network Level OSI Model: Network level hijacking can be defined as the interception of the packet during transmission between client and server

    • Application Level Hijacking: App level hijacking is about gaining control over the HTTPs user session by obtaining the session IDs

  • Spoofing vs Hijacking

    • Spoofing Attack: pretends to be another user

      • Attack pretends to be another user

    • Hijacking: process of taking over an existing active session

Application Level Session Hijacking

  • A session token can be compromised in various ways

  • Session sniffing

    • Sniff to capture valid session token or ID

  • Predictable session token

    • Predict a session ID generated by a weak algorithm

    • Guesses unique session value or deduce session ID

  • Man-in-middle attack

    • Intruding an existing connection and intercept

    • Attackers use different techniques and split the TCP connection

  • Man-in-browser attack

    • Uses a trojan horse to intercept calls between browser and its security mechanisms

    • Can be a malicious extension

  • Cross-site script attack

    • XSS enables attackers to inject malicious client side scripts into web pages

  • Malicious Javascript code

    • Trojan horse can change proxy settings in user’s browser

  • Cross-site request forgery attack (CSRF)

    • A CSRF attack exploits victim’s active session with a trusted site in order to perform malicious activities

  • Session replay attack

    • In session reply, the attacker listens to the conversation between the user and the server and captures the authentication token of the user

    • Once authentication token is captured, the attacker replays the request to the server with the authentication token

  • Session fixation

    • Session fixation is an attack that allows an attacker to hijack a valid user session

    • Attack tries to lure a user to authenticate himself with a known session ID and then hijacks the user-validated session

    • Attacker has to provide a legitimate web app session ID and try to lure the victim browser to use it

  • CSRF Cross site request forgery:

    • User visits banking site. Attacker has user somehow visit his site. His site infects and adds onto her session and insert more commands into her session and do things she did not authorize.

Network Level Session Hijacking

  • The 3-way handshake: if the attacker can anticipate the next sequence and ACK number , they can spoof bobs address and start a communication with the server

  • TCP/IP Hijacking:

    • Blind Hijacking

      • Attacker injects malicious data or commands into the intercepted communication in the TCP session even if the source-routing is disabled

      • The attacker can send the data or comments but has no access to see the response

      • You might be able to see the effects however

    • UDP Hijacking

    • Manipulating the packet

Session Hijacking Tools

  • ZAP (zed attack proxy by OWASP) is an integrated penetration testing tool

  • BURP Suite: inspect and modify traffic. Analyzes all kinds of content. Is an interception proxy


  • IPSec: protocol suite for securing IP communications by authenticating and encrypting each IP packet of a communication session

  • Deployed widely to implement virtual private networks (VPNs) and for remote user access through dial up connection to private networks

  • Transport Mode: Authenticates two connected computers. Option to encrypt data transfer. Compatible with NAT

  • Tunnel Mode: Encapsulates packets being transferred. Option to encrypt data. Not compatible with NAT.