As the name suggests, session hijacking is the exploitation of a web application's session control mechanism. The attacker exploits insecure connections and steals HTTP cookies in order to gain unauthorized access to sensitive information or data held on web servers.
These attacks, also known as cookie hijacking or TCP session hijacking, can be performed using a variety of techniques. The main ones include:
- Session sniffing – Packet sniffing is used to read the network traffic between two parties and eventually capture a valid session ID (SID).
- Cross-site scripting (XSS) – Malicious payloads trick the victim's browser into executing the attacker's script, eventually leading to cookie theft.
- Predictable session token – Session ID values are predicted, which permits an attacker to bypass the application's authentication scheme.
- Man-in-the-middle (MITM) attack – The TCP connection between the server and the client is intercepted.
- Man-in-the-browser attack – Similar to a MITM attack, but here the attacker uses a Trojan on the victim's machine to perform the interception and manipulation.
The illustration above demonstrates a classic session sniffing scenario. Also known as session sidejacking, this is extremely common at places with unsecured Wi-Fi hotspots (coffee shops, restaurants, airports, etc.). The network owner, who may well be the attacker, can easily hijack a session by intercepting the traffic from the various nodes.
Before diving into remediation and mitigation techniques, it's important to determine how susceptible the environment is. If a work network uses old, unencrypted protocols such as Telnet, FTP or DNS, the chances of being hacked are extremely high. Common hacking tools such as Juggernaut and Hunt can also be used to test how well a session resists hijacking.
The most effective countermeasure against network-level session hijacking is to choose encrypted transport protocols that provide secure connections. The most commonly recommended protocols today are Secure Shell (SSH), Secure Sockets Layer (SSL) and Internet Protocol Security (IPsec). These ensure that the session key travels through an encrypted tunnel rather than in the clear.
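As an added illustration of the cookie-theft and predictable-token risks listed above (example code written for this page, not from the original article or from Checkmarx), the following Python audits the Set-Cookie headers of an HTTP response for the attributes that keep a session cookie off plain HTTP and out of reach of injected script, and generates session IDs from the OS CSPRNG so they cannot be predicted. The list of session cookie names and the sample response are constructed assumptions; adjust the names to the framework in use.

```python
import secrets
from http.cookies import SimpleCookie
from typing import List

# Cookie names treated as session identifiers (assumption: adjust to the
# framework in use; names are compared case-insensitively).
SESSION_COOKIE_NAMES = {"sessionid", "phpsessid", "jsessionid", "sid"}


def new_session_id(nbytes: int = 32) -> str:
    """Unpredictable session ID from the OS CSPRNG (256 bits by default).
    Counters or timestamps are guessable; random bytes are not."""
    return secrets.token_urlsafe(nbytes)


def audit_set_cookie(header_value: str) -> List[str]:
    """Return the hijacking-relevant weaknesses of one Set-Cookie value."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings = []
    for name, morsel in jar.items():
        if name.lower() not in SESSION_COOKIE_NAMES:
            continue  # non-session cookies are out of scope here
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure, cookie is sent over plain HTTP and can be sniffed")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly, cookie is readable by injected script (XSS)")
        if not morsel["samesite"]:
            findings.append(f"{name}: missing SameSite, cookie is attached to cross-site requests")
        if len(morsel.value) < 16:
            findings.append(f"{name}: value too short to resist guessing")
    return findings


def audit_response_headers(raw_headers: str) -> List[str]:
    """Audit every Set-Cookie header in the head of a raw HTTP response."""
    findings: List[str] = []
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "set-cookie":
            findings.extend(audit_set_cookie(value.strip()))
    return findings


# Constructed sample response: a weak, short session cookie plus a harmless one.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sessionid=10042; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
)
```

Running `audit_response_headers(SAMPLE_RESPONSE)` reports four findings for the `sessionid` cookie and none for `theme`; a cookie set with `Secure; HttpOnly; SameSite=Lax` and a value from `new_session_id()` produces no findings.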
CxSAST scans the application code and lets the user know what kind of protocol has been implemented. This is useful in complex development environments where third-party and open source components are often used without appropriate scrutiny. Once the whole application has been scanned and tested, session hijacking risks fall significantly.