Session Hijacking: A session is a semi-permanent interactive information interchange, also known as a meeting, between two or more communicating devices. When you hijack someone's session you take their session ID and present it as your own, hence the name session hijacking. Usually the session ID is transferred in a cookie. A cookie is a small piece of information stored in the user's browser; it is generated by the web server and sent to the browser for authentication purposes. If you can obtain the other party's cookie you can put it in your own cookie jar and you have stolen their session.
This can be done in several ways, for example by sniffing the wireless network and looking at the HTTP packets being transferred, or by an XSS attack in which the victim's browser is made to reveal its cookie to the attacker.
Types of Session Hijacking
1. Active:- In an active attack, the attacker finds an active session and takes it over, for example with tools that predict the next sequence number used in the TCP session.
2. Passive:- In a passive attack, the attacker hijacks a session but only watches and records all of the traffic being sent by the authorized user. Sniffers on the network gather information such as passwords, which is then used to authenticate in a separate session.
Session hijacking can be active or passive in nature, depending on the degree of the attacker's involvement in the attack.
The essential difference between an active and a passive hijack is that an active hijack takes over an existing session, while a passive attack monitors an ongoing session.
Most common methods used to hijack a session:-
1.) Session fixation:- Here the attacker fixes the user's session ID before the user even logs in to the target server. This is accomplished as follows:
- The attacker connects to the target server; the server generates a session token and sends it to the attacker.
- The attacker crafts a URL containing that session token and sends it to the victim.
- The victim clicks on the link and logs in to the site with the same session token.
- The server thinks it is the same user and retains the session token.
- The attacker sends another request to the server with the session token and hijacks the victim's session.
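The five steps above can be replayed against a toy server-side session table to see exactly where the defence has to sit. The following is an added example written for this page, not code from the original post: the `SessionStore` class and `fixation_scenario` function are hypothetical, and the store is an in-memory dictionary standing in for a real session backend. With `regenerate_on_login=False` the server keeps the pre-login token, so the token the attacker handed out now resolves to the victim's account; with `regenerate_on_login=True` that token is discarded at login and the replay in the last step fails.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None  # None until the client authenticates


class SessionStore:
    """Toy server-side session table keyed by the session ID the client presents in its cookie.
    Hypothetical helper for this example; a real backend would also track expiry."""

    def __init__(self, regenerate_on_login: bool):
        self.regenerate_on_login = regenerate_on_login
        self._sessions: Dict[str, Session] = {}

    def new_session(self) -> str:
        # Long random token (32 bytes of entropy); predictable IDs are a separate weakness.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def login(self, sid: str, user: str) -> str:
        """Authenticate `user` on the session `sid` and return the ID the client must use afterwards."""
        if sid not in self._sessions:
            sid = self.new_session()
        if self.regenerate_on_login:
            # Drop the pre-authentication ID so anyone who knew it before login cannot use it.
            del self._sessions[sid]
            sid = self.new_session()
        self._sessions[sid].user = user
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        """Resolve a presented session ID to the authenticated user, or None."""
        sess = self._sessions.get(sid)
        return sess.user if sess else None


def fixation_scenario(regenerate_on_login: bool) -> Dict[str, Optional[str]]:
    """Replay the steps from the text and report what each party's token resolves to afterwards."""
    server = SessionStore(regenerate_on_login)
    fixed_sid = server.new_session()            # step 1: a fresh token is issued to the attacker
    victim_sid = server.login(fixed_sid, "victim")  # steps 2-3: victim logs in carrying that token
    return {
        # step 5: the attacker replays the original token
        "attacker_sees": server.whoami(fixed_sid),
        # the legitimate user continues with whatever ID the server returned at login
        "victim_sees": server.whoami(victim_sid),
    }


if __name__ == "__main__":
    print("no regeneration:", fixation_scenario(regenerate_on_login=False))
    print("regenerate on login:", fixation_scenario(regenerate_on_login=True))
```

The fix is the single `del`/`new_session` pair inside `login`: the server must never promote a token that existed before authentication to an authenticated one.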
2.) Session sniffing:- The attacker uses a sniffer to capture a valid token (session ID), then uses that session ID to gain unauthorized access to the web server.
3.) Cross-site scripting:- The attacker places malicious code in a crafted link; when the victim clicks on the link, the script is injected into the user's browser and runs there. The malicious script can access any cookies, session tokens, or other sensitive information retained by the browser.
4.) Man-in-the-middle attack:- The man-in-the-middle attack intercepts the communication between the two systems.
In this scenario the attacker camouflages as a proxy, as commonly happens in an HTTP transaction. The target is the TCP connection between the client and the server. The attacker splits the original connection into two new connections, one between the client and the attacker and the other between the attacker and the server.
5.) Man-in-the-browser attack:- The same as the man-in-the-middle attack, but here a Trojan horse is used to intercept and manipulate all communication between the user's browser and the destination web server, modifying the messages.
How to prevent session hijacking
- Use SSL/HTTPS encryption for the sensitive areas (e.g. the login page) of the web site; it prevents session sniffing attacks.
- Set the HttpOnly attribute on the session cookie.
- Use a long random number or string as the session key. This reduces the risk that an attacker could simply guess a valid session key.
- Regenerate the session ID once the user has successfully logged in; this prevents session fixation.
- Use secondary checks on the identity of the user (e.g. the web server checks with each request that the IP address of the user matches the one last used during that session).
- Change the value of the cookie with each and every request.
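Several of the measures in the list above (HTTPS, the HttpOnly attribute, a long random key) show up directly in the `Set-Cookie` header a server emits, so they can be checked mechanically. The following is an added example written for this page, not code from the original post: `parse_set_cookie`, `audit_session_cookie` and `hardened_session_cookie` are hypothetical helper names, the weak sample header is constructed, and the `SameSite` check goes one step beyond the page's list (it stops the cookie riding along on cross-site requests). The audit flags the missing Secure and HttpOnly attributes and a short, numeric (and therefore likely sequential) token; the builder produces a header that passes the same audit.

```python
import secrets
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie header value into (name, value, {attribute_lowercase: value}).
    Flag attributes such as Secure and HttpOnly appear with an empty value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header: str, min_token_chars: int = 32) -> List[str]:
    """Return a list of findings; an empty list means the cookie passes every check."""
    _name, value, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: script in the page can read the cookie (XSS theft)")
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plain HTTP (sniffable)")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cookie is attached to cross-site requests")
    if len(value) < min_token_chars:
        findings.append(f"token is only {len(value)} chars: too short to resist guessing")
    if value.isdigit():
        findings.append("token is purely numeric: likely sequential and guessable")
    return findings


def hardened_session_cookie(name: str = "SESSIONID") -> str:
    """Build a Set-Cookie header that satisfies audit_session_cookie()."""
    token = secrets.token_urlsafe(32)  # 32 random bytes -> 43 URL-safe characters
    return f"{name}={token}; Path=/; Secure; HttpOnly; SameSite=Strict"


# Constructed sample of a weak header: short sequential ID, no protective attributes.
WEAK_HEADER = "SESSIONID=1001; Path=/"

if __name__ == "__main__":
    for finding in audit_session_cookie(WEAK_HEADER):
        print("weak   :", finding)
    good = hardened_session_cookie()
    print("hardened:", good)
    print("findings:", audit_session_cookie(good))
```

Run this against the headers your own application returns (for example from a saved HTTP response) before relying on a browser add-on to tell you the session cookie is exposed.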
Session Hijacking tools
2.) Wireshark & Add N Edit Cookies Add-on
3.) BlackSheep Add on