session hijacking

What is session hijacking and how to prevent it?

Sessions are an essential part of internet communication and are mostly web-based. Session hijacking is a web attack carried out by exploiting active web sessions. A session is a period of communication between two computer systems. A web server needs authentication since every user communication via websites uses multiple TCP/IP channels.

A common form of authentication is always the use of a username and password, which are usually predefined. After successful authentication, the webserver sends a session token to the user, which is then stored in the user’s machine enabling a session. The session ID can be stored as a cookie in the HTTP header or the URL.

How does session hijacking work?

Session hijacking happens when an intruder takes advantage of a compromised active session by hijacking or stealing the HTTP cookies used to maintain a session on most websites. Another way is by predicting an active session to gain unauthorized access to information in a remote webserver without detection as the intruder uses the credentials of the particular user. The session token or HTTP header can be compromised and manipulated in many ways, including:

  • Session Sniffing: Sniffing can be used to hijack a session when there is non-encrypted communication between the web server and the user, and the session ID is being sent in plain text. Hence, if an intruder is monitoring the network, he or she can get the session ID, which they can then use to be automatically authenticated to the webserver. In monitoring the network, ethical hacking tools such as Wireshark and Kismet can be used to capture sensitive data packets such as the session ID from the network.
  • Cross-site scripting (XSS): OWASP names cross-site scripting as among the top ten web application security risks. A server can be vulnerable to a cross-site scripting exploit, which enables an attacker to execute malicious code from the user’s side, gathering session information. An attacker can target a victim’s browser and send a scripted JavaScript link, which upon opening by the user, runs the malicious code in the browser hijacking sessions.

Session Hijacking Countermeasures

End-to-end encryption between the user’s browser and the web server using secure HTTP or SSL, which prevents unauthorized access to the session ID. VPNs can also be used to encrypt everything, not just the traffic to the webserver using personal VPN solution tools.

Web servers can generate long and random session cookies, which reduces the chances of an adversary guessing or predicting what a session cookie could be.

Session ID monitors can also be used to monitor if these IDs are being used, and utilities such as Blacksheep can be used to send fake session IDs to the network and monitor if an intruder is trying to use the session ID.

There should be an automatic log off if a session ends in use, and the client should be required to re-authenticate using a different session ID. Additionally, a server can be directed to delete a session cookie from the client’s computer to minimize the amount of time a session cookie is being exposed in the network.

How to Become an Ethical Hacker

Becoming a Certified Ethical Hacker (CEH) is certainly nothing to take lightly. This course will immerse you into the Hacker Mindset so that you will be able to defend against future attacks. Upon completion of the Certified Ethical Hacker training, you will have scanned, tested, hacked, and secured your own networks and systems. With this knowledge, you can bring peace of mind to an organization knowing their network is more secure from today’s biggest and toughest cybercriminals.



What is the difference between session hijacking and IP spoofing?
IP spoofing is simply forging the IP addresses in an IP packet. This is used in many types of “attacks,” including session hijacking. Session hijacking occurs at the TCP level. According to Internet Security Systems, “TCP session hijacking is when a hacker takes over a TCP session between two machines.
Why is session hijacking successful?
This means that a successful session hijack can give the attacker SSO access to multiple web applications, from financial systems and customer records to line-of-business systems potentially containing valuable intellectual property.
Which technology can protect against session hijacking?
Network-level hijacks can be prevented by ciphering the packets so that the hijacker cannot decipher the packet headers, to obtain any information which will aid in spoofing. This encryption can be provided by using protocols such as IPSEC, SSL, SSH, etc.
get certified from ec-council
Write for Us