Session hijacking is one of the most common web security threats. It is easy to launch if proper defenses are not...
used, and it can be difficult to detect. It's important, therefore, to take the proper pre-emptive steps to keep sessions safe, especially within the application layer, which is where primary attack vectors exist.
In attempting to hijack a session, the attacker's objective is simple: to steal, predict or reuse a session token. To prevent this from happening, you need to understand session hijacking prevention. Popular culprits are session sniffing, predictable session token ID, man in the browser, client-side and session fixation.
Session sniffing is one of the most basic techniques used with application layer session hijacking. The attacker uses a sniffer, such as Wireshark, or a proxy, such as OWASP Zed, to capture network traffic -- containing the session ID -- traveling from a website to a client. Several common formats are shown here:
Notice how the JSESSIONID is set to a value of 1WRAuUyubAmxaGvtxbGuO4RfNjN1R3. If the attacker can capture this value, he can use this valid token to gain unauthorized access.
Many web servers use a custom algorithm or predefined pattern to generate session IDs. The greater the predictability of a session token, the weaker it is and the easier it is to predict. If the attacker can capture several IDs and analyze the pattern, he may be able to predict a valid session ID. For example, suppose you were able to capture one ID as follows:
This may look somewhat secure and sufficiently long and complex enough to ensure session hijacking prevention. However, if you can capture several session tokens, patterns in their value may become evident, as shown here:
Upon discovering this sequence, an attacker can easily predict a valid session ID and use it to gain access to a victim's account.
Man in the browser
A man-in-the-browser attack is similar to a man-in-the-middle attack, but the attacker must first infect the victim's computer with a Trojan. The attacker usually gets the malware onto the victim's computer through some form of trickery or deceit. For example, the victim may have been asked to install some plug-in to watch a video, update a program or install a screensaver. Once the victim is tricked into installing malware onto her system, the malware waits for the victim to visit a targeted site. The man-in-the-browser malware can invisibly modify transaction information, like the amount or destination. It can also create additional transactions without the user knowing. Because the requests are initiated from the victim's computer, it is very difficult for the web service to detect that the requests are fake.
Session fixation attacks work by stealing a valid session ID that has yet to be authenticated. Then, the attacker tries to trick the user into authenticating with this ID. Once authenticated, the attacker now has access to the victim's computer. Session fixation explores a limitation in the way the web application manages a session ID. Three common variations exist: session tokens hidden in an URL argument, session tokens hidden in a form field and session tokens hidden in a session cookie.
Session hijacking prevention and its benefits
What's important to remember when learning how to prevent session hijacking and other attacks is it's possible for an attacker to steal and reuse session identifiers or other sensitive cookie values when they're stored or transmitted insecurely. While providing 100% protection can be difficult, encryption is the main defense. When a user authenticates, Secure Sockets Layer and a secure cookie should be mandatory. When authenticated users visit one or more secure pages, they should continue to be forced to use HTTPS with Secure and HttpOnly flags set on sensitive session cookies. The session ID should be a random value that cannot be easily predicted.
Sometimes, the session IDs are obscured via hex, Unicode or some other type of encoding, which is a poor practice and should be avoided. Security by obscurity never works. Short session timeouts should be enforced to mitigate risk. Controls should be used to block multiple sessions under the same account and never validate the client by just the IP address. Verify the token -- generated upon login, which should be stored with the user's ID session in the database -- matches. Finally, the HTTP_USER_AGENT should also be verified to make sure it has not changed. Hijacking attacks are dangerous and can give attackers an authenticated connection, which could allow them to gain greater access. Session hijacking prevention becomes more critical as these attacks become more elaborate.
How to prevent session hijacking and how it works without passwords
How the Forbidden attack targets HTTPS sessions
How IP address hijacking works