Session hijacking is a type of web attack that steals an existing active session. The main purpose of session hijacking is to bypass the authentication process and gain unauthorized access to a computer or website. In simple words, hackers log in as some other client by using that client's session.

What is a session?

A session is the period of time during which two computer systems, or two parts of a single system, communicate. When someone logs in to a password-protected system, a session is used. The session remains valid until the communication ends. In some cases, such as the login case just described, the session is user-initiated. There are also technology-initiated sessions; the sessions used by various email clients are examples. However, many active sessions are hidden from users, who will not know when a session starts and ends. The session is an important factor in Internet communications.

How Does Session Hijacking Work?

HTTP communication uses many TCP connections, so the server needs a method to recognize every user's connections. The most used method is for the server to send a token to the client browser after the authentication process. This token is a variable-width string, and it can be carried in different ways: in the URL, in the header of the HTTP request as a cookie, in another part of the HTTP request header, or in the body of the HTTP request. The attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the web server. This compromise of the session token can occur in different ways.

Different Session Hijacking methods:

Session fixation

In this method, the hacker sets a user's session ID to one known to the hacker. For example, the hacker sends the victim an email with a link that contains a particular session ID. If the victim follows that link, the hacker can use that session and gain access.

Session Sidejacking (Session Sniffing)

In this method, the attacker uses packet sniffing to steal the session cookie. To prevent this, some websites use SSL (which encrypts the session) but do not use encryption for the rest of the site once the user is authenticated. This allows attackers who can read the network traffic to intercept all the data that is submitted to the server or the web pages viewed by the client. Unsecured hotspots are vulnerable to this type of session hijacking.

Client-side attacks (XSS, malicious JavaScript code, Trojans, etc.)

A hacker can steal the session by running malicious JavaScript code on the client system. Usually hackers attack a website using XSS and insert their own malicious JavaScript code. From the client's point of view it is a trusted website, so he will visit it. When the victim visits the link, the malicious JavaScript is executed. It steals the session cookies and other confidential data.

Physical access

If the hacker has physical access, it is easy for him to steal the session. This usually occurs in public cafes, where a user logs in to some websites (Facebook, Gmail). A hacker who uses the machine after the victim can steal the session cookies.

How to Prevent Session Hijacking?

As we've seen earlier, the method often used to steal a session ID is to install malicious code on the client website and then steal the cookie. The best way to prevent session hijacking is to enable protection on the client side. It is recommended to take preventive measures against session hijacking on the client side. Users should have efficient antivirus and anti-malware software, and should keep their software up to date.

There is also a technique that uses engines which fingerprint all requests of a session. In addition to tracking the IP address and SSL session ID, the engines also track the HTTP headers. Each change in the headers adds penalty points to the session, and the session is terminated as soon as the points exceed a certain limit. This limit can be configured. This is effective because when an intrusion occurs, the intruder's requests will have a different HTTP header order.
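
The penalty-point scheme described above, sketched as an added example (it is not code from the original article or from any particular product). The penalty weights, the list of tracked headers, and names such as SessionGuard are assumptions, and the sample requests are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Headers a browser sends on every request; their order and values make up the fingerprint.
STABLE_HEADERS = ("host", "user-agent", "accept", "accept-language", "accept-encoding")
# Assumed penalty weights (not from the article); tune them against real traffic.
PENALTY = {"ip": 40, "tls_session_id": 30, "header_order": 30, "header_value": 20}

def fingerprint(ip, tls_session_id, headers):
    """Fingerprint one request; headers is a list of (name, value) in wire order."""
    seen = [(n.lower(), v) for n, v in headers if n.lower() in STABLE_HEADERS]
    fp = {"ip": ip, "tls_session_id": tls_session_id,
          "header_order": tuple(n for n, _ in seen)}
    fp.update({"value:" + n: v for n, v in seen})
    return fp

@dataclass
class SessionGuard:
    limit: int = 50                 # configurable termination threshold
    last: Optional[dict] = None     # fingerprint of the previous request
    points: int = 0
    terminated: bool = False

    def check(self, ip, tls_session_id, headers):
        """Score one request; returns False once the session must be terminated."""
        if self.terminated:
            return False
        fp = fingerprint(ip, tls_session_id, headers)
        if self.last is not None:
            for key in set(fp) | set(self.last):
                if fp.get(key) != self.last.get(key):   # one penalty per changed attribute
                    self.points += PENALTY.get(key, PENALTY["header_value"])
        self.last = fp
        self.terminated = self.points > self.limit
        return not self.terminated

def demo():
    """Constructed traffic: a browser, the same browser roaming, then a replayed cookie."""
    browser = [("Host", "app.example"), ("User-Agent", "BrowserA/1.0"), ("Accept", "text/html"),
               ("Accept-Language", "en-US"), ("Accept-Encoding", "gzip")]
    replay = [("Host", "app.example"), ("Accept", "*/*"), ("User-Agent", "BrowserA/1.0"),
              ("Accept-Encoding", "gzip")]
    guard = SessionGuard(limit=50)
    verdicts = [guard.check("198.51.100.7", "tls-aaaa", browser),
                guard.check("198.51.100.7", "tls-aaaa", browser),
                guard.check("203.0.113.9", "tls-aaaa", browser),   # IP change only: 40 points
                guard.check("192.0.2.44", "tls-bbbb", replay)]     # everything differs
    return verdicts, guard.points

if __name__ == "__main__":
    print(demo())
```

A single IP change stays under the limit, so a roaming user keeps the session, while a request that differs in address, SSL session and header order at once pushes the score past it.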

These are the recommended preventive measures to take on both the client and server sides in order to prevent session hijacking attacks.