
SESSION HIJACKING

A session stores information (in variables) that is used across multiple pages while a user is logged in to an online account. Unlike cookies, this information is not stored on the user's computer: it is typically maintained by the server and created on the first request or after an authentication process. The session ID is exchanged between the web browser and the server on every request.

Different ways to exchange the session ID

  1. Hidden form fields
  2. Cookies (most common)

Session Token

A session ID or session token is a piece of data used in network communications to identify a session. It is used to determine which user has logged into a website; these IDs or tokens can be used by an attacker to hijack the session and obtain its privileges. A session ID is usually a randomly generated string, to decrease the probability of obtaining a valid one by means of a brute-force search.

Cookie

Cookies are strings of data that a web server sends to the browser. When the browser later requests an object from the same domain, it sends the same string of data back to the origin server. The web server sends the data in an HTTP header called "Set-Cookie", and the browser sends the cookie back to the server in an HTTP header called "Cookie".

The primary purpose of a cookie is to create customized web pages based on user identities.

Attack Methods

  • Guessing the session ID – short length, predictable values.
  • Session Fixation – predictable ID, or a session created before authentication and kept after it.
  • Session Sniffing (typical on non-SSL sessions) – attacker on the same subnet as the client or the server.
  • Cross-Site Scripting (XSS) – user trusting the source, application vulnerability.

Session Sniffing

Attackers can sniff all the traffic of an established TCP session and perform identity theft, information theft, fraud, etc. The attacker steals a valid session ID and uses it to authenticate to the server as the victim.

Session Hijacking

Session Hijacking refers to stealing this session ID and using it to impersonate the user and access data over a valid TCP communication session between two computers. Application-level hijacking is about gaining control over the HTTP user session by obtaining the session ID.

Suggested Measures for General Users:

  • Do not click on the links that are received through
  • Logout from the application instead of closing the
  • Always use an updated b
  • Clear the browsing data like cache, cookies,

Suggested Measures for Developers:

  • Create session keys as long random strings or numbers so that it is difficult for an attacker to guess a valid one.
  • Regenerate the session ID after a successful login to prevent session fixation (an attack that starts before the user logs in).
  • Encrypt the data and the session key transferred between the user and the web server.
  • Expire the session as soon as the user logs
  • Use firewalls to prevent malicious content from entering into the
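The following added example (written for this page, not code from the original article or from any framework) ties together the cookie exchange described under "Cookie" and the developer measures listed above: a server-side session table keyed by a 256-bit random ID from the operating system's CSPRNG, a fresh ID issued at login so a pre-login (possibly fixated) ID stops working, server-side expiry on logout and after an idle timeout, and a `Set-Cookie` header that carries the ID with the `Secure`, `HttpOnly` and `SameSite` attributes. The class name `SessionStore`, the cookie name `sid`, the 15-minute idle timeout and the `demo()` walkthrough are this example's own assumptions.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Assumed values for this example; a real deployment picks its own.
COOKIE_NAME = "sid"
IDLE_TIMEOUT = 15 * 60   # seconds of inactivity before the server drops a session
ID_BYTES = 32            # 256 bits of randomness per session ID


class SessionStore:
    """Server-side session table keyed by an unguessable session ID."""

    def __init__(self, clock=time.time):
        self._sessions = {}      # sid -> {"user": str | None, "last_seen": float}
        self._clock = clock      # injectable so expiry can be tested deterministically

    def _new_id(self) -> str:
        # secrets draws from the OS CSPRNG; 32 bytes makes brute-force guessing
        # infeasible, unlike short, sequential or time-derived IDs.
        return secrets.token_urlsafe(ID_BYTES)

    def create(self) -> str:
        """Anonymous session created on the first request, before any login."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, old_sid: str, user: str) -> str:
        """Bind the user to a brand-new ID and discard the pre-login one.
        This is the session-fixation defence: an ID an attacker may have planted
        before authentication never becomes an authenticated session."""
        self._sessions.pop(old_sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "last_seen": self._clock()}
        return new_sid

    def logout(self, sid: str) -> None:
        """Expire the session on the server, not merely in the browser."""
        self._sessions.pop(sid, None)

    def lookup(self, sid):
        """Return the user for a live session, or None if unknown or expired."""
        data = self._sessions.get(sid)
        if data is None:
            return None
        now = self._clock()
        if now - data["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]       # idle too long: treat as logged out
            return None
        data["last_seen"] = now
        return data["user"]


def set_cookie_header(sid: str) -> str:
    """Value for the Set-Cookie response header that carries the session ID.
    Secure keeps it off plaintext HTTP (sniffing), HttpOnly keeps it away from
    page scripts (XSS), SameSite=Strict stops cross-site requests sending it."""
    return f"{COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


def clear_cookie_header() -> str:
    """Set-Cookie value sent at logout so the browser drops the cookie too."""
    return f"{COOKIE_NAME}=; Path=/; Max-Age=0; Secure; HttpOnly; SameSite=Strict"


def sid_from_cookie_header(cookie_header: str):
    """Pull the session ID out of the browser's Cookie request header."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel else None


def demo():
    """Walk one user through the lifecycle and return what the server saw at
    each step: (before login, after login, old pre-login ID, after logout)."""
    store = SessionStore()
    anon = store.create()
    before = store.lookup(anon)                      # None: not authenticated
    authed = store.login(anon, "alice")              # fresh ID issued at login
    # Browser echoes the cookie back (constructed request header):
    echoed = sid_from_cookie_header(f"{COOKIE_NAME}={authed}; theme=dark")
    after_login = store.lookup(echoed)               # "alice"
    fixated = store.lookup(anon)                     # None: pre-login ID is dead
    store.logout(authed)
    after_logout = store.lookup(authed)              # None
    return before, after_login, fixated, after_logout


if __name__ == "__main__":
    print(demo())
    print(set_cookie_header(secrets.token_urlsafe(ID_BYTES)))
```

The point of `login()` taking the old ID and returning a new one is that the application must send a new `Set-Cookie` after authentication rather than keep the one it issued on the first request; `logout()` plus `clear_cookie_header()` shows the matching server-side and browser-side expiry, and the idle timeout in `lookup()` bounds how long a stolen ID stays useful.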