• Identity 101
  • Session Hijacking Attack: Definition, Damage & Defense

Session Hijacking Attack: Definition, Damage & Defense

Learn how Adaptive Multi-Factor Authentication combats data breaches, weak passwords, and phishing attacks.
Read more
Okta
Updated: 04/21/2022 - 12:35
Time to read: 3 minutes

A session hijacking attack is a form of impersonation. The hacker gains access to a valid computer session key, and with that tiny bit of information, the intruder can do almost anything an authorized user can.

We'll help you understand what is session hijacking, and we'll explain how you can protect yourself and your data.

What Is a Session Hijacking Attack?

A period of communication between two devices (like a computer and a server) is a session. Authentication starts the process, and when it's successful, the server generates a session token that's stored in the user's browser. During session hijacking, that token is stolen or predicted. 

With your session ID, your hacker can:

  • Take over your session. Anything you're authorized to do on that site, your hacker is also able to do. That could mean transferring money, making a purchase, or changing your password. 
  • Search for more opportunities. Does logging in on one site (like Google) allow you to work on another site (like YouTube)? Your hacker will find out. 

This technique is slightly different than session spoofing. During a spoof, your hacker impersonates you and starts a new session without your knowledge. During session hijacking, you'll also be working on the same server at the same time as your attacker (until the program crashes or you're removed from it).

How Does Session Hijacking Start?

Servers are designed with security in mind, and it should be difficult for anyone to engage in session hijacking. Unfortunately, breaches are common.

Five known techniques exist, including:

  • Cross-site script (XSS) attacks. An attacker sends you a seemingly innocent link. You click on it, and malicious code runs. The hacker gains your session key. This approach is considered a top application security risk by OWASP.  
  • Malware. Your hacker plants a malicious link in an email or on a website. When you're infected, the hacker can steal session keys or otherwise take over your device. Sometimes, hackers use malware to engage in man-in-the-middle or man-in-the-browser attacks, where they can see everything you do on any server.
  • Session fixation. The hacker sends you a known session key via a link. When you log in via that link, the hacker has your cookie.  
  • Session-side jacking. The hacker uses a sniffing tool to read unencrypted traffic that passes between your device and the server. If you're working on a public WiFi, the hacker's job is even easier as your traffic may not be encrypted.  
  • Session sniffing. Your session ID is sent in an unencrypted state, and your hacker monitors the network to spot it. 

Hackers can also use tools like Firesheep. This Firefox extension is used over public WiFi sessions to copy session cookies on authenticated websites. Hackers can also use platform-specific tools like the WhatsappSniffer to bypass their work and take over sessions entirely. 

Many more tools exist, including DroidSheep and CookieCadger. As long as hackers want to take over sessions, hacking development teams will be there to help them.

How to Prevent Session Hijacking

Many modern browsers include built-in session hijacking protection. Ensuring that you're using the latest software each time you access the web is a quick and easy way to keep your data secure. 

Four other security options include:

  • Beefing up encryption. Ensure that all movement to and from your server is completely encrypted, so no bystander can watch and steal. 
  • Demanding a VPN. If you or your employees must do work in public spaces, ensure that your communication is protected with a VPN. Public WiFi is simply too dangerous. 
  • Randomizing. Set up your server to issue random session cookies, so hackers have a hard time guessing what comes next. 
  • Cutting ties. When a session ends, log out. If you're a site administrator, log off users after a period of inactivity. 

References

OWASP Top Ten. OWASP. 

How Firesheep Can Hijack Web Sessions. (November 2010). Dark Reading. 

WhatsApp Sniffer Apk Download for Android. WhatsApp Sniffer Apk.

What Is Session Hijacking and How to Prevent It? EC-Council.