Session hijacking is a kind of web attack that targets a computer session. Through this attack, a hacker is able to gain unauthorized access to the information or services on your computer. Session hijacking is also known as cookie hijacking. Through this technique, a hacker is able to intrude into a valid computer session and then exploit the session to his own ends.
What is a session?
When you try to log into a service like Gmail, you are asked for your login credentials. Once you provide the username and password, these details are matched against your stored credentials. If there is a perfect match, you are allowed to log in.
The service then creates a unique session ID or cookie and sends it to your browser. After you are recognized as an authenticated user, the service uses the cookie to identify you. And it is going to share relevant content with you only if your browser has the relevant session ID or cookie.
As long as you are logged into the service, the session continues. The session ends when your computer or device stops communicating with the server of that service. The session ID for a given session is unique and the same for the entire length of the session.
For instance, if you are visiting a website and stay on that website for 30 minutes, you will have a single session ID. If you close the website and later revisit it, you may be assigned a new session ID.
How does session hijacking work?
When a hacker tries to exploit a session ID, this is known as session hijacking. Simply put, a session ID is your identification after you have logged into a service. If your browser has this ID, you are recognized as a legitimate user. But if a hacker can gain access to this ID, he can use it to gain illegitimate access to the service.
When you log into a service, that service sends you a cookie or session ID. This cookie is a token of variable width. A hacker can gain access to this token in a variety of ways including:
Cross-site Script Attack – A hacker may use a website to host malicious software. A user, not knowing that the website is compromised, visits the website. The malicious payload then installs malicious software on the user’s browser. Once this happens, the hacker is able to steal the session ID tokens and use them to gain access to various services while posing as the user.
Session Sniffing – This is another way of getting access to the session ID. A hacker typically uses a sniffer or different sniffing methods to read network traffic for service and capture the session ID. Once he has the session ID, it’s easy to impersonate the user and gain unauthorized access to the service.
Session Token Predicting – Many websites use incremental session ID tokens. So if one user has visited the website and received a token, the next visitor will have a token that is increased by a single number. A hacker can use this vulnerability to predict the session ID tokens. By using hit and error he may use multiple attempts to find the valid session ID tokens and then use these tokens to gain unauthorized access.
Session Fixation – If a hacker knows a previous session ID, he can use it to gain unauthorized access. The attacker prepares a URL containing the previously known session ID and sends it to the user via email. When the user clicks on the link and logs in, the hacker is able to gain access since he already has the session ID.
How does one prevent session hijacking?
Session hijacking can be easily prevented by implementing various measures and taking suitable precautions. Following are some effective ways of preventing session hijacking.
- Data Encryption: If all the traffic between the user’s computer and the service-side server is encrypted, this makes it harder for the hacker to hijack a session ID. Many websites use HTTP Secure, instead of simple HTTP, to achieve such encryption. You can also use SSL/TLS credentials to verify users and encrypt the data traffic.
- Random Session ID: As stated above, incremental session IDs are easier to predict for an attacker. This is why websites and services can thwart an attacker by using random session IDs with a longer width. This reduces the odds of session token prediction and makes it harder for the hacker to guess the token through the trial-and-error method.
- Using a VPN: A VPN is another excellent way of preventing session hijacking. A quality VPN uses high-grade encryption and traffic routing. These tactics prevent session sniffing and help in securing all communications between you and a service server.
- Regenerating Session ID: An attacker can use a previously known session ID to gain unauthorized access. This can be done by a social engineering attack, persuading a user to click on a link with the previous session ID. To prevent this, many services generate a new session ID every time a user logs in. The new session ID blocks out the hacker even if he knew the previous ID.
- Cookie Randomization: Another method for preventing session hijacking is cookie randomization. In this technique, a website or a service change a cookie every time the user makes a request. The upside of this is that it makes it extremely hard for a hacker to exploit the session ID. On the downside, it considerably slows down the user experience.
Many websites and services increasingly use HTTPS and other security measures to prevent hijacking. On the user end, a quality VPN is an excellent tool to reduce the chances of such an attack. As with other aspects of digital security, constant vigilance is the key to prevention.
About the Author:
Cybersecurity enthusiast, WordPress guru, data-safety tools tester with over 10 years experience.