Session Hijacking is an attack by which a hacker exploits a valid computer session and gains access to a client’s session identifier. Since HTTP is a stateless protocol, when a user logs into a website, a session is created on that Web Server for that user, this session contains all this user's information being used by the server so the username and password is not needed at every page request. The server uses a unique identifier(Session Identifier) to authenticate this user to this session, this session identifier is passed between the web server and the user's computer at every request. Session Hijacking is an attack by which the hacker steals this user's session identifier and then sends this session identifier as their own to the server and tricks the server into thinking they are that user. This is show in the diagrams below:
After gaining access to a client’s session identifier for a website, the hacker then injects the client’s session identifier into his/her browser. From then on, when that attacker connects to that website, since his session identifier is the same as the authentic user, he will be logged in as that userand will have access to all of that user’s information and privileges on that website. Note - attackers cannot get a user’s password using session hijacking.
Session Hijacking is one of the simple attacks on the internet, and with the implementation of Firesheep(http://cleverlogic.net/articles/firesheep-session-hijacking-made-easy), Session Hijacking have become very popular; this can be concluded by the fact that there has been over 1 million downloads of Firesheep and thousands of success stories and videos. Firesheep also have an average daily usage of 490 users (Mozilla Firefox, 2010).
Session Hijacking Attacks:
Attackers’ use several session hijacking attacks to gain access to user sessions on a server, the most common of these attacks are listed and described below:
- Session Prediction - http://cleverlogic.net/tutorials/what-session-prediction
- Session Sidejacking - http://cleverlogic.net/tutorials/session-sidejacking-overview
- Session Fixation - http://cleverlogic.net/tutorials/session-fixation-overview
- Cross Site Scripting - http://cleverlogic.net/tutorials/cross-site-scripting-0
- Using Proxy Servers - http://cleverlogic.net/content/using-proxy-servers-session-hijacking
- Physical Access to Server
Preventing Session Hijacking
Since session hijacking is where the attacker steals a user's Session Identifier, to prevent this attack, we would need to prevent the user's Session Identifier. There are several things we can do to help to prevent this attack:
- Use Secure Connections (Achieved through Secure Socket Layer(SSL) - http://cleverlogic.net/articles/secure-socket-layer-overview) as much as possible, since SSL creates an encrypted connection between the client and server, any data the attacker steals during this transfer would be useless to them. However, SSL does not fully secure against this attack, and hackers can still use session hijacking even over HTTPS
- Regenerate user's session identifier often, therefore, even though the attacker may manage to steal a user's session identifier, when it is regenerated, the Session Identifier he stole would be useless.
- You can implement an IP Address Check to match a user's Session Identifier to his/her IP Address. However this may have its limitations.
- For my final year project titled "Mitigating HTTP Session Hijacking" i built an application to help prevent this attack. more on this can be found here: http://cleverlogic.net/articles/kochure. I would strongly advise implementing this application on your Web Server.
- Another method is to use HTTP only cookies, these are cookies that claim to be inaccessible from the DOM, However, some hackers have claimed to gain access to HTTP only cookies through the dom. HTTP only cookies would still make it harder to gain access to cookies using most of the session hijacking attacks. However if session Sidejacking is used, These cookies can easily be stolen from over a LAN network. Session Sidejacking is spoofing cookies over a LAN network, More can be found on the session Sidejecking page linked to above.
- More information about preventing each of the above listed Session Hijacking attacks can be found on the Attack's Page.
To get a better understanding of how this attack is carried out, a step-by-step tutorial can be found at http://cleverlogic.net/tutorials/session-hijacking-facebook-accounts. Note this tutorial is only for informative purposes. Any questions can be posted below in the comments section.