Cyber-criminals have come a long way, developing new tools, tactics, and procedures to attack their victims and cause large-scale damage and disruption. Today's blog covers another type of cyber-attack, session hijacking, in which an attacker takes over an authenticated user's online session.

A session hijacking attack is a type of cyber-attack in which a threat actor takes over the mechanism a web application uses to keep track of a logged-in user. Millions of people use the internet every day, and while a client device only has to manage its own few connections, a busy web server has to serve hundreds of thousands of clients at a time and tell them apart. HTTP itself is stateless: every request arrives with no memory of the one before it, so the server needs something in each request that ties it to a particular user. That something is the session token (also called the session ID). The server generates it once the client has authenticated successfully and sends it to the browser, most commonly in a Set-Cookie header; the browser then returns it automatically with every subsequent request. Different applications use different token formats, but the token always plays the same role: it is the proof that "this request belongs to the user who logged in earlier." A web session, then, is not a single network connection but a period of authenticated activity that may span many TCP connections. (Lower-layer sessions such as TCP connections can also be hijacked, but this post is about application-layer web sessions.) The session is created when the user logs in, and as long as a valid token is present on the client device, the user can keep working without logging in again. When the user logs out, the server should invalidate the token on its side, so that the copy left in the browser is useless and the next visit to the site requires logging in again. Note the word "should": if logout only deletes the cookie in the browser and leaves the session record alive on the server, a stolen copy of the token keeps working even after the victim has logged out.
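The lifecycle just described, as an added example that is not code from the original post: a minimal server-side session store that issues an opaque random token at login, resolves it on each request, invalidates it at logout and after an idle period, and builds the Set-Cookie header that carries it. The user table, the 15-minute idle timeout and the FakeClock helper are constructed for the example.

```python
import hmac
import secrets
import time

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy: expire after 15 minutes idle

# Constructed user table for the example; a real deployment stores password
# hashes (bcrypt/argon2), never plaintext.
USERS = {"alice": "correct horse battery staple"}


class SessionStore:
    """Server-side session table. The browser only ever holds the opaque token;
    everything about the session (who, when) lives here."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # token -> {"user": str, "last_seen": float}

    def login(self, username, password):
        stored = USERS.get(username)
        # Constant-time comparison avoids leaking the password via timing.
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            return None
        # 32 bytes from the OS CSPRNG: an attacker cannot predict or enumerate this.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": username, "last_seen": self._clock()}
        return token

    def user_for(self, token):
        """Resolve a presented token. Returns the username, or None if the session
        does not exist (logged out, never issued) or has been idle too long."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, token):
        """Invalidate server-side; the cookie left in the browser is now just junk."""
        self._sessions.pop(token, None)


def session_cookie_header(token):
    """Value of the Set-Cookie header sent after login. HttpOnly keeps the token out
    of document.cookie (XSS), Secure keeps it off plaintext HTTP (sniffing), and
    SameSite limits cross-site requests carrying it."""
    return f"session={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


class FakeClock:
    """Deterministic clock so the idle timeout can be exercised without sleeping."""

    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def __call__(self):
        return self.now


def demo():
    """Walk one session through its life and report what the server decided."""
    clock = FakeClock()
    store = SessionStore(clock)
    results = {"wrong_password_rejected": store.login("alice", "wrong") is None}

    t1 = store.login("alice", "correct horse battery staple")
    t2 = store.login("alice", "correct horse battery staple")
    results["tokens_differ"] = t1 != t2                    # fresh token per login
    results["cookie"] = session_cookie_header(t1)
    results["valid_before_logout"] = store.user_for(t1)    # "alice"

    store.logout(t1)
    results["valid_after_logout"] = store.user_for(t1)     # None: replay fails

    clock.now += IDLE_TIMEOUT_SECONDS + 1
    results["expired_after_idle"] = store.user_for(t2)     # None: idle timeout
    return results


if __name__ == "__main__":
    print(demo())
```

The point to take from `logout` is that invalidation happens in the server's table, not by asking the browser to drop the cookie; a token an attacker copied earlier dies with the session.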

In a session hijacking attack, the adversary either steals the session token or guesses its value, and then presents that token to the server to gain unauthorized access as the victim. Techniques are usually grouped as passive (the attacker only observes, for example by sniffing a token sent over plaintext HTTP) or active (the attacker interferes with the client, the browser, or the traffic). Common methods include man-in-the-middle (MITM) attacks, sniffing unencrypted traffic to intercept the token, man-in-the-browser malware, client-side attacks such as cross-site scripting (where injected script reads the token from document.cookie if the cookie was set without the HttpOnly attribute) or other malware on the victim's device, and session prediction attacks against tokens that are derived from guessable inputs such as timestamps, sequential counters, or user IDs.
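Session prediction, the last technique above, as an added example (not code from the original post). It models a hypothetical weak token scheme, MD5 of the user ID and login time, next to a hardened scheme that draws 32 random bytes from the OS CSPRNG, and an attacker who knows the weak scheme, the victim's user ID, and the login time to within five minutes. The server, the victim ID and the timestamps are constructed for the example.

```python
import hashlib
import math
import secrets

TOKEN_BYTES = 32  # 256 bits of CSPRNG output for the hardened generator


def weak_token(user_id, login_ts):
    """Hypothetical weak scheme: MD5 of user id and login time in seconds.
    Every input to the hash is either public or easy to estimate."""
    return hashlib.md5(f"{user_id}:{login_ts}".encode()).hexdigest()


def strong_token(user_id, login_ts):
    """Hardened scheme: opaque random token. The inputs are ignored on purpose;
    nothing about the user or the time is recoverable from the token."""
    return secrets.token_urlsafe(TOKEN_BYTES)


class SessionServer:
    """Minimal server: issues a token at login and answers 'is this token live?'.
    Counting validation calls shows how much work the attacker had to do."""

    def __init__(self, generator):
        self._generator = generator
        self._live = {}  # token -> user_id
        self.validation_calls = 0

    def login(self, user_id, login_ts):
        token = self._generator(user_id, login_ts)
        self._live[token] = user_id
        return token

    def is_live(self, token):
        self.validation_calls += 1
        return token in self._live


def predict_session(server, victim_id, approx_login_ts, window=300):
    """Attacker side. Enumerates every candidate the weak scheme could have
    produced within +/- window seconds of the estimated login time and submits
    each to the server. Returns the hijacked token, or None if nothing matched."""
    for ts in range(approx_login_ts - window, approx_login_ts + window + 1):
        candidate = weak_token(victim_id, ts)
        if server.is_live(candidate):
            return candidate
    return None


def candidate_space_bits(window=300):
    """Effective entropy the attacker faces: log2 of the number of candidates for
    the weak scheme versus the full bit length of the random token."""
    return math.log2(2 * window + 1), TOKEN_BYTES * 8


def demo():
    victim_id = 1042                      # constructed victim user id
    true_login = 1_700_000_000            # constructed login timestamp
    attacker_estimate = true_login + 37   # attacker's estimate is 37 s late

    weak_server = SessionServer(weak_token)
    real_token = weak_server.login(victim_id, true_login)
    hijacked = predict_session(weak_server, victim_id, attacker_estimate)

    strong_server = SessionServer(strong_token)
    strong_server.login(victim_id, true_login)
    hijacked_strong = predict_session(strong_server, victim_id, attacker_estimate)

    return {
        "weak_hijacked": hijacked == real_token,
        "weak_guesses": weak_server.validation_calls,      # 264
        "strong_hijacked": hijacked_strong is not None,    # False
        "strong_guesses": strong_server.validation_calls,  # 601, all wasted
    }


if __name__ == "__main__":
    print(demo())
    print("candidate space (bits): weak=%.1f strong=%d" % candidate_space_bits())
```

Against the weak scheme the attacker recovers the live token after a few hundred requests, which is well inside what a server will tolerate without any rate limiting. Against the random token the same attacker faces 2^256 candidates; enumerating a timestamp window, or any other window, is pointless. Hashing the guessable inputs does not help the defender: MD5 (or SHA-256) is deterministic, so the attacker simply runs the same hash over the same candidates.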

Let us take an example of a session hijacking attack. Imagine a person checking their news feed on a social networking site, or logged into their online banking account to make a few transactions. If the site does not have the right mechanisms in place to protect the session token, a threat actor can use one of the methods above to steal or guess the token that identifies the user's session. Once they have it, the attacker simply replays that token to the web server, which treats them as the logged-in user, and they can do anything the victim could do on that site. Note that none of this requires the victim's password; the token alone is enough. The attacker could transfer money out of the victim's bank account if the session was hijacked while the victim was using online banking, or post bogus content under the victim's name on a social networking site and cause serious damage to their reputation.

You would be surprised to know how many websites are vulnerable to session hijacking. This should sound an alarm for every web developer who cuts corners when securing a web application. The controls are well understood: generate long tokens from a cryptographically secure random number generator, send them only over HTTPS with the Secure and HttpOnly cookie attributes, issue a fresh token after login, and invalidate the session on the server at logout and after a period of inactivity. Organizations should make sure their developers are building these controls into every web application they ship.