Session Hijacking: A Brief Overview

umair nehri · Published in RIXED_LABS · 7 min read · Feb 3, 2021

Introduction

In this blog, we will discuss the session hijacking attack and how it affects the end-users of a web-based platform. Before we begin, I would like to give the audience a short introduction to three terms: cookie, session and session ID.

A cookie is a small text file that a website you have visited stores in your browser. It lets the website identify your device and hold information that the website can reference later in any of its functionality: tracking what you do on the site, making the site more usable and efficient, selecting advertisements based on what the user does on the site, and so on.

A session is a group of interactions between you (the end-user) and the web platform, including every click, change of values and submission of data. HTTP is a stateless protocol: each request between the client and the host is treated independently of the others, which would force end-users to identify themselves to the website on every action or click they perform. To avoid this, developers use sessions, which save the state of the user on the website and use it as a reference when the user visits the website again or moves to another page on the same website. Sessions can be reset or destroyed either after a certain duration from their creation or when the user logs out of the platform, so the data they hold is only stored temporarily on the device.

A session ID or session token is a piece of data, usually in an encrypted form, stored as a string. End-users use these tokens to identify themselves to the website, presenting the session token either from a cookie, directly as a URL parameter, or from a hidden input value on the web page.

What is Session Hijacking?

A Session Hijacking attack involves an attacker stealing the victim’s session token, which gives the attacker full control over the victim’s account, since the attacker can use that session ID to authenticate to the website without any credentials. To execute this attack, the attacker generally sends a malicious link to the victim which, once opened, looks for the cookies storing the victim’s session ID and sends that data back to the attacker.

Let us understand the attack from the image on the left-hand side. Assume a user called John who visits a site XYZ, which stores the session IDs of registered/signed-in users in their browsers so that they are available when they visit the website again, and John has an account registered there. In case 1, John visits XYZ again; since John’s session ID is stored in the browser, the website looks for the cookie holding the session ID and logs him in to the platform with it. In case 2, John is sitting in a cafe where an attacker is able to capture the traffic going from John’s device to the website and so finds the session ID John is using to log in. The attacker can now replace his own session ID with John’s and log in to the website without any of John’s credentials, gaining all the control and powers John normally has when he visits the website.

What are the attack vectors of Session Hijacking?

In the following points, we discuss a few attack vectors that can lead to a successful session hijacking attack.

Cross-site Scripting

In this attack vector, the attacker crafts special payloads to steal the session token from a victim. It leverages a cross-site scripting vulnerability and can target selected individuals, as with a reflected XSS vulnerability, or any visitor of the page, as with a stored XSS vulnerability.

Let us look at the payload listed below:

This payload fetches all the cookies stored in the victim’s browser for the given website and then loads another web page, in this case a malicious URL that we provided along with an empty token parameter. The PHP page takes that parameter, in our case the cookies, as input and saves it on the attacker’s side. Although this payload is basic, attackers rely on more sophisticated payloads depending on the website’s security level and whether any XSS filters are in place.

Packet Sniffing

The attacker can rely on capturing the network traffic between the victim’s device and the website. If the requests to the website are made over an unencrypted protocol (HTTP), it is easy for an attacker to filter the traffic and look for the packets containing the authentication requests along with the session token.

In the above example, we can see one such packet, part of the HTTP requests made by a victim to the website. The request contains a cookie called PHPSESSID, which stores the user’s session token in the browser. Through a successful packet sniffing attack, an attacker can easily fetch the session ID the victim was using for the target website and then use this token to authenticate to the website as the victim.

Guessing / Brute forcing

If the session IDs share a similar pattern, that pattern can be used to guess the session tokens of other users as well. If the website reuses the same set of session IDs, or the IDs share similarities, the attacker can use a list of those session IDs/segments to brute-force the authentication mechanism present on the website.

Mitigating Session Hijacking Attacks

Session Hijacking attacks can be mitigated by the following methods, among others:

Use random and unguessable Session IDs

To prevent users from guessing or brute-forcing session IDs, developers should make sure they issue random and unguessable session IDs that show no similarities across different users.

Use HTTPS for visitors to access your website

To prevent an attacker from finding session IDs passed in clear text over the unencrypted HTTP protocol during a packet sniffing attack, developers should make sure that visitors access the website over HTTPS rather than HTTP, which encrypts all traffic between a user’s device and the website.

Use temporary session IDs

To prevent attackers from using a victim’s session ID in the long run, developers can use temporary session IDs that are destroyed on every sign-out or after a few hours/days, forcing users to authenticate to the website once again.

Use the Secure Cookie Flag

To prevent cookies from being sent over the unencrypted HTTP protocol, which would expose the session IDs in clear text, developers can set the Secure cookie flag, which forces users’ browsers to send the cookie to the website only over HTTPS, so the traffic carrying it is encrypted.
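As an added example (not code from the original post), here are the four mitigations above in one small Python session handler: a CSPRNG-generated session ID, a Set-Cookie value carrying the Secure flag, expiry after a fixed lifetime plus destruction on sign-out, and an audit check that a given Set-Cookie header actually carries the flags. The cookie name PHPSESSID comes from the page; the two-hour lifetime and the HttpOnly and SameSite attributes are my additions.

```python
import secrets
import time
from typing import Dict, Optional, Tuple

SESSION_TTL_SECONDS = 2 * 60 * 60  # constructed value: session IDs live two hours


def new_session_id() -> str:
    """Random, unguessable session ID: 32 bytes from the OS CSPRNG, URL-safe encoded."""
    return secrets.token_urlsafe(32)


def session_cookie_header(session_id: str, cookie_name: str = "PHPSESSID") -> str:
    """Set-Cookie value with the Secure flag; HttpOnly and SameSite are added beyond
    the page's list (HttpOnly blocks document.cookie reads, SameSite limits cross-site sends)."""
    return (f"{cookie_name}={session_id}; Path=/; Max-Age={SESSION_TTL_SECONDS}; "
            "Secure; HttpOnly; SameSite=Lax")


class SessionStore:
    """In-memory session table: IDs expire on a timer and are destroyed on sign-out."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be tested deterministically
        self._sessions: Dict[str, Tuple[str, float]] = {}  # id -> (user, expires_at)

    def create(self, user: str) -> str:
        sid = new_session_id()
        self._sessions[sid] = (user, self._now() + SESSION_TTL_SECONDS)
        return sid

    def lookup(self, sid: Optional[str]) -> Optional[str]:
        """Return the user for a live session, or None (expired IDs are purged)."""
        entry = self._sessions.get(sid) if sid else None
        if entry is None:
            return None
        user, expires_at = entry
        if self._now() >= expires_at:
            del self._sessions[sid]
            return None
        return user

    def destroy(self, sid: str) -> None:
        """Sign-out: drop the session so a stolen ID stops working immediately."""
        self._sessions.pop(sid, None)


def cookie_is_hardened(set_cookie: str) -> bool:
    """Audit check: does a Set-Cookie header carry both Secure and HttpOnly?"""
    attrs = {p.strip().split("=", 1)[0].lower() for p in set_cookie.split(";")[1:]}
    return {"secure", "httponly"} <= attrs
```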

Let’s conclude

Session hijacking is dangerous since it puts all of a user’s power on the website at risk. It can target anyone, from users with the fewest permissions to those with the most (site administrators). It is important for an organization/website to implement mechanisms that help mitigate this issue, some of which were listed above. Developers also need to look for other vulnerabilities on the platform and patch them, since session hijacking leverages existing vulnerabilities on the website to execute the attack.

End-users should take an equal level of precaution. They need to trust the URLs they visit and force their traffic to the website over the HTTPS protocol, or else use a Virtual Private Network (VPN), which can help prevent an attacker from obtaining the session ID during a packet sniffing attack.

For Further Reference

Make sure to dive deep into the topic of session hijacking. Till then, happy hacking! If you have any sort of feedback, please reach out to me.

Blog by Nerd of AX1AL. Join our Discord server.
