This is the most common browser applications and web applications used for session hijacking. In most scenarios when you log into the web application and the server creates a temporary session cookie in your browser to remember that you are currently logged in and authenticated.

When you are accessing through HTTP that is a stateless protocol and session cookies attached to every HTTP header are the most popular way for the server to identify your browser and current session.

When you perform session hijacking, as an attacker you need to know the victim’s session ID (Session Key). It can be obtained by stealing the session cookie or persuading the user to click a malicious link containing a prepared session ID.

In both the scenarios, the user is authenticated on the server and the attacker can take over (hijack) the session by using the same session ID for their own browser. The Server at that time fooled into treating the attacker’s connection as the original user’s valid session.

What are the main differences between session hijacking and Session spoofing?

Hijacking and spoofing differ in the timing of the attack. Session hijacking is performed against a user who is currently logged in and authenticated. The Victim’s point of view the attack will often cause the targeted application to behave unpredictably or crash. The attacker uses the stolen or counterfeit session tokens to initiate a new session and impersonate the original user which might not be aware of the attack.

What are the methods used for the session hijacking?

The attackers have many options for the session hijacking which can depend on the attack vector and the attacker’s position. The first broad category :

• Brute Force: The attacker can simply use it to try and guess the session key of a user’s active session which is feasible only. The application uses a prediction session identifier. Sequential keys were a typical weak point and the modern applications and protocol versions session IDs are long and randomly generated. Endure the resistance to the brute force attacks and the key generation algorithm must give truly unpredictable values with enough entropy to make guessing attacks impractical.

• Cookie theft by malware or direct access: The common way of obtaining session cookies is to install malware on the user’s machine to perform automated session sniffing. The user has visited a malicious website or clicked a link in a spam email, the malware scans the user’s network traffic for the session cookies and sends them to the attacker. when the session key is to directly access the cookie file in the client browser’s temporary local storage (often called the cookie jar). The task can be performed by the malware but the attacker with local or remote access to the system.

• Session Fixation: The Victim’s cookie, the attackers may simply supply a known session key, and the trick the user came into the access of the vulnerable server. By using the HTTP query parameters in a crafted link that was sent by e-mail or provided by on the malicious website. When the victims click the link and they are taken to validate the login form but the session key that will be used to supply by the attackers. After final authentication, the attacker can use the known session key to hijack the session.

• Session side Hijacking: The attack requires the attacker’s active participation and the first thing that comes to mind when people think of “being hacked”. The packet sniffing, attackers can monitors the user’s network traffic and intercept session cookies after the user is authenticated on the server. If the website only uses SSL/TLS encryption for the login pages and not for the entire session, the attacker can use the Sniffied session key to jack the session and impersonate the user to perform actions in the target web application. The attackers need access to the victim’s network, typical attack scenarios involve unsecured Wi-Fi hotspots attacker can either monitor traffic in public networker set up thor own access point and perform man-in-the-middle attacks.
• Cross-site Scripting (XSS): The most dangerous and widespread method of web session hijacking. By exploiting server or application vulnerabilities, attackers can inject client-side scripts (typically javascript) into web pages cause your browser to execute arbitrary code when it loads a compromised page. The Http Only attribute in session cookies, injected scripts can gain access to your session key, providing attackers with the necessary information for session hijacking.

If any suggestions for this article.Please! Comment in the comment section.

The post What is Session Hijacking ? what are the methods ? appeared first on Vednam.