Session hijacking, also known as TCP session hijacking, is a method of taking over a web user session by surreptitiously obtaining the session ID and masquerading as the authorized user. Once the user's session ID has been accessed, the attacker can masquerade as that user and do anything the user is authorized to do on the network.

One of the most valuable byproducts of this type of attack is the ability to gain access to a server without having to authenticate to it. Once the attacker hijacks a session, they no longer have to worry about authenticating to the server as long as the communication session remains active. The attacker enjoys the same server access as the compromised user because the user has already authenticated to the server prior to the attack.


What is a session?

HTTP is stateless, so application designers had to develop a way to track the state between multiple connections from the same user, instead of requesting the user to authenticate upon each click in a web application. A session is a series of interactions between two communication endpoints that occurs during the span of a single connection. When a user logs into an application, a session is created on the server in order to maintain the state for other requests originating from the same user.


Applications use sessions to store parameters that are relevant to the user. The session is kept "alive" on the server as long as the user is logged on to the system. The session is destroyed when the user logs out from the system or after a predefined period of inactivity. When the session is destroyed, the user's data should also be deleted from the allocated memory space.

A session ID is an identification string (usually a long, random, alphanumeric string) that is transmitted between the client and the server. Session IDs are commonly stored in cookies, URLs and hidden fields of web pages.

Besides the useful functionality of session IDs, there are several security problems associated with them. Many of the popular websites use algorithms based on easily predictable variables, such as time or IP address, in order to generate the session IDs, causing their session IDs to be predictable. If encryption is not used (typically SSL), session IDs are transmitted in the clear and are susceptible to eavesdropping.

How does session hijacking work?

The most common techniques for carrying out session hijacking are session sniffing, predictable session token ID, man in the browser, cross-site scripting, session sidejacking, and session fixation.

Session sniffing. This is one of the most basic techniques used with application-layer session hijacking. The attacker uses a sniffer, such as Wireshark, or a proxy, such as OWASP Zed, to capture network traffic containing the session ID between a website and a client. Once the attacker captures this value, he can use this valid token to gain unauthorized access.

Predictable session token ID. Many web servers use a custom algorithm or predefined pattern to generate session IDs. The greater the predictability of a session token, the weaker it is and the easier it is to predict. If the attacker can capture several IDs and analyze the pattern, he may be able to predict a valid session ID.

Cross-site scripting. Cybercriminals exploit server or application vulnerabilities to inject client-side scripts into web pages. This causes the browser to execute arbitrary code when it loads a compromised page. If HttpOnly isn't set in session cookies, cybercriminals can gain access to the session key through injected scripts, giving them the information they need for session hijacking.

Session sidejacking. Cybercriminals can use packet sniffing to monitor a victim's network traffic and intercept session cookies after the user has authenticated on the server. If TLS encryption is only used for login pages and not for the entire session, cybercriminals can hijack the session and act as the user within the targeted web application.

Session fixation attacks. This technique steals a valid session ID that has yet to be authenticated. Then, the attacker tries to trick the user into authenticating with this ID. Once authenticated, the attacker now has access to the victim's computer. Session fixation exploits a limitation in the way the web application manages a session ID. Three common variations exist: session tokens hidden in a URL argument, session tokens hidden in a form field, and session tokens hidden in a session cookie.
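The session lifecycle described earlier (unpredictable IDs, destruction on logout or inactivity) and the session fixation defence of issuing a new ID at login can be combined in one small server-side store. This is an added example, not code from the original article; the class name, the 15-minute timeout and the in-memory dictionary are assumptions made for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # assumed value: seconds of inactivity before destruction


class SessionStore:
    """In-memory session table keyed by an unpredictable session ID."""

    def __init__(self, clock=time.monotonic):
        self._sessions = {}
        self._clock = clock

    def _new_id(self):
        # 32 bytes from the OS CSPRNG; nothing derived from time or IP address.
        return secrets.token_urlsafe(32)

    def create(self):
        """Start an anonymous (pre-login) session and return its ID."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock(), "data": {}}
        return sid

    def get(self, sid):
        """Return the live session for sid, or None if unknown or idle too long."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self._clock() - session["last_seen"] > IDLE_TIMEOUT:
            self.destroy(sid)
            return None
        session["last_seen"] = self._clock()
        return session

    def login(self, old_sid, user):
        """Authenticate: invalidate the pre-login ID and issue a fresh one.

        An ID planted before login (fixation) stops working here, and no
        pre-login data is carried into the authenticated session.
        """
        self.destroy(old_sid)
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "last_seen": self._clock(), "data": {}}
        return new_sid

    def destroy(self, sid):
        """Logout or timeout: remove the ID and the data stored under it."""
        self._sessions.pop(sid, None)
```
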

The session hijack attack is very stealthy. Session hijack attacks are usually waged against busy networks with a high number of active communication sessions. The high network utilization not only provides the attacker with a large number of sessions to exploit, but it can also provide the attacker with a shroud of protection due to a large number of active sessions on the server.

What Do Attackers Gain from Session Hijacking?

When cybercriminals have hijacked a session, they can do virtually anything that the legitimate user was authorized to do during the active session. The most severe examples include transferring money from the user's bank account, buying merchandise from web stores, accessing personally identifiable information (PII) for identity theft, and even stealing data from company systems.

What are some examples of session hijacking attacks?

In September 2012, security researchers Thai Duong and Juliano Rizzo announced CRIME, an attack that takes advantage of an information leak in the compression ratio of TLS requests as a side channel to enable them to decrypt the requests made by the client to the server. This, in turn, allows them to grab the user's login cookie and then hijack the user's session and impersonate her on high-value destinations such as banks or e-commerce sites.

The demonstration showed how an attacker might execute this attack to recover the headers of an HTTP request. Since HTTP headers contain cookies, and cookies are the primary vehicle for web application authentication (after login), this presents a significant attack.

CRIME decrypts HTTPS cookies set by websites to remember authenticated users by means of brute force. The attack code forces the victim's browser to send specially crafted HTTPS requests to a targeted website and analyzes the variation in their length after they've been compressed in order to determine the value of the victim's session cookie. This is possible because SSL/TLS uses a compression algorithm called DEFLATE, which eliminates duplicate strings, as we saw above.

The attack code can't read the session cookie included in the requests because of security mechanisms in the browser. However, it can control the path of every new request and can insert different strings into it in an attempt to match the value of the cookie.

Session cookie values can be quite long and are made up of uppercase letters, lowercase letters and digits. As a result, the CRIME attack code has to initiate a very large number of requests in order to decrypt them, which can take several minutes. However, the researchers have developed some algorithms that make the attack more efficient.

How to prevent session hijacking attacks

It is important to remember that it is possible for an attacker to steal and reuse session identifiers or other sensitive cookie values when they're stored or transmitted insecurely. While providing 100% protection can be difficult, encryption is the main defense. When a user authenticates, SSL and a secure cookie should be mandatory. When authenticated users visit one or more secure pages, they should continue to be forced to use HTTPS.
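One way to check these requirements is to audit an application's response headers for session cookies that lack Secure or HttpOnly, and for redirects that put the session ID in a URL or drop back to plain HTTP. This is an added example, not code from the original article; the cookie and parameter names in SESSION_NAMES and the sample headers are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed names an application might use for its session token.
SESSION_NAMES = {"sessionid", "sid", "phpsessid", "jsessionid"}


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, set of lowercased attribute names)."""
    first, *attrs = value.split(";")
    name = first.split("=", 1)[0].strip()
    flags = {a.split("=", 1)[0].strip().lower() for a in attrs if a.strip()}
    return name, flags


def audit_response(headers):
    """Return findings for a list of (header-name, value) response headers."""
    findings = []
    for header, value in headers:
        h = header.lower()
        if h == "set-cookie":
            name, flags = parse_set_cookie(value)
            if name.lower() not in SESSION_NAMES:
                continue  # only session cookies are in scope here
            if "secure" not in flags:
                findings.append(f"{name}: missing Secure (can travel over plain HTTP)")
            if "httponly" not in flags:
                findings.append(f"{name}: missing HttpOnly (readable by page scripts)")
        elif h == "location":
            parts = urlsplit(value)
            params = {k.lower() for k in parse_qs(parts.query)}
            # ";jsessionid=..." path parameters also carry the ID in the URL.
            if params & SESSION_NAMES or ";jsessionid=" in parts.path.lower():
                findings.append("Location: session ID carried in the URL")
            if parts.scheme == "http":
                findings.append("Location: redirect downgrades to plain HTTP")
    return findings


# Constructed sample responses, not captured from any real site.
WEAK = [
    ("Set-Cookie", "sessionid=Zx91kQ; Path=/"),
    ("Location", "http://shop.example/cart?sid=Zx91kQ"),
]
HARDENED = [
    ("Set-Cookie", "sessionid=Zx91kQ; Path=/; Secure; HttpOnly"),
    ("Location", "https://shop.example/cart"),
]
```
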


Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) can also be very useful in defending your network from session hijack attacks. While implementing these devices can be difficult, the benefits far outweigh the steep implementation costs. IDS/IPS systems look at the data that enters the network and compare it to an internal database of known attack signatures. If the packet is matched against an entry in the IDS/IPS database, the IDS will generate an alert, and the IPS will block the traffic from entering the database.