Although any computer session could be hijacked, session hijacking most commonly applies to browser sessions and web applications. The attack relies on the attacker’s knowledge of the victim’s session cookie and is also called cookie hijacking or cookie side-jacking.
In most cases, when you log into a web application the server sets a temporary session cookie in your browser to remember that you are currently logged in and authenticated. HTTP is a stateless protocol, and a session cookie sent in the Cookie header of every subsequent HTTP request is the most popular way for the server to identify your browser and your current session.
To perform session hijacking, an attacker needs to know the victim’s session ID (session key). This can be obtained by stealing the session cookie or persuading the user to click a malicious link containing a prepared session ID. In both cases, after the user is authenticated on the server, the attacker can take over (hijack) the session by using the same session ID for their own browser session. The server is then fooled into treating the attacker’s connection as the original user’s valid session.
What Can Attackers Do After Successful Session Hijacking?
If successful, the attacker can then perform any actions that the original user is authorized to do during the active session. Depending on the targeted application, this may mean transferring money from the user’s bank account, posing as the user to buy items in web stores, accessing detailed personal information for identity theft, stealing clients’ personal data from company systems, encrypting valuable data and demanding ransom to decrypt them – and all sorts of other unpleasant consequences.
One particular danger for larger organizations is that cookies can also be used to identify authenticated users in single sign-on systems (SSO). This means that a successful session hijack can give the attacker SSO access to multiple web applications, from financial systems and customer records to line-of-business systems potentially containing valuable intellectual property. For individual users, similar risks also exist when using external services to log into applications, but due to additional safeguards when you log in using your Facebook or Google account, hijacking the session cookie generally won’t be enough to hijack the session.
What Is the Difference Between Session Hijacking and Session Spoofing?
While closely related, hijacking and spoofing differ in the timing of the attack. As the name implies, session hijacking is performed against a user who is currently logged in and authenticated, so from the victim’s point of view the attack will often cause the targeted application to behave unpredictably or crash. With session spoofing, attackers use stolen or counterfeit session tokens to initiate a new session and impersonate the original user, who might not be aware of the attack.
What Are the Main Methods of Session Hijacking and How Do They Work?
Attackers have many options for session hijacking, depending on the attack vector and the attacker’s position. The first broad category is attacks focused on intercepting cookies:
For example, attackers may distribute emails or IM messages with a specially crafted link pointing to a known and trusted website but containing HTTP query parameters that exploit a known vulnerability to inject script code. For an XSS attack used for session hijacking, the code might send the session key to the attacker’s own website, for instance:
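The server-side countermeasures to both paths described above (a stolen cookie, and a session ID planted through a crafted link) are an unguessable ID, rotation of the ID at login, server-side invalidation, and protective cookie attributes. The following is an added example written for this page, not code from the original article; the `SessionStore` class, the `IDLE_TIMEOUT` value and the `sid` cookie name are assumptions.

```python
import secrets
from typing import Dict, Optional

IDLE_TIMEOUT = 15 * 60  # assumed: seconds of inactivity after which a session dies


class SessionStore:
    """Server-side session table keyed by an unguessable session ID (assumed design)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def start_anonymous(self, now: float) -> str:
        # 256 bits from the CSPRNG: the ID cannot be guessed or enumerated.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": now}
        return sid

    def lookup(self, sid: Optional[str], now: float) -> Optional[dict]:
        # Only IDs this server issued are honoured. An ID planted through a
        # crafted link (session fixation) is unknown here and is ignored.
        sess = self._sessions.get(sid) if sid else None
        if sess is None:
            return None
        if now - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]  # a stale ID is useless even if it was stolen
            return None
        sess["last_seen"] = now
        return sess

    def login(self, presented_sid: Optional[str], user: str, now: float) -> str:
        # Rotate the ID on authentication: whatever ID the client showed up
        # with is discarded before any privileges attach to a session.
        if presented_sid in self._sessions:
            del self._sessions[presented_sid]
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def logout(self, sid: str) -> None:
        # Invalidate server-side so a copied cookie stops working immediately.
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    # HttpOnly keeps script from reading the cookie, Secure keeps it off
    # plaintext HTTP, SameSite stops browsers attaching it to cross-site requests.
    return f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
```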
Akshobh Giridharadas
Given the prevalence of security breaches today, IT admins need to be on their toes when it comes to keeping their organization’s identities safe. By law, many companies are required to comply with certain regulations which are considered security baselines. As such, some wonder, “Can compliance stem security breaches?” It’s a question that ultimately affects everyone in an organization.
Doctors who treated the victims of a military test explosion have accused Russian authorities of carelessly exposing them to radiation and then forcing them to keep silent.
Cybersecurity and digital forensics are instrumental in creating effective defense, analysis and investigation of cybercrime. While both focus on the protection of digital assets, they come at it from two different angles.
A core security challenge confronts just about every company today.
Alireza Miryousefi
TechCrunch has learned of a safety issue and a number of product reliability questions being raised about a modular computer made by a London edtech startup that’s intended for children to learn coding and electronics.
New study reveals 42 percent of organisations are concerned about cloud security but many fail to carry out any security testing on the environment
There is a deepening awareness that cyberthreats can never be eliminated completely, and digital resilience is an absolute necessity – and this is true for both private and public sector organizations and agencies. With this understanding, the UK Government created its G-Cloud Framework, which has transformed the way that public sector organizations can purchase information and communications technology in order to better build secure digital foundations. The program allows public bodies to buy commodity-based, pay-as-you-go cloud services through government-approved, short-term contracts via the Digital Marketplace. This procurement process supports the UK Government’s Cloud First policy, as well as its desire to achieve a “Cloud Native” digital architecture.
A lack of visibility into the app could expose business users to compliance risks and security threats, the company says.
When Mike Fitzsimmons went out to raise his seed round, he negotiated with all the usual suspects. The second-time founder needed a few million to get his cloud SaaS hiring tool, Crosschq, off the ground. And as a repeat CEO, he had options.
Alex Williams is the founder and publisher of The New Stack, which publishes explanations and analysis of at-scale, distributed technologies for developers, DevOps and other IT professionals.
Once considered the most boring of topics, enterprise software is now getting infused with such energy that it is arguably the hottest space in tech.
Written by Shannon Vavra
U.S. Army Cyber Command could soon have a new identity.
A Russian security researcher, Vasily Kravets, has found a second zero-day vulnerability in the Steam gaming platform, in a span of two weeks. The researcher said he reported the first Steam zero-day vulnerability earlier in August, to its parent company, Valve, and tried to have it fixed before public disclosure. However, “he said he couldn’t do the same with the second because the company banned him from submitting further bug reports via its public bug bounty program on the HackerOne platform,” ZDNet reports.
When Airbnb hosts sign up with the service to let people stay at their homes, the company takes an important step to protect their privacy and safety: Their exact address isn’t publicly listed, and is only shared with people who actually book a stay with them.
Harry had been raising hell for about ten minutes already. He had a habit of finding fault in everything, from the signature in a letter not following the template to papers being stacked improperly. But today, in fairness, his complaints had some merit: John had failed to send a draft report yesterday. Nevertheless, he didn’t have to yell. After all, no one would have been around to open it the previous evening.
As I didn’t get to attend Blackhat, BsidesLV, Defcon this year, I’ve been reading up on writeups from people that did attend to catch up on all the good knowledge that was shared.