What Is Session Hijacking: Your Quick Guide to Session Hijacking Attacks

Although any computer session could be hijacked, session hijacking most commonly applies to browser sessions and web applications. The attack relies on the attacker’s knowledge of the victim’s session cookie and is also called cookie hijacking or cookie side-jacking.

In most cases when you log into a web application, the server sets a temporary session cookie in your browser to remember that you are currently logged in and authenticated. HTTP is a stateless protocol and session cookies attached to every HTTP header are the most popular way for the server to identify your browser or your current session.

To perform session hijacking, an attacker needs to know the victim’s session ID (session key). This can be obtained by stealing the session cookie or persuading the user to click a malicious link containing a prepared session ID. In both cases, after the user is authenticated on the server, the attacker can take over (hijack) the session by using the same session ID for their own browser session. The server is then fooled into treating the attacker’s connection as the original user’s valid session.

Note: The related concept of TCP session hijacking is not relevant when talking about attacks that target session cookies. This is because cookies are a feature of HTTP, which is an application-level protocol, while TCP operates on the network level. The session cookie is an identifier returned by the web application after successful authentication, and the session initiated by the application user has nothing to do with the TCP connection between the server and the user’s device.

What Can Attackers Do After Successful Session Hijacking?

If successful, the attacker can then perform any actions that the original user is authorized to do during the active session. Depending on the targeted application, this may mean transferring money from the user’s bank account, posing as the user to buy items in web stores, accessing detailed personal information for identity theft, stealing clients’ personal data from company systems, encrypting valuable data and demanding ransom to decrypt them – and all sorts of other unpleasant consequences.

One particular danger for larger organizations is that cookies can also be used to identify authenticated users in single sign-on systems (SSO). This means that a successful session hijack can give the attacker SSO access to multiple web applications, from financial systems and customer records to line-of-business systems potentially containing valuable intellectual property. For individual users, similar risks also exist when using external services to log into applications, but due to additional safeguards when you log in using your Facebook or Google account, hijacking the session cookie generally won’t be enough to hijack the session.

What Is the Difference Between Session Hijacking and Session Spoofing?

While closely related, hijacking and spoofing differ in the timing of the attack. As the name implies, session hijacking is performed against a user who is currently logged in and authenticated, so from the victim’s point of view the attack will often cause the targeted application to behave unpredictably or crash. With session spoofing, attackers use stolen or counterfeit session tokens to initiate a new session and impersonate the original user, who might not be aware of the attack.

What Are the Main Methods of Session Hijacking and How Do They Work?

Attackers have many options for session hijacking, depending on the attack vector and the attacker’s position. The first broad category are attacks focused on intercepting cookies:

  • Cross-site scripting (XSS): This is probably the most dangerous and widespread method of web session hijacking. By exploiting server or application vulnerabilities, attackers can inject client-side scripts (typically JavaScript) into web pages, causing your browser to execute arbitrary code when it loads a compromised page. If the server doesn’t set the HttpOnly attribute in session cookies, injected scripts can gain access to your session key, providing attackers with the necessary information for session hijacking.

For example, attackers may distribute emails or IM messages with a specially crafted link pointing to a known and trusted website but containing HTTP query parameters that exploit a known vulnerability to inject script code. For an XSS attack used for session hijacking, the code might send the session key to the attacker’s own website, for instance:


Can Compliance Stem Security Breaches?

Given the prevalence of security breaches today, IT admins need to be on their toes when it comes to keeping their organization’s identities safe. By law, many companies are required to comply with certain regulations which are considered security baselines. As such, some wonder, “Can compliance stem security breaches?” It’s a question that ultimately affects everyone in an organization. 

Veracode Now Available on the Digital Marketplace G-Cloud UK

There is a deepening awareness that cyberthreats can never be eliminated completely, and digital resilience is an absolute necessity – and this is true for both private and public sector organizations and agencies. With this understanding, the UK Government created its G-Cloud Framework, which has transformed the way that public sector organizations can purchase information and communications technology in order to better build secure digital foundations. The program allows public bodies to buy commodity-based, pay-as-you-go cloud services through government-approved, short-term contracts via the Digital Marketplace. This procurement process supports the UK Government’s Cloud First policy, as well as its desire to achieve a “Cloud Native” digital architecture.

The fight for seed

When Mike Fitzsimmons went out to raise his seed round, he negotiated with all the usual suspects. The second-time founder needed a few million to get his cloud SaaS hiring tool, Crosschq, off the ground. And as a repeat CEO, he had options.

Enterprise software is hot — who would have thought?

Alex Williams is the founder and publisher of The New Stack, which publishes explanations and analysis of at-scale, distributed technologies for developers, DevOps and other IT professionals. More posts by this contributor

Once considered the most boring of topics, enterprise software is now getting infused with such energy that it is arguably the hottest space in tech.

Security researcher publicly releases second Steam zero-day after being banned from Valve’s bug bounty program

A Russian security researcher, Vasily Kravets, has found a second zero-day vulnerability in the Steam gaming platform, in a span of two weeks. The researcher said he reported the first Steam zero-day vulnerability earlier in August, to its parent company, Valve, and tried to have it fixed before public disclosure. However, “he said he couldn’t do the same with the second because the company banned him from submitting further bug reports via its public bug bounty program on the HackerOne platform,” ZDNet reports.

The People Paid to Dox Airbnb Addresses

When Airbnb hosts sign up with the service to let people stay at their homes, the company takes an important step to protect their privacy and safety: Their exact address isn’t publicly listed, and is only shared with people who actually book a stay with them.

How a simple office prank can lead to serious damage

Harry had been raising hell for about ten minutes already. He had a habit of finding fault in everything, from the signature in a letter not following the template to papers being stacked improperly. But today, in fairness, his complaints had some merit: John had failed to send a draft report yesterday. Nevertheless, he didn’t have to yell. After all, no one would have been around to open it the previous evening.

Rocking IT

As I didn’t get to attend Blackhat, BsidesLV, Defcon this year, I’ve been reading up on writeups from people that did attend to catch up on all the good knowledge that was shared.