You can categorize a session hijacking attack as either an active attack or a passive attack. Let’s look at both.
Active Attack A session hijacking attack is considered active when the attacker assumes the session as their own, thereby taking over the legitimate client’s connection to the resource. In an active attack the attacker is actively manipulating and/or severing the client connection and fooling the server into thinking they are the authenticated user. Additionally, active attacks usually involve a DoS result on the legitimate client. In other words, they get bumped off and replaced by the attacker. Figure 1 shows what this kind of attack looks like.
F I G U R E 1. Active attack
Passive Attack A passive attack focuses on monitoring the traffic between the victim and the server. This form of hijacking uses a sniffer utility to capture and monitor the traffic as it goes across the wire. A passive attack doesn’t “molest” the session in any way. Unlike an active attack, the passive attack sets the stage for future malicious activity. An attacker has a strategically advantageous position when in a passive session hijack; they can successfully capture and analyzeb all victim traffic, and progress to an active attack position with relative ease. Figure 2 shows a passive attack.
F I G U R E 2. Passive attack