Session hijacking relies, in part, on many of the prerequisites needed to successfully sniff a network. For instance, session hijacking attacks increase in complexity for external and switched networks. In other words, sitting on the local LAN (for example, as a disgruntled employee) is a much better strategic position for an attack than sitting outside the gateway. Aside from its relationship with sniffing, let’s take a look at methods you can use to help prevent session hijacking:
- Encrypting network traffic is a viable and effective preventive technique against hijacking attacks, both from internal and external sources.
- Using network-monitoring appliances such as an IPS or IDS can help in detecting and preventing network anomalies such as ARP broadcast traffic. These anomalies can be indicators of potential session hijacking attacks in progress.
- Configure the appropriate appliances, such as gateways, to check and filter for spoofed client information such as IP addresses.
- Be aware of local browser vulnerabilities such as extended history logs and cookies. Clearing temporary browsing information can help in preventing the use of old session IDs.
- Stronger authentication systems such as Kerberos will provide protection against hijacking.
- The use of technologies such as IPSec and SSL will also provide protection against hijacking.
- Defense-in-depth, or the use of multiple defensive technologies to slow or deter an attacker, provides protection as well.
Pen testing to discover vulnerability to session hijacking depends on the defensive strategies of the client. Encryption should be implemented for sensitive network traffic to resources such as servers. Additionally, implementing policies that limit the generation of unique session tokens to intranet resources can reduce the probability of an attacker’s stealing an active session. Putting protective network appliances such as IPSs and IDSs to the test exposes critical weaknesses in identifying and preventing successful session hijacking attempts.