Session hijacking is synonymous with a stolen session, in which an attacker intercepts and takes over a legitimately established session between a user and a host. The user-host relationship can apply to access of any authenticated resource, such as a web server, Telnet session, or other TCP-based connection. Attackers place themselves between the
user and host, thereby letting them monitor user traffic and launch specific attacks. Once a successful session hijack has occurred, the attacker can either assume the role of the legitimate user or simply monitor the traffic for opportune times to inject or collect specific packets to create the desired effect. Figure 1 illustrates a basic session hijack.
F I G U R E .1 Session hijack
In its most basic sense, a session is an agreed-upon period of time under which the connected state of the client and server are vetted and authenticated. This simply means that both the server and the client know (or think they know) who each other are, and based on this knowledge, they can trust that data sent either way will end up in the hands of the appropriate party.
If a session hijack is carried out successfully, what is the danger? Several events can take place at this point, including identity theft and data corruption. In other situations session hijacks have made for a perfect mechanism through which someone can sniff traffic or record transactions.
Understanding what constitutes a session makes it easy to see how session hijacking can be extremely effective when all supporting factors are set up correctly. Many of the prerequisite setup factors involved in session hijacking have already been discussed in previous chapters. For example, a specific form of hijacking involves using a sniffer both
prior to and during an attack.
An attacker carrying out a session hijack is seeking to take over a session for their own needs. Once they have taken over a session they can then go about stealing data, issuing commands, or even committing transactions that they wouldn’t be able to otherwise.
Session hijacks are easy to launch. TCP/IP is vulnerable, and most countermeasures, except for encryption, do not work. The following also contribute to the success of session hijacking:
■ No account lockout for invalid session IDs
■ Insecure handling
■ Weak session ID generation algorithm
■ Indefinite session expiration time
■ Cleartext transmission
■ Small session ID
Session hijacking typically can be broken down into one of three primary techniques:
Brute-Forcing an ID This is done by guessing an ID; usually the attacker already has some knowledge of the range of IDs available. The attacker may be aided by the use of HTTP referrers, sniffing, cross-site scripting, or malware.
Stealing an ID If they can manage it, an attacker will steal an ID by using sniffing or other means.
Calculating an ID An attacker will attempt to calculate a valid session ID simply by looking at an existing one and then figuring out the sequence.