wisemonkeys logo
FeedNotificationProfileManage Forms
FeedNotificationSearchSign in
wisemonkeys logo

Blogs

SESSION HIJACKING

profile
42_Ramesh Yadav
Sep 14, 2023
0 Likes
0 Discussions
81 Reads

What is a Session?

A session is a series of interactions that take place within a single connection between two communication endpoints. A web application does not require authentication for every click since, HTTP is stateless, which means designers need to automate tracking the state of multiple connections from the same user. When a user logs into an application, a session is created on the server to ensure subsequent requests are synchronized.

The application uses sessions to keep track of parameters that are unique to the user. As long as the logged-in user remains, the session is kept “alive” on the server. After a certain period of inactivity, a session is destroyed immediately upon the user logging out of the system. Data belonging to the user should be deleted from the allocated memory space whenever a session terminates.

What is Session Hijacking?

An attacker hijacks a user session to gain control over it. A session starts when you log in and out of a service, like your bank’s application. A cookie hijack or cookie side-jacking is an attack that relies on an attacker knowing your session cookie. Session hijacking is commonly associated with web browsers and web applications, yet it can happen with any application.

Difference Between Session Hijacking And Spoofing

Session hijacking and spoofing are closely related, but the timing of their attacks differs. Session hijacking occurs when an attacker hijacks a user’s login and authentication credentials. And from the victim’s point of view, it often results in unpredictability or crashes of the targeted application.

When spoofing occurs, attackers use stolen or counterfeit tokens to initiate a new session that appears to be set by the original user.

Session Hijacking Techniques

To hijack a user’s session, an attacker can use several techniques, depending on the attacker’s position. Examples of session hijack attacks include:

Cross-site scripting session hijacking (XSS):-

When an attacker exploits vulnerabilities within a server or application, he injects Java scripts into a user’s web page, causing the browser to run arbitrary code. Moreover, injected scripts will be able to access your session key if the server does not set HTTP. Only in session cookies, thus, giving attackers the information required for session hijacking.

Session Side Jacking:-

An attacker can intercept the session cookies of a user after he or she authenticates them by using packet sniffing. By using SSL/TLS only for its login pages, the website takes the easy route and the attacker can steal the session key and impersonate the user to operate the web application.

Generally, this happens with an unsecured WiFi Hotspot, as the attacker can access the network, monitor the traffic, and then set up their access points to conduct the attack.

Session Fixing:-

Using a session key, attackers gain access to the server by spoofing the user’s credentials. Due to stateless protocols, there is a threat of session hijacking. It is these limitations that make the protocols vulnerable to attacks.

An SSL connection uses Secure Sockets Layers, which protect any personal information required to pass between the two systems. Thus, it reduces the risk of criminals reading and modifying the messages sent over the internet. Transport Layer Security (TLS) is simply an updated, more secure version of SSL.

How can an Attacker take Advantage of a Successful Session Hijack?

After the attacker has gained access, they can perform any actions authorized by the original user while the session is active. If the targeted application involves financial theft, the attacker may demand ransom to release data from the encrypted form, steal the users’ sensitive personal information from company systems, or steal money directly from their bank account.

In large organizations, cookies may be used to identify authenticated users within SingleSign-on (SSO) Systems. An attacker who successfully hijacks a session can gain access to various web applications, from financial databases and customer records to line-of-business applications containing valuable intellectual property.

When you log in using your Facebook account, or Google account, there are more safeguards in place, meaning that hijacking a session cookie won’t be enough to hijack your session.

Session Hijacking Example

Sessions are attacks that exploit data leaks in TLS request compression ratios. The attackers could then use the login cookies to hijack the user’s session. An organization known as CRIME used session hijackers to breach an organization’s website in September 2012.

After hijacking the website’s session by decrypting HTTPS cookies and logging in as users with brute force, CRIME was able to siphon off an enormous amount of data.


Comments ()


Sign in

Read Next

UniProcessor Scheduling

Blog banner

Is Pursuing a Dance Career in India Worth it?

Blog banner

Modern Operating Systems.

Blog banner

How to Add Super Seeds to Your Everyday Meals: Easy & Healthy Ideas

Blog banner

Health is Wealth

Blog banner

Cloud Computing: Threats and Vulnerabilities

Blog banner

Deadlock and Starvation

Blog banner

Privacy-Enhancing Computation Techniques

Blog banner

Swiggi

Blog banner

WHAT IS TWITTER AND HOW DOES IT WORK

Blog banner

Types of E-Commerce

Blog banner

Dal Bafla Recipe

Blog banner

Memory Partitioning

Blog banner

Session Hijacking

Blog banner

Memory input output management

Blog banner

differentiate thinking humanly and rationally

Blog banner

Deadlock and Starvation

Blog banner

Ransomware

Blog banner

Some facts about Technology

Blog banner

Understanding Regression Analysis

Blog banner

Hypothesis Testing in Data Science

Blog banner

Business Intelligence v/s Big Data

Blog banner

Zomato's Secret Digital Marketing Techniques!

Blog banner

THE ROLE OF CYBER FORENSICS IN CRIMINOLOGY

Blog banner

Cyber-crime Investigation and Future Directions

Blog banner

The Evolution of the Microprocessor ~ Aditya Pai

Blog banner

Data Visualization – Importance and tools (Tableau, Power BI)

Blog banner

26/11 The Black Day Of Mumbai

Blog banner

Privacy LAWs in IT

Blog banner

Different types of scam Fraud

Blog banner

Memory Hierarchy

Blog banner

Pilgrimage at LOC: A privilege and a paradox

Blog banner

PERSONALITY DEVELOPMENT

Blog banner

Shoulders

Blog banner

Multicore and Multithreading

Blog banner

Video games

Blog banner

STARVATION

Blog banner

Process and Threading

Blog banner

The Bold Digital Marketing Moves That Made Durex India’s Second-Largest Condom Brand

Blog banner

ZOHO

Blog banner

How to Manage Employees and Tasks in One System (Without Excel)

Blog banner

Is Social Media Marketing The Next Wave Of Digital Marketing?

Blog banner