What is Session Hijacking?
A session is the period of time when you as a user are actively accessing an application, website, or other online service. Each user session begins when you log into a website or app and ends when you log out of it. For example, when you type your username and password into a banking application, that begins your session on that online application.
When you log into an online application, for example amazon.com, the server typically generates a temporary session cookie in your browser. This cookie tells the server that you have already been authenticated by Amazon, so you are treated as logged in. Each temporary session cookie is marked by a unique session ID, or key. If a hacker is able to obtain your unique session ID, they can take over your session.
Let us take the example of Facebook.
For example, when you log into Facebook, a session begins. This allows you to keep using Facebook (even if you close and reopen the web browser) until you click on ‘log out’ and end the session.
If the session wasn’t created, you would need to keep logging in every time you wanted new data. For example, if you wanted to leave your Facebook news feed and view a friend’s profile page, you will be logged out of Facebook and would need to enter your credentials again to log in and view the friend’s profile.
This is why sessions are needed. It keeps you logged in so that you can continue to browse through different web pages and navigate the website.
What’s important to note here is that every session generates a set of cookies. We can call these session cookies, and each session cookie carries a unique session ID. Cookies store all sorts of information, from a customer’s ad preferences to login credentials and credit card information. Cookies are used widely across the internet, and it’s scary just how often they get stolen. That’s why session hijacking is also called “cookie hijacking.”
Session Hijacking can follow several patterns.
One method, cross-site scripting, or XSS, essentially works like this. An attacker injects a script into a page served by the web server the victim is trying to access. The victim then authenticates to the tampered-with server and receives a unique session ID, and the page the server returns carries the attacker’s script along with it. The victim’s own browser executes that script, which sends the victim’s unique session cookie to the attacker. The attacker is then able to enter the user’s session, meaning they can witness any interaction taking place there and steal any sensitive information revealed during the session.
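The XSS vector described above works only if user-controlled text reaches the page as live markup. As an added illustration (not code from the article), the following Python snippet shows a page fragment built unsafely beside its hardened form, where output escaping with the standard library’s html.escape turns the injected tag into inert text. The greeting function names and the sample input are constructed for this example.

```python
import html

# Constructed sample input: a display name that contains markup.
CONSTRUCTED_INPUT = '<script>alert("xss")</script>'


def render_greeting_unsafe(display_name: str) -> str:
    # Vulnerable: user-controlled text is interpolated straight into HTML,
    # so a name containing a <script> tag becomes code the browser runs.
    return f"<p>Welcome back, {display_name}!</p>"


def render_greeting_safe(display_name: str) -> str:
    # Hardened: html.escape converts <, >, &, " and ' into entities, so the
    # browser renders the text literally instead of executing it.
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}!</p>"


def contains_live_script(rendered_html: str) -> bool:
    # Simple check used by this demo: an unescaped <script tag survived.
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    print(render_greeting_unsafe(CONSTRUCTED_INPUT))  # tag intact: would execute
    print(render_greeting_safe(CONSTRUCTED_INPUT))    # tag escaped: plain text
```

Escaping at output time neutralises the injection itself; the HttpOnly cookie attribute discussed later in this article limits the damage when an injection slips through, because the script cannot read the session cookie even if it runs.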
Malvertising is another current “hot” technique. It induces a victim to click on an ad carrying malicious code that snags the session ID, thus granting the hacker the victim’s unique session key. Here again, the victim is authenticated on the server and the hacker can hijack the victim’s session. All the attacker has to do is present the victim’s session ID from their own browser, tricking the server into treating the hacker’s connection as the victim’s already authenticated session.
There is a flood of session-hijacking attacks out there, particularly in these times of Covid-19. Most users now prefer to make their purchases on online platforms, and they go on shopping sprees to buy items and gifts during the festival and holiday periods of the year.
Many, in fact millions, of employees are staying at home and working remotely. Frequently they collaborate using services such as Zoom for official meetings. As the office meeting has been replaced with video conference calls, session hijackers have managed to get in on the action, giving rise to a whole new type of attack: Zoombombing. Those who don’t implement cybersecurity best practices run the risk of losing session control. Once a hacker has gained remote control of a conference call attendee’s desktop, they can kick out other call attendees, impersonate users to write unwanted messages, end meetings, and more.
How to avoid Session Hijacking if you are a user?
1. First of all, avoid logging into secure sites on PUBLIC NETWORKS (e.g. coffee shops, restaurants, airports, etc.). Public Wi-Fi networks are especially vulnerable to “session sniffing,” in which hackers intercept web traffic, seeking out and recording cookies as they appear on the network connection. Plus, because so many people share the same network, public Wi-Fi is harder to secure.
2. Next, employ a quality ad blocker on your browser and devices to prevent ads that may contain malicious software and links. Browser-extension ad blockers protect your web browser, while standalone ad blockers intercept potentially malicious content before it enters any stream on your device, thereby protecting your entire system.
3. Then, regenerate your session ID after you log in. Hackers can often use “brute force” to try to access your unique session key. This can sometimes be accomplished simply by guessing; session IDs often contain easy-to-predict numerical chains, such as your IP address and the time and date of login. By changing your session ID after login, you can confuse and frustrate attempts at access.
4. You can clear your cookies regularly to get rid of any sensitive information stored in browsers like Google Chrome.
5. Only accept session IDs from trusted servers. Time out inactive sessions, ensuring that you don’t stay logged in for longer than you need to. And, importantly, log out of your session when you are done.
6. A personal VPN can also be used to encrypt all of your traffic, not just the traffic to the web server.
COUNTERMEASURES FOR A SECURITY PROFESSIONAL
However, if you are a cybersecurity professional, then you should deploy the following countermeasures to stop Session Hijacking:
1. End-to-end encryption between the user’s browser and the web server using HTTPS (SSL/TLS), which prevents unauthorized access to the session ID. Without SSL, this data (the cookies) is sent in plain text. If a hacker intercepts it, they can simply read it, so if it contains login credentials, they will be exposed. SSL (Secure Sockets Layer) encrypts the data before it is transferred, so even if a hacker manages to steal it, they can’t read it. Preferably, use HSTS (HTTP Strict Transport Security) to guarantee that all connections are encrypted.
2. Set the HttpOnly attribute using the Set-Cookie HTTP header to prevent access to cookies from client-side scripts. This blunts XSS and other attacks that rely on injecting JavaScript into the browser. Specifying the Secure and SameSite attributes is also recommended for additional security.
3. Web servers can generate long and random session cookies, which reduces the chances of an adversary guessing or predicting what a session cookie could be.
4. Session ID monitors can also be used to monitor if these IDs are being used, and utilities such as Blacksheep can be used to send fake session IDs to the network and monitor if an intruder is trying to use the session ID.
5. There should be an automatic log-off when a session is no longer in use, and the client should be required to re-authenticate and receive a different session ID. Additionally, the server can direct the client to delete the session cookie from the client’s computer, minimizing the amount of time a session cookie is exposed on the network.
6. Install the right kind of security plugin on your website. For example, you can keep a security plugin such as MalCare active on your website if it is built on the WordPress platform. These will prevent hack attempts on your website and block malicious IP addresses.
7. You must scan your site regularly and get alerted if any malicious code has been entered by a hacker therein. You can clean up your website instantly. This will help you detect and delete such hack attempts immediately before they cause any harm.
8. Always keep your website up to date; this includes the WordPress/Joomla/Drupal/Magento installation, themes, and plugins. Running outdated software opens many vulnerable spots on your website that hackers can exploit. Update your site as soon as a new release is available. These updates not only carry new features and bug fixes but also fix security flaws from time to time. These web frameworks offer highly secure and well-tested session ID generation and management mechanisms. Use them instead of inventing your own session management.
9. Regenerate the session key after initial authentication. This causes the session key to change immediately after authentication, which nullifies session fixation attacks – even if the attacker knows the initial session ID, it becomes useless before it can be used.
10. Perform additional user identity verification beyond the session key. This means using not just cookies, but also other checks, such as the user’s usual IP address or application usage patterns. The downside of this approach is that any false alarms can be inconvenient or annoying to legitimate users. A common additional safeguard is a user inactivity timeout to close the user session after a set idle time.
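Several of the countermeasures above (long random session IDs, regeneration at login against session fixation, idle and absolute timeouts, deleting the cookie on logout, the HttpOnly/Secure/SameSite attributes, and HSTS) fit together in one piece of server-side session handling. The following Python sketch is an added example, not code from the article or from any framework or product it names; it uses only the standard library. The in-memory store, the cookie name, the timeout values and the helper names are assumptions for illustration. The audit function at the end is the check a reviewer would run over a captured Set-Cookie header to see which hardening attributes are missing.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Policy values below are assumptions for this example, not figures from the article.
SESSION_ID_BYTES = 32                 # 256 bits of randomness per session ID
IDLE_TIMEOUT_SECONDS = 15 * 60        # automatic log-off after 15 idle minutes
ABSOLUTE_TIMEOUT_SECONDS = 8 * 3600   # hard cap on the lifetime of any session
COOKIE_NAME = "sid"                   # hypothetical cookie name
HSTS_HEADER = "Strict-Transport-Security: max-age=31536000; includeSubDomains"


@dataclass
class Session:
    user: Optional[str]   # None until the user has authenticated
    created_at: float
    last_seen: float


class SessionStore:
    """Server-side session table kept in memory (hypothetical; a real
    deployment would back this with a database or cache)."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock                        # injectable so tests can fake time
        self._sessions: Dict[str, Session] = {}

    def create(self, user: Optional[str] = None) -> str:
        # Long, unpredictable ID from the OS CSPRNG: nothing derived from the
        # IP address, login time or a counter that an attacker could guess.
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        now = self._clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def lookup(self, sid: str) -> Optional[Session]:
        # Returns the live session, or None if the ID is unknown or expired.
        # Expired sessions are deleted, so a stolen ID stops working on its own.
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if (now - s.last_seen > IDLE_TIMEOUT_SECONDS
                or now - s.created_at > ABSOLUTE_TIMEOUT_SECONDS):
            self.destroy(sid)
            return None
        s.last_seen = now
        return s

    def login(self, presented_sid: Optional[str], user: str) -> str:
        # Regenerate on authentication: whatever ID the browser held before
        # login (possibly planted by a fixation attack) is discarded, never
        # upgraded to an authenticated session.
        if presented_sid is not None:
            self.destroy(presented_sid)
        return self.create(user)

    def logout(self, sid: str) -> None:
        self.destroy(sid)

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    # HttpOnly: page scripts cannot read it (limits XSS theft).
    # Secure: never sent over plain HTTP. SameSite=Lax: not attached to
    # cross-site POST requests. Max-Age bounds how long the browser keeps it.
    return (f"Set-Cookie: {COOKIE_NAME}={sid}; Path=/; "
            f"Max-Age={ABSOLUTE_TIMEOUT_SECONDS}; HttpOnly; Secure; SameSite=Lax")


def clear_cookie_header() -> str:
    # Sent on logout so the browser deletes the cookie immediately.
    return f"Set-Cookie: {COOKIE_NAME}=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax"


def audit_set_cookie(header: str) -> List[str]:
    """Return the hardening attributes missing from a Set-Cookie header or
    value, e.g. 'sid=abc; Path=/' -> ['HttpOnly', 'Secure', 'SameSite']."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    present = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return [a for a in ("HttpOnly", "Secure", "SameSite") if a.lower() not in present]


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()              # pre-login session, e.g. a shopping cart
    sid = store.login(anon, "alice")   # fresh ID issued at authentication
    print(set_cookie_header(sid))
    print(HSTS_HEADER)
    print("old id still valid:", store.lookup(anon) is not None)   # False
    store.logout(sid)
    print(clear_cookie_header())
```

The clock is injected rather than read from time.time directly so the timeout behaviour can be exercised deterministically; the same pattern lets a production store be tested without sleeping. Note that regeneration destroys the old ID rather than renaming it, which is what actually defeats fixation: an attacker who planted the pre-login ID is left holding a dead key.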
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so passionate about the cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about cybersecurity on her website and social media platforms.
34,000+ professionals are following her on Facebook and mesmerized by the quality of content of her posts on Facebook.