In session hijacking (TCP hijacking), attackers steal a web user's active session by acquiring their unique session ID. This lets them impersonate the user, accessing data or performing actions as if they were the legitimate user. The breach disrupts the session and poses significant risks to personal and organizational data security.
A session hijacking attack allows bad actors to gain access to a server without authentication. After the session is hijacked, the attacker no longer needs to authenticate as long as the session remains active. This grants the attacker an equivalent level of server access as the compromised user, given that the user had previously undergone server authentication prior to the attack.
What is a session?
Because HTTP operates in a stateless manner, developers had to devise a method to maintain continuity across multiple connections by the same user, rather than prompting the user to authenticate with each interaction in a web application. This led to the concept of a "session," which represents a sequence of exchanges between two communication points within a single connection. When a user logs into an application, the server establishes a session to preserve the user's context for subsequent requests made by that user.
Applications use sessions to store user-specific parameters and information. These sessions remain active on the server for the duration of the user's login session. The session gets terminated when the user logs out or after a predefined period of user inactivity. Upon session termination, any user data stored in the allocated memory space should be removed as well.
A session ID is a unique identification code, typically a long, randomized alphanumeric string. It serves as a means of identifying the client to the server across requests. Session IDs are commonly stored in cookies, in URLs, and in hidden fields within web pages.
In addition to their practical uses, session IDs come with a set of security challenges. Frequently, websites generate session IDs using algorithms that rely on easily foreseeable factors like time or IP addresses. This predictability can lead to session IDs becoming guessable. Furthermore, when encryption, typically in the form of SSL, is not employed, session IDs are sent in an unencrypted format, making them vulnerable to interception by eavesdroppers.
How does session hijacking work?
Session hijacking is often executed by various methods, and some of the most common culprits include:
- Session Sniffing: One of the most basic methods for application layer session hijacking. Attackers employ sniffers (e.g. Wireshark) or proxies, such as the OWASP Zed Attack Proxy (ZAP), to intercept and "sniff" session data as it is transmitted between the user and the server. This allows them to capture the session token and, with it, the session.
- Predictable Session Token ID: When websites generate session token IDs using easily predictable patterns or variables, it becomes easier for attackers to guess or deduce these IDs, gaining unauthorized access.
- Man-in-the-Browser: This type of attack is similar to a man-in-the-middle attack but requires the initial infection of the victim's computer with a Trojan. Once installed, the malware waits for the victim to visit a targeted site. It can covertly modify transaction details and initiate additional transactions without the user's knowledge. Since the requests originate from the victim's device, detecting fraudulent requests becomes challenging for the web service.
- Cross-Site Scripting (XSS): The attacker takes advantage of weaknesses within web applications to inject malicious scripts into web pages visible to other users. This can result in the theft of session details and subsequent session hijacking.
- Session Sidejacking: In this scenario, attackers intercept session data while it's in transit, often exploiting weak encryption or lack of encryption to gain access to the user's session.
- Session Fixation: Attackers trick users into using a predetermined session ID, enabling them to take control of the session once the user logs in.
Session hijacking attacks are typically targeted at networks that experience heavy traffic, where numerous communication sessions are active simultaneously. The abundance of ongoing sessions not only offers the attacker a multitude of opportunities to carry out their exploits but can also provide a cloak of concealment for the attacker amidst the bustling activity on the server.
What Do Attackers Gain from Session Hijacking?
Once cybercriminals successfully hijack a session, they gain the capability to perform nearly all the actions that the legitimate user was permitted to do while their session was active. In the most severe cases, this can encompass activities like transferring funds from the user's bank account, making purchases on online stores, accessing personally identifiable information (PII) for identity theft, and even theft of data from a company's systems.
CRIME: Setting the stage for session hijacking attacks
In April 2022, The Recorded Future Platform detected a total of 14,905 instances where criminal underground posts made references to keywords such as "cookies," "session cookies," and "session hijacking" within the past year. Notably, it observed a consistent rise in the number of such references from April 2021 to April 2022.
In September 2012, security experts Thai Duong and Juliano Rizzo unveiled a technique known as CRIME. This attack cleverly exploits a vulnerability related to the compression ratio of TLS requests, serving as a side channel. By doing so, it grants them the ability to decipher the requests transmitted from the client to the server. Consequently, they gain access to the user's login cookie, enabling them to seize control of the user's session and assume the user's identity on critical platforms like banks or e-commerce websites.
The demonstration showed how an attacker could employ this method to retrieve the headers of an HTTP request. As HTTP headers store cookies, and cookies are the principal means of web application authentication, particularly post-login, this poses a substantial security threat.
CRIME employs a method of brute force to decrypt HTTPS cookies that websites use to remember authenticated users. The attack code compels the victim's browser to send strategically created HTTPS requests to a targeted site. It then scrutinizes the changes in request length after compression to deduce the value of the victim's session cookie. This becomes possible because SSL/TLS compression utilizes the DEFLATE algorithm, which removes duplicate strings: a request in which an attacker-chosen string matches the cookie compresses to fewer bytes than one in which it does not.
While the attack code cannot directly read the session cookie in the requests due to browser security measures, it gains control over the request path. Consequently, it can insert various strings into these requests in an attempt to match the cookie's value.
Session cookie values tend to be lengthy and comprise uppercase letters, lowercase letters, and digits. Consequently, the CRIME attack code must initiate a substantial number of requests to decrypt them, a process that can take several minutes. Nonetheless, the researchers have developed algorithms to enhance the efficiency of the session hijacking attack.
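The length side channel described above can be reproduced offline with nothing more than DEFLATE. The following is an added example, not code from the original post or from the CRIME researchers; the request layout, cookie value and the two candidate strings are constructed for the demonstration. It compares the compressed size of a request whose attacker-influenced path contains the correct cookie value with one containing an unrelated string of the same length, and then shows that the difference disappears when compression is turned off, which is why browsers and servers removed TLS compression after CRIME. The `length_reveals_secret` function is the kind of regression check a defender can keep around to confirm that a compression layer never mixes secrets with caller-controlled input.

```python
import zlib

# Constructed values for the demonstration (not taken from the original post).
SECRET_COOKIE_VALUE = "3f9a1c7e5b2d8046e1a9c3f7b5d20e84"
CORRECT_GUESS = SECRET_COOKIE_VALUE
# Same length as the secret, and shares no 3-byte run with the rest of the request,
# so DEFLATE cannot find a back-reference for it.
WRONG_GUESS = "ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvu"


def build_request(path_suffix: str, cookie_value: str = SECRET_COOKIE_VALUE) -> bytes:
    """Simplified HTTP request: the query string is caller-controlled, the cookie is the browser's secret."""
    return (
        f"GET /search?q={path_suffix} HTTP/1.1\r\n"
        f"Host: example.test\r\n"
        f"Cookie: sessionid={cookie_value}\r\n\r\n"
    ).encode()


def on_wire_size(guess: str, compress: bool = True) -> int:
    """Bytes a network observer sees: DEFLATE output when TLS compression is on, raw length otherwise."""
    data = build_request(guess)
    return len(zlib.compress(data, 9)) if compress else len(data)


def length_reveals_secret(compress: bool = True) -> bool:
    """True when the correct candidate is distinguishable from a wrong one by size alone.

    With compression enabled the correct guess is matched against the cookie and
    replaced by a short back-reference, so the request shrinks; with compression
    disabled both requests have exactly the same length and the observer learns nothing.
    """
    return on_wire_size(CORRECT_GUESS, compress) != on_wire_size(WRONG_GUESS, compress)


if __name__ == "__main__":
    for compress in (True, False):
        print(
            f"compression={'on' if compress else 'off'}: "
            f"correct={on_wire_size(CORRECT_GUESS, compress)} bytes, "
            f"wrong={on_wire_size(WRONG_GUESS, compress)} bytes, "
            f"leaks={length_reveals_secret(compress)}"
        )
```

CRIME turns this one-bit oracle into full cookie recovery by extending the guess one character at a time; the example stops at the oracle itself, which is enough to show why secrets and attacker-controlled data must never share a compression context.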
What are other examples of session hijacking attacks?
In addition to CRIME, there are several new models that show what cybercriminals can accomplish in a session hijacking attack. Here are some prominent examples:
- CookieCadger: An open-source utility designed to detect "information leakage" from web applications. CookieCadger can monitor both wired ethernet and unsecured Wi-Fi networks to identify unencrypted data, including session cookies. This graphical tool marked a significant milestone as the first open-source penetration testing tool developed for intercepting and replaying specific insecure HTTP GET requests in a web browser. The widespread adoption of SSL/TLS for web transactions has now largely prevented cookie data from leaking over wired Ethernet or insecure Wi-Fi connections.
- DroidSheep: This open-source Android security testing tool is capable of hijacking active sessions conducted over shared wireless networks. While originally intended for demonstrating network security weaknesses, DroidSheep can potentially be misused by cybercriminals to engage in "packet sniffing" and capture session cookies and other unprotected data from Wi-Fi web browsing sessions.
- FireSheep: Initially launched as a browser extension for Firefox, FireSheep employed packet sniffing to intercept unencrypted session cookies from websites. Its purpose was to highlight the vulnerability of session hijacking for visitors to websites that did not encrypt cookies generated during the login process. However, it could also be exploited by cybercriminals to locate and copy unencrypted session cookies for use in session hijacking attacks. The adoption of HTTPS by most websites significantly reduced this threat.
- Zoombombing: During the surge in video conferencing usage amid the COVID-19 lockdowns, video conferencing platforms, especially Zoom, became targets for session hijacking, resulting in what became known as "zoombombing." In these attacks, cybercriminals infiltrate a teleconferencing session and introduce inappropriate or offensive content. Zoom responded by implementing enhanced security measures, including password requirements, seating restrictions, and host approval for attendees.
- Slack Attack: In 2019, a researcher identified an HTTP Request Smuggling vulnerability in Slack that could potentially redirect users to open malicious links, leading to the theft of sensitive user session cookies. Cybercriminals could exploit this to compromise Slack customer accounts and sessions. Slack swiftly addressed the vulnerability within 24 hours, even before it became public, ensuring user safety.
- GitLab Vulnerability: During a routine penetration test, researchers discovered a vulnerability in GitLab that exposed users to session hijacking attacks. This vulnerability was rooted in the use of short-lived tokens susceptible to brute-force attacks. Furthermore, these tokens never expired and lacked role-based access control, allowing simple copying and pasting to grant access to GitLab user dashboards, account details, individual projects, and website code. GitLab remedied the vulnerability by revising token usage and storage practices.
How to prevent session hijacking attacks
It's crucial to bear in mind that attackers have the potential to pilfer and subsequently employ session identifiers or other confidential cookie data if these are stored or transmitted without adequate security measures. Although achieving absolute protection can be challenging, encryption stands as the primary defense.
When a user undergoes authentication, SSL and secure cookies should be obligatory. Furthermore, once authenticated users access one or more secure web pages, they should consistently be compelled to employ HTTPS.
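The server-side half of that advice, as an added example that is not part of the original post and does not represent any particular framework's API: session IDs are drawn from the operating system's CSPRNG rather than from time or IP address (the predictability problem described earlier), the ID is replaced on login so that a session-fixation victim's pre-login ID never becomes an authenticated one, idle sessions are discarded after a timeout, and the cookie is issued with the `Secure`, `HttpOnly` and `SameSite` attributes. The 15-minute idle timeout and the `sessionid` cookie name are assumptions chosen for the example; the clock is injectable so the expiry logic can be tested without waiting.

```python
import secrets
import time
from typing import Callable, Dict, Optional

# Assumed policy for the example: sessions die after 15 minutes without a request.
SESSION_IDLE_TIMEOUT = 15 * 60


def new_session_id() -> str:
    """256 bits from the OS CSPRNG, base64url-encoded; nothing about it is derivable from time or address."""
    return secrets.token_urlsafe(32)


class SessionStore:
    """Minimal in-memory session table keyed by session ID."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._sessions: Dict[str, dict] = {}  # session_id -> {"user": ..., "last_seen": ...}

    def create(self) -> str:
        """Anonymous session for a visitor who has not logged in yet."""
        sid = new_session_id()
        self._sessions[sid] = {"user": None, "last_seen": self._now()}
        return sid

    def login(self, old_sid: str, user: str) -> str:
        """Bind the user to a *fresh* ID; the pre-login ID is dropped so a fixed ID never becomes authenticated."""
        self._sessions.pop(old_sid, None)
        sid = new_session_id()
        self._sessions[sid] = {"user": user, "last_seen": self._now()}
        return sid

    def lookup(self, sid: str) -> Optional[str]:
        """Return the user bound to a live session, or None. Idle sessions are terminated when touched."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > SESSION_IDLE_TIMEOUT:
            del self._sessions[sid]  # discard the session and its data on timeout
            return None
        entry["last_seen"] = self._now()
        return entry["user"]

    def logout(self, sid: str) -> None:
        """Explicit logout terminates the session immediately."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """Secure: sent only over HTTPS; HttpOnly: not readable by page scripts; SameSite=Lax: not sent on cross-site POSTs."""
    return f"Set-Cookie: sessionid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    anonymous = store.create()
    authenticated = store.login(anonymous, "alice")
    print(set_cookie_header(authenticated))
    print("old ID still valid:", store.lookup(anonymous) is not None)
    print("new ID maps to:", store.lookup(authenticated))
```

`HttpOnly` limits what an XSS payload can read, and `Secure` keeps the cookie off plaintext HTTP, which are the two transport-level conditions the sniffing and sidejacking scenarios above depend on; neither attribute helps against a man-in-the-browser, which acts inside the already-authenticated browser.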
There are several actions you can undertake to enhance the prevention of session hijacking:
- Steer clear of public Wi-Fi networks. Whenever feasible, refrain from utilizing public Wi-Fi, particularly for critical activities such as banking, online shopping, or accessing private email or social media accounts. There's a possibility that a nearby cybercriminal might be employing packet sniffing techniques to intercept your session cookies.
- When in doubt, opt for a VPN. If you find yourself needing to connect via a public Wi-Fi network, employing a virtual private network (VPN) can significantly enhance your security. A VPN conceals your IP address and maintains the confidentiality of your online actions by establishing a secure "private tunnel" through which all your online activity securely traverses. This safeguards your sessions and keeps cybercriminals at bay.
- Keep your security software up to date. Install reputable security software on your devices and make sure to update it regularly. Security software can protect you from the malware that cybercriminals use to hijack sessions.
- Keep an eye out for potential scams. Session hijackers can send you an email with a link to click. Unless you have verified an email is from a legitimate sender, avoid clicking on any links that it may contain. Malicious links can download and install malware on your device or take you to a login page where you may inadvertently sign in to a site that is using a session ID created by the cybercriminal.
- Check for website security. When you find yourself on an unfamiliar website or online shop, it's prudent to remain vigilant as their security measures may not be
To thwart session hijacking attacks, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) serve as invaluable guardians. While introducing these safeguards may present some complexities during setup, the benefits far surpass the initial implementation expenses.
IDS/IPS systems diligently examine incoming data, comparing it against an internal library of well-known attack patterns. When a data packet corresponds to an entry within the IDS/IPS database, the IDS promptly issues an alert, and the IPS steps in to thwart any flagged traffic from breaching the network's defenses.
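Signature libraries catch known attack traffic, but a hijacked session often looks like ordinary requests carrying a valid session ID. A complementary behavioural check a defender can run over their own application logs is to look for one session ID used from more than one client address or browser. The following is an added example, not code from the original post or from any IDS/IPS product; the log format and the four sample lines are constructed for the example. Session `a1b2c3` is used first from a browser on one address and then from a command-line client on another, which is the pattern a stolen cookie produces.

```python
import re
from collections import defaultdict
from typing import Dict, Optional

# Constructed sample log lines (not real traffic): timestamp, client IP, session ID, user agent.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 203.0.113.10 sid=a1b2c3 ua="Mozilla/5.0 (X11; Linux) Firefox/120"
2024-01-01T10:00:07Z 203.0.113.10 sid=a1b2c3 ua="Mozilla/5.0 (X11; Linux) Firefox/120"
2024-01-01T10:01:15Z 198.51.100.77 sid=a1b2c3 ua="curl/8.4.0"
2024-01-01T10:02:00Z 203.0.113.25 sid=d4e5f6 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/119"
"""

# Assumed log layout for the example: "<timestamp> <client-ip> sid=<id> ua="<user-agent>""
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) sid=(?P<sid>\S+) ua="(?P<ua>[^"]*)"$')


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into its fields, or None if it does not match the expected layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious_sessions(log_text: str) -> Dict[str, dict]:
    """Return {sid: {"ips": set, "uas": set}} for every session seen from more than one IP or user agent."""
    seen = defaultdict(lambda: {"ips": set(), "uas": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the detector
        seen[rec["sid"]]["ips"].add(rec["ip"])
        seen[rec["sid"]]["uas"].add(rec["ua"])
    return {
        sid: facts
        for sid, facts in seen.items()
        if len(facts["ips"]) > 1 or len(facts["uas"]) > 1
    }


if __name__ == "__main__":
    for sid, facts in find_suspicious_sessions(SAMPLE_LOG).items():
        print(f"ALERT session {sid}: ips={sorted(facts['ips'])} user-agents={sorted(facts['uas'])}")
```

A change of client address alone is a weak signal (mobile users roam between networks), so in practice such a hit is a prompt to re-authenticate or to invalidate the session rather than a verdict; a changed user agent mid-session is a stronger indicator because a browser does not normally turn into `curl` between two requests.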
Enhance Your Network Security with Venafi Control Plane
Protecting your network from session hijacking is paramount in today's cyber landscape. With Venafi's cutting-edge security solutions, you can fortify your organization's defenses against session hijacking threats. The Venafi Control Plane is designed to safeguard your digital certificates and cryptographic keys, providing robust encryption and authentication mechanisms. Don't leave your network vulnerable to cybercriminals. Take proactive steps to secure your sessions with Venafi's industry-leading solutions. Learn more about how Venafi can empower your security efforts and fortify your defenses today.
(This post has been updated. It was originally published on April 12, 2021.)