Session Hijacking is an attack in which an attacker takes control of an existing network or application session between two systems and gains unauthorized access to the information exchanged in that session. The end users who own the systems whose session has been hijacked are usually not aware that it has happened, because the session continues to work from their point of view.
Types of Session Hijacking
Active Session Hijacking is where the attacker takes over an existing session and continues it as one of the parties, typically by knocking the legitimate client out of the connection and then sending and receiving traffic in its place. The session now runs through the attacker’s system, so the attacker can read and inject data as if they were the client.
Passive Session Hijacking is where the attacker only listens to a session using passive sniffing and captures the Session ID (or other secrets) from the traffic. The attacker later uses the captured Session ID to open their own session with the target and access its information, while the original session continues undisturbed.
The following are the types of Session Hijacking based on the layer at which the attack happens:
Network Session Hijacking happens at the Network and Transport Layers of the OSI model, where the attacker hijacks the network connection (typically a TCP connection) between client and server.
Techniques used in Network Layer Session Hijacking
TCP/IP Hijacking – The attacker sniffs traffic at the Transport and Network Layers by placing their system on the same segment as the target client and server (on a hub every host sees all frames; on a switch the attacker additionally needs a mirror port or ARP spoofing to see the traffic) and monitors the TCP/IP conversation between them. Every TCP segment carries a TCP header. TCP is a connection-oriented protocol and uses Sequence (SEQ) and Acknowledgement (ACK) numbers to track every byte sent between client and server. By capturing the traffic, the attacker learns the current SEQ and ACK numbers of both directions. The attacker then desynchronizes the connection and knocks the legitimate client out (for example with a spoofed RST), spoofs the client’s IP address and continues the connection with the server using the predicted SEQ and ACK numbers. Blind prediction without sniffing relies on guessable initial sequence numbers; modern operating systems randomize them (RFC 6528), so in practice this attack requires the attacker to be able to see the traffic.
IP Spoofing – The attacker spoofs the IP address of a legitimate client and initiates a connection to the server, exploiting the trust the server places in that IP address (for example host-based access control lists).
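The SEQ/ACK bookkeeping behind TCP/IP hijacking is easier to see on a concrete trace. The following is an added example, not code from the original article: it tracks the next expected Sequence number in each direction from sniffed segments, forges an in-order segment with the client's spoofed address, and checks that the legitimate client is now desynchronized from the server. The trace, addresses and payload are constructed for illustration; a real attack would also have to suppress the client's own segments (otherwise both sides answer each other's "wrong" SEQ with ACKs, the so-called ACK storm).

```python
# Added example (not from the original article): tracking SEQ/ACK numbers from
# sniffed TCP segments, forging an in-window segment with the client's spoofed
# address, and checking that the legitimate client is now desynchronized.
# The trace below is constructed, not captured from a network.
from dataclasses import dataclass
from typing import Dict, List, Tuple

MASK32 = 0xFFFFFFFF  # TCP sequence space wraps at 2^32


@dataclass
class Segment:
    src: str              # "ip:port"
    dst: str
    flags: str            # subset of "SAFP", as tcpdump prints them
    seq: int
    ack: int
    length: int = 0       # payload bytes
    spoofed: bool = False  # True for segments the attacker injected


def _consumed(seg: Segment) -> int:
    # SYN and FIN each occupy one sequence number in addition to payload bytes
    return seg.length + ("S" in seg.flags) + ("F" in seg.flags)


def track_state(trace: List[Segment]) -> Dict[Tuple[str, str], int]:
    """For each direction (src, dst), return the next SEQ the receiver expects."""
    expect: Dict[Tuple[str, str], int] = {}
    for seg in trace:
        expect[(seg.src, seg.dst)] = (seg.seq + _consumed(seg)) & MASK32
    return expect


def forge_segment(trace: List[Segment], client: str, server: str, payload: bytes) -> Segment:
    """Craft the segment a hijacker sends as `client` so the server accepts it as in-order."""
    expect = track_state(trace)
    return Segment(src=client, dst=server, flags="PA",
                   seq=expect[(client, server)],   # exactly what the server expects next
                   ack=expect[(server, client)],   # acknowledge all the server has sent
                   length=len(payload), spoofed=True)


def is_desynchronized(trace: List[Segment], client: str, server: str) -> bool:
    """True when the server's expected next SEQ from the client differs from the client's own view."""
    server_view = track_state(trace)[(client, server)]
    client_view = track_state([s for s in trace if not s.spoofed])[(client, server)]
    return server_view != client_view


CLIENT, SERVER = "10.0.0.5:40112", "10.0.0.9:23"
# Constructed three-way handshake plus one request/response exchange.
TRACE = [
    Segment(CLIENT, SERVER, "S",  seq=1000, ack=0),
    Segment(SERVER, CLIENT, "SA", seq=5000, ack=1001),
    Segment(CLIENT, SERVER, "A",  seq=1001, ack=5001),
    Segment(CLIENT, SERVER, "PA", seq=1001, ack=5001, length=20),
    Segment(SERVER, CLIENT, "PA", seq=5001, ack=1021, length=50),
    Segment(CLIENT, SERVER, "A",  seq=1021, ack=5051),
]


def demo():
    """Return the forged segment and the desync state before and after injecting it."""
    injected = forge_segment(TRACE, CLIENT, SERVER, b"cat /etc/shadow\r\n")
    after = TRACE + [injected]
    return injected, is_desynchronized(TRACE, CLIENT, SERVER), is_desynchronized(after, CLIENT, SERVER)


if __name__ == "__main__":
    seg, before, after = demo()
    print(f"spoofed segment: seq={seg.seq} ack={seg.ack} len={seg.length}")
    print(f"desynchronized before injection: {before}, after: {after}")
```

After the injection the server expects SEQ 1038 from the client while the client still believes its next SEQ is 1021, so the client's next genuine segment is treated as a retransmission and the attacker owns the forward direction of the connection.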
Application Session Hijacking happens at the Application Layer of the OSI model, where the attacker hijacks the application session between client and server, which is most often an HTTP session. The hijacking is done by obtaining the Session ID. A Session ID is a unique identifier the server assigns to each client that has authenticated to it. HTTP is stateless: it does not remember earlier requests or who sent them, so the Session ID is what ties a sequence of requests together and makes the session stateful. When the client first authenticates successfully, the server generates a Session ID and hands it to the client (usually in a cookie). The server keeps the details that belong to that ID, such as the username of the authenticated user and the session timeout, in its own session store. On every later request the client presents the Session ID, and the server treats it as the authenticator and serves the request as that user. A well-designed Session ID is therefore an opaque random value that reveals nothing about the user; only when a server builds it from guessable values such as the username or a timestamp does it become predictable.
Phases of Application Session Hijacking
The following are the phases of a Session Hijacking attack:
Phase 1 – Getting the Session ID – The attacker obtains the Session ID by sniffing it or by predicting it.
Sniffing – The attacker’s machine is placed on the same network as the target systems (client and server) and sniffs the session between them. If the session is not encrypted, the Session ID is visible in the captured traffic. Using the Session ID, the attacker connects to the target server.
Prediction – The attacker predicts the Session ID by learning how the server generates it, for example by collecting several IDs and looking for a pattern.
Brute Force – The attacker tries many candidate Session IDs against the server. This is only practical when the ID space is small; if the server builds Session IDs from low-entropy inputs such as the username or the login time, the attacker enumerates those inputs instead of the whole ID space.
Guessing – The attacker learns about the target environment through social engineering and other methods and uses it to guess the parameters that go into the Session ID, such as user IDs or usernames.
Phase 2 – Desynchronize the existing Session – The attacker desynchronizes the existing session between the client and server. A usual method is to send a TCP Reset to the server using the spoofed address of the client. This phase applies to network-level hijacking; with an HTTP session the attacker can simply present the stolen Session ID in parallel with the victim, because the server accepts any request that carries a valid ID.
Phase 3 – Take control of the session – The attacker uses the Session ID to open a session with the server that the server attributes to the victim.
Phase 4 – Perform the attack objective – Once control of the session is obtained, the attacker progresses towards the objective, which can be reading information, injecting or manipulating data, and so on.
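Phases 1 and 3 above (guess the inputs, brute-force the remaining space, then use the ID) can be shown end to end against a weak ID scheme. The following is an added example, not code from the original article: a session ID derived from the username and the login second (hashed with MD5, so it looks random) beside a proper CSPRNG token, and an attacker who knows the victim's username and roughly when they logged in recovering the weak ID by trying a few hundred candidates. The ID scheme, the session store, the usernames and the timestamps are all constructed for illustration.

```python
# Added example (not from the original article): a predictable session ID scheme,
# an opaque random one, and the guess-plus-brute-force recovery of a victim's weak ID.
# Scheme, store, usernames and timestamps are constructed for illustration.
import hashlib
import secrets
from typing import Callable, Dict, Optional


def weak_session_id(username: str, login_time: int) -> str:
    """32 hex chars that look random but depend only on two guessable inputs."""
    return hashlib.md5(f"{username}:{login_time}".encode()).hexdigest()


def strong_session_id() -> str:
    """Opaque 256-bit token from the OS CSPRNG; the server maps it to state, the token itself says nothing."""
    return secrets.token_urlsafe(32)


class SessionStore:
    """Minimal server-side session table: Session ID -> username."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    def issue(self, sid: str, user: str) -> str:
        self._sessions[sid] = user
        return sid

    def lookup(self, sid: str) -> Optional[str]:
        return self._sessions.get(sid)


def recover_weak_id(username: str, approx_login_time: int, window: int,
                    is_valid: Callable[[str], bool]) -> Optional[int]:
    """Brute-force the login second within +/- window of the guessed time.

    `is_valid` plays the server: it answers whether a candidate ID is live,
    which is exactly what an authenticated page (200) versus a login redirect (302) leaks.
    """
    for delta in range(-window, window + 1):
        candidate_time = approx_login_time + delta
        if is_valid(weak_session_id(username, candidate_time)):
            return candidate_time
    return None


def demo():
    """Victim logs in at a known-ish time; attacker guesses username and brute-forces the second."""
    store = SessionStore()
    victim_login = 1_700_000_000                      # constructed timestamp
    store.issue(weak_session_id("alice", victim_login), "alice")
    store.issue(strong_session_id(), "bob")           # same store, unguessable ID

    attempts = 0

    def probe(sid: str) -> bool:
        nonlocal attempts
        attempts += 1
        return store.lookup(sid) is not None

    # Attacker learned the username by social engineering and believes the login
    # happened about two minutes after the real time; tries a five-minute window.
    found = recover_weak_id("alice", victim_login + 120, 300, probe)
    hijacked_user = store.lookup(weak_session_id("alice", found)) if found is not None else None
    return found, attempts, hijacked_user


if __name__ == "__main__":
    found, attempts, user = demo()
    print(f"recovered login time {found} after {attempts} probes; session belongs to {user!r}")
```

The weak ID falls after 181 probes because its effective entropy is the size of the time window, not the 128 bits of the hash. The `secrets.token_urlsafe(32)` ID has 256 bits of entropy and no structure to enumerate, which is why session IDs must come from a CSPRNG (OWASP's Session Management Cheat Sheet asks for at least 64 bits of entropy) rather than from user attributes.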
Techniques used in Application Layer Session Hijacking
Session Fixation – In this method, the attacker fixes the Session ID that the victim will use before the victim logs in. The attacker connects to the target web server and obtains a legitimate Session ID. The attacker then sends the victim a link which, when clicked, takes the victim to the server carrying that Session ID (for example in a URL parameter). The victim authenticates, and if the server keeps the same Session ID across the login instead of issuing a new one, the attacker’s known ID now belongs to an authenticated session. The attacker simply uses it. The defence is to regenerate the Session ID on every successful authentication and to never accept Session IDs from URL parameters.
Sniffing – The attacker sniffs the existing session between the client and server and reads the Session ID from the traffic. This only works when the session is not protected by TLS.
Prediction – The attacker predicts the Session ID by collecting several IDs from the target and deriving the pattern. If the server uses a weak algorithm (a sequence counter, a timestamp, a hash of the username), the next or another user’s Session ID can be computed.
Brute Force – The attacker generates and submits many candidate Session IDs. This is feasible only against short or low-entropy IDs; against a properly random ID the space is far too large.
Man-In-The-Middle (MITM) – The attacker splits the session between the client and server into two sessions: one between client and attacker and another between attacker and server. Neither the client nor the server is aware that the session passes through the attacker’s system. The attacker reads the traffic and extracts the Session ID. With TLS in place this additionally requires the attacker to defeat certificate validation on the client.
Man-In-The-Browser – The attacker installs a trojan horse on the client’s system (the victim) that has the session with the server. The trojan runs inside the browser and reads the Session ID, or acts on the session directly, after any TLS protection has been removed, so encryption on the wire does not help here.
Cross-site Scripting (XSS) – The attacker injects a malicious script into the web application hosted on the server. When clients visit the application, the script executes in their browsers and sends the Session ID to the attacker (typically by reading document.cookie). Marking the session cookie HttpOnly stops script from reading it, though the script can still act on the session from within the page.
Session Replay – The attacker captures an existing session, including the Session ID, and replays the captured requests to the server, which accepts them as coming from the victim.
Session Donation – The attacker connects to the server, obtains a Session ID, and then “donates” it to the victim by luring the victim into clicking a link that carries the ID. This is the delivery step of Session Fixation and is defeated the same way.
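Session Fixation and Session Donation above both depend on the server keeping the pre-login Session ID after authentication. The following is an added example, not code from the original article: a minimal in-memory session layer with a login handler that can be run in the vulnerable mode (same ID before and after login) and in the fixed mode (fresh ID issued on login), plus the attacker-obtains-ID, victim-logs-in, attacker-reuses-ID flow from the text. The application, user, credential and link-delivery step are constructed for illustration.

```python
# Added example (not from the original article): session fixation against a login
# handler that keeps the pre-authentication Session ID, and the fix of regenerating
# the ID on login. Application, user, credential and attack flow are constructed.
import secrets
from typing import Dict, Optional

USERS = {"victim": "correct horse battery staple"}  # constructed credential


class App:
    """Tiny stand-in for a web application's session handling."""

    def __init__(self, regenerate_on_login: bool) -> None:
        self.regenerate_on_login = regenerate_on_login
        self.sessions: Dict[str, Dict[str, Optional[str]]] = {}  # sid -> {"user": ...}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def visit(self, sid: Optional[str]) -> str:
        """Anonymous page load; the browser presents whatever Session ID it holds."""
        if sid is None or sid not in self.sessions:
            # Adopting an unknown caller-supplied ID here would be another fixation
            # variant (session adoption); only server-issued IDs are accepted.
            return self.new_session()
        return sid

    def login(self, sid: str, user: str, password: str) -> str:
        """Authenticate; returns the Session ID the browser should use from now on."""
        if USERS.get(user) != password:
            raise PermissionError("bad credentials")
        if self.regenerate_on_login:
            del self.sessions[sid]      # the ID the attacker may know is now dead
            sid = self.new_session()    # authenticated state lives under a fresh ID
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        return self.sessions.get(sid, {}).get("user")


def fixation_attack(app: App) -> Optional[str]:
    """Run the attack from the text; returns the user the attacker's ID is logged in as."""
    attacker_sid = app.visit(None)                       # attacker obtains a legitimate ID
    # Attacker lures the victim to a link carrying attacker_sid; the victim's browser
    # now presents that ID to the server.
    victim_sid = app.visit(attacker_sid)
    app.login(victim_sid, "victim", USERS["victim"])     # victim authenticates
    return app.whoami(attacker_sid)                      # attacker reuses the ID they already know


def demo():
    vulnerable = fixation_attack(App(regenerate_on_login=False))
    hardened = fixation_attack(App(regenerate_on_login=True))
    return vulnerable, hardened


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print(f"without regeneration the attacker's ID is logged in as: {vulnerable!r}")
    print(f"with regeneration on login the attacker's ID is logged in as: {hardened!r}")
```

In the vulnerable configuration the attacker's pre-chosen ID becomes the victim's authenticated session; with regeneration the attacker's ID is invalidated at login and the victim's authenticated state is reachable only through an ID the attacker never saw. Real frameworks expose this as a one-line call at login (for example regenerating the session in the login view), and the accompanying rule is to carry the ID only in a cookie, never in a URL.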