What is session hijacking in cyber security?
When a user authenticates himself to a web server, the session is maintained with an HTTP cookie. The cookie is placed on the user’s computer. Session hijacking is an attack in which an attacker exploits a valid session of a user and gets unauthorized access to the web server for malicious purposes.
How does the session hijacking attack work?
There are a couple of methods using which session hijacking is done:
Session Fixation
In the session fixation attack, an attacker sets a user’s session ID to a known value. For example, a user may be assigned a session ID before login. The user may log in to the vulnerable web application server, and the same session ID may be assigned to the user even after the login. The attacker can take advantage of this vulnerability of the web application server for malicious purposes.
The session fixation attack usually follows these steps:
- The attacker first visits the website and gets a session ID.
- An attacker uses social engineering techniques and sends the victim a link containing the predefined session ID.
- The victim clicks on the link, and a login screen pops up. When the victim logs in to the server, the server assigns the same session ID to the victim (because of vulnerabilities in the web application) even after the authentication.
- But, this session ID is known to the attacker. So, the attacker now logs in to the server and impersonates the victim.
Session Sidejacking
In this attack, the attacker does packet sniffing and reads the network traffic between the victim’s machine and the server to steal the session cookie.
It usually follows these steps:
- The victim logs in to the server and starts communication.
- The attacker uses a packet sniffer and reads the network traffic between the user’s computer and the server.
- The attacker steals the session cookie.
- The attacker uses the same session cookie to log in to the server and impersonate the victim.
Cross-Site Scripting or XSS
In this attack, the attacker injects client-side scripts into the web pages of …
0 Comments