Luckily, there are some ways to spot session hijacking attacks when they happen, and to limit your vulnerability to them. Below, we’ll take you through some of these.
To understand session hijacking, you first need to know what ‘sessions’ are, and how your computer (or tablet or smartphone) works with them.
A session is a fundamental part of the way IT security works, and sessions have been around for almost as long as computers themselves. At a basic level, a session is a temporary and interactive state that exists between two devices that want to communicate, or between a user and a computer.
Sessions are established using various types of authentication protocols that ensure that two communicating parties know who each other are. Once established, a session permits the two parties to communicate with each other, and is typically implemented in a way that allows information regarding their interaction to be tracked and stored. Once the necessary communication has been completed, a session is ‘torn down’: brought to an end.
How sessions work in the real world is more complex and depends on the type of connection made between the two communicating parties. Session hijacking attacks most often affect HTTP sessions, for example, and so to understand this type of attack it is necessary to understand the way HTTP sessions work.
HTTP is actually an unusual type of communication protocol because it is "stateless." This means that neither of the communicating parties automatically stores information about the "state" of the other. Without a workaround, this makes using most websites pretty tricky, because Amazon (for instance) needs to remember what you have stored in your online ‘basket’ and to track you as you move around the site so that you can add more items.
This is achieved using an HTTP "cookie," a small file that contains information about your communication with the server that hosts the site you are visiting. Cookies can be used to store all kinds of information, and when you visit a big site like Amazon, you will typically receive dozens of them. For session hijacking, though, there is one cookie that is more important than all the rest, and it's the "session cookie."
The session cookie contains a number that identifies you as a user. When you first visit a site, or when you log in to one, you will be given a session cookie. When you move around the site, the server it sits on will continually ask your device to identify itself by sending this session cookie. This allows the server to correlate the information it has stored under that number (such as the items in your shopping basket) with you as a user, and to provide a seamless experience.
Session hijacking, also known as cookie side-jacking, is a form of a man-in-the-middle attack that allows an attacker to gain full control of your online accounts.
It works by exploiting the way that websites identify their users using session cookies, as we've described above. Because the server you are communicating with relies on this session cookie to identify your device, if the session cookie is stolen an attacker can easily pretend to be you.
The most prized session cookies, of course, are those that are given to users when they log in to highly secure sites. The way that Facebook or Twitter identify you as a user, for example, makes use of the same session cookie system as more basic sites. When you successfully enter your login details into these sites, they will send a session cookie. When you log out (if you ever do!), this cookie will be invalidated, and you will have to enter your details again to regain access.
Attackers can steal a session cookie in a number of ways. The most common is to infect a victim's device with malware that monitors session data and sends session cookies to an attacker. Another way is to use cross-site scripting (XSS) attacks: small scripts that sit on popular websites and force a user’s computer to send session cookies to a server controlled by the attacker.
Another approach, albeit one that everyday users cannot do anything about, is to exploit security holes in the servers themselves. If a site has set up its security incorrectly, for instance, it can sometimes be possible to guess the contents of a session cookie.
No matter what approach is taken, the outcome is the same. If your session cookie gets stolen, an attacker can log in to sites as though they are you. This means they can steal any information that is visible when you are logged in and even perform tasks such as purchases or money transfers.
The basic principle of session hijacking is simple enough. When you are online, your device typically makes use of a number of different, changing, TCP connections. However, the servers you are communicating with need a way of identifying you.
This is normally achieved using a session token, which can be carried in the URL of the site, in an HTTP header as a cookie, or in another part of the HTTP request that sits behind the page you are visiting. Once you have this token, the server you are communicating with can use it to identify you, and maintain a stable session.
The quickest and easiest way of hijacking your session is to steal this token. This is referred to as ‘session sniffing’, and to execute this kind of an attack a hacker will use a specialized piece of software called a ‘session sniffer’. This will identify and intercept your session token, allowing an attacker to pose as you.
In the cross-site scripting method, some lines of code are injected into a trusted website, commonly by using the scripts that run adverts on large sites. When a victim's device runs these scripts, they are trusted because they appear to come from the trusted site rather than a third party. The script will ask for the session cookie, seemingly to identify the user, but once it obtains this, it will send it on to the attacker.
More generally, many types of malware aim to steal session cookies from infected devices. Because the session cookie is stored, unencrypted, on a user’s computer or smartphone, any malware that grants access to storage media can be used to steal this cookie.
A more detailed look at the way that session hijacking works can be broken down into the four main methods used by attackers to implement this type of attack.
Session Fixation is a technique that actually works in the opposite way to most other session hijacking attacks. Instead of stealing a session cookie from a user, in this method an attacker already has a session cookie, either stolen from another user or created for the attack. The attacker then manipulates the user into logging in to the target site so that their session uses the same identifier. This can be done by sending the user a link to log in to the site which contains that session identifier. The victim follows the link, logs in, and the attacker gains access to their session.
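The server-side defence against the fixation scenario just described is to issue a fresh identifier at login and to ignore any identifier the server never issued. The following is an added example, not code from the original article or from any real framework; the class and method names are our own assumptions.

```python
import secrets
import time
# Added example, not from the original article: a minimal in-memory session
# store with the two server-side checks that defeat session fixation. The
# class and method names are our own assumptions, not any framework's API.

SESSION_ID_BYTES = 16          # 128 bits of randomness per session id
SESSION_TTL_SECONDS = 30 * 60  # idle timeout, after which a session dies

class SessionStore:
    def __init__(self):
        self._sessions = {}    # session id -> {"user": ..., "last_seen": ...}

    def resolve(self, cookie_value, now=None):
        """Map the session cookie a browser presents to a server-side session.
        Ids the server never issued (e.g. one planted in a link) are simply
        unknown here, so a fixed id can never become a valid session."""
        now = time.time() if now is None else now
        sess = self._sessions.get(cookie_value)
        if sess is None:
            return None
        if now - sess["last_seen"] > SESSION_TTL_SECONDS:
            del self._sessions[cookie_value]   # expired: drop it
            return None
        sess["last_seen"] = now
        return sess

    def login(self, presented_id, user, now=None):
        """Called after the password check succeeds. Whatever id the browser
        arrived with is discarded and a fresh CSPRNG id is issued, so an
        attacker who chose the old id is left holding a worthless one."""
        now = time.time() if now is None else now
        self._sessions.pop(presented_id, None)
        new_id = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[new_id] = {"user": user, "last_seen": now}
        return new_id

    def logout(self, session_id):
        # Invalidate on the server; clearing the browser cookie alone leaves
        # a stolen copy usable until it expires.
        self._sessions.pop(session_id, None)

def fixation_attempt_fails(store):
    """The scenario from the text: the attacker picks an id, the victim logs
    in while carrying it, and the attacker then tries to use that id."""
    attacker_chosen = "attacker-fixed-id"      # constructed value
    victim_id = store.login(attacker_chosen, "victim")
    return (store.resolve(attacker_chosen) is None
            and store.resolve(victim_id)["user"] == "victim")
```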
Session "Sidejacking" is another common attack method. During this type of attack, a packet sniffer is used to intercept network traffic between a victim and a server. If the victim is logged into a website, this traffic will contain the session cookie, and so the attacker can steal it.
This type of attack exploits a security flaw that is still common across many sites. Though users may need a password to log in to a website, and though this password will be encrypted when it is sent, once a user has authenticated themselves the rest of their data is transmitted entirely unencrypted. If you think that sounds dangerous, you are right. Since the unencrypted data includes the session cookie, this can be easily stolen.
Session "Sidejacking" is most common across unsecured, public Wi-Fi networks because anyone sharing this type of network will be easily able to see the information transmitted between other users and remote servers.
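Whether a cookie can be lifted off an open Wi-Fi network (the sidejacking case) or read by an injected script (the cross-site scripting case) depends largely on the attributes the site sets on it. Here is an added example, not from the original article, that audits a Set-Cookie header for those attributes; the header strings are constructed for the demonstration.

```python
# Added example, not from the original article: audit the Set-Cookie header a
# site sends for its session cookie. "Secure" stops the browser sending the
# cookie over plain HTTP (the sidejacking case above), "HttpOnly" stops page
# scripts reading it (the injected-script case), and "SameSite" limits when
# it rides along on cross-site requests. The header strings are constructed.

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # flag attributes such as Secure have no value; store None for them
        attrs[key.strip().lower()] = val.strip() if val else None
    return name.strip(), value.strip(), attrs

def audit_session_cookie(header):
    """Return the list of findings for a session cookie; empty means it has
    the attributes that blunt the sidejacking and script-theft methods."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plaintext HTTP too")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by scripts on the page")
    if (attrs.get("samesite") or "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: attached to cross-site requests")
    return findings

# Constructed headers: the weak one is typical of a site that still serves
# logged-in pages over HTTP; the hardened one is what to look for instead.
WEAK_HEADER = "sid=12345; Path=/"
HARDENED_HEADER = ("sid=Q3k9vZl2p8wXrT4nB6cD1eFgHiJ0; Path=/; "
                   "Secure; HttpOnly; SameSite=Lax")
```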
IP Spoofing is another way of hijacking a session. In IP Spoofing, an attacker will pose as a legitimate server, and intercept all of the information that you send. It will appear as though you are on a trusted website, but in fact you are on a page completely controlled by an attacker.
Once a hacker executes an IP Spoofing attack, they can intercept your session tokens, and use them to impersonate you.
A more direct way of performing a session hijacking attack is to perform a blind attack on your session. If a hacker cannot intercept your session tokens, they will be forced to try and guess the content of these tokens.
In a blind attack, a hacker will use a brute-force method to try and guess the content of your session token, trying hundreds (or perhaps millions) of different tokens a second. If they do manage to guess it, they can take control of your session.
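How long such guessing takes depends on the entropy of the token and on how many sessions are live at once, since any live session is a win for the guesser. The following is an added example, not from the original article; the guess rate and session counts are illustrative assumptions.

```python
import math
import secrets

# Added example, not from the original article: a back-of-envelope model of
# the blind guessing attack described above. Any live session is a win for
# the guesser, so the more sessions a site has open, the fewer guesses are
# needed on average. The guess rate and session counts are assumptions.

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def expected_seconds_to_hijack(entropy_bits, guesses_per_second, live_sessions=1):
    """Expected time until a random guess hits some live session id. With N
    valid ids in a space of 2^b, each guess succeeds with probability N/2^b,
    so on average 2^b / N guesses are needed."""
    if entropy_bits <= 0 or guesses_per_second <= 0 or live_sessions <= 0:
        raise ValueError("all arguments must be positive")
    expected_guesses = 2.0 ** entropy_bits / live_sessions
    return expected_guesses / guesses_per_second

def entropy_bits_for_id(alphabet_size, length):
    """Bits of entropy in an id drawn uniformly from alphabet_size^length."""
    return length * math.log2(alphabet_size)

def new_session_id(n_bytes=16):
    """A CSPRNG id: 8 bits of entropy per byte, so 128 bits for 16 bytes."""
    return secrets.token_hex(n_bytes)

def feasibility_report(guesses_per_second=1_000_000, live_sessions=10_000):
    """Expected years to hijack one session for three id designs, given an
    attacker at the stated guess rate (the "hundreds or millions of tokens a
    second" of the text) against a site with that many live sessions."""
    designs = {
        "6-digit numeric id": entropy_bits_for_id(10, 6),
        "32-bit random id": 32.0,
        "128-bit CSPRNG id": entropy_bits_for_id(16, len(new_session_id())),
    }
    return {label: expected_seconds_to_hijack(bits, guesses_per_second,
                                              live_sessions) / SECONDS_PER_YEAR
            for label, bits in designs.items()}
```

With the default assumptions the 32-bit id falls in well under a year while the 128-bit id takes far longer than the age of the universe, which is the practical meaning of "longer session cookies" later in this article.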
Though session hijacking has been around for many years, it seems to be in a period of a resurgence at the moment. In part, this is due to the availability of easy-to-use tools to implement this type of attack. Using these tools, some of which can just be downloaded from the Android app store, almost anyone can start to intercept session cookies.
Even if you don’t want to start a new career as a hacker, you should be aware of these exploits. Let’s take a look at a few of them.
Firesheep is a tool that allows anyone to attack users of unsecured public Wi-Fi. It was offered as an add-on to Mozilla Firefox back in October 2010 and led to a certain degree of panic within the tech security community. In retrospect, this seems quite funny, because everyone had known for years that unencrypted Wi-Fi networks were extremely vulnerable to session hijacking attacks. What Firesheep did was to make session hijacking easy. Attackers could scan the network traffic, and steal all the session cookies, automatically.
In the end, Firesheep did us all some good. Worried that they would lose users, Facebook and Twitter responded by offering and later requiring, HTTPS across each site.
WhatsApp Sniffer was a similar app, offered via Google Play in 2012. It allowed users to see all the WhatsApp messages sent across (unencrypted) networks that they were connected to. Though WhatsApp itself uses powerful end-to-end encryption, it seemed that some people were using wholly unsecured Wi-Fi networks to send messages to their friends and colleagues.
Droidsheep was a more powerful tool but was still offered over consumer platforms, appearing on Google Play in 2012. It works in much the same way as Firesheep, listening for HTTP packets being sent over Wi-Fi networks. It can then extract session cookies from this traffic and deliver them to an attacker to be used in a session hijacking attack.
What makes Droidsheep more dangerous than similar apps is that it deploys more sophisticated techniques to capture session cookies. It can, of course, steal these from unsecured Wi-Fi networks, because that is easy. However, it is also able to deploy ARP Spoofing techniques to decrypt session cookies sent using WEP, and even WPA2 if this is not further secured with AES.
Given how easy it is to implement a session hijacking attack, you might be wondering what you can do to protect yourself against them. Don’t worry, we’ve got you covered.
Session hijacking is one of the most potent types of cyber-attacks out there, and one of the hardest to detect. At least, that is, until an attacker has locked you out of your social media feeds, or paid themselves a fat bonus from your online banking accounts.
Protecting yourself against session hijacking, or in fact any other kind of attack, is all about making your devices more difficult to hack than the next person's. Even small extra security measures can mean that a potential attacker moves on to the next person, who takes online security a lot less seriously than you.
At a technical level, there are plenty of things that website owners could do to make their services more secure: using longer or more dynamic session cookies would be a great start. Unfortunately, as users, we have little control of that side of things. That doesn't mean, though, that we are powerless.
As you might have gathered from the above, by far the best way to protect yourself against session hijacking is never to use unsecured Wi-Fi networks. Hijacking your session becomes a lot easier if you are sending all your session cookies, unencrypted, across an open network.
If you are forced to use unsecured networks, then never send sensitive information over them. You should also be extremely careful about the websites that your device is logged into without you being aware of it. This is especially true when it comes to smartphones, which typically stay signed into a vast variety of services such as Facebook and email. You should either manually log out of these services when you connect to an unencrypted network or use mobile data on your phone, because this is much more secure than open Wi-Fi.
Beyond these basic tips, there is one solution to preventing session hijacking that is so effective I'll cover it in a separate section.
By far the most effective way of preventing session hijacking and many related attack types is to encrypt all the data you send over the networks you are connected to. This means that an attacker will not be able to decipher your session cookie, even if they intercept it from an unsecured public Wi-Fi network.
Encryption also defeats the exploits I've written about above. It's amazing that people only started encrypting the information they exchange with Facebook and Twitter after those sites forced their users to use HTTPS as standard. There were plenty of ways for users to encrypt this data themselves before that point, and it would have stopped their sessions from being hijacked.
A Virtual Private Network (VPN) provides you with this encryption in an easy-to-use package. Because the best VPNs also make use of end-to-end encryption, you can be sure that no-one, except you and your intended recipient, will be able to access your data, and this includes your session cookies. As a result, using a good quality VPN essentially defeats any reasonable form of session hijacking attack.
Protecting yourself against this type of attack is all about cultivating good habits. Don’t use public Wi-Fi networks any more than you need to, and be careful about what you send over them. And finally, make sure you encrypt everything you do when online using a quality VPN. It’s better to be safe than sorry.