Session hijacking, also known as cookie side-jacking, is a form of man-in-the-middle attack that allows an attacker to gain full control of your online accounts.
It works by exploiting the way that websites identify their users using session cookies. Because the server you are communicating with relies on this session cookie to identify your device, if the session cookie is stolen an attacker can easily pretend to be you.
A session is a temporary and interactive state that exists between two devices that want to communicate, or between a user and a computer.
Sessions are established using various types of authentication protocols that ensure that two communicating parties know who each other are. Once established, a session permits the two parties to communicate with each other, and is typically implemented in a way that allows information regarding their interaction to be tracked and stored. Once the necessary communication has been completed, a session is ‘torn down’: brought to an end.
A session cookie contains a number that identifies you as a user. When you first visit a site, or when you log in to one, you will be given a session cookie. When you move around the site, the server it sits on will continually ask your device to identify itself by sending this session cookie. This allows the server to correlate the information it has stored under that number (such as the items in your shopping basket) with you as a user, and to provide a seamless experience.
The basic principle of session hijacking is simple enough. When you are online, your device typically makes use of a number of different, changing, TCP connections. However, the servers you are communicating with need a way of identifying you.
This is normally achieved using a session token, which can be carried in the URL of the site, in an HTTP header as a cookie, or in another part of the HTTP request that sits behind the site you are visiting. Once you have this token, the server you are communicating with can use it to identify you, and maintain a stable session.
The quickest and easiest way of hijacking your session is to steal this token. This is referred to as ‘session sniffing’, and to execute this kind of an attack a hacker will use a specialized piece of software called a ‘session sniffer’. This will identify and intercept your session token, allowing an attacker to pose as you.
In another method, some lines of script are injected into a trusted website, commonly by using the scripts that run adverts on large sites. When a victim's device runs these scripts, they are trusted because they appear to come from the trusted site rather than a third party. The script will ask for the session cookie, seemingly to identify the user, but once it obtains this, it will send it on to the attacker.
More generally, many types of malware aim to steal session cookies from infected devices. Because the session cookie is stored, unencrypted, on a user's computer or smartphone, any malware that grants access to storage media can be used to steal this cookie.
A more detailed look at the way that session hijacking works can be broken down into the four main methods used by attackers to implement this type of attack.
Session Fixation is a technique that actually works in the opposite way to most other session hijacking attacks. Instead of stealing a session cookie from a user, in this method an attacker already has a session cookie, either stolen from another user or created for the attack. The attacker then manipulates the user into logging in to the target site in a way that gives their session the same identifier. This can be done by sending the user a link to log in to the site which contains that session identifier. The victim will follow the link, log in, and the attacker gains access to their session.
Session "Sidejacking" is another common attack method. During this type of attack, a packet sniffer is used to intercept network traffic between a victim and a server. If the victim is logged into a website, this traffic will contain the session cookie, and so the attacker can steal it.
This type of attack exploits a security flaw that is still common across many sites. Though users may need a password to log in to a website, and though this password will be encrypted when it is sent, after a user has authenticated themselves the data is transmitted entirely unencrypted. If you think that sounds dangerous, you are right. Since the unencrypted data includes the session cookie, this can be easily stolen.
Session "Sidejacking" is most common across unsecured, public Wi-Fi networks because anyone sharing this type of network will be easily able to see the information transmitted between other users and remote servers.
IP Spoofing is another way of hijacking a session. In IP Spoofing, an attacker will pose as a legitimate server, and intercept all of the information that you send. It will appear as though you are on a trusted website, but in fact you are on a page completely controlled by an attacker.
Once a hacker executes an IP Spoofing attack, they can intercept your session tokens, and use them to impersonate you.
A more direct way of performing a session hijacking attack is to perform a blind attack on your session. If a hacker cannot intercept your session tokens, they will be forced to try and guess the content of these tokens.
In a blind attack, a hacker will use a brute-force method to try and guess the content of your session token, trying hundreds (or perhaps millions) of different tokens a second. If they do manage to guess it, they can take control of your session.
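As an added illustration (not code from the original article), here is a minimal server-side session store in Python showing the defensive counterparts of the methods described above: rotating the identifier on login against session fixation, Secure and HttpOnly cookie flags against sidejacking and script-based theft, and a 128-bit random token against blind guessing. The SessionStore class, its helpers and the constructed sample values are hypothetical.

```python
import secrets

TOKEN_BYTES = 16  # 128 bits of randomness per session identifier


class SessionStore:
    """Minimal server-side session store (hypothetical, for illustration)."""

    def __init__(self):
        self._sessions = {}  # session id -> session data

    def issue(self):
        """Create an anonymous session with an unguessable, random identifier."""
        sid = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[sid] = {"user": None}
        return sid

    def lookup(self, sid):
        """Return the session data for an id, or None if it is unknown."""
        return self._sessions.get(sid)

    def login(self, presented_sid, user):
        """Bind an authenticated user to a freshly generated session id.

        Rotating the id on login defeats session fixation: whatever identifier
        the client arrived with (possibly planted by an attacker in a crafted
        link) is discarded, so it never becomes a logged-in session.
        """
        self._sessions.pop(presented_sid, None)
        new_sid = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[new_sid] = {"user": user}
        return new_sid


def set_cookie_header(sid):
    """Set-Cookie value for the session id.

    Secure keeps the cookie off plaintext connections (sidejacking on open
    Wi-Fi); HttpOnly keeps it out of reach of injected scripts.
    """
    return f"session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def expected_guess_seconds(token_bits, guesses_per_second):
    """Expected time for a blind brute-force search to hit one valid token.

    On average half the token space must be tried before a hit.
    """
    return (2 ** (token_bits - 1)) / guesses_per_second
```

With one million guesses a second, a 32-bit identifier falls in about 36 minutes on average, while a 128-bit one would take far longer than the age of the universe.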
A Virtual Private Network (VPN) provides you with this kind of encryption in an easy-to-use package. Because the best VPNs also make use of end-to-end encryption, you can be sure that no-one, except you and your intended recipient, will be able to access your data, and this includes your session cookies. As a result, using a good quality VPN essentially defeats any reasonable form of session hijacking attack.
Protecting yourself against this type of attack is all about cultivating good habits. Don’t use public Wi-Fi networks any more than you need to, and be careful about what you send over them. And finally, make sure you encrypt everything you do when online using a quality VPN. It’s better to be safe than sorry.