Advanced Session Hijacking and How to Protect Yourself
A session is the time-frame during which the authentication of a user on a site is valid. Sessions are created because asking for user credentials at each request would be very unproductive (since a single page can make tens of requests for user-specific resources). Sessions are implemented through cookies or other request parameters, which are submitted whenever the browser requests user-specific content. The currently used method is to give an identifier string to a user. This identifier is called a session token. Session management is highly sensitive, as it is also an authentication mechanism.
Using session tokens of a user to gain unauthorized access to their account is referred to as “session hijacking”. Since web servers generally do not have a way of knowing which request containing a valid token is genuine and which one is unauthorized, it is hard to detect such an attack. Session hijacking can lead to leakage or loss of personal/sensitive data. This is why understanding the general methods used by hackers to hijack sessions is essential for end-users as well as developers.
Session Hijacking through insecure transfer:
Just like passwords, session identification data is unsafe to transmit over HTTP. An attacker can carry out a man-in-the-middle (MITM) attack to view cookies and other sensitive data being used for maintaining the user’s session. This data can be immediately used by the attacker to create a duplicate session. The attacker will stay logged in until the user logs out. Whether or not the attacker will continue to have access to the victim’s account after the victim has logged out depends on the implementation of session management. For example, if the site is vulnerable to session fixation (the same cookies used for multiple sessions), then the attacker will have persistent access to the user’s account.
Session Hijacking through XSS:
Some websites give a session cookie to every user, including guest users. The user session is tracked through the state of that cookie. Once a user logs in from a browser, the cookie issued to that browser is associated with the session of that user. In this case, if an XSS vulnerability is present, the attacker can insert their own guest cookie into the user’s session. Once the user logs in, the attacker is also logged in.
Session Hijacking through Session Fixation:
Session Fixation is a vulnerability where a single set of cookies is used across many sessions for a single user. An attacker having physical access to the user’s device can copy the cookies when the user is logged out. The attacker can then edit the cookies on his browser by using an intercepting proxy like Burp Suite. When the user logs in again, the cookies will give the attacker full access to the user’s account.
Session Hijacking through CSRF/XSRF:
Cross-site request forgery is an attack that takes advantage of HTTP’s native feature of submitting a website’s cookies with all requests to that website, irrespective of their origin. CSRF can be exploited to reset a user’s password to a password specified by the attacker. This leads to the user losing access to his account. If proper recovery measures are not put in place by the website, then such an attack could lead to the user losing access to his account permanently.
Session Hijacking through rogue WiFi AP:
A fake WiFi access point matching the SSID of a genuine WiFi access point can be created by an attacker to fool the users into connecting to the AP and using it to log in to websites. The attacker controls the DNS server of the AP. The attacker can then easily modify the DNS entries for a website the user visits leading the user to a fake login page. This attack can also be delivered by luring the users through “Free High-Speed WiFi”.
Tips for Users:
There is not much a user can do to prevent their sessions from getting compromised apart from the regular security precautions. These precautions are: not using public WiFi for sensitive work, logging out of sensitive sites immediately after use, avoiding reuse of passwords, etc.
Tips for Developers:
Since session hijacking is mostly done by exploiting a vulnerability on the site, developers can do a lot to prevent such attacks. Developers should:
- Use CSP (Content Security Policy) and XSS protection headers.
- Use server-side cookie invalidation on logout.
- Avoid cookie reuse.
- Use HTTPS and HSTS on their site.
- Use strong anti-CSRF tokens on sensitive actions like password change.
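
The following sketch is an added example, not code from the original article. It shows how the developer tips on avoiding cookie reuse, server-side invalidation on logout, and anti-CSRF tokens fit together in a session store. The names SessionStore, set_cookie_header and SESSION_TTL are hypothetical, the in-memory dictionary stands in for a real session backend, and the SameSite=Strict attribute is an assumption that goes beyond the list above.

```python
import hmac
import secrets
import time

SESSION_TTL = 1800  # assumed idle timeout in seconds


class SessionStore:
    """In-memory server-side session table (hypothetical stand-in for Redis or a DB)."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user", "csrf", "expires"}

    def _issue(self, user):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = {
            "user": user,
            "csrf": secrets.token_urlsafe(32),
            "expires": time.time() + SESSION_TTL,
        }
        return sid

    def new_guest(self):
        return self._issue(None)

    def login(self, old_sid, user):
        # Never promote the pre-login id: a planted or copied guest cookie
        # must not become an authenticated session (no cookie reuse).
        self._sessions.pop(old_sid, None)
        return self._issue(user)

    def lookup(self, sid):
        rec = self._sessions.get(sid)
        if rec is None or rec["expires"] < time.time():
            self._sessions.pop(sid, None)
            return None
        return rec

    def check_csrf(self, sid, submitted):
        # Constant-time comparison of the per-session anti-CSRF token.
        rec = self.lookup(sid)
        return rec is not None and hmac.compare_digest(
            rec["csrf"].encode(), submitted.encode())

    def logout(self, sid):
        # Server-side invalidation: a stolen copy of the cookie stops working.
        self._sessions.pop(sid, None)


def set_cookie_header(sid):
    # Secure: sent over HTTPS only; HttpOnly: not readable from page scripts.
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"
```

Because login() discards the guest identifier and logout() deletes the server-side record, a token captured before login or after logout no longer maps to any account.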