
What are Types of Session Hijacking ?

Last Updated : 31 Aug, 2022

Session Hijacking is a hacking technique in which the attacker gains access to a target's computer or online account and exploits the web session control mechanism. This is done by taking over an active TCP/IP communication session and performing illegal actions on a protected network. Normally, web sessions are managed by a session token. The session hijacker has access to everything the actual user has: for example, while the user is shopping in an online store or paying an electricity bill, session hijackers attack the web browser or web application session.

Session Hijacking Types (figure)

Types of Session Hijacking:

Session Hijacking is of three types:

  1. Active Session Hijacking : Active Session Hijacking occurs when the attacker takes control of the active session. The actual user of the network is forced offline, and the attacker acts as the authorized user. The attacker can also take control of the communication between the client and the server. To interrupt the communication between client and server, the attacker sends massive traffic at a valid session, causing a denial of service (DoS) attack.
  2. Passive Session Hijacking : In Passive Session Hijacking, instead of controlling the whole session of the targeted user, the attacker monitors the communication between the user and the server. The main motive of the hacker is to listen to all the data and record it for future use. Basically, it steals the exchanged information and uses it for unrelated activity. This is also a kind of man-in-the-middle attack (as the attacker sits between the client and the server exchanging information).
  3. Hybrid Hijacking : The combination of Active Session Hijacking and Passive Session Hijacking is referred to as Hybrid Hijacking. In this, the attackers monitor the communication channel (the network traffic), and whenever they find a weakness, they take over control of the web session and carry out their malicious tasks.

To perform all these kinds of Session Hijacking attacks, attackers use various methods. They may use a single method or more than one method simultaneously to perform Session Hijacking. Those methods are:

  1. Brute-forcing the Session ID
  2. Cross-Site Scripting (XSS) or Misdirected Trust
  3. Man-in-the-browser
  4. Malware infections
  5. Session Fixation
  6. Session side-jacking

Each of these Session Hijacking methods can be elaborated as follows:

  1. Brute-forcing the Session ID : As the name suggests, the attacker uses guessing and trial-and-error to find the Session ID, with the effort depending on its length. This works because of a lack of security and a short session ID. Since the introduction of strong and long session keys, this method has become much slower and less practical.
  2. Cross-Site Scripting (XSS) or Misdirected Trust : In Cross-Site Scripting, the attacker tries to find flaws and weak points in the web server and injects their own code into it. This activity helps the attacker to find out the Session ID.
  3. Man-in-the-browser : Man-in-the-browser uses a Trojan horse (a program carrying malicious code) to perform the required action. The attacker places themselves in the communication channel between a server and a client. The main purpose of this attack is to commit financial fraud.
  4. Malware infections : In Malware Infections, the attacker deceives the user into opening a link to a malware or Trojan program, which installs the malicious software on the device. These programs are written to steal the browser cookies without the user's knowledge.
  5. Session Fixation : In Session Fixation, attackers create a duplicate or another disguised session. They then motivate or trick the user into authenticating to the vulnerable server with it. This can be done by sending an email to the user which, when clicked, directs them to the attacker's session.
  6. Session side-jacking : In Session side-jacking, the attacker tries to gain access to a session using the network traffic. This becomes easy when the user is on an insecure Wi-Fi network. Reading the network traffic and stealing the session cookie is done by packet sniffing. Packet sniffing is a technique by which the data flowing across a network is observed.
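As an added example (not code from the article), here is a minimal Python session store that applies the usual defenses against the methods above: a high-entropy session ID against brute forcing, a fresh ID issued on login against session fixation, an idle timeout to shorten the useful life of a stolen ID, and HttpOnly/Secure cookie attributes against cookie theft by XSS and side-jacking. The names `SessionStore` and `set_cookie_header` are this example's own.

```python
import secrets
import time

# Constructed example values; a real deployment picks these per its risk profile.
SESSION_ID_BYTES = 32          # 256 bits of entropy: guessing a live ID is infeasible
IDLE_TIMEOUT_SECONDS = 15 * 60  # a sniffed or stolen ID stops working after 15 idle minutes


class SessionStore:
    """Server-side session table keyed by an unpredictable session ID."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS):
        self.idle_timeout = idle_timeout
        self._sessions = {}  # session_id -> {"user", "created", "last_seen"}

    def create(self, user=None, now=None):
        """Issue a fresh, random session ID (anonymous if no user is logged in yet)."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)  # CSPRNG, not a counter or timestamp
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def login(self, presented_sid, user, now=None):
        """Rotate the ID on authentication: the ID the browser presented (which an
        attacker may have planted via session fixation) is discarded, so the attacker's
        copy never becomes an authenticated session."""
        self._sessions.pop(presented_sid, None)
        return self.create(user, now)

    def lookup(self, presented_sid, now=None):
        """Return session data for a presented ID, or None if unknown or idle too long."""
        now = time.time() if now is None else now
        data = self._sessions.get(presented_sid)
        if data is None:
            return None
        if now - data["last_seen"] > self.idle_timeout:
            del self._sessions[presented_sid]  # expire: a stale stolen cookie is useless
            return None
        data["last_seen"] = now
        return data


def set_cookie_header(sid):
    """HttpOnly keeps page scripts (XSS) from reading the cookie; Secure keeps it off
    plaintext HTTP where a side-jacker could sniff it; SameSite limits cross-site sends."""
    return f"Set-Cookie: session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"
```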
