23 June 2021

What Is a Session Hijacking Attack?


Session hijacking, also called session hacking or session stealing, is one of the more important classes of cyber attack. TCP session hijacking is defined as the set of operations by which an attacker takes over an established TCP session between two machines. The aim is to seize a valid TCP data exchange between two communicating computers. Because authentication takes place only at the beginning of the TCP session, the attacker can insert themselves into the communication flow and take control of the session. By listening to traffic in TCP sessions, attackers can go on to carry out many further attacks. A person logging into a server remotely is one example: once the connection to the host has been established, the attacker can take over that session and use it to gain access to the target machine.


Session hijacking is a popular attack method. Source-routed IP packets can also be used for it: an attacker's machine on the network can arrange for traffic to pass through it by manipulating the routing of IP packets, and can then carry out a session hijacking attack. Session hijacking attacks are divided into two types: active and passive.

In an active session hijacking attack, the attacker finds an active session and takes it over. In a passive session hijacking attack, the attacker still hijacks the session, but rather than taking it over actively, they monitor and record all of its traffic.

TCP Session Hijacking

TCP session hijacking takes advantage of how TCP connections work. When a TCP connection is established, the client and server exchange SYN, SYN-ACK, and ACK packets in what is known as the three-way handshake. Each packet contains a sequence number that both parties use to keep track of the communication. Once authenticated at the start of the session, the connection is considered trusted.

An attacker who can predict or obtain the correct sequence numbers can inject packets into the session that appear to come from one of the legitimate parties, effectively inserting themselves into the communication. This can allow the attacker to send commands to the server as if they were the authenticated client, or to intercept data intended for the client.

Methods of Session Hijacking

Sniffing is one of the most common techniques. The attacker uses a packet sniffer to monitor network traffic and capture session tokens or authentication credentials transmitted in unencrypted form. This is particularly effective on shared networks.

Source routing involves manipulating the IP routing path of packets so that they pass through the attacker’s machine, giving the attacker visibility into and control over the traffic.

Blind hijacking occurs when the attacker cannot see the responses from the server but can inject data into the communication by predicting sequence numbers. While limited in what it can achieve, it can be used to inject commands.

Man-in-the-middle (MitM) attacks involve the attacker positioning themselves between the client and server, intercepting and potentially modifying all traffic in both directions.

Cross-site scripting (XSS) can be used to steal session cookies by injecting malicious JavaScript into a page viewed by the victim, causing their browser to send the session token to the attacker.

How to Defend Against Session Hijacking

Using encryption is one of the most effective defences. By encrypting all communication between client and server — for example by using HTTPS / TLS — an attacker who manages to capture network traffic will be unable to read the session token or other sensitive data within it.

Long and unpredictable session IDs make it much harder for attackers to guess or brute-force a valid token. Session IDs should be generated using a cryptographically secure random number generator.

Regenerating the session ID after a user authenticates (logs in) is important to protect against session fixation attacks, where the attacker tries to force the victim to use a session ID that the attacker already knows.

Setting short session timeouts and invalidating session tokens on logout reduces the window of opportunity for an attacker to use a stolen token.

Using the HttpOnly and Secure flags on session cookies prevents JavaScript from reading the cookie and ensures the cookie is only sent over encrypted connections, respectively.
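The four application-level defences above (CSPRNG-generated IDs, ID regeneration on login, idle timeout with logout invalidation, and HttpOnly/Secure cookie flags) combined in one small server-side session store. This is an added example written for this page, not code from the original article; the 15-minute timeout, the 32-byte token length and the SameSite=Lax choice are assumptions.

```python
import secrets
import time

SESSION_TTL = 15 * 60   # idle timeout in seconds (assumed value)
TOKEN_BYTES = 32        # 256 bits of CSPRNG entropy per session ID (assumed)


class SessionStore:
    """Minimal in-memory session store applying the defences described above."""

    def __init__(self, clock=time.time):
        self._sessions = {}   # session_id -> {"user": str | None, "last_seen": float}
        self._clock = clock   # injectable clock so timeouts can be tested

    def new_session_id(self):
        # secrets uses the OS CSPRNG; 32 bytes -> 43-character URL-safe token
        return secrets.token_urlsafe(TOKEN_BYTES)

    def create(self):
        sid = self.new_session_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def get(self, sid):
        """Return session data, or None if the ID is unknown or has idled out."""
        data = self._sessions.get(sid)
        if data is None:
            return None
        if self._clock() - data["last_seen"] > SESSION_TTL:
            self._sessions.pop(sid, None)   # expired: invalidate server-side
            return None
        data["last_seen"] = self._clock()   # sliding idle window
        return data

    def login(self, old_sid, user):
        """Authenticate and rotate the ID so a pre-set (fixated) ID becomes useless."""
        self._sessions.pop(old_sid, None)   # old ID must never map to the logged-in user
        new_sid = self.new_session_id()
        self._sessions[new_sid] = {"user": user, "last_seen": self._clock()}
        return new_sid

    def logout(self, sid):
        """Invalidate server-side so a stolen token stops working immediately."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid):
    # HttpOnly: page scripts cannot read it (limits XSS theft);
    # Secure: only sent over TLS; SameSite=Lax: not sent on most cross-site requests
    return f"Set-Cookie: sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"
```

The important property to check in a real application is the one `login` enforces: the session ID the browser held before authentication must never become a valid ID for the authenticated user.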
