In this digital era everything from business and shopping to banking and education happens over the net, and as the internet grows wider we are witnessing a corresponding growth in cyber threats and attacks.
Every web user has a basic need to be assured that their data, money and communications are safe and trustworthy, so security plays a prominent role in every facet of digital communication and transaction that happens over the web.
Numerous security threats occur on the internet, from man-in-the-middle attacks and denial-of-service attacks to IP spoofing, so every system administrator and information security professional faces the demanding task of becoming competent enough to implement the defensive mechanisms that handle unexpected attacks and protect user data.
This article addresses one of the most effective attacks, known as session hijacking, and additionally offers some effective defense measures.
What is Session Hijacking?
Session hijacking refers to the exploitation of a legitimate session ID, where an attacker takes over a session between two computers. The attacker steals a legitimate session ID that was used to log into the system and uses it to extract information.
For example, TCP session hijacking means taking control of a TCP session exchanged between two computers, which is carried out through source-routed IP packets. Here an attacker who is logged on to one system participates in the conversation of other users on different systems by diverting their packets to his or her own system.
Steps in session hijacking:
- Tracking the connection
- De-synchronize the connection
- Injecting the attacker's packet
Factors for Successful Session Hijacking
All of the factors below play a crucial role in the success of session hijacking:
- Weak session ID generation algorithm: Most websites use linear algorithms based on easily predictable values such as the time or the IP address to generate session IDs.
- Indefinite session expiration time: Session IDs with an indefinite expiration time give an attacker ample time to guess a legitimate session ID.
- Clear-text transmission: The session ID is easily sniffed across a network if SSL is not employed while the cookie is transmitted to and from the browser.
- Small session ID: Even if a cryptographically robust algorithm is used, a legitimate session ID may be determined easily if the string is short.
- Insecure handling: An attacker retrieves stored session ID information by misleading the user into visiting a malicious website, then exploits that information before the session expires.
- No account lockout for invalid session IDs: If no lockout function is implemented on the website, the attacker can make any number of attempts with varying session IDs until a valid session ID is found.
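As an added illustration of the first, fourth and sixth factors above (this is example code, not code from the original article), the following Python places a predictable session ID built from the login time and client IP beside one drawn from the operating system's CSPRNG, and works out the minimum ID length needed for a given entropy target. The function names, the sample IP address and the time values are constructed for this example.

```python
import hashlib
import math
import secrets
import time
from typing import Optional

# Constructed example of the "weak generation" pattern: the ID is a hash of the
# current second and the client IP, both of which an observer can know or guess.
# Hashing adds no entropy; the key space is the number of plausible inputs.
def weak_session_id(client_ip: str, now: Optional[float] = None) -> str:
    second = int(time.time() if now is None else now)
    return hashlib.md5(f"{second}:{client_ip}".encode()).hexdigest()

# Hardened form: 32 bytes (256 bits) from the OS CSPRNG, base64url-encoded
# into a 43-character token with no predictable structure.
def strong_session_id(nbytes: int = 32) -> str:
    return secrets.token_urlsafe(nbytes)

# Effective search space an attacker faces against the weak generator when the
# client IP is known and the login time is known to within window_seconds.
def guess_space_bits(window_seconds: int) -> float:
    return math.log2(window_seconds)

# Minimum length of an ID drawn uniformly from an alphabet of the given size to
# carry at least target_bits of entropy (the "small session ID" factor).
def min_id_length(alphabet_size: int, target_bits: int = 128) -> int:
    return math.ceil(target_bits / math.log2(alphabet_size))

if __name__ == "__main__":
    ip, t = "203.0.113.5", 1_700_000_000   # constructed client IP and login time
    print("weak ID regenerated from known inputs:", weak_session_id(ip, t) == weak_session_id(ip, t))
    print("weak search space for a one-hour window: ~%.1f bits" % guess_space_bits(3600))
    print("strong ID:", strong_session_id(), "(256 bits)")
    print("hex chars for 128 bits:", min_id_length(16), "| base64url chars:", min_id_length(64))
```

The point of `guess_space_bits` is that a 32-character hex string looks large but, when its inputs are the clock and a known address, the attacker only has to cover the plausible login window, roughly 12 bits for one hour; `min_id_length` shows that a 16-character hex ID carries at most 64 bits even when the generator is perfect, which is why the article's "small session ID" factor matters independently of algorithm quality.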
Key Session Hijacking techniques
There are three key strategies for performing a session hijacking attack:
- Brute forcing: Brute forcing session IDs involves making thousands of requests that cycle through the possible session IDs until the attacker succeeds; this method is comprehensive but time-consuming.
- Stealing: The attacker uses various techniques to steal a legitimate session ID, such as installing Trojans on client PCs, sniffing network traffic, reading the HTTP referrer header and cross-site scripting attacks.
- Calculating: The attacker tries to predict a valid session ID when IDs are generated non-randomly. The number of attempts required to find a valid session ID depends on the key space of the session ID.
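The brute-forcing and calculating strategies above both show up on the server side as one client presenting many session IDs that the server does not recognise, which is also what the "no account lockout" factor earlier leaves unpunished. As an added example (not from the original article), the Python below scans constructed access-log lines and flags any source address that presents at least a threshold number of distinct invalid session IDs inside a sliding time window. The log format, addresses and session values are constructed for this example, and the threshold and window are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed log lines in an assumed format: timestamp, client IP, method, path,
# the presented session ID, the HTTP status and a server-side reason tag.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 198.51.100.7 GET /account sid=a1f3 status=401 reason=invalid_session
2024-03-01T10:00:02Z 198.51.100.7 GET /account sid=a1f4 status=401 reason=invalid_session
2024-03-01T10:00:02Z 203.0.113.9 GET /account sid=9c2e status=401 reason=invalid_session
2024-03-01T10:00:04Z 198.51.100.7 GET /account sid=a1f5 status=401 reason=invalid_session
2024-03-01T10:00:05Z 203.0.113.9 GET /login sid=- status=200 reason=-
2024-03-01T10:00:07Z 198.51.100.7 GET /account sid=a1f6 status=401 reason=invalid_session
2024-03-01T10:00:09Z 198.51.100.7 GET /account sid=a1f7 status=401 reason=invalid_session
2024-03-01T10:00:12Z 203.0.113.9 GET /account sid=9c2e status=401 reason=invalid_session
2024-03-01T10:00:15Z 198.51.100.7 GET /account sid=a1f8 status=401 reason=invalid_session
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"sid=(?P<sid>\S+) status=(?P<status>\d+) reason=(?P<reason>\S+)$"
)

def parse_invalid_session_events(lines: List[str]) -> Dict[str, List[Tuple[datetime, str]]]:
    """Group (timestamp, presented session ID) per client IP for rejected sessions only."""
    events: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["reason"] != "invalid_session":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events[m["ip"]].append((ts, m["sid"]))
    return events

def detect_session_guessing(lines: List[str], threshold: int = 5,
                            window_seconds: int = 60) -> Dict[str, int]:
    """Return {ip: peak distinct invalid IDs inside any window} for IPs at or over threshold."""
    window = timedelta(seconds=window_seconds)
    flagged: Dict[str, int] = {}
    for ip, evs in parse_invalid_session_events(lines).items():
        evs.sort()
        peak = 0
        for i, (t_end, _) in enumerate(evs):
            # distinct IDs presented in the window that ends at this event
            distinct = {sid for t, sid in evs[: i + 1] if t_end - t <= window}
            peak = max(peak, len(distinct))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    for ip, n in detect_session_guessing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} distinct invalid session IDs within 60s -> candidate for rate limiting")
```

Counting distinct IDs rather than raw 401s is what separates guessing from a legitimate user whose stale cookie is retried a few times (the second address in the sample presents the same expired ID twice and is not flagged). Keying on source IP is a simplification: clients behind a large NAT share one address, so a production rule would pair this with per-account or per-user-agent counts before triggering a lockout.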
Spoofing vs. Hijacking
Spoofing and hijacking are often considered the same issue, but they are actually entirely different from each other.
- Spoofing: An attacker impersonates a legitimate user to gain access. Unlike hijacking, spoofing creates a new session using the target's stolen credentials instead of using an existing session.
- Hijacking: In contrast to spoofing, hijacking takes over an existing active session. It depends on some legitimate user to authenticate and establish a valid connection.
Types of Session Hijacking
Depending on the degree of involvement by the attacker, session hijacking can be either active or passive in nature.
- A passive attack uses sniffers on the network, allowing the attacker to gather information. The attacker later uses this data to log on as a legitimate user and take over that user's privileges. Password sniffing is the simplest such attack, performed once raw access to a network is obtained.
- An active attack: here the attacker takes over an existing session either by tearing down the connection at one end of the conversation or by actively participating as the man-in-the-middle.
The major difference is that an active hijack takes over an existing session, whereas a passive hijack merely monitors the ongoing session.
Session hijacking in the OSI model
Session hijacking within the OSI model is conducted at two levels: the network level and the application level.
Application-level hijacking involves either exploiting the current session or creating a new one based on the stolen information. Application-level hijacking occurs when HTTP sessions are hijacked by obtaining the respective valid session IDs.
Various ways in which application-level session hijacking are often accomplished are as follows:
- Predictable session token
- Man-in-the-middle attacks
- Man-in-the-browser attacks
- Session sniffing
Network-level hijacking targets the data flow of the protocols shared by all internet applications. Attacks on network-level sessions yield critical data that an attacker can use for application-level hijacking. Network-level hijacking includes:
- TCP/IP hijacking
- IP spoofing: source routed packets
- RST hijacking
- Blind hijacking
- Man-in-the-middle: packet sniffer
- UDP hijacking
Defense against Session Hijacking
The following are some of the ways to safeguard against session hijacking:
- Use Secure Shell (SSH) to create a secure communication channel
- Use the encrypted protocols offered by the OpenSSH suite
- Pass authentication cookies only over secure HTTPS connections
- Implement log-out functionality so each user can invalidate the session
- Generate a different session ID after each successful login and logout
- Always encrypt information passed between users and web servers
- Use strong, long random values as the session key
- Use a different username and password for each account
- Configure suitable internal and external spoof rules on gateways
- Do not transport the session ID in the query string
- Limit incoming connections and minimize remote access
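As an added example of how several of these measures combine in code (illustrative code written for this page, not from the original article or any particular framework), the Python below keeps a server-side session store that issues a fresh random ID on every login, discards any pre-login ID, enforces idle and absolute timeouts, invalidates on logout, accepts the ID only from a cookie and never from the query string, and emits the cookie with the Secure, HttpOnly and SameSite attributes. The timeout values, the cookie name and the injectable clock are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60        # assumed: seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed: hard lifetime regardless of activity
COOKIE_NAME = "sid"           # assumed cookie name

@dataclass
class Session:
    user: str
    created: float
    last_seen: float

class SessionStore:
    """Server-side session table; the clock is injectable so expiry can be tested."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, old_sid: Optional[str] = None) -> str:
        # Drop whatever ID the client held before authenticating, so a pre-issued
        # or attacker-supplied ID never becomes an authenticated one.
        if old_sid is not None:
            self._sessions.pop(old_sid, None)
        sid = secrets.token_urlsafe(32)          # fresh 256-bit ID on every login
        now = self._clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def lookup(self, sid: Optional[str]) -> Optional[str]:
        """Return the user bound to sid, or None if the ID is unknown or expired."""
        if sid is None:
            return None
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.created > ABSOLUTE_TIMEOUT or now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]              # expired: remove it so it cannot be revived
            return None
        s.last_seen = now
        return s.user

    def logout(self, sid: str) -> bool:
        # Invalidate server-side; clearing the cookie alone would leave the ID usable.
        return self._sessions.pop(sid, None) is not None

def session_cookie_header(sid: str) -> str:
    # Secure: HTTPS only. HttpOnly: not readable by page script. SameSite: not sent cross-site.
    return f"Set-Cookie: {COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"

def session_id_from_request(headers: Dict[str, str], query: Dict[str, str]) -> Optional[str]:
    """Read the session ID from the Cookie header only; a sid in the query string is ignored."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME and value:
            return value
    return None   # query.get("sid"), if present, is deliberately never consulted

if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("alice")
    print(session_cookie_header(sid))
    print("bound user:", store.lookup(session_id_from_request({"Cookie": f"sid={sid}"}, {})))
    print("from query string only:", store.lookup(session_id_from_request({}, {"sid": sid})))
    store.logout(sid)
    print("after logout:", store.lookup(sid))
```

Two design choices are worth noting. Rotating the ID inside `login` rather than reusing whatever the browser sent is what closes the "insecure handling" and "indefinite expiration" factors at the same time, and keeping the table server-side means logout and expiry are enforced regardless of what the client does with its cookie. In a real deployment the dictionary would be a shared store with the same semantics, and the `Secure` attribute presumes the site is served exclusively over HTTPS.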
Session hijacking is a serious threat to networks and web applications, as most compromised systems fall because of insecure handling, weak session IDs and, most often, the absence of account lockout. Considering all these aspects, it can be concluded that the attack succeeds as a result of users' unawareness of security measures. Although the explanation and countermeasures above can offer some insight into safeguarding the organization's network, the defenses should also be pen-tested and monitored continuously so that intruders cannot penetrate them.