What is session hijacking and how does it work?
Logging into websites or portals is a daily part of using the internet for most people. Every time you log in to a website, a session is created. A session is the communication between two systems, which remains active until the user ends the communication. Starting a session is essential for communication to occur over the internet – but also opens up the risk of session hijacking. Read on to learn more about session hijacking, how it works, and how to protect yourself.
What is session hijacking?
Session hijacking – sometimes called cookie hijacking, cookie side-jacking, or TCP session hijacking – occurs when an attacker takes over your internet session. This might happen when you’re shopping online, paying a bill, or checking your bank balance. Session hijackers usually target browser or web applications, and their aim is to take control of your browsing session to gain access to your personal information and passwords.
Session hijackers fool websites into thinking they are you. This type of attack can have serious consequences for application security because it allows attackers to gain unauthorized access to protected accounts (and the data they contain) by masquerading as a legitimate user.
What is a session?
Every time a user accesses a website or application through an HTTP connection, the service authenticates the user (for example, via a username and password) before opening the line of communication and providing access. However, HTTP connections on their own are ‘stateless’, which means that each action a user takes is viewed independently. As a consequence, if we relied solely on HTTP, users would have to re-authenticate themselves for each action they take or page they view.
Sessions overcome this challenge. A session is created on the server hosting the website or application once a user logs in and then serves as a reference for the initial authentication. Users can remain authenticated for as long as a session stays open on the server and can end a session by logging out of the service. Some services end a session after a set period of inactivity.
Many services create these sessions by issuing a session ID, a string of numbers and letters stored in temporary session cookies, URLs, or hidden fields on the website. In some but not all cases, these session IDs are encrypted. Often, session IDs are based on predictable information, such as a user’s IP address.
How does session hijacking work?
Here is a hypothetical example of how session hijacking might work:
Step 1: An internet user logs into an account as normal.
This might be their online bank or credit card account, an online store, an application, or portal. The application or website installs a temporary session cookie in the user’s browser. That cookie contains information about the user that allows the site to keep them authenticated and logged in and to track their activity during the session. The session cookie remains in the browser until the user logs out (or is automatically logged out after a set period of inactivity).
Step 2: A criminal gains access to the internet user’s valid session.
Cybercriminals use various methods to steal sessions. Often, session hijacking involves stealing the user’s session cookie, locating the session ID within the cookie, and using that information to take over the session. The session ID is also known as a session key. When the criminal obtains the session ID, they can take over the session without detection.
Step 3: The session hijacker gets a payoff for stealing the session.
Once the original internet user has continued their online journey, the hijacker can use the ongoing session to commit various malicious acts. This can include stealing money from the user’s bank account, purchasing items, grabbing personal data to commit identity theft, or encrypting important data and then demanding a ransom for its return.
Session hijack attacks are usually carried out against busy networks with a high number of active communication sessions. This provides the attacker with a large volume of sessions to exploit and gives the attacker a measure of protection – because the number of active sessions on the server makes them less likely to be detected.
Types of session hijacking
A cross-site scripting attack involves cybercriminals exploiting security weak spots in a web server or application. Cross-site scripting involves an attacker injecting scripts into web pages. These cause your web browser to reveal your session key to the attacker so they can take over the session.
Session side jacking (also known as session sniffing)
In this type of attack, a criminal needs access to a user’s network traffic. They may gain access when the user uses unsecured Wi-Fi or by engaging in man-in-the-middle attacks. In session side jacking, a criminal uses ‘packet sniffing’ to monitor an internet user’s network traffic to search for sessions. This allows the attacker to obtain a session cookie and use it to take over the session.
In a session fixation attack, the criminal creates a session ID and tricks the user into starting a session with it. This might be achieved through sending an email to the user with a link to a login form for the website the attacker wants to access. The user logs in with the fake session ID, giving the attacker a foot in the door.
This is similar to a man-in-the-middle attack, but the attacker must first infect the victim's computer with a Trojan. Once the victim is deceived into installing malware onto the system, the malware waits for the victim to visit a targeted site. The man-in-the-browser malware can invisibly modify transaction information and can also create additional transactions without the user knowing. Because the requests are initiated from the victim's computer, it is very difficult for the web service to detect that the requests are fake.
Predictable sessions token ID
Many web servers use a custom algorithm or predefined pattern to generate session IDs. The more predictable a session token, the weaker it is. If attackers can capture several IDs and analyze the pattern, they may be able to predict a valid session ID. (This approach can be compared to a brute force attack.)
How does session hijacking differ from session spoofing?
Session hijacking and session spoofing share similarities but are not the same type of attack. The main difference between the two is that session hijacking occurs when a legitimate user is already logged in to a web session. By contrast, session spoofing occurs when attackers impersonate a user to launch a new web session (which means that the user does not have to be logged in at the time).
This distinction means that legitimate users experience the attacks differently. With session hijacking, an attacker interrupting the session may cause the website or application to behave unusually or even crash for the victim. However, because the user isn’t actively logged in during a session spoofing attack, they won’t experience any disruption during their next session.
Impact of session hijacking attacks
There are many risks associated with not taking steps to prevent session hijacking. Some of these dangers include:
By gaining unauthorized access to sensitive personal information saved in accounts, attackers can steal a victim’s identity beyond the confines of the hacked website or application.
Through session hijacking, attackers can gain the ability to carry out financial transactions on behalf of the user. This might involve transferring money from a bank account or making purchases with saved payment information.
If a hacker can steal a user’s session ID, they may also be able to infect the user’s computer with malware. This can allow them to gain control of the target’s computer and steal their data.
Denial-of-Service (DoS) attacks
A hacker who gains control of a user’s session could launch a DoS attack against the website or server to which they’re connected, disrupting service, or causing the site to crash.
Access to additional systems through SSO
SSO stands for ‘single sign on’. Attackers can also gain unauthorized access to additional systems if SSO is enabled, further spreading the potential risk of a session hijacking attack. This risk is particularly important for organizations, many of which now enable SSO for employees. Ultimately, this means that even highly protected systems with stronger authentication protocols and less predictable session cookies, such as those housing financial or customer information, may only be as protected as the weakest link in the entire system.
Session hijacking attack examples
During the Covid-19 pandemic, the world turned to video conferencing apps like Zoom. These apps became a popular target of session hijackers, even earning the nickname ‘zoom bombing’. There were news reports of session hijackers joining private video sessions, in some cases shouting profanities, hateful language and sharing pornographic images. In response, Zoom introduced greater privacy protections to minimize the risk.
In 2019, a researcher on a bug bounty platform identified a vulnerability in Slack which allowed attackers to force users into fake session redirects so they could steal their session cookies. This gave attackers access to any data shared within Slack (which for many organizations, can be significant). Slack was quick to respond and patched the vulnerability within 24 hours of the researcher highlighting it.
In 2017, a security researcher identified a vulnerability in GitLab where users’ session tokens were available directly in the URL. Further investigation revealed that GitLab also used persistent session tokens that never expired, which meant that once an attacker obtained one session token, they could use it without the worry of expiration. This combination of open exposure and persistent tokens presented a serious risk, opening users to various severe attacks through session hijacking via a brute force attack. GitLab fixed the vulnerability by changing how it used and stored those tokens.
How to prevent session hijacking
Follow these session hijacking prevention tips to increase your online security:
Avoid public Wi-Fi
Avoid carrying out important transactions like banking, online shopping, or logging into your email or social media accounts on public Wi-Fi. There may be a cybercriminal nearby who is using packet sniffing to try to pick up session cookies and other information.
Use a VPN
If you do need to use public Wi-Fi, use a Virtual Private Network (VPN) to maximize your safety and keep session hijackers out of your sessions. A VPN masks your IP address and keeps your online activities private by creating a private tunnel through which all your online activity travels. A VPN encrypts the data you send and receive.
Be alert to phishing and other online scams
Avoid clicking on any link in an email unless you know it is from a legitimate sender. Session hijackers may send you an email with a link to click. The link may install malware on your device or take you to a login page that will log you into a site using a session ID prepared by the attacker.
Be aware of site security
Reputable banks, email providers, online retailers, and social media sites have safeguards in place to avoid session hijacking. Look out for websites whose URL starts with HTTPS – the S stands for ‘secure’. Using questionable online shops or other providers that may not have robust security can leave you vulnerable to a session hijacking attack.
Use antivirus software
Install reputable antivirus software which can easily detect viruses and protect you from any type of malware (including the malware attackers use to perform session hijacking). Keep your systems up to date by setting up automatic updates on all your devices.