Table of contents
- What is session hijacking?
- How session hijacking works
- Types of session hijacking
- Active session hijacking
- Passive session hijacking
- Session hijacking techniques
- How to prevent session hijacking
- Final thoughts
What is session hijacking?
A web session is a set of user interactions between two endpoints (for example, the user and the website) over a period of time. A session lasts for as long as the connection remains between the two endpoints and is defined by a session ID.
Session hijacking means one of these sessions is taken over (usually by a hacker or virus) by pretending to be an authorized user. To hijack a session, the attacker must discover the session ID which can be used to masquerade as the authorized user.
The person who has taken over the session is then able to perform any action that the user is authorized to do on that network.
How session hijacking works
Session hijacking is when an attacker convinces a server or website that they are an authorized user. There are several session hijacking types, but they generally go something like this:
- An authorized user logs into an online account (for example, their bank account). The site then loads a “session cookie” in the user’s browser. This contains the user’s session ID which keeps the user authenticated and enables them to interact with the website like normal.
- While the user is connected to the site, an attacker steals their session ID. They then use this session ID to sign themselves into the website as the authenticated user without being detected.
- The attacker can then steal money from the user’s bank account. On other sites, an attacker might be able to purchase something, steal their identity, or steal and encrypt data for a ransom.
Types of session hijacking
There are two main categories of session hijacking: Active session hijacking and passive session hijacking.
Active session hijacking
Active session hijacking is when an attacker actively takes over a user’s session by forcing them offline and preventing them from communicating with the server. The attacker can then perform any action they like, such as stealing money from a bank account.
Passive session hijacking
Passive session hijacking is when an attacker simply monitors traffic between a user and a server. This lets them discover passwords or other valuable information they can use to masquerade as the user or ransom their personal information.
Session hijacking techniques
There are several different types of session hijacking, including:
- Session-side jacking. Session-side jacking or cookie sniffing involves using an application or proxy to steal network traffic between a website and the user. This contains the session ID token that can be used to masquerade as the authorized user.
- Cross-site scripting. This is when an attacker makes use of weaknesses in a website’s security to inject their own malicious links. When a user clicks those links, cross-site scripts activate which allow the attacker to see your session ID. This is one reason why it’s a good idea to disable cross-site tracking.
- Brute force. Brute force attacks involve an attacker guessing your session ID to hijack the session. Often, session IDs are created by algorithms. If an attacker can find several session IDs, they may be able to determine the algorithm and predict a usable session ID.
- Session fixation. This is when the attacker creates a session ID and convinces the authorized user to start a session with it. For example, the attacker might send them a fake email with a link to a login form. When the user logs in using that session ID, the attacker then has access.
- Malware injection. Attackers often try to trick users into installing malware which will monitor their activity and steal their data. This malware is able to find and steal your session ID so that the attacker can hijack your session.
How to prevent session hijacking
There are several things you can do to prevent session hijacking and protect your data and identity online, including:
- Use a VPN. A high-quality VPN can mask your IP address and keep your online activity private and secure.
- Avoid public or unsecure Wi-Fi networks. Because public Wi-Fi requires no authentication to connect, a hacker is able to position themselves between you and the connection point. This enables them to monitor and steal your information.
- Avoid scams. The main way you can avoid scams is by never clicking on a link in an email unless you’re sure it’s from a trusted source.
- Use security software. Security software like a high-quality antivirus can act as a last line of defense between you and malicious actors online. If you accidentally click a link, it might be the only thing that prevents malware from being installed.
- Make sure you only connect to secure sites. Older sites and small sites run by owners who aren’t very security savvy will often have several security loopholes. For this reason, it’s important to only load sites from reputable, trusted companies. The most secure sites now use HTTPS (rather than the older HTTP), so keep an eye out for this in your address bar.
With so many scams and viruses circulating the internet, it can be hard to avoid falling victim to a session hijacking attack. That’s why it’s vital that users are aware of the risks and make every effort to avoid them. One of the best ways to do this is by using Clario’s all-in-one web protection app.