What are the different types of session hijacking explain session hijacking countermeasures?

Click here to log in

The attacker could also direct the victim to a legitimate-looking fake login page that would actually log the victim into the legitimate website but using the attacker’s session ID. Again, if the victim logs in, the attacker can hijack the session.

Malware

Malware is another common way to obtain session cookies for session hijacking attacks. Once the malware is installed, it will scan the victim’s web traffic from the inside and report the victim’s session IDs back to the attacker. Or, depending on the malware in question, it could access the victim’s cookies directly from the browser’s local storage.

Brute force

Session IDs are strings of characters that are generated by the server. Suppose the server uses simple sequential patterns to generate its users’ session IDs [user0001, user0002, user0003, etc]. In that case, there’s a good chance the attacker could “guess” [using software programs to cycle through thousands of possibilities quickly] the user’s session ID.

This was a big issue in the past, but today, most websites generate long and random session IDs, rendering brute force attacks impractical.

Session hijacking attack examples

Firesheep

Firesheep is a Mozilla Firefox extension, released in 2010, that provided an easy way to extract private information, including session cookies, from users of unencrypted WiFi networks. Sites like Twitter and Facebook were vulnerable to Firesheep until they enabled HTTPS throughout their respective websites.

DroidSheep

DroidSheep is an Android app that enables session hijacking, previously available on Google Play. It scans HTTP packets and extracts the session cookies’ session ID. DroidSheep supports unencrypted WiFi networks, WEP-secured WiFi networks, and even WPA/WPA2-encrypted networks, as long as they use a pre-shared key [PSK].

FaceNiff

FaceNiff is another Android app used for session hijacking on public WiFi networks. This one never made it onto Google Play, and your phone must be rooted in order to use the app. The app works by sniffing the traffic on the network and systematically searching for login credentials to large websites, such as Facebook, YouTube, and more. Once FaceNiff finds interesting packets, it analyzes them and then presents the attacker with the victim’s login credentials in a friendly user interface.

How can you prevent session hijacking attacks?

How to defend against session hijacking attacks depends on which side of the attack you are on: the user side or the server side. We’ll start with tips for the server side before moving on to client-side defenses.

Server-side defenses

These are measures that site administrators can implement to mitigate session hijacking attacks.

  • Use HTTPS across the entire website to wrap all traffic in SSL/TLS encryption. This way, an attacker cannot intercept session IDs in plain text, even if they monitor the victim’s traffic. If possible, you should also use HSTS [HTTP Strict Transport Security] so that browsers only ever connect over HTTPS, which blocks downgrade-style man in the middle [MitM] attacks.
  • Set the HttpOnly attribute using the Set-Cookie HTTP header to bar client-side scripts from accessing cookies. This limits the damage of cross-site scripting [XSS] and other JavaScript injection attacks, since injected script cannot read the session cookie. Adding the Secure and SameSite attributes is also recommended.
  • Use well-established web frameworks for session ID generation and management rather than using a homegrown solution.
  • Use long random numbers or strings as the session ID. This will limit your vulnerability to brute force attacks.
  • Regenerate the session ID after the user has been authenticated. This will close the door on session fixation attacks because the session ID changes before the attacker has a chance to use it. Also, consider changing the session ID with every user request. This would significantly reduce the amount of time an attacker would have to exploit a compromised session ID.
  • Don’t rely solely on the session ID for user authentication. Validate the identity of your users by other means as well. This could be the user’s usual IP address or their application usage patterns.
  • Set a user inactivity timeout to close the user session after a certain amount of idle time.
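The following is an added example, not code from the original article: a minimal in-memory session store that applies the server-side measures above (random session IDs, regeneration at login, an inactivity timeout, and a hardened Set-Cookie header). The class and function names, the 15-minute timeout and the injectable clock are this example's own assumptions, not any particular framework's API.

```python
# Added example (not from the original article): a small server-side session
# store that applies the defenses listed above. SessionStore, login() and
# set_cookie_header() are names invented for this example.
import secrets
import time

INACTIVITY_TIMEOUT = 15 * 60  # assumed: seconds of idle time before the session closes


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so tests can fast-forward time
        self._sessions = {}          # session_id -> {"user": ..., "last_seen": ...}

    def create(self):
        # 32 bytes from the OS CSPRNG, base64url-encoded (43 chars): a long,
        # random ID instead of a guessable sequence like user0001, user0002, ...
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, old_sid, user):
        # Regenerate the ID when the user authenticates: any ID an attacker
        # planted before login (session fixation) is discarded here.
        self._sessions.pop(old_sid, None)
        new_sid = self.create()
        self._sessions[new_sid]["user"] = user
        return new_sid

    def lookup(self, sid):
        # Return the user bound to a live session, or None if the ID is
        # unknown or the session has been idle past the timeout.
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > INACTIVITY_TIMEOUT:
            del self._sessions[sid]  # idle too long: close the session
            return None
        entry["last_seen"] = now
        return entry["user"]


def set_cookie_header(sid):
    # HttpOnly: scripts cannot read it; Secure: never sent over plain HTTP;
    # SameSite=Strict: not sent on cross-site requests.
    return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"
```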

Client-side defenses

The client-side defenses are simply common-sense measures that any internet user should follow.

  • Use a firewall – All major operating systems have a built-in incoming firewall, and all commercial routers on the market have a built-in NAT firewall. Make sure to enable them.
  • Never click on pop-ups.
  • If your browser displays a warning about a website you are trying to access, you should pay attention and get the information you need elsewhere.
  • Disable JavaScript in your web browser, either natively or using a browser extension, such as NoScript.
  • Only open email attachments if you trust the sender and you’re sure that you can verify their identity – viruses do come in the mail, and that’s why it’s always a good idea to scan all your incoming mail with an antivirus program.
  • Keep your programs up to date. Malware and viruses typically try and exploit security flaws found in outdated software.
  • Make sure to log out of websites when you’re done.
  • If you receive an email asking for information while claiming to be from an official organization with which you have a relationship, read it very carefully before doing anything. Does it have spelling and grammar mistakes? Does it have an air of urgency? These are classic signs of a phishing attempt. And remember that your bank or the government will never ask you to send them sensitive information by email.
  • Don’t click links [URLs] in emails unless you know exactly who sent the URL and where it links to. And even then, scrutinize the link. Is it an HTTP or an HTTPS link? Most legitimate sites use HTTPS today. Does the link contain spelling errors [gooogle instead of google]? If you can get to the destination without using the link, do that instead.

What is the countermeasure for session hijacking?

Methods to prevent session hijacking include encryption of the data traffic passed between the parties using SSL/TLS, in particular the session key [though ideally all traffic for the entire session].

What are five methods of session hijacking?

There are five key methods of session hijacking, including session fixation, session side jacking, and cross-site scripting.

Which of the following is the best countermeasure to session hijacking?

Answer 103. Option B. Explanation: Encryption makes any information the hacker gathers during a session-hijacking attempt unreadable.

What is session hijacking in networking?

A session hijacking attack can be best defined as a successful attempt by an attacker to take over your web session. Through this type of attack, an attacker can impersonate an authorized user to gain access to a domain, server, website, web application, or network to which access is restricted.