Session Hijacking - How Attackers Steal Logins
Session hijacking is an attack in which an attacker steals a user's session ID and impersonates that user to access a service. A session ID is an identifier issued by the server after login; if it is stolen, the attacker can use the service in an authenticated state without ever knowing the password. OWASP lists improper session management as one of the major vulnerabilities in web applications.
Real-World Use Cases
"During a vulnerability assessment, we found that the session ID was not being regenerated after login. Because this poses a risk of session fixation attacks, we have requested a fix to issue a new session ID upon successful authentication."
The Session Theft Flow
Attack Techniques
These include stealing the session ID from cookies using XSS (cross-site scripting), intercepting network communication to capture the session ID in transit, and session fixation attacks that force the victim to use a session ID the attacker prepared in advance.
Concrete Damage Scenarios
A common misconception is that "logging out makes you safe." In reality, a logout process that does not invalidate the session on the server side may leave a stolen session ID still valid. For example, if you log in to online banking over a cafe's public Wi-Fi and your session ID is intercepted through a man-in-the-middle attack, the attacker can use that session to check balances or perform transfers. "Cookie theft," in which malware extracts cookies stored in the browser so that the attacker can access the account in a logged-in state from another device, is also on the rise.
Countermeasures
The basic countermeasures are using HTTPS, setting the Secure and HttpOnly attributes on cookies, and periodically regenerating the session ID. If you set a unique, strong password for each service and enable two-factor authentication, important operations will still require additional authentication even if a session is hijacked, which limits the damage.
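An added example, not code from the article: a minimal in-memory session store that applies the lifecycle rules described above (a new ID on login to defeat fixation, periodic rotation, server-side invalidation on logout, and Secure/HttpOnly cookie attributes). The store, function names and the 15-minute lifetime are assumptions chosen for illustration.

```python
import secrets
import time

# Constructed in-memory store for illustration; a real deployment backs the
# same lifecycle rules with a server-side store.
SESSIONS = {}          # session_id -> {"user": str | None, "created": float}
SESSION_TTL = 15 * 60  # assumed absolute lifetime in seconds

def new_session(user=None):
    """Issue a fresh, unguessable ID (128 bits from the OS CSPRNG)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "created": time.time()}
    return sid

def rotate(sid, user=None):
    """Replace the ID, keeping the user: the periodic regeneration the
    article recommends, and the core of the login fix below."""
    entry = SESSIONS.pop(sid, None)
    if user is None and entry is not None:
        user = entry["user"]
    return new_session(user)

def login(presented_sid, user):
    """After authentication, never keep the pre-login ID, so an ID planted
    before login (session fixation) never becomes the authenticated one."""
    return rotate(presented_sid, user)

def logout(sid):
    """Invalidate server-side, not just clear the browser cookie, so a
    stolen copy of the ID is useless afterwards."""
    SESSIONS.pop(sid, None)

def current_user(sid):
    """Resolve a presented ID; unknown or expired IDs yield None."""
    entry = SESSIONS.get(sid)
    if entry is None:
        return None
    if time.time() - entry["created"] > SESSION_TTL:
        SESSIONS.pop(sid, None)
        return None
    return entry["user"]

def set_cookie_header(sid):
    """Set-Cookie value with the attributes the article lists: Secure (HTTPS
    only), HttpOnly (hidden from document.cookie, so XSS cannot read it),
    plus SameSite to limit cross-site sending."""
    return (f"sessionid={sid}; Path=/; Max-Age={SESSION_TTL}; "
            "Secure; HttpOnly; SameSite=Lax")
```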