Information on Session Hijacking
Also referred to as cookie hijacking, session hijacking is the process of taking over the valid session of a computer and thereby gaining use of that computer's resources and systems. Using cookie hijacking, one can access and maintain a session on a website and from there access the rest of the computer.
The History of HTTP
- Session Side Jacking; this method requires the use of packet sniffing to read the traffic between any two parties. After this, the hijacker can go ahead and steal the session cookie. This method is among the most used but will only work if there are two parties communicating.
- Session Fixation; this method requires the party hijacking the session to set the session id of the user to the one they know about. It will often take the form of an email message to the potential victim with the link to the new session id. When the victim logs in, the hijacker will have all the power to carry out a session hijacking.
- Malware; malware and other unwanted pieces of software can be used to perform various activities on another person’s device without their knowledge. Malware can be used to hijack the session and even install or uninstall programs on the victim’s devices without their knowledge. One needs to be careful with the type of software on their devices.
- Cross-site Scripting; in this type of attack, the hijacker tricks the victim’s computer into running code that appears to be legitimate but is in fact a way to enter the device and hijack the session in question. It is used by most modern hackers because it is effective and difficult to detect.
Session Hijacking Exploits
- WhatsApp Sniffer; in 2012, an app called WhatsApp Sniffer was introduced on the Google Play Store and could be used to read the WhatsApp messages of people connected to the same network. This exploit was used for a while until WhatsApp fixed its security issues. It no longer works.
- Firesheep; Firesheep was an extension for the popular Mozilla Firefox browser that was launched in 2010. The program allowed for the hijacking of a session in the same way other session hijacking programs do. It would especially allow for the hijacking of Facebook sessions without the knowledge of the actual users of the social network. It was brought down too.
- CookieCadger; this is a Java app which allows one to side jack the active session of another user without their knowledge. It can be used to replay any insecure HTTP GET requests with ease. Although most browsers of today have patched up their faults, making this exploit difficult to use, it can at times find its way into users’ browsers and stay active.
- DroidSheep; DroidSheep is used in the hijacking of the web session of another Android device. It is among the most used tools to hijack Android devices and has been around for a while now. It does this by stealing the user ID and sending it to the hacker, who then uses it to their advantage.
- Encryption; encryption can be used to make sure that session hijacking is stopped in its tracks. The best methods to encrypt data traffic would be using either TLS or SSL and both of these methods have been used widely to keep users safe in today’s world. Without encryption, it will take but a few minutes for a hacker to hijack a session.
- Complex Session Keys; if you are in the habit of using simple numbers as session keys, then you are setting yourself up for disappointment, since it means that session hijackers can easily steal your sessions and make it difficult to use them well. Make the key as long and as complex as you can.
- Session id Regeneration; the moment you log in, have the session id regenerated so that any potential hacker is thrown off the trail and left to wonder how to pinpoint your session key. It will also prevent session fixation, which has been cited as the most used tool by hijackers of web sessions.
- Secondary checks; the secondary checks will ensure that the IP address of the user is always the same after logging into a session. This will prevent the likelihood of having another person log in to your session while the computer thinks it is still your session. For this task, pieces of software can be installed to do a background check while you are logged into your session.
- Cookie Change; you can also have some service which takes care of the value of the cookie by changing it as quickly as possible to make it difficult for a potential hacker to pinpoint its value. The little window between the changes of the cookie value is not enough to allow for the hijacking of a session when logged in by the user.
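The sketch below puts four of the defences listed above (complex session keys, session id regeneration, secondary IP checks and cookie change) into one small server-side session store. It is an added example, not code from any of the tools named on this page; the class `SessionStore` and all of its method names are hypothetical, and the store is kept in memory for illustration.

```python
import secrets


class SessionStore:
    """Hypothetical in-memory session store, for illustration only."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user": ..., "ip": ...}

    def _new_id(self):
        # Complex session key: 32 bytes from the OS CSPRNG, not a counter.
        return secrets.token_urlsafe(32)

    def _lookup(self, sid, ip):
        record = self._sessions.get(sid)
        if record is not None and record["ip"] != ip:
            # Secondary check: the client IP changed, so destroy the session.
            del self._sessions[sid]
            return None
        return record

    def create_anonymous(self, ip):
        """Issue a pre-login session id (the kind session fixation plants)."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "ip": ip}
        return sid

    def login(self, old_sid, user, ip):
        """Session id regeneration: drop the pre-login id, issue a fresh one."""
        self._sessions.pop(old_sid, None)
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "ip": ip}
        return sid

    def validate(self, sid, ip):
        """Return the logged-in user for this id and IP, or None."""
        record = self._lookup(sid, ip)
        return record["user"] if record else None

    def rotate(self, sid, ip):
        """Cookie change: swap a valid id for a new one; the old id dies."""
        record = self._lookup(sid, ip)
        if record is None:
            return None
        del self._sessions[sid]
        new_sid = self._new_id()
        self._sessions[new_sid] = record
        return new_sid
```

Binding a session to one IP address also logs out users whose address legitimately changes, for example on mobile networks, so the secondary check is usually paired with a prompt to log in again.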