14 Feb, 2023

Session Hijacking

Vulnerability Assessment as a Service (VAaaS)

Tests systems and applications for vulnerabilities to address weaknesses.

Session hijacking is a type of cyber attack in which an attacker attempts to gain unauthorized access to a user’s session on a web application or network service. The attacker does this by intercepting or stealing the user’s session token, which is typically a small data file or string of text that identifies the user’s session.

Once the attacker has gained access to the session, they can then perform actions on behalf of the user, such as making purchases, accessing sensitive information, or changing account settings. This type of attack can be particularly dangerous if the user is engaged in a secure session, such as online banking, as the attacker can gain access to sensitive financial information.

There are several techniques that attackers can use to hijack a user’s session, including packet sniffing, cross-site scripting (XSS), and man-in-the-middle attacks. To prevent session hijacking, web application developers and network administrators can implement various security measures, such as using secure cookies, encrypting traffic, and regularly changing session tokens. Additionally, users can protect themselves by avoiding unsecured public Wi-Fi networks and using two-factor authentication whenever possible.

Example of vulnerable code on different programming languages:

• PHP:

				
					session_start();

$session_id = session_id();

echo "Your session ID is: ".$session_id;

				
			

This code is vulnerable to session hijacking attacks because it simply echoes the current session ID, which can be easily stolen by an attacker if they have access to the user’s browser or network traffic.

• Python:

				
					import requests

session = requests.Session()

response = session.get("https://example.com")

print("Your session ID is: "+session.cookies.get_dict()["session_id"])

				
			

This code is also vulnerable to session hijacking attacks because it exposes the session ID in plaintext in the response.

• JavaScript:

				
					var session_id = localStorage.getItem("session_id");

console.log("Your session ID is: "+session_id);

				
			

This code is vulnerable to session hijacking attacks because it retrieves the session ID from local storage, which can be easily accessed by an attacker who has access to the user’s browser.

• Ruby:

				
					require 'sinatra'
require 'sinatra/reloader'

enable :sessions

get '/' do
  session_id = request.cookies['session_id']
  puts "Your session ID is: #{session_id}"
end

				
			

This code is vulnerable to session hijacking attacks because it simply logs the current session ID, which can be easily stolen by an attacker if they have access to the user’s browser or network traffic.

Examples of exploitation Session Hijacking vulnerabilities

Session hijacking is a type of cyber attack that involves taking control of an existing user session by stealing the session identifier (often called a session token or session ID). Here are a few examples of exploitation of session hijacking vulnerabilities:

  1. Cookie theft: An attacker can steal a user’s session identifier by intercepting the communication between the user’s browser and the server. This can be achieved through various techniques such as Man-in-the-Middle (MITM) attacks, where the attacker intercepts and modifies the data transmitted between the user and the server.

  2. URL manipulation: An attacker can manipulate the URL of a web application to access a victim’s session ID. For example, an attacker can change the session ID in the URL to access the session of another user.

  3. Predictable session IDs: If an application generates predictable session IDs, an attacker can easily guess the session ID of a user and access the user’s session.

  4. Cross-Site Scripting (XSS): An attacker can inject malicious code into a web application that is executed by the user’s browser. This can be used to steal the user’s session identifier and hijack the session.

  5. Network sniffing: An attacker can use network sniffing tools to intercept the communication between the user and the server. This can be used to steal the user’s session identifier and hijack the session.

Privilege escalation techniques for Session Hijacking vulnerabilities

Session hijacking can also be used as a stepping stone for privilege escalation attacks, which involve gaining higher-level privileges than the attacker currently has within a system. Here are a few examples of privilege escalation techniques for session hijacking vulnerabilities:

  1. Session Fixation: An attacker can use session fixation to control the session ID of a victim by forcing them to use a session ID chosen by the attacker. Once the victim logs in with the fixed session ID, the attacker can use the same ID to gain access to the victim’s account and their privileges.

  2. Session Poisoning: An attacker can use session poisoning to modify the session data of a victim, including their privileges. For example, the attacker could change the session data to give themselves admin-level privileges, allowing them to perform actions that they would not otherwise be authorized to do.

  3. Cross-Site Request Forgery (CSRF): An attacker can use CSRF to exploit the victim’s existing session and perform actions on the victim’s behalf. For example, an attacker could use a CSRF attack to modify the victim’s account settings and elevate their privileges.

  4. Session Replay: An attacker can capture and replay the session data of a victim to gain access to their account and privileges. The attacker could use a tool to capture the session data of the victim, replay it on their own system, and then gain access to the victim’s account and privileges.

  5. Session Hijacking with Malware: An attacker could install malware on the victim’s system that steals the session ID and sends it back to the attacker. The attacker could then use the session ID to gain access to the victim’s account and their privileges.

General methodology and checklist for Session Hijacking vulnerabilities

  1. Identify the type of session identifier used by the web application (e.g., cookies, URL parameters, hidden form fields).

  2. Check if the session identifier is transmitted over an insecure channel (e.g., unencrypted HTTP, vulnerable TLS configuration).

  3. Check if the session identifier is predictable or can be easily guessed (e.g., sequential numbers, dictionary words, common patterns).

  4. Check if the session identifier is long enough and contains enough entropy to resist brute-force attacks.

  5. Check if the session identifier is properly invalidated when the user logs out or the session expires.

  6. Check if the session identifier is properly tied to the user’s authentication credentials, preventing attackers from using stolen or intercepted session identifiers.

  7. Check if the web application enforces strict transport security (HSTS) to prevent downgrade attacks that could lead to session hijacking.

  8. Consider using session cookies with the HttpOnly and Secure flags to prevent client-side attacks such as cross-site scripting (XSS) and cookie theft.

  9. Implement mechanisms to detect and prevent session hijacking attacks, such as IP address validation, user agent validation, and session expiration monitoring.

  10. Regularly audit and review session management functionality to identify potential vulnerabilities and ensure that security best practices are being followed.

Tools set for exploiting Session Hijacking vulnerabilities

Manual Tools:

  1. Burp Suite – A web application security testing tool that includes a proxy, scanner, and various other tools to test and identify vulnerabilities.

  2. OWASP ZAP – An open-source web application security scanner and proxy that helps to identify vulnerabilities in web applications.

  3. Fiddler – A web debugging proxy tool that logs all HTTP(S) traffic between a computer and the internet, allowing users to analyze, inspect, and debug web traffic.

  4. Charles Proxy – A cross-platform proxy tool that allows users to analyze, intercept, and modify HTTP and HTTPS traffic between a web application and the internet.

  5. Wireshark – A network protocol analyzer that captures and displays network traffic in real-time and allows users to analyze and troubleshoot network issues.

  6. Tamper Data – A browser plugin that allows users to intercept and modify HTTP/HTTPS requests sent between a web application and the internet.

  7. Hackbar – A browser plugin that allows users to modify HTTP/HTTPS requests sent between a web application and the internet.

  8. Paros Proxy – A Java-based proxy tool that allows users to intercept and modify HTTP/HTTPS traffic between a web application and the internet.

  9. WebScarab – A Java-based proxy tool that allows users to intercept and modify HTTP/HTTPS traffic between a web application and the internet.

  10. Live HTTP Headers – A browser plugin that allows users to view and modify HTTP headers sent between a web application and the internet.

Automatic Tools:

  1. Nessus – A vulnerability scanner that helps to identify vulnerabilities in a network, web application, or operating system.

  2. OpenVAS – An open-source vulnerability scanner that helps to identify vulnerabilities in a network, web application, or operating system.

  3. Nikto – A web server vulnerability scanner that helps to identify vulnerabilities in web servers and web applications.

  4. Vega – An open-source web application vulnerability scanner and testing platform that helps to identify vulnerabilities in web applications.

  5. Arachni – An open-source web application security scanner that helps to identify vulnerabilities in web applications.

  6. AppScan – A web application vulnerability scanner that helps to identify vulnerabilities in web applications.

  7. Acunetix – A web application security scanner that helps to identify vulnerabilities in web applications.

  8. QualysGuard – A cloud-based vulnerability management tool that helps to identify vulnerabilities in a network, web application, or operating system.

  9. Netsparker – A web application security scanner that helps to identify vulnerabilities in web applications.

  10. Skipfish – An automated web application security scanner that helps to identify vulnerabilities in web applications.

Average CVSS score of Session Hijacking vulnerabilities

The average CVSS score of Session Hijacking vulnerabilities varies depending on several factors, such as the severity and impact of the vulnerability, the type of web application, and the attack vectors used by the attacker. Generally, Session Hijacking vulnerabilities are classified as high or critical severity because they can allow attackers to gain unauthorized access to sensitive information or perform actions on behalf of legitimate users. As a result, the average CVSS score of Session Hijacking vulnerabilities is typically above 7, which is considered a high severity vulnerability. However, it’s important to note that the CVSS score should not be the only factor considered when evaluating the risk of a vulnerability, as other factors such as the business impact, the exploitability, and the mitigations available should also be taken into account.

The Common Weakness Enumeration (CWE)

  • CWE-613: Insufficient Session Expiration – This weakness occurs when a web application does not properly expire user sessions, allowing an attacker to use a session ID after the user has logged out.

  • CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute – This weakness occurs when a web application sends sensitive information, such as session IDs or authentication credentials, in an unencrypted cookie over an HTTPS connection without the ‘Secure’ attribute.

  • CWE-522: Insufficiently Protected Credentials – This weakness occurs when a web application stores or transmits user credentials in an insecure manner, such as in cleartext, making it easier for attackers to steal or reuse them.

  • CWE-207: Information Exposure Through Error Messages – This weakness occurs when a web application reveals sensitive information, such as session IDs, in error messages that could be used by attackers to hijack user sessions.

  • CWE-798: Use of Hard-coded Credentials – This weakness occurs when a web application uses hard-coded credentials, such as default usernames and passwords, making it easier for attackers to gain unauthorized access.

  • CWE-384: Session Fixation – This weakness occurs when a web application does not properly generate new session IDs after a user logs in, allowing attackers to obtain and use a valid session ID to hijack the user’s session.

  • CWE-290: Authentication Bypass by Capture-replay – This weakness occurs when a web application does not properly protect against capture-replay attacks, allowing attackers to hijack user sessions.

  • CWE-330: Use of Insufficiently Random Values – This weakness occurs when a web application generates session IDs or other random values using insufficiently random values or predictable algorithms, making it easier for attackers to guess or predict them.

  • CWE-319: Cleartext Transmission of Sensitive Information – This weakness occurs when a web application sends sensitive information, such as session IDs or authentication credentials, in cleartext over an unencrypted channel, making it easier for attackers to intercept and hijack user sessions.

Session Hijacking vulnerabilities exploits

  1. Sniffing: An attacker can use network sniffing tools like Wireshark to capture unencrypted network traffic and obtain session IDs or sensitive information that can be used to hijack user sessions.

  2. Cross-site Scripting (XSS): An attacker can inject malicious scripts into a web application, which can be executed by unsuspecting users, allowing the attacker to steal session IDs and hijack user sessions.

  3. Session Fixation: An attacker can use a session fixation attack to trick a user into using a session ID that has been previously created by the attacker. This can be done by providing the user with a link to a vulnerable page that sets the session ID or by using social engineering tactics.

  4. Session Sidejacking: An attacker can use session sidejacking tools like Firesheep to capture unencrypted session cookies and use them to hijack user sessions.

  5. CSRF (Cross-Site Request Forgery): An attacker can use CSRF attacks to trick a user into performing an action on a vulnerable web application, which can be used to hijack the user’s session.

  6. Man-in-the-Middle (MitM): An attacker can use MitM attacks to intercept network traffic and obtain sensitive information, including session IDs, that can be used to hijack user sessions.

  7. Brute-forcing: An attacker can use brute-force attacks to guess session IDs or credentials and obtain access to user sessions.

For study Session Hijacking vulnerabilities

If you are interested in studying session hijacking vulnerabilities, there are many resources available to help you learn more about this topic. Here are some suggestions:

  1. OWASP: The Open Web Application Security Project (OWASP) is a non-profit organization that provides free and open-source resources for web application security. Their website provides information on various security vulnerabilities, including session hijacking, as well as guidelines for testing and mitigating these vulnerabilities.

  2. Books: There are several books available on web application security that cover session hijacking vulnerabilities in detail, such as “The Web Application Hacker’s Handbook” by Dafydd Stuttard and Marcus Pinto.

  3. Online Courses: There are many online courses available that focus on web application security and session hijacking vulnerabilities. Some popular platforms include Udemy, Coursera, and Pluralsight.

  4. Conferences and Events: Attending security conferences and events can be a great way to learn more about session hijacking vulnerabilities and other security-related topics. Some popular events include Black Hat, DEF CON, and OWASP conferences.

Books with review of Session Hijacking vulnerabilities

  1. “The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws” by Dafydd Stuttard and Marcus Pinto: This book is a comprehensive guide to web application security and covers various topics, including session hijacking vulnerabilities. The book provides real-world examples and practical techniques for identifying and exploiting security flaws in web applications.

  2. “OWASP Testing Guide v4” by The Open Web Application Security Project (OWASP): This book is a free and open-source resource that provides guidelines for testing web applications for security vulnerabilities, including session hijacking. The guide provides detailed information on various testing methodologies, tools, and techniques, as well as recommendations for remediation and mitigation.

  3. “The Tangled Web: A Guide to Securing Modern Web Applications” by Michal Zalewski: This book is a comprehensive guide to web application security and covers various topics, including session hijacking vulnerabilities. The book provides a detailed analysis of the different web technologies, protocols, and attack vectors that can be exploited by attackers, as well as recommendations for mitigation.

  4. “Hacking Exposed Web Applications: Web Application Security Secrets and Solutions” by Joel Scambray, Vincent Liu, and Caleb Sima: This book provides a comprehensive overview of web application security, including session hijacking vulnerabilities. The book provides practical examples and case studies of real-world attacks, as well as recommendations for remediation and mitigation.

List of payloads Session Hijacking vulnerabilities

Session Sniffing

In the example, as we can see, first the attacker uses a sniffer to capture a valid token session called “Session ID”, then they use the valid token session to gain unauthorized access to the Web Server. 

Session sniffing

Cross-site script attack

The attacker can compromise the session token by using malicious code or programs running at the client-side. The example shows how the attacker could use an XSS attack to steal the session token. If an attacker sends a crafted link to the victim with the malicious JavaScript, when the victim clicks on the link, the JavaScript will run and complete the instructions made by the attacker. The example in figure 3 uses an XSS attack to show the cookie value of the current session; using the same technique it’s possible to create a specific JavaScript code that will send the cookie to the attacker

Code Injection

				
					<SCRIPT>

alert(document.cookie);

</SCRIPT>
				
			

How to be protected from Session Hijacking vulnerabilities

  1. Block suspicious incoming traffic: Configure the firewall to block incoming traffic from suspicious IP addresses or sources that may be trying to initiate a Session Hijacking attack.

  2. Monitor session cookies: Monitor session cookies for unusual activity, such as multiple logins from different IP addresses or locations. This can help detect and prevent Session Hijacking attacks.

  3. Implement two-factor authentication: Implement two-factor authentication to strengthen the security of user accounts and prevent Session Hijacking attacks.

  4. Use encrypted connections: Use encrypted connections, such as HTTPS or SSL, to prevent Session Hijacking attacks that attempt to intercept unencrypted data.

  5. Monitor user activity: Monitor user activity and behavior to detect any unusual or suspicious activity that may be indicative of a Session Hijacking attack.

Conclusion

In conclusion, Session Hijacking is a serious vulnerability that can compromise the security of your system and the data it contains. It is important to implement appropriate security measures to prevent and detect Session Hijacking attacks, such as monitoring user activity, using encrypted connections, implementing two-factor authentication, and blocking suspicious traffic. By taking these steps, you can help ensure the safety and security of your system and the data it contains.

Other Services

Ready to secure?

Let's get in touch