Logging into websites and portals is part of many people's daily routines. Every time you log into one of these websites, a session is created. In the simplest terms, a session is a stateful exchange between two systems, here your browser and the web server, that remains active until one side ends it, typically when the user logs out or the session expires. Because the user starts it, this is referred to as a user-initiated session.
A session is what lets a website remember who you are from one request to the next, so almost everything you do on the web after logging in happens inside one. That being said, there is a constant threat of session hijacking looming. This article covers what session hijacking actually is, how it happens, and what can be done to prevent it.
What is Session Hijacking?
Session hijacking is what the term suggests: an attacker takes over a user's session and acts as that user, typically by obtaining the session identifier (the session cookie or token) and presenting it to the server. From that point the attacker can read the user's personal data and perform actions in their name. After a user starts a session, such as by logging into a banking website, an attacker who gets hold of the identifier can hijack it.
To hijack a session, the attacker needs to learn or control the user's session identifier. The server treats whoever presents a valid identifier as that user, so the identifier is effectively a bearer credential. Although any kind of session can be attacked, it is most common in browser sessions with web applications.
How is a session hijacked?
Attackers have a number of options to hijack a user’s session, depending on the attacker’s position and vector. Here are some of the ways a session can be hijacked:
- Cross-site scripting (XSS): Attackers exploit vulnerabilities in servers or applications to inject client-side JavaScript into pages served to users, causing the browser to execute the attacker's code when it loads a compromised page. If the server doesn't set the HttpOnly attribute on its session cookies, the injected script can read the session identifier through document.cookie and send it to the attacker, which is all they need to hijack the session.
- Session side jacking: By packet sniffing, an attacker monitors traffic on the network and intercepts the user's session cookie after the user has authenticated. If the website takes the cheap route of using SSL/TLS for its login page only, the session cookie travels in plaintext on every subsequent request, and the attacker can replay the captured identifier to impersonate the user in the web application. This typically happens on unsecured WiFi hotspots, where the attacker joins the network and monitors its traffic, or sets up their own access point to perform the attack.
- Session fixation: The attacker obtains a valid session identifier, plants it in the victim's browser (for example through a link that carries the identifier in a parameter, or a cookie written from a sibling subdomain), and waits for the victim to log in on a vulnerable server. If the server keeps the same identifier across login instead of issuing a new one, the identifier the attacker chose is now an authenticated session.
The threat exists because HTTP is a stateless protocol: the server has no memory of previous requests, so sessions are bolted on by handing the client an identifier that it sends back with every request. Anyone who learns that identifier can present it, and that limitation is what all of these attacks exploit.
Role of Encryption
To protect users' sessions from being hijacked, organizations must encrypt the traffic that carries the session identifier. On the web this means TLS (still widely called SSL), configured with a certificate issued for the site. The certificate lets the browser authenticate the server; the TLS session then encrypts everything exchanged with it, including the session cookie.
- SSL: SSL stands for Secure Sockets Layer and was the original standard technology for keeping an internet connection secure and safeguarding sensitive data sent between two systems, preventing criminals from reading or modifying the information transferred, including personal details. Every version of SSL is now deprecated and should be disabled on servers.
- TLS: TLS (Transport Layer Security) is the updated, more secure successor to SSL and is what every modern HTTPS connection actually uses; "SSL certificate" is simply the name that has stuck for the certificate a TLS server presents.
Example of Session Hijacking
Session hijacking can also exploit an information leak in the size of a compressed TLS request: when compression is enabled, a request compresses to fewer bytes when the content the attacker injected repeats something already in the request, such as the user's cookie. The CRIME attack (Compression Ratio Info-leak Made Easy), demonstrated publicly in September 2012 by the security researchers Juliano Rizzo and Thai Duong, showed this against HTTPS.
CRIME did not break the encryption. An attacker who could inject content into the victim's requests and observe the encrypted traffic guessed the session cookie one character at a time, keeping each guess that made the compressed request smaller, which only happens when the guess matches the real cookie. The recovered cookie could then be used to hijack the session. The response was to disable TLS-level compression in browsers and servers.
How to Prevent Session Hijacking
To protect users from session hijacking, the mechanisms in web applications need to be strengthened, both in how the session identifier travels (communication) and in how it is issued and handled (session management). Here are a few ways to reduce the risk of session hijacking:
- HTTPS: Using HTTPS for the entire site, not just the login page, keeps TLS encryption on all session traffic, so an attacker monitoring the victim's traffic cannot see the session identifier in plaintext. Mark the session cookie Secure so the browser never sends it over plain HTTP, and use HSTS (HTTP Strict Transport Security) so the browser refuses to make unencrypted connections to the site at all.
- HttpOnly: Setting the HttpOnly attribute on the session cookie prevents client-side scripts from reading it. This defeats the XSS-based theft described above, in which injected JavaScript reads the cookie and sends it to the attacker; it does not remove the XSS vulnerability itself, which still needs fixing.
- System updates: Keep browsers, operating systems and server software up to date, preferably with automatic updates on all devices, and run reputable anti-malware software that can detect the malware attackers use to steal session cookies from a user's machine.
- Session management: Use the session management of a mature web framework instead of inventing your own. Frameworks generate unpredictable identifiers, set the cookie attributes correctly, and provide identifier regeneration and expiry out of the box.
- Session key: Regenerate the session identifier immediately after authentication, and again on any change of privilege. The identifier the user carried before login, which an attacker may have fixed or observed, then becomes useless because the authenticated session has a new one.
- Identity verification: Perform additional identity verification beyond the session key, for example by checking whether the user's IP address, device or application usage pattern has changed abruptly, and re-authenticating or ending the session when it has.
- Public hotspots: Avoid using public WiFi for anything sensitive and prefer networks you trust.
- VPN: Use a Virtual Private Network (VPN) on untrusted networks. A VPN carries all your traffic through an encrypted tunnel to the VPN provider, so someone sniffing the local network cannot read it. It only moves the trust to the provider, and it does nothing against XSS or session fixation.
- Phishing: Avoid falling for phishing attacks. Only click links in an email when you have verified that it came from a legitimate sender; a phishing link is a common way to deliver a fixed session identifier or a page that steals your password.
Session hijacking is a real threat, and users are constantly at risk of being compromised. A website operator can mitigate these risks by implementing the security controls above. They mainly involve encrypting all of a web application's traffic and handling session identifiers carefully, to close the entry points an attacker would use to hijack a user's session.
With data vastly increasing online and more and more people using the web on a daily basis, it is paramount for organizations to make their websites secure. Failure to do so could result in heavy fines under global data privacy regulations.
Note: This blog article was written by a guest contributor for the purpose of offering a wider variety of content for our readers. The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of GlobalSign.