In
computer science
Computer science is the study of computation, automation, and information. Computer science spans theoretical disciplines (such as algorithms, theory of computation, information theory, and automation) to Applied science, practical discipli ...
, session hijacking, sometimes also known as cookie hijacking, is the exploitation of a valid
computer session—sometimes also called a ''
session key
A session key is a single-use symmetric key used for encrypting all messages in one communication session. A closely related term is content encryption key (CEK), traffic encryption key (TEK), or multicast key which refers to any key used for en ...
''—to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a
magic cookie
In computing, a magic cookie, or just cookie for short, is a token or short packet of data passed between communicating programs. The cookie is often used to identify a particular event or as "handle, transaction ID, or other token of agreement be ...
used to authenticate a user to a remote server. It has particular relevance to
web developers, as the
HTTP cookie
HTTP cookies (also called web cookies, Internet cookies, browser cookies, or simply cookies) are small blocks of data created by a web server while a user is browsing a website and placed on the user's computer or other device by the user's w ...
s
used to maintain a session on many websites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer (see
HTTP cookie theft). After successfully stealing appropriate session cookies an adversary might use th
Pass the Cookie techniqueto perform session hijacking. Cookie hijacking is commonly used against client authentication on the internet.
Modern web browsers use cookie protection mechanisms to protect the web from being attacked.
A popular method is using
source-routed IP packets. This allows an attacker at point ''B'' on the network to participate in a conversation between ''A'' and ''C'' by encouraging the IP packets to pass through ''B's'' machine.
If source-routing is turned off, the attacker can use "blind" hijacking, whereby it guesses the responses of the two machines. Thus, the attacker can send a command, but can never see the response. However, a common command would be to set a password allowing access from elsewhere on the net.
An attacker can also be "inline" between ''A'' and ''C'' using a sniffing program to watch the conversation. This is known as a "
man-in-the-middle attack
In cryptography and computer security, a man-in-the-middle, monster-in-the-middle, machine-in-the-middle, monkey-in-the-middle, meddler-in-the-middle, manipulator-in-the-middle (MITM), person-in-the-middle (PITM) or adversary-in-the-middle (AiTM) ...
".
History of HTTP
HTTP protocol versions 0.8 and 0.9 lacked cookies and other features necessary for session hijacking. Version 0.9beta of Mosaic Netscape, released on October 13, 1994, supported cookies.
Early versions of HTTP 1.0 did have some security weaknesses relating to session hijacking, but they were difficult to exploit due to the vagaries of most early HTTP 1.0 servers and browsers. As HTTP 1.0 has been designated as a fallback for HTTP 1.1 since the early 2000s—and as HTTP 1.0 servers are all essentially HTTP 1.1 servers the session hijacking problem has evolved into a nearly permanent security risk.
The introduction of
supercookies and other features with the modernized HTTP 1.1 has allowed for the hijacking problem to become an ongoing security problem. Webserver and browser state machine standardization has contributed to this ongoing security problem.
Methods
There are four main methods used to perpetrate a session hijack. These are:
*
Session fixation, where the attacker sets a user's session id to one known to them, for example by sending the user an email with a link that contains a particular session id. The attacker now only has to wait until the user logs in.
* Session side jacking, where the attacker uses
packet sniffing
A packet analyzer, also known as packet sniffer, protocol analyzer, or network analyzer, is a computer program or computer hardware such as a packet capture appliance, that can intercept and log traffic that passes over a computer network or p ...
to read network traffic between two parties to steal the session
cookie
A cookie is a baked or cooked snack or dessert that is typically small, flat and sweet. It usually contains flour, sugar, egg, and some type of oil, fat, or butter. It may include other ingredients such as raisins, oats, chocolate chips, n ...
. Many websites use
SSL encryption for
login
In computer security, logging in (or logging on, signing in, or signing on) is the process by which an individual gains access to a computer system by identifying and authenticating themselves. The user credentials are typically some form ...
pages to prevent attackers from seeing the password, but do not use encryption for the rest of the site once
authenticate
Authentication (from ''authentikos'', "real, genuine", from αὐθέντης ''authentes'', "author") is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicatin ...
d. This allows attackers that can read the network traffic to intercept all the data that is submitted to the
server
Server may refer to:
Computing
*Server (computing), a computer program or a device that provides functionality for other programs or devices, called clients
Role
* Waiting staff, those who work at a restaurant or a bar attending customers and su ...
or web pages viewed by the client. Since this data includes the session
cookie
A cookie is a baked or cooked snack or dessert that is typically small, flat and sweet. It usually contains flour, sugar, egg, and some type of oil, fat, or butter. It may include other ingredients such as raisins, oats, chocolate chips, n ...
, it allows them to impersonate the victim, even if the password itself is not compromised.
Unsecured
Wi-Fi
Wi-Fi () is a family of wireless network protocols, based on the IEEE 802.11 family of standards, which are commonly used for local area networking of devices and Internet access, allowing nearby digital devices to exchange data by radio wave ...
hotspots
Hotspot, Hot Spot or Hot spot may refer to:
Places
* Hot Spot, Kentucky, a community in the United States
Arts, entertainment, and media Fictional entities
* Hot Spot (comics), a name for the DC Comics character Isaiah Crockett
* Hot Spot (Tra ...
are particularly vulnerable, as anyone sharing the network will generally be able to read most of the web traffic between other nodes and the
access point.
*
Cross-site scripting
Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may ...
, where the attacker tricks the user's computer into running code which is treated as trustworthy because it appears to belong to the server, allowing the attacker to obtain a copy of the cookie or perform other operations.
*
Malware
Malware (a portmanteau for ''malicious software'') is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, depri ...
and
unwanted programs can use
browser hijacking
Browser hijacking is a form of unwanted software that modifies a web browser's settings without a user's permission, to inject unwanted advertising into the user's browser. A browser hijacker may replace the existing home page, error page, or se ...
to steal a browser's cookie files without a user's knowledge, and then perform actions (like installing Android apps) without the user's knowledge. An attacker with physical access can simply attempt to steal the
session key
A session key is a single-use symmetric key used for encrypting all messages in one communication session. A closely related term is content encryption key (CEK), traffic encryption key (TEK), or multicast key which refers to any key used for en ...
by, for example, obtaining the file or memory contents of the appropriate part of either the user's computer or the server.
After successfully acquiring appropriate session cookies an adversary might leverage th
Pass the Cookie techniqueto perform session hijacking.
Exploits
Firesheep
In October 2010, a
Mozilla Firefox
Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation. It uses the Gecko rendering engine to display web pages, which implements current and a ...
extension called
Firesheep
Firesheep was an extension for the Firefox web browser that used a packet sniffer to intercept unencrypted session cookies from websites such as Facebook and Twitter. The plugin eavesdropped on Wi-Fi communications, listening for session cookies. ...
was released, and it provided an easy access point for session hijackers to attack users of unencrypted public Wi-Fi. Websites like
Facebook
Facebook is an online social media and social networking service owned by American company Meta Platforms. Founded in 2004 by Mark Zuckerberg with fellow Harvard College students and roommates Eduardo Saverin, Andrew McCollum, Dustin M ...
,
Twitter
Twitter is an online social media and social networking service owned and operated by American company Twitter, Inc., on which users post and interact with 280-character-long messages known as "tweets". Registered users can post, like, and ...
, and any that the user adds to their preferences allow the Firesheep user to easily access private information from cookies and threaten the public Wi-Fi user's personal property. Only months later, Facebook and Twitter responded by offering (and later requiring)
HTTP Secure
Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It is used for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is enc ...
throughout.
WhatsApp sniffer
An app named WhatsApp Sniffer was made available on
Google Play
Google Play, also known as the Google Play Store and formerly the Android Market, is a digital distribution service operated and developed by Google. It serves as the official app store for certified devices running on the Android (operating sys ...
in May 2012. It was able to display messages from other
WhatsApp
WhatsApp (also called WhatsApp Messenger) is an internationally available freeware, cross-platform, centralized instant messaging (IM) and voice-over-IP (VoIP) service owned by American company Meta Platforms (formerly Facebook). It allows us ...
users connected to the same network as the app user. At that time WhatsApp used an
XMPP
Extensible Messaging and Presence Protocol (XMPP, originally named Jabber) is an open communication protocol designed for instant messaging (IM), presence information, and contact list maintenance. Based on XML (Extensible Markup Language), it ...
infrastructure with encryption, not plain-text communication.
DroidSheep
DroidSheep is a simple Android tool for web session hijacking (sidejacking). It listens for HTTP packets sent via a wireless (802.11) network connection and extracts the session id from these packets in order to reuse them. DroidSheep can capture sessions using the libpcap library and supports: open (unencrypted) networks, WEP encrypted networks, and WPA/WPA2 encrypted networks (PSK only). This software uses libpcap and arpspoof. The apk was made available on
Google Play
Google Play, also known as the Google Play Store and formerly the Android Market, is a digital distribution service operated and developed by Google. It serves as the official app store for certified devices running on the Android (operating sys ...
but it has been taken down by Google.
CookieCadger
CookieCadger is a graphical Java app that automates sidejacking and replay of HTTP requests, to help identify information leakage from applications that use unencrypted GET requests. It is a cross-platform open-source utility based on the
Wireshark
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, the project was renamed Wireshark in May 2006 d ...
suite which can monitor wired Ethernet, insecure Wi-Fi, or load a packet capture file for offline analysis. Cookie Cadger has been used to highlight the weaknesses of youth team sharing sites such as Shutterfly (used by AYSO soccer league) and TeamSnap.
Prevention
Methods to prevent session hijacking include:
*
Encryption
In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decip ...
of the data traffic passed between the parties by using
SSL/
TLS; in particular the session key (though ideally all traffic for the entire session). This technique is widely relied-upon by web-based banks and other e-commerce services, because it completely prevents sniffing-style attacks. However, it could still be possible to perform some other kind of session hijack. In response, scientists from the
Radboud University Nijmegen
Radboud University (abbreviated as RU, nl, Radboud Universiteit , formerly ''Katholieke Universiteit Nijmegen'') is a public research university located in Nijmegen, the Netherlands. The university bears the name of Saint Radboud, a 9th century D ...
proposed in 2013 a way to prevent session hijacking by correlating the application session with the
SSL/
TLS credentials
* Use of a long random number or string as the
session key
A session key is a single-use symmetric key used for encrypting all messages in one communication session. A closely related term is content encryption key (CEK), traffic encryption key (TEK), or multicast key which refers to any key used for en ...
. This reduces the risk that an attacker could simply guess a valid session key through trial and error or brute force attacks.
* Regenerating the session id after a successful login. This prevents
session fixation because the attacker does not know the session id of the user after they have logged in.
* Some services make secondary checks against the identity of the user. For instance, a web server could check with each request made that the IP address of the user matched the one last used during that session. This does not prevent attacks by somebody who shares the same IP address, however, and could be frustrating for users whose IP address is
liable to change during a browsing session.
* Alternatively, some services will change the value of the cookie with each and every request. This dramatically reduces the window in which an attacker can operate and makes it easy to identify whether an attack has taken place, but can cause other technical problems (for example, two legitimate, closely timed requests from the same client can lead to a token check error on the server).
* Users may also wish to log out of websites whenever they are finished using them.
[''See also'' ] However this will not protect against attacks such as
Firesheep
Firesheep was an extension for the Firefox web browser that used a packet sniffer to intercept unencrypted session cookies from websites such as Facebook and Twitter. The plugin eavesdropped on Wi-Fi communications, listening for session cookies. ...
.
See also
*
ArpON
*
Cross-site request forgery
Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced ''sea-surf'') or XSRF, is a type of malicious exploit of a website or web application where unauthorized commands are submitt ...
*
HTTP cookie
HTTP cookies (also called web cookies, Internet cookies, browser cookies, or simply cookies) are small blocks of data created by a web server while a user is browsing a website and placed on the user's computer or other device by the user's w ...
*
TCP sequence prediction attack
A TCP sequence prediction attack is an attempt to predict the sequence number used to identify the packets in a TCP connection, which can be used to counterfeit packets.
The attacker hopes to correctly guess the sequence number to be used by the ...
References
{{Reflist
Web security exploits