Session hijacking is an attack that consists of exploiting the web applications users' session control in order to impersonate other users who are using the application. The vulnerability is caused by one or more issues affecting the Session token, which represents the user's session itself.
An attacker could predict it, due to a weak session token generation mechanism, or obtain it by stealing it.
The following list contains a few examples of how a session token could be compromised:
Predictable tokens due to a weak generation mechanism
Stealing valid and active tokens by sniffing the communication (MITM, MITB, etc.)
Obtaining it by using client-side attack, e.g. any sort of XSS.
Why is session hijacking dangerous?
The session hijacking attack is dangerous due to the fact it lets a malicious actor impersonate other valid users who are authenticated to the application. In any case, this sort of attack is not a kind of phishing technique, but it could be used in phishing payloads to obtain session tokens in a very effective way.
How to prevent session hijacking?
Preventing web sessions (and users) from being hijacked is not as simple as applying a hotfix or patching a system.
The process requires a few steps and tips to be applied:
HTTPS has to be used for every communication between clients and servers, implementing strong SSL Encryption and forcing all the users to use this secure protocol.
Secure and HTTP Only flag on sessionID cookie, which protects them from being stolen via JS based client-side attacks.
Sessions Management and refresh.
Old session token should not be used after that a new one has been created.
This refresh action should happen after that the user authenticates.
Strong and unpredictable tokens creation.
Additional ID verification (e.g. user verification via IP address, User-Agent, or other recurring patterns)
If you like this blog post, find more content in our Glossary.