Session hijacking, also known as cookie hijacking or TCP session hijacking, is the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system. Using session hijacking, an attacker can steal information such as conversations, history and passwords.
A popular method uses source-routed IP packets. This allows an attacker at point B on the network to take part in a conversation between A and C by causing the IP packets to pass through B's machine. The most common method of session hijacking is called IP spoofing: the attacker uses source-routed IP packets to insert commands into an active communication between two nodes on a network while disguising itself as one of the authenticated users. This type of attack is possible because authentication is typically done only at the start of a TCP session. Another type of session hijacking is known as a man-in-the-middle attack, where the attacker, using a sniffer, observes the communication between devices and collects the data that is transmitted.
Methods of session hijacking
1. Session Fixation
The attacker sets a user's session id to one known to him, for example by sending the user an email with a link that contains a particular session id. The attacker then only has to wait until the user logs in through that link.
2. Browser Hijacking
Malware and unwanted programs can use internet browser hijacking to steal a browser cookie file without the user's knowledge, and then perform actions such as installing Android apps, again without the user's knowledge.
3. Session Sidejacking
Unsecured Wi-Fi hotspots are particularly vulnerable, as anyone sharing the network will generally be able to read most of the web traffic between other nodes and the access point, so avoid connecting to open Wi-Fi hotspots.
Tools used for session hijacking
1. Firesheep
It made it easy for session hijackers to attack users of unencrypted public Wi-Fi. Websites like Facebook, Twitter, and any that the user adds to their preferences allowed the Firesheep user to easily access private information from cookies, threatening the personal information of public Wi-Fi users.
2. WhatsApp Sniffer
It is an app that is able to display messages from other WhatsApp users connected to the same network.
3. DroidSheep
DroidSheep is a simple Android tool for web session hijacking (sidejacking). It listens for HTTP packets sent over a wireless (802.11) network connection and extracts the session id from these packets in order to reuse it. It has since been taken down by Google.
Methods to prevent session hijacking
1. Encryption of data traffic by using SSL/TLS, so that session cookies cannot be read off the network.
2. Use of a long random number or string as the session key. This reduces the risk that an attacker could simply guess a valid session key through trial and error or brute-force attacks.
3. Regenerating the session id after a successful login, so that an id planted by session fixation stops working.
4. Users may also wish to log out of websites whenever they are finished using them.
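The following is an added example, not code from the original article, showing prevention methods 2, 3 and 4 in a minimal server-side session store and replaying the session fixation scenario from above against it. The `SessionStore` class, the `fixation_attempt` helper and the user "alice" with her password are constructed for the example.

```python
import secrets
import hmac

SESSION_ID_BYTES = 32  # 256 bits of entropy; far beyond what trial and error can guess


class SessionStore:
    """In-memory server-side session store (constructed example)."""

    def __init__(self, users):
        # users maps username -> password; plain text only to keep the example short.
        # A real system stores a salted password hash and compares hashes instead.
        self._users = users
        self._sessions = {}  # session id -> session data

    def new_session(self):
        # Prevention #2: the id comes from the OS CSPRNG, not a counter or timestamp.
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        # Returns None for unknown, logged-out or regenerated ids.
        return self._sessions.get(sid)

    def login(self, sid, username, password):
        expected = self._users.get(username)
        # compare_digest keeps the comparison time independent of where the strings differ.
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            raise PermissionError("bad credentials")
        # Prevention #3: discard whatever id the client presented (possibly one an
        # attacker planted) and issue a fresh one that only this response carries.
        self._sessions.pop(sid, None)
        new_sid = self.new_session()
        self._sessions[new_sid]["user"] = username
        return new_sid

    def logout(self, sid):
        # Prevention #4: server-side invalidation, so a copied cookie stops working too.
        self._sessions.pop(sid, None)


def fixation_attempt(store):
    """Replays the fixation scenario; returns (what the attacker's id sees, what the victim sees)."""
    planted = store.new_session()  # id the attacker knows and puts in the emailed link
    victim_sid = store.login(planted, "alice", "correct horse battery")
    return store.get(planted), store.get(victim_sid)
```

After login the planted id maps to nothing, so the attacker holding it gains no access, while the victim continues with the freshly issued id.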