CEH

Understanding Session Hijacking 285


In its most basic sense, a session is an agreed-upon period of time during which the connected state of the client and server is vetted and authenticated. This simply means that both the server and the client know (or think they know) who the other is, and based on this knowledge they can trust that data sent either way will end up in the hands of the appropriate party.

If a session hijack is carried out successfully, what is the danger? Several events can take place at this point, including identity theft and data corruption. In other situations, session hijacks have provided a perfect mechanism through which someone can sniff traffic or record transactions.

Understanding what constitutes a session makes it easy to see how session hijacking can be extremely effective when all supporting factors are set up correctly. Many of the prerequisite setup factors involved in session hijacking have already been discussed in previous chapters. For example, a specific form of hijacking involves using a sniffer both prior to and during an attack, and you learned about sniffers in Chapter 9. In Chapter 2, “System Fundamentals,” you learned about the TCP three-way handshake, which will greatly aid your understanding of TCP session hijacking. Before we get too deep into the details of each attack, let’s look at how session hijacking is categorized.

An attacker carrying out a session hijack is seeking to take over a session for their own needs. Once they have taken over a session, they can then go about stealing data, issuing commands, or even committing transactions that they wouldn’t otherwise be able to. In this chapter, we will explore the various forms session hijacking can take and identify the methods you can use to thwart a session hijack.

Session hijacks are easy to launch. TCP/IP is vulnerable, and most countermeasures, except for encryption, do not work. The following also contribute to the success of session hijacking:

■ No account lockout for invalid session IDs
■ Insecure handling
■ Weak session ID generation algorithm
■ Indefinite session expiration time
■ Cleartext transmission
■ Small session IDs

Session hijacking typically can be broken down into one of three primary techniques:

Brute-Forcing an ID This is done by guessing an ID; usually the attacker already has some knowledge of the range of IDs available. The attacker may be aided by the use of HTTP referrers, sniffing, cross-site scripting, or malware.

Stealing an ID If they can manage it, an attacker will steal an ID by using sniffing or other means.

Calculating an ID An attacker will attempt to calculate a valid session ID simply by looking at an existing one and then figuring out the sequence.
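The contributing factors listed earlier (weak or small session IDs, indefinite expiration, no lockout on invalid IDs) and the three techniques above map directly onto what a server-side session store should enforce. The following Python is an added example, not code from the book: `SessionStore`, `guess_space_bits` and the policy constants are hypothetical names, and the timeouts and lockout threshold are constructed values.

```python
import math
import secrets
import time
from dataclasses import dataclass

# Constructed policy values (assumptions for this example, not from the text).
SESSION_ID_BYTES = 32          # 256 bits from the OS CSPRNG: neither small nor calculable
IDLE_TIMEOUT_S = 15 * 60       # session expires after 15 minutes of inactivity
ABSOLUTE_TIMEOUT_S = 8 * 3600  # ...and unconditionally after 8 hours
MAX_INVALID_LOOKUPS = 5        # lockout threshold for unknown session IDs per client

def guess_space_bits(alphabet_size: int, length: int) -> float:
    """Size of an ID space in bits, e.g. a 6-digit numeric ID is under 20 bits."""
    return length * math.log2(alphabet_size)

@dataclass
class Session:
    user: str
    created: float
    last_seen: float

class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock            # injectable so expiry can be exercised offline
        self.sessions = {}            # session ID -> Session
        self.invalid_lookups = {}     # client address -> count of unknown IDs presented

    def create(self, user: str) -> str:
        # secrets.token_urlsafe draws from the OS CSPRNG, so a fresh ID cannot be
        # worked out from an observed one the way a counter or timestamp ID can.
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        now = self.clock()
        self.sessions[sid] = Session(user, now, now)
        return sid

    def lookup(self, sid: str, client_addr: str):
        # Returns the session's user, or None if unknown, expired, or client locked out.
        if self.invalid_lookups.get(client_addr, 0) >= MAX_INVALID_LOOKUPS:
            return None                       # too many bad IDs: refuse even a valid one
        sess = self.sessions.get(sid)
        if sess is None:
            self.invalid_lookups[client_addr] = self.invalid_lookups.get(client_addr, 0) + 1
            return None
        now = self.clock()
        if now - sess.last_seen > IDLE_TIMEOUT_S or now - sess.created > ABSOLUTE_TIMEOUT_S:
            del self.sessions[sid]            # expired: never let a session linger indefinitely
            return None
        sess.last_seen = now
        return sess.user
```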
