Understanding Session Hijacking
Active and Passive Attacks
You can categorize a session hijacking attack as either an active attack or a passive attack.
Let’s look at both.
Active Attack: A session hijacking attack is considered active when the attacker assumes
the session as their own, thereby taking over the legitimate client’s connection to the
resource. In an active attack the attacker actively manipulates and/or severs the client
connection and fools the server into thinking they are the authenticated user. Additionally,
active attacks usually result in a DoS on the legitimate client. In other words, the
legitimate client gets bumped off and replaced by the attacker. Figure 12.2 shows what this
kind of attack looks like.
Passive Attack: A passive attack focuses on monitoring the traffic between the victim and
the server. This form of hijacking uses a sniffer utility to capture and monitor the traffic as
it goes across the wire. (Refer to Chapter 9 for a more in-depth description of sniffer use.)
A passive attack doesn’t “molest” the session in any way. Unlike an active attack, the passive
attack sets the stage for future malicious activity. An attacker has a strategically
advantageous position when in a passive session hijack; they can successfully capture and analyze
all victim traffic, and progress to an active attack position with relative ease. Figure 12.3
shows a passive attack.
FIGURE 12.2 Active attack [diagram labels: Authenticated Connection, Active Packet Injection, Victim Host, Attacker]
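From the defender's side, the active attack described above leaves a trace that a passive one does not: the same session is suddenly presented by a different client, and the original client goes quiet. The following is an added example, not code from the book; the log record layout, the session names and the find_takeovers function are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records: (epoch seconds, session id, source IP, user agent).
SAMPLE_LOG = [
    (1000, "sess-A", "198.51.100.10", "Firefox"),
    (1030, "sess-A", "198.51.100.10", "Firefox"),
    (1060, "sess-B", "198.51.100.22", "Chrome"),
    (1090, "sess-A", "203.0.113.77", "curl"),   # a new client presents sess-A
    (1120, "sess-A", "203.0.113.77", "curl"),
    (1150, "sess-B", "198.51.100.22", "Chrome"),
    (1180, "sess-A", "203.0.113.77", "curl"),
]

def find_takeovers(records):
    """Return one finding per session whose client fingerprint changes mid-session."""
    by_session = defaultdict(list)
    for ts, sid, ip, agent in sorted(records):
        by_session[sid].append((ts, (ip, agent)))

    findings = []
    for sid, events in by_session.items():
        original = events[0][1]  # fingerprint of the client that opened the session
        switch = next(((ts, fp) for ts, fp in events if fp != original), None)
        if switch is None:
            continue  # same client throughout: nothing to report
        switch_ts, new_fp = switch
        # Did the original client send anything after the new one appeared?
        original_seen_after = any(
            ts > switch_ts and fp == original for ts, fp in events
        )
        findings.append({
            "session": sid,
            "original_client": original,
            "new_client": new_fp,
            "switched_at": switch_ts,
            # Original client silent after the switch matches the "bumped off" pattern.
            "original_displaced": not original_seen_after,
        })
    return findings

if __name__ == "__main__":
    for finding in find_takeovers(SAMPLE_LOG):
        print(finding)
```

A fingerprint change can also be legitimate (a client moving between networks, for example), so a finding is a prompt to re-authenticate or investigate rather than proof of hijacking. A purely passive attack produces no record of this kind, because the sniffer never presents the session to the server.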