CEH

(Jeff_L) #1

288 Chapter 12 ■ Session Hijacking


Categorizing attacks as either active or passive is useful for understanding the general
operation of various attacks. Keep the concepts in mind as a reference for any specific
attacks posed to you on the CEH exam.

Session Hijacking and Web Apps


Session hijacking at the application level focuses on gaining access to a host by obtaining
legitimate session IDs from the victim. Essentially, a session ID is an identifier assigned to a
user’s session that lets the server or web resource identify the “conversation” it is having
with the client. So, for example, say that you’ve logged into a merchant site and are browsing
the site for a book. With each page you browse to, the web server receives the request and
serves the next page without requiring you to log in again. The server can do this because it
has identified your session ID and assumes it knows who you are at this point. Let’s take a
look at session IDs in greater depth to gain a better understanding of the part they play in
hijacking applications.
Session IDs, for our purposes, come in three flavors:

Embedded in a URL A web app uses the GET request to follow links embedded in a web
page. An attacker can easily browse through the victim’s browsing history and often gain
access simply by entering the URL of a previously browsed web app.

Embedded as a Hidden Field Forms for inputting user data often include a hidden field
that is used for sending a client’s session ID. The ID is sent via the HTTP POST command
when the information is submitted.
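As an added example that is not from the CEH text, the following Python audit script shows how a defender can detect the first flavor above, session IDs carried in URLs, by scanning web-server access-log lines for identifiers in the query string, in Java-style ;jsessionid path parameters, and leaked onward through the Referer header. The parameter-name list, log format and log lines are constructed assumptions, not values from the book.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query-parameter names that commonly carry a session identifier (assumed, site-specific list).
SESSION_PARAM_NAMES = {"sessionid", "session_id", "sid", "phpsessid", "jsessionid", "aspsessionid"}

# Combined log format (assumed): host ident user [time] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def session_params(url):
    """Return (name, value) pairs in a URL that look like session IDs (query string or ;jsessionid path param)."""
    parts = urlsplit(url)
    found = []
    # Servlet containers may carry the ID as a path parameter: /app/page;jsessionid=ABC123
    m = re.search(r';jsessionid=([^?;/]+)', parts.path, re.I)
    if m:
        found.append(("jsessionid", m.group(1)))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAM_NAMES and value:
            found.append((name, value))
    return found


def audit_log_line(line):
    """Return findings for one access-log line: session IDs in the request URL or carried by the Referer."""
    m = LOG_RE.match(line)
    if not m:
        return []  # unparseable line: skipped, not silently treated as clean
    findings = []
    for name, value in session_params(m["path"]):
        findings.append({"kind": "url", "param": name, "value": value, "host": m["host"]})
    if m["referer"] not in ("", "-"):  # the Referer shows the previous URL, including any ID it carried
        for name, value in session_params(m["referer"]):
            findings.append({"kind": "referer", "param": name, "value": value, "host": m["host"]})
    return findings


def audit_log(lines):
    return [f for line in lines for f in audit_log_line(line)]


# Constructed sample log lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /shop/cart?sessionid=abc123def456&item=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /shop/book/42 HTTP/1.1" 200 2048 "https://shop.example/cart?sessionid=abc123def456" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /app/account;jsessionid=1A2B3C4D HTTP/1.1" 200 900 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Oct/2023:13:56:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(finding)
```

Any hit is a signal that the application should move the identifier into a cookie rather than the URL, since URLs end up in browser history, proxy logs and Referer headers.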

FIGURE 12.3 Passive attack (diagram: Victim Host, Authenticated Connection, Attacker, Packet Capture Only)