Understanding Session Hijacking 289
Cookies
Cookies have been a potential avenue of exploit for quite some time, and they
have recently taken the rap for privacy issues such as tracking shopping activity or storing
users’ sensitive data. An attacker can obtain session information from cookies residing on
the victim machine.
Vulnerabilities of lingering cookies or sessions from subpar coding or
easier customer access are something we’ve probably all seen at one
time or another. Consider, for instance, pulling up an “authenticated” web
page from your browser’s history, only to find that you’re conveniently still
logged in days later—something to be aware of for sure.
Types of Application-Level Session Hijacking
When attempting to hijack a session at the application level, a hacker can choose from
among a handful of attacks: session sniffing, predicting session tokens, man-in-the-middle,
and man-in-the-browser. Let’s look at each.
Session Sniffing
Session sniffing is a variation of sniffing, which you learned about in Chapter 9. In this
variation, you have a specific target you are looking for, which is a session token (also
known as a session ID). Once you, as the attacker, have found this token, you use it to gain
access to the server or other resource. This is sort of like stealing the keys to a car that
someone else rented; they are the authorized driver, but since you have the keys you can
drive it, though unauthorized.
Predicting Session Tokens
The second way of getting a session ID is to predict or make an educated guess as to what a
valid one will be. How do you do this? Well, the easiest and most effective way is to gather
a few session IDs that have been used already.
In this list of URLs, you focus on the portion after the last slash:
http://www.ceh.net/app/spo22022005131020
http://www.ceh.net/app/spo22022005141520
http://www.ceh.net/app/spo22022005171126
http://www.ceh.net/app/spo22022005213111
Let’s assume these are all valid but expired session IDs that we have collected and we
want to predict or calculate a new one. If we look at them carefully we may be able to
determine a valid ID to use. In this case I made it easy—well, at least I think so. Can you
see the pattern? I’ll break each of them into four pieces, as shown in Table 12.1.