CEH

(Jeff_L) #1

Understanding Session Hijacking 291


In many cases the content that causes the attack to occur comes in the form of
JavaScript, but it is not restricted to this format. In fact, it could come in the form of
HTML, Flash, or another form of executable code. Because of the vast amounts of code
that can be executed by a web browser, the variations that this type of attack can assume
are almost boundless. Some of the most common goals include reading or stealing cookies,
interfering with session information, redirecting to a location of the attacker’s choosing, or
any number of other tasks.
Stored and reflected XSS attacks are the two main forms of this attack, so let’s take a
look at each:


Stored XSS Attacks These are attacks where the hacker places code on a target server
where the victims they wish to target will access the content. When a victim requests that
content from the server, the browser executes the script, which in turn carries out its dirty work.


Reflected XSS Attacks This is a slightly more complicated attack in which injected code is
bounced or reflected off a web server in the form of something such as an error message or
other result. Typically these attacks make their way to the victim in the form of an e-mail,
or via a different web server. A user may be tricked into clicking a link in a web page or
message. Once clicked, the link causes the user's browser to execute the code.


XSS attack consequences typically are the same no matter the form the attack takes:
disclosure of the user’s session cookie, or allowing an attacker to hijack the user’s session
and take over the account. Other damaging attacks include disclosing end-user files,
installing Trojan horse programs, redirecting the user to another page or site, or modifying
presentation of content.
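The stored and reflected cases above differ only in where the untrusted text comes from (a saved comment versus a query parameter echoed in an error message); the defect is the same, writing that text into HTML without encoding it. The following is an added example, not code from the study guide: it shows both a vulnerable and an output-encoded render for each case, using a constructed `<script>alert('xss')</script>` probe, and builds a session cookie with the `HttpOnly` flag, which keeps the cookie out of reach of script even when an XSS bug slips through. The function names and the probe string are assumptions for illustration.

```python
import html
from http.cookies import SimpleCookie

# Constructed probe: the classic harmless marker used when testing for XSS
PROBE = "<script>alert('xss')</script>"

# Constructed "database" of stored comments, as a stored-XSS target
STORED_COMMENTS = ["Great article!", PROBE]


def render_error_vulnerable(query: str) -> str:
    """Reflected XSS: the raw query parameter is echoed into the error page."""
    return f"<p>No results found for: {query}</p>"


def render_error_safe(query: str) -> str:
    """Same page with the parameter HTML-encoded before it enters the markup."""
    return f"<p>No results found for: {html.escape(query, quote=True)}</p>"


def render_comments_vulnerable(comments: list[str]) -> str:
    """Stored XSS: every saved comment is emitted verbatim to every reader."""
    return "".join(f"<li>{c}</li>" for c in comments)


def render_comments_safe(comments: list[str]) -> str:
    """Each comment is encoded on output, so a stored payload renders as text."""
    return "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments)


def contains_script_tag(page: str) -> bool:
    """Crude check used here to show whether live markup survived rendering."""
    return "<script" in page.lower()


def session_cookie_header(session_id: str) -> str:
    """Builds a Set-Cookie value for the session cookie.

    HttpOnly keeps document.cookie from exposing it to script, Secure limits it
    to TLS, and SameSite=Lax reduces cross-site sending. These do not fix XSS,
    but they blunt the cookie-theft consequence described above.
    """
    cookie = SimpleCookie()
    cookie["SESSIONID"] = session_id
    cookie["SESSIONID"]["httponly"] = True
    cookie["SESSIONID"]["secure"] = True
    cookie["SESSIONID"]["samesite"] = "Lax"
    cookie["SESSIONID"]["path"] = "/"
    return cookie.output(header="").strip()


if __name__ == "__main__":
    print("reflected, vulnerable:", render_error_vulnerable(PROBE))
    print("reflected, safe:      ", render_error_safe(PROBE))
    print("stored, vulnerable:   ", render_comments_vulnerable(STORED_COMMENTS))
    print("stored, safe:         ", render_comments_safe(STORED_COMMENTS))
    print("cookie:", session_cookie_header("constructed-session-id"))
```

`html.escape` is the right tool only for text placed in HTML element or attribute content; text inserted into a JavaScript block, a URL, or a CSS context needs the encoding for that context instead.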


Getting Fixated


Another type of session hijack is the session fixation attack. This type of attack is targeted
specifically at web applications; it exploits vulnerabilities in the way these packages manage
their session IDs. The vulnerability exists when an application fails to create a new
session ID when a new user authenticates to the application. The attacker must induce a
user to authenticate using a known session ID and then hijack the session.


There are several techniques to execute the attack, which vary depending on the application.
Here are some common techniques:

■ The session ID is sent to the victim in a hyperlink and the victim accesses the site
through the malicious URL.

■ The victim is tricked into authenticating to the target web server using a login form
developed by the attacker. The form can be hosted on a web server or directly in
HTML-formatted e-mail.

■ The attacker uses code injection, such as cross-site scripting (XSS), to insert
malicious code in the hyperlink sent to the victim and fix a session ID in its cookie.
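Whichever delivery technique is used, the root cause is the one stated above: the application keeps the pre-authentication session ID after login. The following is an added example, not code from the study guide: it simulates the attack against two login handlers over an in-memory session store. The vulnerable handler authenticates into whatever ID the client presented, so an ID the attacker already knows becomes the victim's authenticated session; the fixed handler destroys the presented session and issues a fresh ID after the credential check. The user table, credentials and function names are constructed for illustration.

```python
import secrets
from typing import Callable, Dict, Optional, Tuple

# Constructed credential table standing in for a real user store (example only)
USERS = {"alice": "correct-horse"}


class SessionStore:
    """In-memory session table keyed by the ID carried in the session cookie."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self) -> str:
        # 32 bytes from the CSPRNG: unguessable, but unguessability alone does
        # not stop fixation, because here the attacker supplies the ID.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid: str) -> Optional[dict]:
        return self._sessions.get(sid)

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def user_for(self, sid: str) -> Optional[str]:
        session = self._sessions.get(sid)
        return session["user"] if session else None


def _password_ok(username: str, password: str) -> bool:
    # Constant-time comparison against the constructed table
    return secrets.compare_digest(USERS.get(username, ""), password)


def login_vulnerable(store: SessionStore, presented_sid: str,
                     username: str, password: str) -> Optional[str]:
    """Authenticates into the session ID the client presented (the bug)."""
    session = store.get(presented_sid)
    if session is None or not _password_ok(username, password):
        return None
    session["user"] = username
    return presented_sid          # same ID before and after login


def login_fixed(store: SessionStore, presented_sid: str,
                username: str, password: str) -> Optional[str]:
    """Regenerates the session ID after a successful credential check."""
    if store.get(presented_sid) is None or not _password_ok(username, password):
        return None
    store.destroy(presented_sid)  # the pre-auth ID is no longer valid for anyone
    new_sid = store.create()
    store.get(new_sid)["user"] = username
    return new_sid                # only the victim's browser learns this ID


LoginFn = Callable[[SessionStore, str, str, str], Optional[str]]


def fixation_scenario(login: LoginFn) -> Tuple[Optional[str], Optional[str], str, SessionStore]:
    """Replays the attack steps against a login handler.

    Returns (user the attacker sees via the planted ID, ID the victim holds
    after login, the planted ID, the store) so the outcome can be inspected.
    """
    store = SessionStore()
    # Step 1: attacker obtains a valid but unauthenticated ID from the site.
    planted_sid = store.create()
    # Step 2: victim is induced to use that ID (link, attacker-built form, or
    #         an XSS-set cookie, per the techniques listed above).
    # Step 3: victim authenticates with correct credentials, presenting that ID.
    victim_sid = login(store, planted_sid, "alice", "correct-horse")
    # Step 4: attacker presents the planted ID and checks whose session it is.
    return store.user_for(planted_sid), victim_sid, planted_sid, store


if __name__ == "__main__":
    for name, handler in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        seen, victim_sid, planted, _ = fixation_scenario(handler)
        print(f"{name}: attacker's planted ID maps to user={seen!r}; "
              f"victim's ID changed={victim_sid != planted}")
```

The detection side follows from the same property: a session ID that was seen unauthenticated and later appears authenticated without a regeneration event is the signature of this flaw in server logs, and most web frameworks expose a "regenerate session on login" call that implements exactly what `login_fixed` does.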