CEH

(Jeff_L) #1

292 Chapter 12 ■ Session Hijacking


FIGURE 12.4 Spoofing [figure: the Victim (192.168.1.5) holds an Authenticated Connection to the Host; the Attacker announces "I'm 192.168.1.5!!!" to the Host]

■ Using the <META> tag is also considered a code injection attack, although it's different from the XSS attack, where undesirable scripts can be disabled or their execution can be denied.
■ HTTP header response uses the server response to fix the session ID in the victim's browser. By including the Set-Cookie parameter in the HTTP response header, the attacker is able to insert the value of the session ID into the cookie and send it to the victim's browser.
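As an added illustration (not from the book), here is the server-side view of the fixation technique just described: a session store whose login trusts whatever session ID the browser already presents, beside one that regenerates the ID on authentication. The cookie name SESSIONID, the sample Set-Cookie header and the SessionStore class are constructed for the example.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed sample: a Set-Cookie response header that plants a session ID of the
# sender's choosing in the browser, as in the HTTP-header-response technique above.
FIXED_HEADER = "Set-Cookie: SESSIONID=attacker-chosen-value; Path=/"


def session_id_from_set_cookie(header_line):
    """Return the SESSIONID value carried by a raw 'Set-Cookie: ...' header line."""
    _, _, value = header_line.partition(":")
    jar = SimpleCookie()
    jar.load(value.strip())
    return jar["SESSIONID"].value


class SessionStore:
    """Minimal server-side session store: session ID -> authenticated user."""

    def __init__(self):
        self.sessions = {}

    def login_fixable(self, presented_id, user):
        # Vulnerable: binds the authenticated user to whatever SESSIONID the
        # browser already carries. An ID planted before login (via Set-Cookie
        # or a <META> refresh) is now a valid authenticated session for `user`.
        self.sessions[presented_id] = user
        return presented_id

    def login_hardened(self, presented_id, user):
        # Hardened: drop the pre-login ID, issue a fresh unguessable one and
        # invalidate the old one, so a planted ID never becomes authenticated.
        self.sessions.pop(presented_id, None)
        new_id = secrets.token_urlsafe(32)
        self.sessions[new_id] = user
        return new_id

    def user_for(self, session_id):
        # Whoever presents this ID is treated as the bound user (None if unknown).
        return self.sessions.get(session_id)
```

The check a reviewer wants is the last one: after login, the planted ID must resolve to no user while the freshly issued ID resolves to the victim.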

A Few Key Concepts


Here are a few concepts that come up in many session hijacking topic discussions:

Blind Hijacking Blind hijacking describes a type of session hijack in which the attacker cannot capture return traffic from the host connection. What this means is that the attacker is "blindly" injecting malicious or manipulative packets without seeing confirmation of the desired effect through packet capture. The attacker must attempt to predict the sequence numbers of the TCP packets traversing the connection. The reason for this prediction goes back to the basic TCP three-way handshake. We'll dig more into this later in the section "Network Session Hijacking."

IP Spoofing IP spoofing refers to an attacker's attempt at masquerading as the legitimate user by spoofing the victim's IP address. The concept of spoofing can apply to a variety of attacks in which an attacker spoofs a user's identifying information. Let's draw a line in the sand here, and definitively agree that spoofing is a different approach and attack from session hijacking; however, they are related in that both approaches aim at using an existing authenticated session to gain access to an otherwise inaccessible system. Figure 12.4 shows the spoofing approach.