CEH

(Jeff_L) #1

302 Chapter 12 ■ Session Hijacking


Exploring Defensive Strategies


Session hijacking relies, in part, on many of the prerequisites needed to successfully sniff
a network. For instance, session hijacking attacks increase in complexity for external and
switched networks. In other words, sitting on the local LAN (for example, as a disgruntled
employee) is a much better strategic position for an attack than sitting outside the gateway.
Aside from its relationship with sniffing, let’s take a look at methods you can use to help
prevent session hijacking:
■ Encrypting network traffic is a viable and effective preventive technique against
hijacking attacks, both from internal and external sources. As you’ll recall from previous
chapters, encryption hampers your legitimate efforts to monitor your own
network traffic.
■ Using network-monitoring appliances such as an IPS or IDS can help in detecting and
preventing network anomalies such as ARP broadcast traffic. These anomalies can be
indicators of potential session hijacking attacks in progress.
■ Configure the appropriate appliances, such as gateways, to check and filter for spoofed
client information such as IP addresses.
■ Be aware of local browser vulnerabilities such as extended history logs and cookies.
Clearing temporary browsing information can help in preventing the use of old
session IDs.
■ Stronger authentication systems such as Kerberos will provide protection against
hijacking.
■ The use of technologies such as IPSec and SSL will also provide protection against
hijacking.
■ Defense-in-depth, or the use of multiple defensive technologies to slow or deter an
attacker, provides protection as well.
Pen testing to discover vulnerability to session hijacking depends on the defensive
strategies of the client. Encryption should be implemented for sensitive network traffic to
resources such as servers. Additionally, implementing policies that limit the generation
of unique session tokens to intranet resources can reduce the probability of an attacker’s
stealing an active session. Putting protective network appliances such as IPSs and IDSs
to the test exposes critical weaknesses in identifying and preventing successful session
hijacking attempts.
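
The following Python example is added here and is not from the book. It applies the IDS idea above to tcpdump-style ARP reply lines, flagging an IP address that moves to a new MAC, a MAC that claims more than one IP, and a burst of replies from one MAC. The sample lines, the function name detect, and the window and threshold values are assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed tcpdump-style ARP lines (sample data, not a real capture).
SAMPLE = """\
10:00:00.10 ARP, Request who-has 10.0.0.1 tell 10.0.0.23, length 28
10:00:00.11 ARP, Reply 10.0.0.1 is-at 00:aa:bb:00:00:01, length 28
10:00:05.00 ARP, Reply 10.0.0.1 is-at 00:de:ad:00:00:99, length 28
10:00:05.50 ARP, Reply 10.0.0.1 is-at 00:de:ad:00:00:99, length 28
10:00:06.00 ARP, Reply 10.0.0.1 is-at 00:de:ad:00:00:99, length 28
10:00:06.20 ARP, Reply 10.0.0.23 is-at 00:de:ad:00:00:99, length 28
"""

REPLY = re.compile(r"^(\d+):(\d+):([\d.]+) ARP, Reply (\S+) is-at ([0-9a-f:]{17})", re.I)

def detect(log, window=2.0, max_replies=3):
    """Return (time, kind, detail) alerts for the ARP replies found in log."""
    bindings = {}                   # ip  -> last MAC seen claiming it
    claimed = defaultdict(set)      # mac -> every IP it has claimed
    recent = defaultdict(deque)     # mac -> timestamps of its recent replies
    alerts = []
    for line in log.splitlines():
        m = REPLY.match(line)
        if not m:
            continue                # requests and non-ARP lines are skipped
        h, mi, s, ip, mac = m.groups()
        t, mac = int(h) * 3600 + int(mi) * 60 + float(s), mac.lower()
        # 1. An IP that moves to a different MAC: the usual cache-poisoning sign.
        old = bindings.get(ip)
        if old and old != mac:
            alerts.append((t, "binding-changed", f"{ip}: {old} -> {mac}"))
        bindings[ip] = mac
        # 2. One MAC answering for several IPs (host placing itself in the path).
        if claimed[mac] and ip not in claimed[mac]:
            alerts.append((t, "multi-ip-claim", f"{mac} now also claims {ip}"))
        claimed[mac].add(ip)
        # 3. Many replies from one MAC inside a short sliding window.
        q = recent[mac]
        q.append(t)
        while t - q[0] > window:
            q.popleft()
        if len(q) >= max_replies:
            alerts.append((t, "reply-burst", f"{mac}: {len(q)} replies in {window}s"))
    return alerts

if __name__ == "__main__":
    for t, kind, detail in detect(SAMPLE):
        print(f"{t:.2f} {kind:16} {detail}")
```

Gateway failover, DHCP reassignment and proxy ARP can trigger the same alerts, so baseline known router and server MAC addresses before acting on them.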

Summary


In this chapter we focused on session hijacking and what constitutes an attack. You
learned the difference between active and passive hijacking and looked at network-level
and application-level attacks. We discussed TCP session hijacking and emphasized the