What Is Session Hijacking: Everything You Need to Know About It


Session hijacking is a cyber attack in which an attacker steals a user's session and then acts within that session on the user's behalf. In other words, it is unauthorized access by "spoofing", that is, by impersonating the user.

When you hear "session hijacking," I think many people feel that such a cyber attack is difficult to prevent, but it is fine as long as you understand what each term means and take appropriate measures.

In this article, I explain the causes of the attack and the countermeasures, so please read it through to the end.

What is session hijacking?

Web applications and browsers use per-user session IDs and cookies to authenticate each user and to keep the exchange of communications tied to that user, so that the service can be used comfortably.

Session hijacking is a cyber attack that steals this information by some means and then communicates with the service as if it were the user. It is an act of "spoofing", so I think it is easy to picture it as someone using a stolen driver's license to do something wrong, or travelling abroad on your stolen passport to do something wrong.

What is a session?

A series of actions that a user performs on a website is counted as one session. For example, if you enter a user name and password, authenticate, and log in, one session is the period from then until you log out and leave the site.

What is a session ID?

The session ID is information issued by a web server or web application to uniquely identify the session of a user who has accessed the site. Normally it is given to the browser as a cookie, but to support users who have disabled cookies, it may instead be passed as part of the URL's request parameters.

That last point, passing the session ID in the URL's request parameters, is itself one of the causes of session hijacking.

Let's look at the causes of session hijacking, including that one.

What causes session hijacking?

The causes of session hijacking fall mainly into the following three categories. None of them steals the login password directly, which makes them slightly different from other cyber attacks.

I'll explain them one by one, so let's go through them.

Guessing the session ID

If the session ID is built from easily predictable values such as the date or the registered user name, an attacker can obtain their own session ID through the legitimate route, analyze how it is composed, infer a similar ID belonging to another user, and exploit it.

Also, if the ID structure is relatively simple, it can easily be found by a brute-force attack using a tool, without any guessing at all.

Taking the session ID from the user

This method involves gaining unauthorized access and intervening between the legitimate user and the web service in order to obtain the session ID from the legitimate user.

For example, a cross-site scripting (XSS) attack can be used to deceive users into running script that sends their session IDs and cookies to the attacker's site.

Attacks that fix the session ID

This is also called a session fixation attack.

In this attack, the attacker first obtains a legitimate session ID, makes the user use it, and then, after confirming that the user has logged in to the target website with that ID, rides on the now-authenticated session.

What is session fixation?

This is one of the attacks on the session ID, the information used for a certain period while accessing the web, for page transitions and login state. Fixation is an attack technique that could also be described as "fixing" or "forcing": the attacker forces the user to use a session ID value the attacker already knows, and then takes over (impersonates) that user's access to the session.

What happens if a session hijacking attack occurs?

Since session hijacking is a kind of "spoofing", the attacker uses the web service on behalf of the user. The following kinds of damage are therefore generally to be expected, and caution is required.

  • Impersonating a legitimate user and stealing confidential information
  • Impersonating a legitimate client and infiltrating the server
  • Unauthorized withdrawals from online bank accounts
  • Leakage or falsification of registered information
  • Unauthorized use of credit cards

Even from the above list alone, you can see that great damage is to be expected.

An example of such damage follows.

Damage example: unauthorized access to an Apache server (2010)

The server hosting JIRA, the bug-tracking software used by the Apache project, was session hijacked.

When an administrator of the server clicked a link that had been planted to carry out XSS (cross-site scripting), the cookie containing the session was stolen, and the attacker took over the administrator's privileges.

At the same time, the meticulous attacker immediately launched a brute-force attack against JIRA's login.jsp in an attempt to steal the password for the JIRA account, which caused a great deal of commotion.

The damage was serious enough that there was concern about the leak of "hashed passwords for JIRA, Bugzilla, and Confluence users."

Measures to prevent session hijacking

There are several ways to avoid session hijacking attacks, but the fundamental requirement is that the attacker must not be able to learn the session ID.

To take measures against session hijacking, you inevitably need to review how sessions are managed.

Do not include the session ID in the URL

This is the most basic rule of all. When exchanging the session ID, the website and the browser may include the session ID in the URL.

Of course, this method is convenient for an attacker carrying out session hijacking, so we recommend carrying the session ID in a cookie or switching to a method that exchanges it in a hidden field in the form data.

Rely on session management tools

If you find it difficult to manage sessions yourself, you can rely on management tools.

Many recent web development platforms have a built-in session ID management function, so make active use of it. It is far more reliable than a half-finished home-made implementation.

Issuing a one-time session ID

This means making the session ID one-time, which makes it harder to attack. Because the session ID changes on each access, it is very difficult for an attacker to pin down a valid one.

If you are using a PHP environment, you can do this easily with the session_regenerate_id function.
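As an added example (not code from the original article), the following Python sketch ties together three of the points above: session IDs drawn from a cryptographic random source so they cannot be guessed, a fresh ID issued at login so a fixed (attacker-known) ID never becomes authenticated, and delivery of the ID only through a cookie rather than the URL. The in-memory store, the demo user table and the cookie name SESSIONID are constructed for illustration.

```python
import secrets
import time

# Constructed in-memory session store: session_id -> {"user": ..., "created": ...}
SESSIONS = {}

# Constructed demo credential table; a real application stores salted password hashes.
DEMO_USERS = {"alice": "correct horse battery staple"}


def new_session_id():
    """32 bytes from the OS CSPRNG (~256 bits of entropy): not derived from the
    date or user name, so it can be neither inferred nor brute-forced in practice."""
    return secrets.token_urlsafe(32)


def start_session():
    """Issue an unauthenticated session, as a visitor gets before logging in."""
    sid = new_session_id()
    SESSIONS[sid] = {"user": None, "created": time.time()}
    return sid


def check_password(username, password):
    return DEMO_USERS.get(username) == password


def login(presented_sid, username, password):
    """Authenticate and ALWAYS issue a new session ID, discarding the presented one.
    This is the regenerate-on-login step (what session_regenerate_id does in PHP):
    even if presented_sid was planted by an attacker, the ID they know is never
    upgraded to a logged-in session.  An ID the server never issued is simply
    dropped rather than adopted, which is what blocks session fixation."""
    if not check_password(username, password):
        return None
    SESSIONS.pop(presented_sid, None)
    fresh = new_session_id()
    SESSIONS[fresh] = {"user": username, "created": time.time()}
    return fresh


def current_user(sid):
    """Resolve a session ID to its user, or None if unknown / not logged in."""
    session = SESSIONS.get(sid)
    return session["user"] if session else None


def set_cookie_header(sid):
    """Keep the ID out of the URL: deliver it only in a cookie, with hardening flags."""
    return f"Set-Cookie: SESSIONID={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```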


This time, I explained session hijacking. How was it? From the user's point of view, it is a takeover that is hard to notice, so by the time you realize the threat, the damage has already been done.

For a site owner, this is a very frightening cyber attack, so take care when managing session IDs.
