Session Hijacking Attacks
Attackers’ use several session hijacking attacks to gain access to user sessions on a server, the most common of these attacks are listed and described below:
Session Prediction - http://cleverlogic.net/tutorials/what-session-prediction
Session Sidejacking - http://cleverlogic.net/tutorials/session-sidejacking-overview
Session Fixation - http://cleverlogic.net/tutorials/session-fixation-overview
Cross Site Scripting - http://cleverlogic.net/tutorials/cross-site-scripting-0
Using Proxy Servers - http://cleverlogic.net/content/using-proxy-servers-session-hijacking
Physical Access to Server
Preventing Session Hijacking
Since session hijacking is where the attacker steals a user's Session Identifier, to prevent this attack, we would need to prevent the user's Session Identifier. There are several things we can do to help to prevent this attack:
Use Secure Connections (Achieved through Secure Socket Layer(SSL) - http://cleverlogic.net/articles/secure-socket-layer-overview
) as much as possible, since SSL creates an encrypted connection between the client and server, any data the attacker steals during this transfer would be useless to them. However, SSL does not fully secure against this attack, and hackers can still use session hijacking even over HTTPS
Regenerate user's session identifier often, therefore, even though the attacker may manage to steal a user's session identifier, when it is regenerated, the Session Identifier he stole would be useless.
You can implement an IP Address Check to match a user's Session Identifier to his/her IP Address. However this may have its limitations.
For my final year project titled "Mitigating HTTP Session Hijacking" i built an application to help prevent this attack. more on this can be found here: http://cleverlogic.net/articles/kochure
. I would strongly advise implementing this application on your Web Server.
Another method is to use HTTP only cookies, these are cookies that claim to be inaccessible from the DOM, However, some hackers have claimed to gain access to HTTP only cookies through the dom. HTTP only cookies would still make it harder to gain access to cookies using most of the session hijacking attacks. However if session Sidejacking is used, These cookies can easily be stolen from over a LAN network. Session Sidejacking is spoofing cookies over a LAN network, More can be found on the session Sidejecking page linked to above.
More information about preventing each of the above listed Session Hijacking attacks can be found on the Attack's Page.
To get a better understanding of how this attack is carried out, a step-by-step tutorial can be found at http://cleverlogic.net/tutorials/session-hijacking-facebook-accounts
. Note this tutorial is only for informative purposes.