Session Hijacking - SCF Faculty Site Homepage

11.1 Understand session hijacking and session hijacking techniques
Exam Focus: Understand session hijacking and session hijacking techniques. Objective includes:
Understand what session hijacking is.
Identify types of session hijacking.
Identify key session hijacking techniques.
Session hijacking
Session hijacking refers to the exploitation of a valid computer session to gain unauthorized
access to information or services in a computer system. In particular, it is used to refer to the
theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance
to Web developers, as the HTTP cookies used to maintain a session on many Web sites can be
easily stolen by an attacker using an intermediary computer or with access to the saved cookies
on the victim's computer.
TCP session hijacking occurs when an attacker takes over an established TCP session between two
machines. Because authentication typically happens only at the start of a session, whoever controls
the connection afterwards inherits the authenticated access. One classic method uses source-routed
IP packets: an attacker at point A on the network can join a conversation between B and C by causing
the packets to be routed through A's machine. If source routing is turned off, the attacker can fall
back to "blind" hijacking, injecting packets while guessing the responses of the two machines. The
attacker can send a command but never sees the response; a typical injected command is one that
creates a way back in, such as setting a password or adding an account that allows access from
somewhere else on the network.
An attacker can also sit "inline" between B and C and use a sniffing program to watch the
conversation. This is known as a "man-in-the-middle attack". A common component of such an attack is
a denial-of-service (DoS) attack against one endpoint to stop it from responding, either by crashing
the machine or by flooding its network connection to force heavy packet loss.
Session hijacking succeeds for the following reasons:
There is no lockout or rate limiting after repeated invalid session IDs, so IDs can be guessed at will.
A weak session ID generation algorithm is used (predictable or low-entropy IDs).
There is no session expiration, so a captured ID stays valid indefinitely.
Session IDs are transmitted in clear text and can be sniffed.
Session IDs are short, so the space to brute force is small.
Session IDs are handled insecurely, for example placed in URLs, logs, or Referer headers.
Types of session hijacking
The following are the types of session hijacking:
Active: The attacker finds an active session and takes it over, interacting with the target as the victim.
Passive: The attacker sits back, watching and recording all the traffic sent back and forth, and uses the
captured data (such as a session ID) later.
Dangers posed by hijacking
The following dangers are posed by hijacking:
Unless encryption is used, most countermeasures do not work.
Hijacking is easy to launch.
Hijacking poses a threat of identity theft, information loss, fraud, etc.
Most computers that use TCP/IP are vulnerable.
Unless a secure protocol is used, little can be done to protect against hijacking.
Key session hijacking techniques
The following are key session hijacking techniques:
Brute forcing: The attacker tries different IDs until one succeeds.
Stealing: The attacker steals session IDs using techniques such as sniffing, cross-site scripting, or
access to the client machine.
Calculating: The attacker calculates session IDs by analyzing IDs that are not randomly generated.
Methods to perform session hijacking
There are four main methods used to perpetrate a session hijack:
1. Session fixation, where the attacker sets a user's session id to one known to him, for
example by sending the user an email with a link that contains a particular session id. The
attacker now only has to wait until the user logs in.
2. Session sidejacking, where the attacker uses packet sniffing to read network traffic
between two parties to steal the session cookie. Many Web sites use SSL encryption for
login pages to prevent attackers from seeing the password, but do not use encryption for
the rest of the site once authenticated. This allows attackers that can read the network
traffic to intercept all the data that is submitted to the server or Web pages viewed by the
client. Since this data includes the session cookie, it allows him to impersonate the
victim, even if the password itself is not compromised. Unsecured Wi-Fi hotspots are
particularly vulnerable, as anyone sharing the network will generally be able to read most
of the Web traffic between other nodes and the access point.
3. Alternatively, an attacker with physical access can simply attempt to steal the session key
by, for example, obtaining the file or memory contents of the appropriate part of either
the user's computer or the server.
4. Cross-site scripting, where the attacker tricks the user's computer into running code,
which is treated as trustworthy because it appears to belong to the server. This attack
allows the attacker to obtain a copy of the cookie or perform other operations.
11.2 Understand session hijacking process and session hijacking in the OSI Model
Exam Focus: Understand session hijacking process and session hijacking in the OSI Model.
Objective includes:
Understand the session hijacking process.
Analyze session hijacking in the OSI Model.
Session hijacking process
The process of performing session hijacking is as follows:
Sniff: The attacker places himself between the victim and the target so that the traffic can be captured.
Monitor: The attacker monitors the flow of packets and predicts the sequence number.
Session desynchronization: The attacker breaks the connection to the victim's machine so that the
victim can no longer participate.
Session ID prediction: The attacker supplies the predicted session ID or sequence number and takes
over the session.
Command injection: The attacker starts injecting packets into the target server.
Packet analysis of a local session hijack
[Figure: packet analysis of a local session hijack; the capture is not reproduced in this text.]
Levels of the OSI model in which session hijacking works
In the OSI model, session hijacking can be performed at the following two levels:
1. Network Level: In this level of session hijacking, the attack is performed by the
interception of packets during the transmission between the client and the server in TCP
and UDP sessions.
2. Application Level: In this level of session hijacking, the attacker gains control of users' HTTP
sessions by obtaining their session IDs.
11.3 Understand the brute forcing attack, and HTTP referrer attack
Exam Focus: Understand the brute forcing attack and HTTP referrer attack. Objective includes:
Understand the brute forcing attack.
Understand the HTTP referrer attack.
Understand spoofing vs. hijacking.
Brute force attack
In a brute force attack, the attacker uses software that tries a large number of combinations in
order to find a password or, in the context of session hijacking, a valid session ID. Password
brute forcing is countered by passwords that are harder to guess (a reasonable minimum length,
alphanumeric combinations, mixed upper and lower case, etc.) and by locking out or throttling repeated
failures; session ID brute forcing is countered by long, random IDs and by not allowing unlimited
guessing of invalid IDs.
HTTP referrer attack
The HTTP Referer header tells a web server the URL of the page from which the request originated.
An HTTP referrer attack is a phishing technique that abuses this information: the attacker sends the
user to a page that reads the Referer, and from that page sends the user on to a page where the
attacker can perform various malicious activities. The following steps describe how such
information can be used for a phishing attack:
The phisher sets up a URL-rewriting reverse proxy, which is a generic phishing site. It sits in the
middle between the user and legitimate websites, logs all data supplied in web forms, and downgrades
all HTTPS traffic to plain HTTP.
The phisher sets up a website with some interesting content, linked to from the malicious sources.
When the site is visited, it extracts the URL from the Referer field and tricks the user into
thinking that he or she has returned to the referring page, which is now served through the proxy.
Countermeasure of the HTTP referrer attack
The main client-side countermeasure is not passing the Referer to visited sites. Firefox and Opera
have built-in options for this; for Chrome and Safari the user has to use external extensions, and IE
does not provide any easy way to do it. On the server side, a site can limit what it leaks by
sending a Referrer-Policy header (for example Referrer-Policy: no-referrer or
strict-origin-when-cross-origin), and HSTS prevents the HTTPS-to-HTTP downgrade that the proxy
relies on.
Difference between session hijacking and IP spoofing
In IP spoofing, the attacker forges the source address of the packets; the address to impersonate is
often taken from sniffed network traffic. Session hijacking, by contrast, is an attack in which the
attacker takes over an existing session, typically by knocking the legitimate user offline and
continuing the session in their place. IP spoofing is often one building block of a network-level
hijack, but spoofing alone does not give the attacker the session.
11.4 Understand application level session hijacking, and discuss session sniffing
Exam Focus: Understand application level session hijacking, and discuss session sniffing.
Objective includes:
Understand application level session hijacking.
Discuss session sniffing.
Application level session hijacking
In application level session hijacking, an attacker obtains session IDs to gain control of the
HTTP user session. The hijacker can also try to create new sessions using stolen data. Application
level session hijacking is all about obtaining the session ID, since web applications key off this
value to determine identity. Common methods are observation (sniffing), prediction and brute
forcing. The following are the most common ways to compromise a session token:
Predictable session token
Session sniffing
Client-side attacks
Man-in-the-middle attack
Man-in-the-browser attack
Application level attacks
The following are various application level attacks:
Session sniffing: The attacker uses a sniffer to capture a valid session token, the "Session ID",
and then uses it to gain unauthorized access to the web server.
Man-in-the-browser: The attacker uses a Trojan to intercept the calls between the browser and its
security mechanisms or libraries. Its main aim is to manipulate transactions of an Internet banking
system to commit financial fraud.
Predictable session token: The attacker predicts a session ID in order to impersonate a web site
user. The attacker performs this attack by guessing the session value or by deducing how session IDs
are generated; many web servers and custom applications generate session IDs with their own
algorithms or a recognizable pattern, and an attacker who collects a sample of IDs can analyze it
for such patterns.
Client-side (XSS): The attacker compromises the session token by delivering malicious script to the
client-side program, the browser, which then discloses the token.
Man-in-the-middle: The attacker intrudes into an existing connection between systems and intercepts
the messages being exchanged. Attackers split the TCP connection into the following two connections
using different techniques:
o Client-to-attacker connection
o Attacker-to-server connection
After successfully intercepting the TCP connection, an attacker can read, modify, and insert
fraudulent data into the communication. In the case of an HTTP transaction, the TCP connection
between the client and the server is the target.
Session fixation: The attacker lures a user into authenticating with a session ID the attacker
already knows. Once the user has logged in, the attacker hijacks the user-validated session using
that known session ID.
Session sniffing
In the session sniffing attack, the attacker uses a sniffer to capture a valid token session called
"Session ID", then he uses the valid token session to gain unauthorized access to the Web Server.
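The "Calculating" technique from 11.1 and the predictable session token attack above come down to the same thing: if the server derives session IDs from inputs with small ranges, an attacker who holds one legitimately obtained ID can recover the generator state and enumerate the IDs of other users. The following Python is an added example, not code from the original page or from any real product. The weak generator (MD5 over a counter and a minute-resolution timestamp) is a hypothetical scheme constructed for the demonstration, the timestamps are constructed, and the strong generator is the countermeasure the later sections call for.

```python
import hashlib
import secrets


def weak_id(counter, minute):
    """Hypothetical weak scheme: MD5 over an incrementing counter and a
    minute-resolution timestamp. Hashing hides the structure from a casual
    glance but adds no entropy: both inputs have tiny ranges."""
    return hashlib.md5(f"{counter}:{minute}".encode()).hexdigest()


class WeakSessionIds:
    """Server side of the weak scheme (constructed for this example)."""

    def __init__(self, start_counter=1000):
        self.counter = start_counter

    def issue(self, now):
        """Issue the next ID. `now` is a Unix timestamp passed in explicitly so
        the demonstration is deterministic."""
        self.counter += 1
        return weak_id(self.counter, now // 60)


def strong_session_id():
    """What the countermeasure sections ask for: 32 bytes from the OS CSPRNG
    (about 256 bits of entropy). There is no state for an attacker to recover."""
    return secrets.token_urlsafe(32)


def recover_state(observed_id, minute_hint, counter_max=20000, minute_slack=2):
    """Attacker step 1 ("Calculating"): take one ID obtained legitimately (the
    attacker's own login) and the approximate time it was issued, and brute
    force the (counter, minute) pair behind it. The search space is only
    counter_max * (2 * minute_slack + 1) hashes."""
    for minute in range(minute_hint - minute_slack, minute_hint + minute_slack + 1):
        for counter in range(counter_max):
            if weak_id(counter, minute) == observed_id:
                return counter, minute
    return None


def predict_candidates(counter, minute, span=10, minutes_ahead=5):
    """Attacker step 2: enumerate the IDs the server will hand to the next
    `span` logins within `minutes_ahead` minutes. Each candidate can then be
    tried as a cookie value; nothing locks out invalid session IDs."""
    return {
        weak_id(counter + i, minute + j)
        for i in range(1, span + 1)
        for j in range(minutes_ahead + 1)
    }


def demo():
    """Constructed scenario: the attacker logs in, the victim logs in 30 s later."""
    server = WeakSessionIds(start_counter=4200)
    t0 = 1_700_000_000                      # constructed timestamp
    attacker_sid = server.issue(t0)         # attacker's own session
    victim_sid = server.issue(t0 + 30)      # victim's session, unknown to attacker
    state = recover_state(attacker_sid, t0 // 60)
    candidates = predict_candidates(*state)
    return state, victim_sid in candidates, len(candidates)


if __name__ == "__main__":
    state, hit, n = demo()
    print(f"recovered state={state}; victim ID among {n} candidates: {hit}")
    print("strong ID (nothing to recover):", strong_session_id())
```

The victim's ID is one of only 60 candidates, which is why the "no lockout for invalid session IDs" weakness listed in 11.1 matters: the attacker simply tries each one. Against `strong_session_id()` the same `recover_state` search has nothing to find, because the ID is not a function of any small input.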
11.5 Describe man-in-the-middle, man-in-the-browser, Client-side, and cross-site script attacks
Exam Focus: Describe man-in-the-middle, man-in-the-browser, client-side, and cross-site script
attacks. Objective includes:
Describe man-in-the-middle attack.
Understand man-in-the-browser attack.
Examine steps to perform man-in-the-browser attack.
Understand client-side attacks.
Understand cross-site script attack.
Man-in-the-middle attacks
Man-in-the-middle attacks occur when an attacker successfully inserts intermediary software or a
program between two communicating hosts. The attacker can use the intermediary to listen to and
modify the packets that pass between the two hosts: the software intercepts the packets and then
forwards them to the receiving host, which presumes they come from the legitimate client and
responds to the software. Tools used for man-in-the-middle attacks include the following:
dsniff: A suite whose sshmitm and webmitm tools perform SSH and SSL MITM attacks.
Cain: A Windows GUI tool that can perform MITM attacks, along with sniffing and ARP poisoning.
Ettercap: A tool for LAN-based MITM attacks.
Karma: A tool that uses 802.11 Evil Twin attacks in order to perform MITM attacks.
AirJack: A tool that demonstrates 802.11-based MITM attacks.
wsniff: A tool for 802.11 HTTP and HTTPS-based MITM attacks.
Countermeasures of the man-in-the-middle attack
A user can follow various methods to mitigate the man-in-the-middle attack. To overcome these
attacks, use authentication techniques that are based on the following:
Public key infrastructures
Stronger mutual authentication
Secret keys (high information entropy secrets)
Passwords (low information entropy secrets)
Other criteria, such as voice recognition or other biometrics
Off-the-Record Messaging for instant messaging
Off-channel verification
Carry-forward verification
Man-in-the-browser (MitB) attack
Man-in-the-browser (MitB) is a Trojan that infects a web browser. It is able to modify pages, modify
transaction content or insert additional transactions, invisibly to both the user and the web
application. The attack succeeds regardless of whether security mechanisms such as SSL/PKI and two-
or three-factor authentication are in place, because it acts inside the browser after those checks
have passed. The effective countermeasure is transaction verification over a separate channel, for
example confirming the recipient and amount on a device the Trojan does not control.
Performing man-in-the-browser attack
The following steps are taken to perform a man-in-the-browser attack:
1. The Trojan infects the computer's software (OS or application), installs malicious code (browser
extension files) and registers it in the browser configuration.
2. The malicious extension is loaded when the user restarts the browser.
3. The extension registers a handler that runs on every page load.
4. On each page load, the extension compares the URL with a list of sites targeted for attack.
5. The user logs in securely to the website.
6. When the extension detects a targeted page, it registers a handler for the submit button and waits
for a transaction form that matches its target pattern.
7. When the user submits the form, the extension modifies the values (for example the destination
account) before the browser forwards the form to the server, which sees a legitimately
authenticated request.
Client-side attack
A client-side attack uses the inexperience of the end user to create a foothold on the user's
machine, and therefore in the network. Client-side attacks are everywhere and hidden in plain sight;
common hiding places are malicious web sites and spam, and a single click on a link can let an
attacker in.
Cross-site scripting (XSS) is a type of injection attack in which malicious scripts are injected into
web sites. A malicious script embedded in a web page produces no warning when the page is viewed in a
browser. A Trojan horse hides malicious code inside apparently harmless programming or data in such a
manner that it can gain control and cause damage.
Cross-site script attack
A cross-site scripting attack is focused on a specific victim website and the users who visit it. The
attacker delivers malicious code to the client-side program, the browser, to compromise the session
token.
Suppose an attacker sends a crafted link containing malicious JavaScript to the victim. When the
victim clicks the link, the JavaScript runs in the context of the vulnerable site and carries out the
attacker's instructions. In this way the attacker can use the XSS attack to steal the session token.
A probe such as <SCRIPT>alert(document.cookie);</SCRIPT> only displays the cookie value of the
current session to the user; it demonstrates that the injection point exists and that script can read
the cookie. A real attack replaces the alert with code that sends document.cookie to an
attacker-controlled host, for example by setting the src of an image to a URL that includes the
cookie. Cookies marked HttpOnly are not exposed through document.cookie, which limits this particular
theft technique.
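As an added example (not code from the original page), the following Python shows the two sides of the attack just described: a server-side template that reflects the probe payload unescaped beside one that encodes it, and a Set-Cookie builder with the attributes that blunt cookie theft, together with a small model of what the browser's document.cookie exposes to injected script. The template helpers, cookie names and values are constructed for the example.

```python
import html

# The probe payload quoted in the text above.
PROBE = "<SCRIPT>alert(document.cookie);</SCRIPT>"


def render_comment_vulnerable(comment):
    """Reflects user input into the page unchanged. The script runs in the
    site's origin, so document.cookie returns this site's cookies."""
    return f"<div class=\"comment\">{comment}</div>"


def render_comment_safe(comment):
    """Output encoding for an HTML text context: <, >, &, and quotes become
    entities, so the browser renders the payload as text, not markup."""
    return f"<div class=\"comment\">{html.escape(comment, quote=True)}</div>"


def set_cookie_header(name, value, secure=True, http_only=True,
                      same_site="Lax", max_age=1800):
    """Build a Set-Cookie header. Secure keeps the cookie off plain HTTP
    (sidejacking); HttpOnly keeps it out of document.cookie (XSS theft);
    SameSite=Lax keeps it out of most cross-site requests (CSRF); Max-Age
    bounds how long a stolen value stays useful."""
    parts = [f"{name}={value}", "Path=/", f"Max-Age={max_age}"]
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    if same_site:
        parts.append(f"SameSite={same_site}")
    return "Set-Cookie: " + "; ".join(parts)


def parse_set_cookie(header):
    """Parse a Set-Cookie header into (name, value, attributes)."""
    body = header.split(":", 1)[1].strip()
    pair, *attrs = [p.strip() for p in body.split(";")]
    name, value = pair.split("=", 1)
    attributes = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        attributes[key.lower()] = val if val else True
    return name, value, attributes


def document_cookie_view(set_cookie_headers):
    """Model the browser's document.cookie: every cookie the page's origin
    holds except those marked HttpOnly. This is all that injected script sees."""
    visible = []
    for header in set_cookie_headers:
        name, value, attributes = parse_set_cookie(header)
        if "httponly" not in attributes:
            visible.append(f"{name}={value}")
    return "; ".join(visible)


def contains_live_script(markup):
    """Rough check: does the markup still contain an executable <script> tag?"""
    return "<script" in markup.lower()
```

HttpOnly does not stop XSS itself; script injected into the page can still issue requests as the user from inside the browser. It only removes the session cookie from what the script can read and exfiltrate, which is the specific theft technique the text describes.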
Things that have to happen for cross-site request forgery to succeed
The following things have to happen for a cross-site request forgery (CSRF) to succeed:
1. The attacker must target either a site that doesn't check the Referer header (which is
common) or a victim with a browser or plugin bug that allows Referer spoofing (which is rare).
2. The attacker must find a form submission at the target site that does something useful to
the attacker (e.g., transfers money, or changes the victim's e-mail address or password).
3. The attacker must determine the right values for all the form inputs: if any of them are
required to be secret authentication values or IDs that the attacker can't guess, the attack
will fail.
4. The attacker must lure the victim to a web page with malicious code while the victim is
logged in to the target site.
The attacker can't see what the target web site sends back to the victim in response to the forged
requests, unless he exploits a cross-site scripting or other bug at the target web site. Similarly,
the attacker can only "click" links or submit forms that come up after the initial forged request if
those subsequent links or forms are similarly predictable. (Multiple "clicks" can be simulated by
including multiple images on a page, or by using JavaScript to introduce a delay between clicks.)
Preventions from cross-site request forgeries
Web sites can be protected from cross-site request forgeries (CSRF) by applying the following
countermeasures:
Requiring a secret, unguessable value in GET and POST parameters, not only in cookies (cookies are
attached automatically by the browser, which is exactly what the attacker relies on).
Checking the HTTP Referer (or Origin) header.
Ensuring there's no crossdomain.xml file granting unintended access to Flash movies.
Limiting the lifetime of authentication cookies.
Setting the SameSite attribute on session cookies so that the browser omits them from cross-site
requests.
Requiring a secret, user-specific token in all form submissions prevents CSRF; the attacker's site
can't put the right token in its submissions because it cannot read the target site's pages or
cookies. Individual web users can do relatively little to prevent cross-site request forgery. Logging
out of sites and avoiding their "remember me" features can mitigate CSRF risk; not displaying external
images or not clicking links in "spam" or unreliable e-mails may also help.
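The token countermeasure above, worked through as an added Python example (not code from the original page): a per-session token derived as an HMAC of the session ID under a server key, a handler that verifies it in constant time and also checks the Origin/Referer header, and the two requests the handler can receive, the victim's own form submission and the one an attacker's page can forge. The site name `bank.example`, the `SESSIONID` cookie, the request dictionaries and the server key are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Per-deployment key for deriving CSRF tokens (hypothetical; in production it
# comes from configuration rather than being generated at import time).
SERVER_KEY = secrets.token_bytes(32)
SITE_HOST = "bank.example"          # hypothetical target site


def csrf_token_for(session_id):
    """Derive the per-session token as HMAC(server key, session ID). It is
    unguessable to the attacker's page, which can neither read the victim's
    session cookie nor learn the server key, and it needs no server storage."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def referer_is_same_site(headers):
    """Check the Origin header first (browsers send it on cross-site POSTs),
    then Referer. A missing header is treated as cross-site here; sites that
    must tolerate privacy tools stripping Referer rely on the token alone."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return urlparse(source).hostname == SITE_HOST


def handle_transfer(request):
    """Server-side handler for a money transfer. `request` is a constructed
    dict with keys method, cookies, form and headers."""
    if request["method"] != "POST":
        return 405, "state-changing actions must be POST"
    session_id = request["cookies"].get("SESSIONID")
    if not session_id:
        return 401, "not logged in"
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, csrf_token_for(session_id)):
        return 403, "missing or wrong CSRF token"
    if not referer_is_same_site(request["headers"]):
        return 403, "request did not originate from this site"
    return 200, f"transferred {request['form']['amount']} to {request['form']['to']}"


def legitimate_request(session_id):
    """The victim submitting the site's own form: the page embedded the token."""
    return {
        "method": "POST",
        "cookies": {"SESSIONID": session_id},
        "headers": {"Origin": f"https://{SITE_HOST}",
                    "Referer": f"https://{SITE_HOST}/transfer"},
        "form": {"to": "savings", "amount": "10",
                 "csrf_token": csrf_token_for(session_id)},
    }


def forged_request(session_id, guessed_token=""):
    """What an attacker's page at evil.example can make the victim's browser
    send: the session cookie is attached automatically and the form fields are
    the attacker's, but the token and the Origin are outside the attacker's control."""
    return {
        "method": "POST",
        "cookies": {"SESSIONID": session_id},
        "headers": {"Origin": "https://evil.example",
                    "Referer": "https://evil.example/cat.html"},
        "form": {"to": "attacker", "amount": "1000", "csrf_token": guessed_token},
    }
```

The Referer check is a second layer, not a replacement for the token: condition 1 in the list above notes that many sites do not check it, and some clients strip it. Marking the session cookie SameSite (see the cookie example earlier on this page) adds a third layer at the browser.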
11.6 Understand session fixation attack, and describe network level session hijacking
Exam Focus: Understand session fixation attack, and describe network level session hijacking.
Objective includes:
Understand the session fixation attack.
Describe network level session hijacking.
Session fixation
Session fixation is an attack technique that forces a user's session ID to an explicit value chosen
by the attacker. A number of techniques can be used to "fix" the session ID value depending on the
functionality of the target web site, including cross-site scripting exploits and peppering the web
site with previously made HTTP requests. Once a user's session ID has been fixed, the attacker waits
for them to log in. After the user does so, the attacker uses the predefined session ID value to
assume their online identity.
Countermeasures of the session fixation attack
The following are countermeasures of the session fixation attack:
Do not accept session identifiers from GET / POST variables.
Ask the user for identity confirmation.
Store session identifiers in HTTP cookies.
Utilize the SSL / TLS session identifier.
Regenerate the SID on each request.
Accept only server-generated SIDs.
Time out old SIDs.
Destroy the session if the Referer is suspicious.
Verify that additional information is consistent throughout the session.
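The core of the list above, "accept only server-generated SIDs", "regenerate the SID" at login and "time out old SIDs", as an added Python example (not code from the original page). The session store, its timeout value and the `fixation_attempt` scenario are constructed for the example; the store takes an injectable clock so the timeout can be exercised without waiting. The fixation-prone login is kept beside the hardened one to show exactly which step defeats the attack.

```python
import secrets
import time


class SessionStore:
    """Server-side session store (constructed for this example) that applies
    the countermeasures listed above: only server-issued IDs are honoured,
    the ID is regenerated at login, idle sessions time out, logout destroys."""

    IDLE_TIMEOUT = 900  # seconds; constructed value

    def __init__(self, clock=time.time):
        self._sessions = {}   # sid -> {"user": str or None, "last": float}
        self._clock = clock   # injectable for deterministic tests

    def _new_id(self):
        return secrets.token_urlsafe(32)

    def new_anonymous(self):
        """Pre-login session, e.g. for a shopping cart."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last": self._clock()}
        return sid

    def resolve(self, sid):
        """Look up a client-supplied ID. Unknown IDs are rejected, never
        adopted, which is what defeats fixation via URL or cookie injection."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self._clock() - session["last"] > self.IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        session["last"] = self._clock()
        return session

    def login_vulnerable(self, sid, user):
        """Fixation-prone login: authenticates *into* the existing session, so
        whoever planted `sid` on the victim now holds an authenticated session."""
        session = self.resolve(sid)
        if session is None:
            return None
        session["user"] = user
        return sid

    def login(self, sid, user):
        """Hardened login: destroy the pre-login session (whose ID the attacker
        may know) and issue a fresh ID bound to the authenticated user."""
        self._sessions.pop(sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "last": self._clock()}
        return new_sid

    def logout(self, sid):
        self._sessions.pop(sid, None)


def fixation_attempt(store, hardened):
    """Attacker obtains a valid pre-login ID, plants it on the victim (link,
    cookie injection, ...), and the victim logs in with it. Returns what the
    attacker gets when they later present the planted ID."""
    planted = store.new_anonymous()
    login = store.login if hardened else store.login_vulnerable
    login(planted, "alice")
    session = store.resolve(planted)
    return session["user"] if session else None
```

Rotating the ID at login is the step that matters: the attacker's planted ID is still a real, server-issued ID, so "accept only server-generated SIDs" alone would not stop the attack. Rotating on every privilege change (login, role elevation) and destroying the old ID closes it.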
Network-level hijacking
Network-level hijacking is the interception of packets during transmission between a client and
the server in a TCP/UDP session. By attacking network level sessions, an attacker can obtain critical
information for attacking application level sessions. The following are included in network-level
hijacking:
TCP/IP hijacking
IP spoofing
RST hijacking
Blind hijacking
Man-in-the-middle
UDP hijacking
IP spoofing attack
IP address spoofing, or IP spoofing, refers to the creation of Internet Protocol (IP) packets with a
forged source IP address, with the purpose of concealing the identity of the sender or
impersonating another computing system. The basic
protocol for sending data over the Internet and many other computer networks is the Internet
Protocol ("IP"). The header of each IP packet contains, among other things, the numerical source
and destination address of the packet. The source address is normally the address that the packet
was sent from. By forging the header so that it contains a different address, the attacker can make
it appear that the packet was sent by a different machine. The machine that receives spoofed
packets will send a response back to the forged source address, which means that this technique
is mainly used when the attacker does not care about the response or the attacker has some way
of guessing the response.
Nonblind spoofing
Nonblind spoofing occurs when the attacker can see the traffic being sent between the host and the
target. It is the easiest type of session hijacking, but it requires that the attacker captures
packets as they pass between the two machines, so the attacker must be on the same network segment.
Blind spoofing
In blind spoofing, the attacker cannot see the traffic being sent between the host and the target.
It is the most difficult form of session hijacking because it is very difficult to guess the TCP
sequence number correctly without observing it.
RST hijacking
In RST hijacking, an authentic-looking reset (RST) packet is injected with a spoofed source address.
For the victim to accept it, the sequence number in the RST must be the one the victim expects next
from its peer; that value is visible as the acknowledgement number in the packets the victim itself
sends, so the attacker sniffs those (for example with tcpdump, filtering for segments with the ACK
flag set) or predicts it. The victim tears down the connection because it believes the reset came
from the real peer. RST hijacking can be performed with a packet crafting tool such as Colasoft's
Packet Builder together with a TCP/IP analysis tool such as tcpdump.
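To make the sequence-number requirement concrete, here is an added Python example (not code from the original page, and not a packet-builder tool's output) that constructs the bytes of a spoofed RST from fields sniffed off one of the victim's own segments, then parses the result and verifies both checksums the way a receiving stack would. The addresses, ports and acknowledgement number in the scenario are constructed. The packet is only built and inspected; sending it would need a raw socket with `IP_HDRINCL` and root privileges, which is deliberately left out.

```python
import socket
import struct

RST = 0x04
ACK = 0x10


def checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, payload_len, proto=6, ttl=64, ident=0):
    """Minimal 20-byte IPv4 header; `src` is the forged (peer's) address."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_segment(src, dst, sport, dport, seq, ack, flags, window=0, payload=b""):
    """TCP segment without options. The checksum covers a pseudo-header built
    from the forged addresses, so a spoofed segment still verifies at the receiver."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags,
                      window, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, 6, len(hdr) + len(payload))
    csum = checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def forge_rst(observed):
    """Build the reset the attacker injects. `observed` holds fields sniffed
    from one segment the *victim* sent to its peer. The RST is sent as the
    peer; its SEQ must be what the victim expects next from the peer, which
    is exactly the ACK number the victim put in its own segment."""
    seg = tcp_segment(observed["peer_ip"], observed["victim_ip"],
                      observed["peer_port"], observed["victim_port"],
                      seq=observed["victim_ack"], ack=0, flags=RST)
    return ipv4_header(observed["peer_ip"], observed["victim_ip"], len(seg)) + seg


def parse(packet):
    """Decode an IPv4/TCP packet and verify both checksums, as a receiving
    stack would, so the forged packet can be checked without sending it."""
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (fields[0] & 0x0F) * 4
    total_len, proto, src, dst = fields[2], fields[6], fields[8], fields[9]
    tcp = packet[ihl:total_len]
    sport, dport, seq, ack, off_flags, *_ = struct.unpack("!HHIIHHHH", tcp[:20])
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(tcp))
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF,
        "ip_csum_ok": checksum(packet[:ihl]) == 0,
        "tcp_csum_ok": checksum(pseudo + tcp) == 0,
    }


if __name__ == "__main__":
    # Constructed observation: victim 10.0.0.5:51234 talking to 192.0.2.10:80.
    observed = {"victim_ip": "10.0.0.5", "victim_port": 51234,
                "peer_ip": "192.0.2.10", "peer_port": 80,
                "victim_ack": 0x1A2B3C4D}
    print(parse(forge_rst(observed)))
```

Two caveats for anyone testing this against a real stack. The classic attack works with any sequence number inside the victim's receive window, which is what made blind RST attacks on long-lived sessions feasible; stacks implementing RFC 5961 only accept a RST whose sequence number exactly equals the next expected value and answer an in-window-but-inexact RST with a challenge ACK, so sniffing the precise value (non-blind hijacking) is required against them. And the forged packet must reach the victim before the real peer's next segment changes the expected value.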
Blind hijacking
In blind hijacking, even if source routing is disabled, the attacker can introduce malicious data or
commands into the intercepted communications in the TCP session. Although the attacker can send the
data or commands, he has no way to see the response.
UDP hijacking
UDP hijacking works at the network level. As UDP does not use packet sequencing and
synchronizing, the attacker forges a server reply to the client UDP request before the server can
respond.
Man-in-the-middle attack using packet sniffer
The man-in-the-middle attack involves the use of a packet sniffer as an interface between the client
and the server. The following techniques are used to route the packets between the client and the
server through the hijacker's host:
Forged Internet Control Message Protocol (ICMP): ICMP is an extension of IP for sending error and
control messages; by sending forged messages (such as redirects), the attacker can fool the client
and the server into routing their traffic through the attacker's host.
Address Resolution Protocol (ARP) spoofing: ARP maps local IP addresses to hardware (MAC) addresses.
The attacker sends forged ARP replies so that the hosts' ARP tables map the peer's IP address to the
attacker's MAC address.
Source routed packets
The source-routed packets technique is used to gain unauthorized access to a computer with the help
of a trusted host's IP address. The attacker spoofs the trusted host's IP address so that the
packets are accepted by the server that manages a session with that client. Once the session is
established, the hijacker injects forged packets before the client responds; because the server has
already received data for that sequence number, the client's genuine packet is discarded. The
packets are source-routed, meaning the attacker specifies the path to the destination IP, so that
replies come back through the attacker's host.
Sequence numbers
Sequence numbers are required to provide reliable communication, and they are central to hijacking
a session. A TCP sequence number is a 32-bit counter, so there are over 4 billion possible values.
Sequence numbers tell the receiving machine the order in which received segments should be
reassembled, and a receiver discards segments whose sequence numbers fall outside its window. Hence
an attacker must supply correct sequence numbers to hijack a session.
Sequence number prediction
After a client sends a connection request (SYN) to the server, the server responds (SYN-ACK) with
its chosen initial sequence number, which the client must acknowledge. If this sequence number is
predictable, blind spoofing becomes possible: the attacker first connects to the server from its own
IP address and records the sequence number chosen, then opens a second connection from a forged IP
address. Although the attacker does not see the SYN-ACK or any other packet from the server, he can
guess the correct value to acknowledge. Modern TCP stacks randomize initial sequence numbers (RFC
6528), which is what makes this classic attack impractical against them.
11.7 Understand TCP/IP hijacking, session hijacking tools, and countermeasures of session
hijacking
Exam Focus: Understand TCP/IP hijacking, session hijacking tools, and countermeasures of
session hijacking. Objective includes:
Understand TCP/IP hijacking.
Identify session hijacking tools.
Identify countermeasures of session hijacking.
Understand session hijacking pen testing.
TCP/IP hijacking
TCP/IP hijacking uses spoofed packets in order to take over a connection between a victim and a
target machine. The victim's connection hangs and the attacker is able to communicate with the host
system as the victim. The following are the steps in TCP/IP hijacking:
To obtain the sequence numbers of the session, the attacker sniffs the communication between the
victim and the host.
The attacker sends a spoofed packet from the victim's IP address to the host using the expected
sequence number.
The host accepts the packet as coming from the victim, responds to the victim's address, and
advances its sequence and acknowledgement numbers; the real victim, now out of sync, can no longer
continue the session.
Session hijacking tools
The following are session hijacking tools:
Hamster
Hunt
Session Thief
JHijack
Surf Jack
TamperIE
Ettercap
Ferret
Paros
Firesheep
Hunt
Hunt is a tool for exploiting well-known weaknesses in the TCP/IP protocol suite. It is primarily
used to hijack connections but has many other features: it can intrude into a connection, watch it,
and reset it. Hunt operates on Ethernet; however, it can do something even for hosts on another
segment or on switched ports. It supports both sniffing and session hijacking.
Paros
Paros is a man-in-the-middle proxy and application vulnerability scanner. It allows the attacker to
intercept, modify, and debug HTTP and HTTPS data on the fly between a web server and a client
browser. It is also useful for spidering, proxy chaining, filtering, and application vulnerability
scanning.
Burp Suite
Attackers use Burp Suite to inspect and modify traffic between the browser and the target
application. It can analyze all kinds of content and automatically colorizes request and response
syntax.
Firesheep
Firesheep is an extension for the Firefox web browser. The extension sniffs unencrypted session
cookies on the local network and lets the attacker use a captured cookie to take over the victim's
session on the target site (sidejacking).
Countermeasures of session hijacking
The following are countermeasures against session hijacking:
Secure Shell (SSH) should be used to create a secure communication channel.
Authentication cookies should be passed only over HTTPS connections (and marked Secure).
Log-out functionality should be implemented so that users can end the session.
A new session ID should be generated after successful login.
A long random string should be used as the session key.
Data passed between users and web servers should be encrypted.
Measures taken to protect against session hijacking
The following measures are taken to protect against session hijacking:
Using encryption
Minimizing remote access
Educating the employees
Regenerating the session ID after login
Limiting incoming connections
Using a secure protocol
Methods to prevent session hijacking
Web developers should use the following methods to prevent session hijacking:
Reducing the life span of a session or a cookie
Expiring the session as soon as the user logs out
Regenerating the session ID after a successful login in order to prevent fixation attacks
Preventing eavesdropping within the network
Encrypting the data and session key transferred between the user and the web servers
Creating session keys from long random strings to make it difficult for an attacker to guess a valid
session key
Web users should use the following methods to prevent session hijacking:
Do not click on links received via e-mail or instant messaging.
Use firewalls to prevent malicious content from entering the network.
Restrict cookies using firewall and browser settings.
Check that the web site's certificate is valid and issued by a trusted certificate authority.
Erase the browser history and offline content after every confidential or sensitive transaction.
Prefer HTTPS when transmitting sensitive and confidential data; HTTPS encrypts the transmission and
keeps the session cookie away from sniffers.
Log out by clicking the logout button instead of simply closing the browser.
Defending against session hijack attacks
The following actions should be taken against session hijack attacks:
Use encrypted protocols such as those in the OpenSSH suite.
Use strong authentication, such as Kerberos, or peer-to-peer VPNs.
Use IDS products or ARPwatch to monitor for ARP cache poisoning.
Configure the appropriate internal and external anti-spoofing rules on gateways.
Session hijacking remediation
Defense in depth is considered as a key component of a comprehensive security plan. It is also
required to protect a network from session hijack attacks.
Defense in depth involves using multiple security systems or technologies in order to prevent
network intrusions. If one countermeasure fails, additional levels of protection exist in order to
safeguard the network.
IPSec
IETF developed IPSec to securely exchange packets at the IP layer. IPSec is widely deployed to
implement Virtual Private Networks (VPNs). The following are the benefits of IPSec:
It provides network-level peer authentication.
It provides replay protection.
It provides data confidentiality.
It provides data integrity.
It provides data origin authentication.
Modes of IPSec
The following are the modes of IPSec:
Transport mode: Only the payload of the original IP packet is protected; the original IP header is
kept. It is used between two end hosts.
Tunnel mode: The entire original packet is encapsulated inside a new IP packet with a new header,
and the whole inner packet is protected. It is used by VPN gateways.
NAT compatibility depends on the protocol rather than on the mode: AH fails through NAT in either
mode because its integrity check covers the IP addresses, while ESP in either mode can traverse NAT
using NAT-Traversal (UDP encapsulation, RFC 3948).
IPSec architecture
[Figure: IPSec architecture diagram; not reproduced in this text.]
IPSec authentication and confidentiality
The following security protocols are used by IPSec for authentication and confidentiality:
Authentication Header (AH): Provides integrity and data origin authentication for the packet,
including the IP header, but no encryption.
Encapsulating Security Payload (ESP): Provides confidentiality (encryption) of the payload and,
optionally, integrity and data origin authentication.
Components of IPSec
The following are the components of IPSec (as implemented on Windows 2000 and later):
IPSec Policy Agent: A Windows service that retrieves IPSec policy settings from Active Directory
(or the local registry) and applies the configuration to the system at start-up.
IPSec driver: Software that performs the protocol-level functions needed to encrypt, decrypt,
authenticate and verify packets according to the negotiated security associations.
Internet Key Exchange (IKE): The IPSec key management protocol. It authenticates the peers and
produces the security associations and keys used by IPSec and other protocols.
Oakley: A key determination protocol that uses the Diffie-Hellman algorithm to establish a master
key and per-session keys for IPSec data transfer.
Internet Security Association and Key Management Protocol (ISAKMP): The framework that defines how
two computers negotiate, establish, modify and delete security associations; it carries the
authentication and key exchange (Oakley) but does not itself encrypt the data traffic.
Session hijacking pen testing
The following actions are taken during session hijacking pen testing:
1. Use tools such as Wireshark, CACE Pilot, Capsa Network Analyzer, Windump, etc. to sniff session
traffic between two machines and look for session identifiers sent in clear text.
2. Use proxy server Trojans, which change the proxy settings in the victim's browser so that its
traffic passes through the tester's proxy.
3. Hijack the session using automated tools such as Paros proxy, Burp Suite, WebScarab, etc., by
replaying a captured session ID.
4. Decode the session ID if it is URL encoded, HTML encoded, Unicode encoded, Base64 encoded, or
hex encoded, and check whether the decoded value is predictable or reveals user information.
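Step 4, peeling the encoding layers off a captured session ID, as an added Python example (not code from the original page or from any of the tools named above). It tries the five encodings the step lists in a fixed order, stops when nothing applies, and reports the chain it found; the `wrap` helper and the sample value it produces are constructed so the example runs offline.

```python
import base64
import binascii
import html
import re
from urllib.parse import quote, unquote


def _printable(text):
    return bool(text) and text.isprintable()


def decode_url(value):
    out = unquote(value)
    return out if out != value and _printable(out) else None


def decode_html(value):
    out = html.unescape(value)
    return out if out != value and _printable(out) else None


_UNICODE_ESC = re.compile(r"(?:\\u|%u)([0-9a-fA-F]{4})")


def decode_unicode(value):
    """\\uXXXX and %uXXXX escapes (the latter is the old IIS form)."""
    if not _UNICODE_ESC.search(value):
        return None
    out = _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), value)
    return out if _printable(out) else None


def decode_hex(value):
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", value):
        return None
    try:
        out = binascii.unhexlify(value).decode("utf-8")
    except UnicodeDecodeError:
        return None
    return out if _printable(out) else None


def decode_base64(value):
    if len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return None
    try:
        out = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return out if _printable(out) else None


# Order matters: transforms that only touch escape sequences run first, so a
# percent-encoded base64 string is URL-decoded before base64 is attempted.
DECODERS = [
    ("url", decode_url),
    ("html", decode_html),
    ("unicode", decode_unicode),
    ("hex", decode_hex),
    ("base64", decode_base64),
]


def peel(value, max_layers=8):
    """Strip encoding layers until none applies. Returns the innermost value
    and the chain of encodings found, outermost first."""
    chain = []
    current = value
    for _ in range(max_layers):
        for name, fn in DECODERS:
            out = fn(current)
            if out is not None:
                chain.append(name)
                current = out
                break
        else:
            break
    return current, chain


def wrap(plaintext):
    """Constructed sample: how a server might 'protect' a structured session
    value with hex, then base64, then percent-encoding of the padding."""
    hexed = binascii.hexlify(plaintext.encode()).decode()
    b64 = base64.b64encode(hexed.encode()).decode()
    return quote(b64, safe="")
```

The printable check is what keeps the decoder from "decoding" a genuine random token that happens to look like hex or base64 into binary noise; a value that stays unchanged through all five decoders with a chain of `[]` is the case worth a closer look for entropy rather than for structure. A session value that decodes to `sid=1337;user=alice;role=user`, as in the sample, is the predictable-token case from 11.4 in its purest form.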
Chapter Summary
In this chapter, we learned about session hijacking, key session hijacking techniques, the session
hijacking process, types of session hijacking, and session sniffing. This chapter focused on
man-in-the-middle, man-in-the-browser, client-side, and cross-site script attacks, and on
countermeasures against session hijacking.
Glossary
Brute force attack
In a brute force attack, the attacker uses software that tries a large number of key combinations in
order to get a password.
Client-side attack
A client-side attack uses the inexperience of the end-user for creating a foothold in the user's
machine, and therefore, the network.
Man-in-the-browser
Man-in-the-browser (MitB) is a Trojan that is used to infect a web browser.
Man-in-the-middle attacks
Man-in-the-middle attacks occur when an attacker successfully inserts the intermediary software
or program between two communicating hosts.
Network-level hijacking
Network-level hijacking is the interception of packets during transmission between a client and
the server in a TCP/UDP session.
Session fixation
Session fixation is a type of attack technique that forces a user's session ID to an explicit value.
Session hijacking
Session hijacking is the exploitation of a valid computer session sometimes also called a session
key to gain unauthorized access to information or services in a computer system. In particular, it
is used to refer to the theft of a magic cookie used to authenticate a user to a remote server.
Source routed packets
The source routed packets technique is used to gain unauthorized access to the computer with the
assistance of the trusted host's IP address.
TCP/IP hijacking
TCP/IP hijacking uses spoofed packets to take over a connection between a victim and a target
machine.