Before going forward with session hijacking, let's first look at what a session is. A session is identified by a unique token that ties together a series of interactions between a client (browser) and a server. The session is used to store the user’s information on the client side.
So, session hijacking is a form of attack in which a cyber criminal or attacker steals or manipulates the session token to gain unauthorized access to a user’s web session or services.
Most of the world relies on the internet for banking, shopping, social networking, healthcare and so on. By hijacking a user’s session on a particular website, the attacker can steal sensitive information, commit fraud and leak information on the dark web.
Session hijacking involves an attacker obtaining a valid session token through techniques such as brute force, manipulating the session ID, predicting the session ID by analysing how random it is, or reverse engineering the session ID.
For example, an attacker can brute force the session tokens in URLs like the following:
Session 1 - https://www.xyz.com?session=abc123456ABC
Session 2 - https://www.xyz.com?session=bcd123456BCD
Some common techniques used by attackers to achieve session hijacking are as follows:
Predictable session token / Session Fixation
Session sniffing / Session side jacking
Cross-site scripting (XSS) attack
Malware attack
Brute force
Successful session hijacking can lead to unauthorized access to the user’s account, theft of the user’s sensitive information, financial loss to the user and to the organization, and reputational damage to the organization.
Prevention against session hijacking:
Use of long and random session tokens and cookies.
Implementing strong session management mechanisms.
Secure coding practices to mitigate XSS and other session-related vulnerabilities.
Use of TLS/SSL certificates on the website.
Use of MFA, a VPN and automatic logout from the application when not in use provide an extra layer of security.
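The prevention points above (long random tokens, strong session management, automatic logout) as a small server-side session store; this is an added example, not code from the original article or any particular framework, and the cookie name `__Host-session` is a constructed placeholder. Tokens come from the OS CSPRNG, only their hash is kept server-side, the token is rotated at login or privilege change (which defeats session fixation), idle sessions expire, and the cookie attributes keep the token out of the URL, out of reach of scripts, and off plaintext HTTP.

```python
import hashlib
import secrets
import time
from typing import Optional

# Added example, not any framework's own code; the cookie name is a constructed placeholder.
IDLE_TIMEOUT_SECONDS = 15 * 60  # automatic logout after 15 minutes idle

def new_token() -> str:
    """256 bits from the OS CSPRNG: never a counter, timestamp or user id."""
    return secrets.token_urlsafe(32)

def _fingerprint(token: str) -> str:
    """Store only a hash so a leaked server-side store does not yield live tokens."""
    return hashlib.sha256(token.encode()).hexdigest()

class SessionStore:
    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be tested
        self._sessions = {}  # fingerprint -> {"user": ..., "last_seen": ...}

    def create(self, user: str) -> str:
        token = new_token()
        self._sessions[_fingerprint(token)] = {"user": user, "last_seen": self._now()}
        return token

    def lookup(self, token: str) -> Optional[str]:
        """Return the user for a live token; None if unknown or idle past the timeout."""
        fp = _fingerprint(token)
        entry = self._sessions.get(fp)
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[fp]  # idle logout: the stale token no longer works
            return None
        entry["last_seen"] = self._now()
        return entry["user"]

    def rotate(self, old_token: str) -> Optional[str]:
        """Issue a fresh token at login or privilege change, so a fixed token dies."""
        user = self.lookup(old_token)
        if user is None:
            return None
        del self._sessions[_fingerprint(old_token)]
        return self.create(user)

def set_cookie_header(token: str) -> str:
    """Keep the token in a cookie (not the URL), off script and off plaintext HTTP."""
    return (f"__Host-session={token}; Path=/; Secure; HttpOnly; SameSite=Lax; "
            f"Max-Age={IDLE_TIMEOUT_SECONDS}")
```

Compare the generated tokens with the sequential `abc123456ABC` / `bcd123456BCD` pattern from the example URLs: a guess built from one observed token has no better chance than any other 256-bit value.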
Helpful resources: