In a world where Internet users are primed to be vigilant about numerous scams and cyberattacks, from phishing to fake pop-up ads, a little-known problem is session hijacking.
Much like the name suggests, session hijacking involves someone taking over your website session, allowing them to act on your behalf and take over your online account. The possible repercussions are many: identity theft, fraudulent purchases, an empty bank account, or even stolen company data. Not good.
But how is session hijacking possible, and what can you do to prevent it from happening? Read on to find out how to prevent session hijacking, whether you’re a website owner or just browsing the web.
But first, let’s cover what a session actually is.
What is a session?
When you visit or log in to a website, something known as a session begins. A session tracks the user’s interactions with the site within a specific timeframe, whether that be browsing, making a purchase, or sending a message. These sessions provide website owners with useful data about user behavior and are a means to store individual user data against a unique Session ID. A session can either end after the person leaves or logs out of the site, or after a predefined length of time.
The downside of sessions is what can happen if someone gets their hands on your session ID. Having access to that information is how session hijacking is carried out.
How session hijacking works
Once a session begins, a temporary cookie is placed in the user’s browser for the duration. For someone to hijack your session, they must either steal this cookie to find out your session ID (which is why session hijacking is sometimes called cookie hijacking) or access your session ID in another way. Once the attacker has their hands on the Session ID, they can use it in their own browser and fool the website server into thinking that they are the user.
There are numerous ways for session hijacking to play out. Here are the three most common ways that malicious actors get their hands on session IDs:
- Cross-site scripting
The most widespread method of session hijacking, cross-site scripting involves injecting client-side (browser) scripting into web pages by exploiting server vulnerabilities the website owner is likely unaware of. These scripts cause the browser to unknowingly execute malicious code when loading a web page, because the browser thinks the data is coming from a trusted server. The attackers often trick users into visiting the malicious version of the web page via links in emails or instant messages. Once a user clicks the link, the attacker has access to their session ID.
- Session fixation
This method of session hijacking also involves the use of malicious links. For session fixation to work, the attacker needs to find a website with a vulnerable server on which they can “fixate” or set another user’s session ID. This kind of vulnerable server doesn’t assign a new session ID to a user but allows them to use an existing one. The attacker sends the user a hyperlink featuring the existing Session ID. When the user clicks on it, they will be authenticated with that Session ID, and the attacker can hijack the session using the same link.
- Session sniffing
If a website doesn’t have an SSL certificate, the connection between the user’s browser and the server is not encrypted, which means that all data sent between the two is in plaintext. In this instance, the attacker can easily access the session ID by using something known as a packet sniffer to capture data packets sent across the network connection. Packet sniffers can also be used on public Wi-Fi networks that don’t have authentication measures in place.
How to prevent session hijacking
Preventing session hijacking isn’t rocket science. Common sense and good security can go a long way.
Here are a few best practices for website owners:
- Get an SSL certificate. Make sure your whole website is secured by an SSL certificate, and not just login and payment pages. By encrypting connections to your entire site, you can completely prevent session sniffing.
- Harden your back end and keep everything up-to-date: Use good antivirus and malware protection and update your website software regularly to protect your site and its users from any unexpected vulnerabilities. Check out this blog post for more advice.
- Make sure you issue long, random session IDs and that they are regenerated after each session: Contact your systems administrator for assistance or follow this guide.
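As an added example (not code from the original post), here is a minimal Python session handler that puts the fixation-prone pattern described under “Session fixation” beside the hardened handling the last best practice above calls for: long, random, server-generated session IDs, a fresh ID issued on login so a fixated one stops working, and expiry. The cookie helper goes slightly beyond the post’s text by setting the Secure and HttpOnly attributes, which keep the cookie off plaintext connections and out of reach of injected scripts. The `SessionStore` class and helper functions are assumptions of this example, not any framework’s API.

```python
import secrets
import time

SESSION_ID_BYTES = 32  # 256 bits of randomness: far too long to guess or brute-force


class SessionStore:
    """In-memory session store (constructed for this example) that resists fixation."""

    def __init__(self, ttl_seconds=1800):
        self.ttl = ttl_seconds
        self.sessions = {}  # session_id -> {"user": ..., "created": ...}

    def _new_id(self):
        # Long, random, URL-safe ID generated by the server, never by the client.
        return secrets.token_urlsafe(SESSION_ID_BYTES)

    def resolve(self, presented_id):
        """Return the session for a presented cookie value, or None.
        IDs the server did not issue are never adopted, so an attacker cannot
        plant ("fixate") an ID of their choosing via a crafted link."""
        s = self.sessions.get(presented_id)
        if s is None or time.time() - s["created"] > self.ttl:
            self.sessions.pop(presented_id, None)  # drop expired entries
            return None
        return s

    def login(self, presented_id, username):
        """On successful authentication always issue a fresh ID and discard the
        old one, so any ID known to a third party is useless after login."""
        self.sessions.pop(presented_id, None)
        new_id = self._new_id()
        self.sessions[new_id] = {"user": username, "created": time.time()}
        return new_id

    def logout(self, presented_id):
        self.sessions.pop(presented_id, None)


def vulnerable_login(store, presented_id, username):
    """The fixation-prone pattern: keep whatever ID the client presented."""
    sid = presented_id or store._new_id()
    store.sessions[sid] = {"user": username, "created": time.time()}
    return sid


def set_cookie_header(session_id):
    """Set-Cookie value: Secure = sent only over HTTPS (defeats sniffing);
    HttpOnly = not readable by page scripts (blunts XSS cookie theft)."""
    return f"sid={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"
```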
Regular web users can protect themselves by doing the following:
- Treat all links with suspicion: We’ve discussed phishing before on the SSLs blog, and much of the same advice applies here. If you receive an unexpected email allegedly from a known person or company asking you to log in or make any changes to your account, approach with caution. Never log in via the link; instead, go to the official website address yourself.
- Install adequate malware protection: Some forms of session hijacking can occur through downloaded malware, so ensure your computer is protected.
- Clear your browser cookies regularly: This will help prevent cookie stealing and session hijacking if any sites you visit are vulnerable.