Session hijacking: all you need to know

Mikaela Bray
Mikaela Bray | Contributing Writer
Last updated: January 5, 2021
masked person
Disclaimer: Affiliate links help us produce good content. Learn more.

Session hijacking may seem obscure and technical at first, but it’s a common form of cyber attack, and can be a devastating weapon for fraudsters, thieves, spoofers and malicious government agents alike. So it’s good to know a basic session hijacking definition and how these kind of attacks work.

Why should we care about the answer to what is session hijacking? Well, there are plenty of reasons. But the most important from a user’s perspective is simply security.

If you’ve ever had your Facebook, email login or Twitter accounts hacked mysteriously by an outside source, there’s a good chance that TCP session hijacking was to blame. And the without understanding a basic session hijacking definition, it could easily happen again, and again. So let’s get into more detail about what hijacking is, how attacks are mounted, and how we can protect ourselves online.

What is session hijacking?

Firstly, session hijacking involves taking over “sessions”. By this, we mean the connections established by websites and other online services with users’ computers or mobile devices. When you visit a website or start a stream, you technically initiate a session, where permission is granted to exchange information or allow access.

When you browse websites, this permission will often be negotiated through the use of session cookies, which contain information about your login details and user preferences. Your actual password may be encrypted by most sites, but information sent via cookies often isn’t. And when you use unsecured wi-fi networks, this information is pretty much free to exploit.

There are a couple of different ways to refer to session hijacking that are important to know about. Firstly, TCP session hijacking focuses on the Transmission Control Protocol, which deals with ordinary web page connections.

When a hijacker gains access to TCP sessions, they can basically imitate the user flawlessly, using their privileges to do anything the user could do, such as sending Twitter messages. This process is also often referred to as cookie hijacking, because TCP attacks target session ID cookies, which set up users’ connections with remote websites.

How do session hijackers carry out their attacks?

man programming binary code

Session hijacking itself is a technical process, but there’s no shortage of hackers around the world with the capabilities to carry it out successfully.

The core of most session hijacks is a practice known as “sniffing.” This uses special software tools to monitor packets being sent from hosts to clients and detects which packets contain session cookies. Tools like Wireshark are able to locate these cookies based around the inclusion of keywords like “GET”, but this is only half of the challenge.

The next phases in a cookie hijacking attack is to use the cookie information procured by sniffing. Sadly, this isn’t that difficult by using tools like Firesheep. These browser add-ons synch up to unsecured networks and tell users exactly who is connected to sites like Facebook nearby. After that, hackers can easily spoof these users’ identity and take on their roles.

What’s the difference between passive and active session hijacking?

Experts also often include the terms “active” and “passive” in their session hijacking meaning. In active attacks, hackers take direct control over clients’ computers, and can pose as the user on any network. Because this type of attack will generally be noticeable when the attacker has succeeded, they will often be accompanied by DoS (denial of service) attacks which render the targets unable to respond – not a nice place to be.

Hackers can build up profiles of individual users and plan future attacks wuth brutal precision.

Passive attacks involve the ability to eavesdrop and monitor the users’ online activity. With the information gathered from a passive attack, hackers can build up profiles of individual users and plan future attacks with brutal precision. Both forms of session hijacking can be devastating and are very hard to detect before it’s too late.

Understanding cross-site scripting

Sometimes, these forms of TCP session hijacking aren’t the problem. Instead, users can fall victim to a related but distinct exploit known as cross-site scripting or XSS.

XSS works by implanting malicious code known as client-side scripts into target websites. These “vectors” are able to carry out similar attacks to session hijacking, providing users click on relevant links, which can be delivered via phishing emails or search engine results. When malicious code is executed, it can access session cookies, delivering sensitive information straight into the hands of hackers.

Any page relying on heavy doses of JavaScript is thought to be extremely vulnerable to this form of hijacking.

However, not all websites are suitable targets for cross-site scripting. They have to include a degree of user input, whether that’s in the form of a search field or a MacroMedia Flash application or Java applet. In fact, any page relying on heavy doses of JavaScript is thought to be extremely vulnerable to this form of hijacking.

Can you prevent session hijacking?

As we’ve seen in our session hijacking meaning and exploration of cross-site scripting, both forms of attack pose serious online threats. So the natural response is to ask how we can reduce the risk of falling victim to these malicious hacking techniques?

The major source of vulnerability involves unsecured wi-fi networks.

With session hijacking, it’s important to understand that the major source of vulnerability involves unsecured wi-fi networks. If you regularly use coffee shop or library networks to work or surf the web, it’s vital to take extra security measures to prevent hijacking.

Part of this involves keeping your antivirus and anti-malware tools up to date as much as possible. But exercising caution when using social media on unsecured networks is also important.

Use HTTPS instead of pure HTTP, which adds an extra layer of encryption.

Website or network managers can also take steps to prevent session hijacking. For instance, they can use HTTPS instead of pure HTTP, which adds an extra layer of encryption on traffic passing to and from their sites. And they can brush up their SSL setup, adding certificates and tools like Force SSL to make sure all cookies are transferred via encryption.

Preventing cross-site scripting could involve techniques like SQL injection and blacklisting certain forms of code, as well as sanitizing user input. Basically, it requires being very, very careful about what code is passed to users, especially if user input is a major part of a site’s code. Static testing of websites can also help though, although this adds to costs and isn’t used routinely.

As we’ve seen, it’s not always possible to prevent session hijacking, but there are measures users and site managers can take to minimize the probability of TCP session hijacking being successful.

From a user’s perspective, there often isn’t much you can do about XSS or hijacking. But you can take steps to minimize risk, such as being careful when using unsecured networks.

At the end of the day, staying safe is a matter of exercising caution about the networks you use and the sites you visit. While updating virus checkers, using only best VPNs, checking site certificates can only go so far, they can make a big difference to how vulnerable you are in a dangerous online world.

Leave a Reply

Your email address will not be published.

  1. namemecuteness

    I was just wondering if WannaCry is classified as a seasonal hijacking.

  2. Clyde

    This really hit home for me because I often hang around coffee shops, writing and getting other work done. It’s easier for me to do things this way but I wasn’t aware there were so many dangers lurking online. I will do my best to reduce risks and improve security from now on. Thank you!

  3. Rapahel

    Does using a good VPN like Nord prevent this? Althogh I have never experienced it before

    1. avatar
      Mikaela Bray Author

      Yes, a good VPN, such as Nord, would indeed protect you from session hijacking.

  4. twentyonefive

    I’ve started using HTTPS for all my sites instead of pure HTTP. Most web hosts now enable it by default and it is totally free to go for https. I’ve never experienced a session hijacking though, Thankfully!

Table of Contents:
Thanks for your opinion!
Your comment will be checked for spam and approved as soon as possible.