paint-brush
Glossary of Security Terms: Session Hijackingby@mozilla
215 reads

Glossary of Security Terms: Session Hijacking

by Mozilla ContributorsSeptember 11th, 2020
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

Mozilla (stylized as moz://a) is a free software community founded in 1998 by members of Netscape. In TCP session hijacking, an attacker gains access by taking over a TCP session between two machines in mid session. The attacker steals a valid session ID in order to break into the system and snoop data. This is because there are no account lockout for invalid session IDs or a weak session-ID generation algorithm. It is possible to create a secure communication channel with SSH (secure shell)

Company Mentioned

Mention Thumbnail
featured image - Glossary of Security Terms: Session Hijacking
Mozilla Contributors HackerNoon profile picture

Session hijacking occurs when an attacker takes over a valid session between two computers. The attacker steals a valid session ID in order to break into the system and snoop data.

Most authentication occurs only at the start of a TCP session. In TCP session hijacking, an attacker gains access by taking over a TCP session between two machines in mid session.

Session hijacking occurs because

  • no account lockout for invalid session IDs
  • weak session-ID generation algorithm
  • insecure handling
  • indefinite session expiration time
  • short session IDs
  • transmission in plain text

Session hijacking process

  1. Sniff, that is perform a man-in-the-middle (MITM) attack, place yourself between victim and server.
  2. Monitor packets flowing between server and user.
  3. Break the victim machine's connection.
  4. Take control of the session.
  5. Inject new packets to the server using the Victim's Session ID.

Protection against session hijacking

  • create a secure communication channel with SSH (secure shell)
  • pass authentication cookies over HTTPS connection
  • implement logout functionality so the user can end the session
  • generate the session ID after successful login
  • pass encrypted data between the users and the web server
  • use a string or long random number as a session key

Learn more

General knowledge

View Previous Terms: