Select any type of session hijacking attack and explain a wh

Select any type of session hijacking attack and explain a) what weakness makes the attack possible and b) how the attack can be prevented.

Solution

Session Hijacking:

Session hijacking is a type of security attack on a user session that is running over a network connection.

This method is sometimes also referred to as cookie hijacking, where the attacker gains access to the session key and uses it to spoof the legitimate user's identity.

The most common form of session hijacking is TCP/IP session hijacking, also known as IP spoofing. In this process, the attacker uses source-routed IP packets to insert commands into a node of an active communication.

The attacker enters the communication and poses as one of the authenticated users. In a TCP/IP session, authentication is the initial step of starting the communication.

So, in session hijacking the attacker gains access through the authentication stage of the TCP session and then continues to spoof the legitimate party.

The attacker can thus gain complete access to the system and hijack the session. This type of attack can crash the system, or disrupt network connectivity and cause heavy packet loss.

Active Session Hijacking:

In active session hijacking, an authenticated session is hijacked: the user is already logged into an active session of their profile or account.

The attacker steals the session cookies and thereby takes over the active session. The original user can no longer log into their profile and is disconnected from the server.

Example :

When session hijacking is carried out over a network connection, the attacker needs your session ID and then performs their actions using that ID.

The session ID is carried in cookies. Thus, if the attacker gains access to your cookies, they replace their own cookie with yours and the session is hijacked.

Cross-site scripting (XSS) attacks are one way an attacker can obtain a user's cookie information, so session hijacking can then be carried out against the active session.

Methods to prevent session hijacking :

1) Encrypt the data traffic passed between the parties using SSL/TLS; in particular the session key (though ideally all traffic for the entire session).

This technique is widely relied upon by web-based banks and other e-commerce services, because it completely prevents sniffing-style attacks. However, other kinds of session hijack could still be possible.

2) Use of a long random number or string as the session key. This reduces the risk that an attacker could simply guess a valid session key through trial and error or brute force attacks.

3) Regenerate the session ID after a successful login. This prevents session fixation, because the attacker does not know the session ID of the user after they have logged in.

4) Some services make secondary checks against the identity of the user.

For instance, a web server could check with each request that the IP address of the user matches the one last used during that session. This does not prevent attacks by somebody who shares the same IP address, however, and could be frustrating for users whose IP address is liable to change during a browsing session.
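The following is an added example, not part of the tutor's solution, showing how a server-side session store can apply the four mitigations listed above together with cookie attributes that blunt the XSS cookie-theft path described in the example section. The `SessionStore` class, its method names and the sample IP addresses are assumptions made for illustration; the store is an in-memory dictionary rather than a real framework's session backend.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Hypothetical minimal server-side session store (added example, not from the page).
# It applies the page's mitigations: long random session IDs (2), ID regeneration on
# login (3), Secure/HttpOnly cookie attributes (1), and an optional client-IP check (4).

SESSION_ID_BYTES = 32  # 256 bits of entropy drawn from the OS CSPRNG


@dataclass
class Session:
    user: Optional[str]          # None until the client authenticates
    client_ip: str               # IP address seen when the session was created
    created: float = field(default_factory=time.time)


class SessionStore:
    def __init__(self, bind_ip: bool = True):
        self._sessions: Dict[str, Session] = {}
        self.bind_ip = bind_ip

    @staticmethod
    def new_id() -> str:
        # secrets.token_urlsafe returns a URL-safe base64 string; with 32 random
        # bytes the guess space is 2**256, so trial-and-error guessing is infeasible.
        return secrets.token_urlsafe(SESSION_ID_BYTES)

    def create(self, client_ip: str) -> str:
        """Start an anonymous (pre-login) session and return its ID."""
        sid = self.new_id()
        self._sessions[sid] = Session(user=None, client_ip=client_ip)
        return sid

    def login(self, old_sid: str, user: str, client_ip: str) -> str:
        """Authenticate and rotate the session ID (mitigation 3, session fixation).

        The pre-login ID is discarded, so anything that learned it before the user
        authenticated (a fixated or leaked value) is useless afterwards.
        """
        self._sessions.pop(old_sid, None)
        new_sid = self.new_id()
        self._sessions[new_sid] = Session(user=user, client_ip=client_ip)
        return new_sid

    def lookup(self, sid: str, client_ip: str) -> Optional[Session]:
        """Resolve a session ID presented by a client, or None if it is not valid."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        # Mitigation 4: secondary identity check. As the page notes, this also
        # rejects legitimate users whose IP changes mid-session and does not stop
        # an attacker who shares the same IP, so it is optional here.
        if self.bind_ip and sess.client_ip != client_ip:
            return None
        return sess


def set_cookie_header(sid: str) -> str:
    """Build the Set-Cookie header value for a session ID.

    Secure: sent only over TLS (mitigation 1). HttpOnly: not readable by page
    script, which blunts the XSS cookie-theft path. SameSite=Lax: limits the
    cookie being sent on cross-site requests.
    """
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    pre = store.create("203.0.113.5")          # constructed sample client IP
    post = store.login(pre, "alice", "203.0.113.5")
    print("pre-login ID still valid after login?", store.lookup(pre, "203.0.113.5") is not None)
    print("post-login ID valid from another IP?", store.lookup(post, "198.51.100.9") is not None)
    print(set_cookie_header(post))
```

Running the block shows that the pre-login ID stops working once the user logs in and that a request carrying the post-login ID from a different IP is refused when `bind_ip` is enabled; constructing `SessionStore(bind_ip=False)` gives the looser behaviour the page describes as friendlier to users whose address changes.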


Tutor: Dr Jack