There are many security concerns when it comes to client-side use of any web application just as there are for the business providing the online service. Session hijacking is just such an issue.
It is the malicious act of taking control of user session after successful generation or obtainment of an authentication session ID. Session hijacking typically involves use of captured, forced, or reversely engineered session Ids by the attacker. The goal: to take control of the session in progress from a legitimate user’s web application session.
Types of Session Hijacking
Session hijacking is split into two types, active and passive session hijacking. The main difference between these two types is the degree of hacker’s involvement in the attack. Another essential difference between the two types of session hacking are:
Active Session Attacks
The hacker finds and takes over an active session, i.e. the session is still in progress.
Passive Session Attacks
The hacker hijacks a session but sits back, observes and records incoming traffic.
There are a number of ways user-side web application session token could be compromised. The most common are:
- Session sniffing
- Predictable session token
- Client-side attacks (Trojans, malicious JavaScript codes, XSS, etc)
- Man-in-browser attacks
- Man-in-middle attacks
Following are some helpful techniques that can be used to avoid session hacking.
Side-jacking
SSL is used commonly to protect login pages by many websites today however applying a standard, unencrypted HTTP protocol after client’s authentication is also not a good idea. Why? Hacker can read the unencrypted HTTP traffic (passing between server and client) and steal its session cookie very easily. Of course the session hijacker must also have access to the same network as authenticated client’s or know/guess name of session cookie.
You must understand how this works and employ an effective strategy after consulting with Lean Security.
Network Security
Often the first and only line of defence against session hacking is network security. You know that all non-encrypted HTTP communications can easily be hijacked. Employ only trusted and reliable people for gaining access to oncoming and going traffic. This will significantly reduce the threat of session hijacking.
Another issue online businesses must look into is client’s connection with vulnerable points such as public networks. Anyone can connect and capture communication on unprotected private WLAN access points. Effective steps must be taken to ensure all access and connection points are secure.
Adopting a rigid and strict stance when it comes to your web application’s security is the only way forward. Session hijacking is an extremely grave cybercrime that adversely affects businesses and their reputations along with misuse of untold amounts of sensitive client data. Take the right steps towards better security by undergoing your web application through a security health check by Lean Security!