Session Management / Session Hijacking

Web and API

Description

Session Hijacking is an attack in which a malicious user gains access to a session between two or more parties, such as a web server and a user. The Common Weakness Enumeration (CWE) directory classifies it as a form of Session Management vulnerability (CWE-384). It is often considered a subset of hijacking in general, as it involves taking control of a session between two parties and redirecting it to a malicious actor. The attack can be used to gain access to sensitive information or to carry out malicious activities. According to the OWASP Testing Guide, session hijacking is often used in conjunction with other attack methods, such as Cross-Site Scripting (XSS) and SQL Injection.

Risk

Session hijacking is a serious vulnerability because it can be used to gain access to sensitive information or to carry out malicious activities. It is considered a high-risk vulnerability and should be addressed as soon as possible. Session hijacking attacks can also be difficult to detect, since they redirect a legitimate session to a malicious actor and the hijacked session otherwise looks like the legitimate user's.

Solution

The best way to mitigate session hijacking is to ensure that authentication is always required when a session is established, for example by implementing multi-factor authentication or by using strong passwords and other security measures. Additionally, all sessions should be encrypted, and proper logging and monitoring should be in place to detect any suspicious activity.

Example

A common example of a session hijacking attack is Cross-Site Request Forgery (CSRF). In this attack, the attacker causes a malicious request to be sent to a web page on which the victim is authenticated, so that the page accepts the attacker's request as if it came from the legitimate user. An example of a CSRF attack is shown below:

<html>
   <body>
      <form action="http://victim.example.com/transfer.php" method="POST">
         <input type="hidden" name="amount" value="5000" />
         <input type="hidden" name="destination" value="attacker_account" />
         <input type="submit" value="Transfer" />
      </form>
   </body>
</html>

In this example, the attacker sends a malicious request to the victim's web page, which causes the page to accept the attacker's request as if it came from the legitimate user. Once the request is accepted, the attacker can transfer funds to their own account.
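A server-side countermeasure for the forged transfer above, as an added example in Python that is not the page's own code: the session store, the `transfer.php` handler (`handle_transfer`) and the cookie names are hypothetical. It regenerates the session id on login, binds a CSRF token to the session, and rejects the attacker's form, which carries the victim's cookie but no token.

```python
import hmac
import secrets

# Hypothetical in-memory session store: session id -> {"user", "csrf"}
SESSIONS = {}


def login(username):
    """Issue a brand-new session id on authentication (never reuse a pre-login
    id, which is the session fixation weakness, CWE-384) plus a per-session
    CSRF token that only the legitimate page can embed in its forms."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return sid


def session_cookie_header(sid):
    """Cookie attributes: Secure (sent over TLS only), HttpOnly (not readable
    by script), SameSite=Strict (not attached to a cross-site POST such as
    the attacker's form)."""
    return f"session={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"


def handle_transfer(cookies, form):
    """Server side of the transfer endpoint: require an authenticated session
    and a CSRF token matching the one bound to that session."""
    sess = SESSIONS.get(cookies.get("session"))
    if sess is None:
        return 401, "no authenticated session"
    token = form.get("csrf_token", "")
    # Constant-time comparison so token checking does not leak timing
    if not hmac.compare_digest(token, sess["csrf"]):
        # Worth logging: a POST with a valid session but no/invalid token
        return 403, "csrf token missing or invalid"
    return 200, f"{sess['user']} sent {form['amount']} to {form['destination']}"


def forged_request(sid):
    """Constructed: the page's attacker form as the server would see it if the
    browser attached the victim's cookie. The form has no csrf_token field."""
    forged_form = {"amount": "5000", "destination": "attacker_account"}
    return handle_transfer({"session": sid}, forged_form)


def legitimate_request(sid):
    """Constructed: a form rendered by the real page, which embeds the token."""
    form = {"amount": "5000", "destination": "savings",
            "csrf_token": SESSIONS[sid]["csrf"]}
    return handle_transfer({"session": sid}, form)
```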
