Session IDs are a tasty treat for malicious hackers. Once an attacker gets their hands on a session ID, they can get unauthorized access to a web application and fully impersonate a valid user. In general, there are three primary methods to obtain a valid session ID:
- Guessing a valid session ID (session prediction)
- Creating a valid session ID and tricking the user into using it (session fixation)
- Obtaining a valid session ID from a user (session hijacking)
Note: Some sources perceive prediction and fixation not as separate types of attacks but as methods of session hijacking.
Most methods focus on session cookies because they are used most commonly to carry session IDs. However, these methods are not limited to cookie hijacking, as many apply equally to session tokens sent in other parts of HTTP requests, such as custom request headers or the request body.
A session ID must be unique and should be hard to guess. That’s why in most cases session IDs are simply long, randomly generated numbers. However, not every developer uses secure, renowned session management libraries. Some decide to generate session IDs themselves and don’t do it too well.
Session prediction attacks are, in general, all attacks that attempt to guess a valid session ID (of any user) on the basis of how such IDs are generated. For example, a developer might decide to use a base64-encoded Epoch time as a session identifier. Therefore, a valid session ID would look like MTU4MDMwMDE1OQ==. If the attacker figures out this algorithm, they can attempt to guess a valid session token by trying different Epochs and base64-encoding them.
A brute-force attack could also be considered a form of session prediction. If the session key is short and the web server is not protected against multiple attempts, the attacker may try all possible values one by one until they get one that works.
Session fixation takes place when the attacker generates a valid session ID that has not yet been used and then provides it to the user, who then uses it to authenticate. The attacker must first figure out what format of session IDs is valid and then use social engineering such as phishing or a similar attack technique to trick the user into clicking the login link and providing their credentials, thus associating the session ID with the account.
To learn more about session fixation, have a look at our article What is Session Fixation.
The term session side-jacking is used to describe man-in-the-middle attacks (MITM) that are performed to steal the session. The attacker listens in on the communication between the web server and the client and intercepts valid session IDs.
There are many session side-jacking techniques that rely on different MITM attack techniques. In the simplest case, when traffic is not encrypted, all it takes is a simple sniffer working in the same local network as the client, capturing packets and monitoring the network traffic of the user’s connections. This is especially common in the case of public Wi-Fi networks.
If the website or web application uses exclusively encrypted connections, simple session sniffing won’t do, but there are other tricks that may be attempted. To learn more about them, have a look at our article All That You Need to Know About Man-in-the-Middle Attacks.
Cross-site Scripting (XSS)
To learn more about Cross-site Scripting, have a look at our articles: Cross-site Scripting (XSS) and Types of XSS.
Attackers may also use other methods to obtain session information. For example, they may attempt to infect user computer systems with malware such as trojans. An example of this may be the man-in-the-browser attack, where session identifiers are stolen directly from the user’s web browser.
Defending against Session Hijacking and Similar Attacks
To keep your session IDs safe, follow these rules:
- Don’t think up ways to generate sessions yourself. Use secure tools available in popular frameworks.
- Enforce HTTPS use on all your pages, not just the login page. For example, use HSTS, and set the Secure flag for session cookies.
- Change the session ID after the user logs in.
- Log out inactive users and invalidate session IDs after a time.
- Set the HttpOnly flag for session cookies.
- Regularly scan your website or web application with a vulnerability scanner like Acunetix to discover potential Cross-site Scripting vulnerabilities (and more).
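The rules above, combined into a small worked example (added here; it is not the article's or any framework's code): session IDs come from the OS CSPRNG instead of a timestamp, the ID is rotated at login so a fixated pre-login ID is never upgraded to an authenticated one, idle sessions are invalidated, and the Set-Cookie value carries the Secure and HttpOnly flags. The SessionStore class, its clock parameter and the cookie name are hypothetical placeholders for what a real framework provides.

```python
import secrets
import time
from typing import Optional

SESSION_ID_BYTES = 32           # 256 bits from the OS CSPRNG, not a timestamp or counter
IDLE_TIMEOUT_SECONDS = 15 * 60  # sessions idle longer than this are invalidated

def new_session_id() -> str:
    """Unpredictable session ID from the OS CSPRNG (defeats session prediction)."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)

def session_cookie_header(session_id: str, name: str = "SESSIONID") -> str:
    """Set-Cookie value carrying the flags the article recommends:
    Secure (HTTPS only), HttpOnly (not readable by page scripts, limits XSS theft),
    plus SameSite=Lax so the cookie is not attached to cross-site requests."""
    return f"{name}={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"

class SessionStore:
    """Minimal in-memory store (hypothetical; a real app uses its framework's)."""

    def __init__(self, clock=time.time):
        self._clock = clock                  # injectable so timeouts can be tested
        self._sessions: dict[str, dict] = {}

    def create(self) -> str:
        """Anonymous pre-login session."""
        sid = new_session_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, old_sid: str, user: str) -> str:
        """Rotate the ID at authentication: the pre-login ID is dropped and a fresh
        one is issued, so an ID fixated by an attacker never becomes authenticated."""
        self._sessions.pop(old_sid, None)
        new_sid = new_session_id()
        self._sessions[new_sid] = {"user": user, "last_seen": self._clock()}
        return new_sid

    def lookup(self, sid: str) -> Optional[str]:
        """Return the user bound to a live session; expire idle ones on touch."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]          # idle timeout: invalidate the ID
            return None
        entry["last_seen"] = now
        return entry["user"]
```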