Kylie Addison Sabra
December 20, 2019
Session Hijacker has a nose for cookies–and opportunity. Turns out he’s a pretty popular old dog. As I was researching this article, my search for “session hijacking” netted a lovely tutorial on how to do it–right there on page one. It wasn’t even an ad. By page two, there were more session hijacking how-tos than there were methods to defeat the beast. As if that’s not enough, by page three, I could buy all the tools needed to engage in the crime. Clearly these URLs are getting an incredible number of clicks and shares to achieve such high organic rankings. Scary thought. Isn’t it?
What’s the attraction? Cookies!
Session Hijacker is utterly obsessed with cookies–stealing them, that is. They leave a nice trail of crumbs leading right to your session ID. Once he has sniffed out your session ID he does not need your password at all: the site treats anyone who presents that ID as the user who logged in. He can become you for as long as that session stays valid, right away or at his convenience. As a result, he can revel in a rambunctious shopping rampage. Or, he can send money from your bank account to his. He can even download or delete whatever files sit behind that login.
Two types of session hijacking
In an active attack the hijacker takes over the session and drives it himself, much like having someone reach right through your monitor and grab the keyboard. You are likely to notice, because your own connection gets dropped or starts misbehaving. Consequently, these efforts are often accompanied by a denial-of-service (DoS) attack against you, to render you helpless to respond, force you offline and keep you from reconnecting and reclaiming the session while he uses it.
In a passive attack the hijacker only watches: he sniffs your traffic, records session IDs and whatever else goes by, and saves it for later use. Over time, he can gather data on numerous victims and strike with vicious precision when the mood hits, which is why a session ID that has been exposed should be treated as usable by him until that session actually expires or is logged out.
Give me a grande, skinny mocha, my smart phone and a comfy seat in the corner of my favorite coffee shop and I can be in the zone for hours. There was a time I’d happily pay my bills on my bank app, do my Amazon shopping and peruse social media. Yes. There was a time, but no more.
How do they do it?
The textbook version is called session fixation. Instead of stealing your session ID, the attacker hands you the one he wants you to use, in either a URL or a cookie. There are many ways to get that URL in front of you, including social media and email. When you’re checking your email or Facebook, etc., you may find a fun link asking you to vote on something, or any other request that requires you not only to click on the link, but to log in as well. This only works on a site that accepts a session ID supplied by the visitor (for example in a query parameter) and keeps using that same ID after you log in.
All the session hijacker needs is for you to log in. Once you do, there are two browsers sharing one authenticated session–the one he set up for you–and the site cannot tell them apart. Consequently, he is in control. He is now you!
The cookie variant is similar: he plants his chosen session ID in a cookie, typically with a script injected through a flaw in the website (cross-site scripting, covered next), then posts or emails the URL and waits for you to click on it. When you do, you receive the cookie he has baked just for you with his session ID in it, and the process proceeds as above. He is in control and you may not even know it. The fix lives on the site’s side: issue a brand-new session ID at the moment of login and refuse to honor any ID the server itself never handed out.
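To make the mechanics concrete, here is an added Python model of both halves of the attack, written for this article rather than taken from any real site or framework. A vulnerable server adopts whatever session ID the client presents and keeps it across login; a hardened one honors only IDs it minted itself and issues a fresh ID the moment the user authenticates. The user store, the password and the session-ID format are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed user store for the example; a real server keeps password hashes.
USERS = {"alice": "correct horse battery staple"}


def check_password(user: str, password: str) -> bool:
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode()
    )


@dataclass
class Session:
    user: Optional[str] = None  # None until the user logs in


class FixableSessionServer:
    """Vulnerable model: adopts any session ID the client presents and keeps
    that same ID across login. Both habits are what session fixation needs."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def request(self, client_sid: Optional[str]) -> str:
        """Handle a plain page visit; returns the ID the response sets as a cookie."""
        if client_sid is None:
            client_sid = secrets.token_urlsafe(32)
        # Flaw 1: an unknown, possibly attacker-chosen ID becomes a live session.
        self.sessions.setdefault(client_sid, Session())
        return client_sid

    def login(self, sid: str, user: str, password: str) -> str:
        if not check_password(user, password):
            raise PermissionError("bad credentials")
        # Flaw 2: the pre-login ID is simply promoted to an authenticated one.
        self.sessions.setdefault(sid, Session()).user = user
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        session = self.sessions.get(sid)
        return session.user if session else None


class HardenedSessionServer(FixableSessionServer):
    """Fix: honor only server-minted IDs, and on login destroy the pre-login
    session and mint a fresh ID, so a planted ID never becomes authenticated."""

    def request(self, client_sid: Optional[str]) -> str:
        if client_sid is not None and client_sid in self.sessions:
            return client_sid
        new_sid = secrets.token_urlsafe(32)  # unknown client IDs are ignored, not adopted
        self.sessions[new_sid] = Session()
        return new_sid

    def login(self, sid: str, user: str, password: str) -> str:
        if not check_password(user, password):
            raise PermissionError("bad credentials")
        self.sessions.pop(sid, None)  # the ID the attacker may know dies here
        new_sid = secrets.token_urlsafe(32)  # rotate the ID at the privilege change
        self.sessions[new_sid] = Session(user=user)
        return new_sid


def run_fixation(server: FixableSessionServer) -> Optional[str]:
    """Play the attack through; returns what the attacker sees when he asks whoami."""
    # 1. The attacker visits the site himself and receives a valid, logged-out ID.
    planted_sid = server.request(None)
    # 2. He sends the victim a link carrying that ID; the victim's browser
    #    now presents it on every request.
    victim_sid = server.request(planted_sid)
    # 3. The victim logs in with the planted ID still in place.
    server.login(victim_sid, "alice", USERS["alice"])
    # 4. The attacker replays the ID he planted.
    return server.whoami(planted_sid)


if __name__ == "__main__":
    print("vulnerable:", run_fixation(FixableSessionServer()))  # alice
    print("hardened:  ", run_fixation(HardenedSessionServer()))  # None
```

Note that in this scenario the attacker obtains his ID from the server legitimately before planting it, so refusing unknown IDs alone would not have saved the hardened server; what actually defeats the attack is the rotation in `login`, which is why every session framework worth using regenerates the session ID at authentication.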
Cross-site Scripting (XSS)
XSS is a flaw in a website that lets an attacker inject script into pages the site serves to other people, whether by storing it where others will view it (a comment, a profile field) or by reflecting it out of a crafted link. The victim is not the website itself, but rather the website’s users. The hacker has turned the website into an unsuspecting virus carrier. Just opening the affected web page breathes life into the injected malicious script, which then runs in your browser with your cookies within reach: unless the site set its session cookie with the HttpOnly flag, one line of script can read the cookie and ship it to the attacker.
Sidejacking involves using packet sniffer tools to capture cookies from nearby Wi-Fi users as they cross the air. It works whenever a site sends its session cookie over unencrypted HTTP, or sets that cookie without the Secure flag so the browser will hand it over in the clear at least once. And, in my little coffee shop, the aroma of fresh cookies is a hit to his bloodhound-like senses.
Why look at that. There’s my device–top of the list. Of course, I am completely unaware that he can see everywhere I’ve been. Where was I? Oh yes. My bank account, Amazon, Facebook. He can access them all. But how?
When you log into a site, the site checks your credentials and then sets a cookie in your browser. That cookie does not carry your login information; it carries a session identifier (or a signed token) that tells the site “this browser already logged in,” so you can stay logged in on that browser without retyping anything. That identifier is all the hijacker needs. With a copy of the cookie he can be “you” on that site, with no password and no second factor, until the session expires or you log out, and the same goes for every other site whose cookie he captured in that session.
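Both of those thefts succeed or fail on how the session cookie was set. The following added Python check, written for this article and not tooling from the original page, parses Set-Cookie header values in the shape RFC 6265 lays out (name=value, then semicolon-separated attributes) and reports the attributes a hijacker counts on being absent: HttpOnly, which keeps an injected script’s document.cookie from reading the cookie; Secure, which keeps the browser from sending it over plain HTTP where a sniffer on shared Wi-Fi can see it; and SameSite. The sample headers and the session-name heuristic are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# Constructed heuristic: substrings that usually mark a session or auth cookie.
SESSION_NAME_HINTS = ("sess", "sid", "token", "auth")


@dataclass
class CookieFlags:
    name: str
    http_only: bool
    secure: bool
    same_site: Optional[str]


def parse_set_cookie(header: str) -> CookieFlags:
    """Parse one Set-Cookie value: name=value, then ';'-separated attributes,
    each either a bare flag (Secure) or attr=value (SameSite=Lax)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() or True  # attribute names are case-insensitive
    same_site = attrs.get("samesite")
    return CookieFlags(
        name=name.strip(),
        http_only="httponly" in attrs,
        secure="secure" in attrs,
        same_site=same_site if isinstance(same_site, str) else None,
    )


def audit_set_cookie(header: str) -> List[str]:
    """Return the weaknesses a session hijacker would look for in one cookie."""
    c = parse_set_cookie(header)
    problems: List[str] = []
    if not c.http_only:
        # Injected script can read it via document.cookie and post it elsewhere.
        problems.append("missing HttpOnly")
    if not c.secure:
        # The browser will send it over plain http://, in the clear on shared Wi-Fi.
        problems.append("missing Secure")
    if c.same_site is None:
        problems.append("missing SameSite")  # default differs by browser; be explicit
    elif c.same_site.lower() == "none":
        problems.append("SameSite=None")  # attached to every cross-site request
    return problems


def is_session_cookie(name: str) -> bool:
    return any(hint in name.lower() for hint in SESSION_NAME_HINTS)


def audit_response(set_cookie_headers: List[str]) -> Dict[str, List[str]]:
    """Audit every session-looking cookie in a response; returns {name: problems}."""
    report: Dict[str, List[str]] = {}
    for header in set_cookie_headers:
        c = parse_set_cookie(header)
        if is_session_cookie(c.name):
            report[c.name] = audit_set_cookie(header)
    return report


# Constructed Set-Cookie values, as a coffee-shop sniffer or an XSS payload would meet them.
SAMPLE_HEADERS = [
    "sessionid=9f3a2c7d1e; Path=/",                                # every flag missing
    "PHPSESSID=4b1c8e2f; Path=/; Secure; HttpOnly; SameSite=Lax",  # hardened
    "auth_token=abc123; Path=/; Secure; SameSite=None",            # script-readable and cross-site
    "theme=dark; Path=/",                                          # not a session cookie
]

if __name__ == "__main__":
    for cookie_name, problems in audit_response(SAMPLE_HEADERS).items():
        print(f"{cookie_name}: {', '.join(problems) or 'ok'}")
```

Two caveats a practitioner would add. HttpOnly stops the script from reading the cookie, but not from making requests as you while the page is open, so it narrows XSS damage rather than ending it. And Secure only helps when the site is reachable over HTTPS everywhere; a site that still answers on plain HTTP and sets the cookie from there has already lost it to the sniffer.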
How can I protect myself from a session hijacker?
Outside of a holiday cookie swap, we’re not that fond of sharing. The more we learn, the stronger the urge to swipe at the paw that reaches for our cookies.
Don’t click that link!
True, session hijacking is about stealing cookies and generally involves websites. But one of the ways the hijacker gets in is by emailing you a URL that carries the session ID he wants you to use–the exact one he will then use to hijack your session.
Email is still the easiest “in” for cybercriminals of all types; industry estimates regularly put more than 90% of malware infections at the end of an email link or attachment. Why? We are inundated with emails every day–all vying for our attention. It’s overwhelming. However, we can foil many cyber attacks by just slowing down a bit and reading carefully.
What to look for.
It all comes down to you.
A site’s developers may harbor malicious intent, or they may simply lack the knowledge to build it securely. Whichever the case, whether a site rotates its session IDs at login and sets its cookies properly is in the hands of the site developer, not yours. What you control is whether to click, whether to log out when you are done, and whether to do your banking over a network you do not trust.
Zen Techworks believes knowledge is power.
We bring ongoing, effective and monitored cybersecurity training to our clients’ staff.