Explain different methods to commit a session hijack and methods to prevent session hijacking.
1 Answer
  • Session hijacking is a method of overtaking a secure or unsecure web user’s session secretly by obtaining the session ID and masquerading as an authorized user.
  • Once the user’s session ID has been accessed the attacker can masquerade as that user and perform tasks that the authorized user is allowed to do.

Methods to Commit a Session Hijack:

  1. IP Spoofing:
    • IP spoofing is a method where attackers send packets with malicious content to a target machine and want to remain unidentified.
    • The victim is unaware that the packet is not from a trusted host, and hence it accepts the packet sending a response back to the source computer.
    • The biggest challenge for this is that the attacker must guess the proper sequence number to send the final ACK packet, as if it had come from a real source.
    • If this step succeeds, the attacker may have a connection to the victim’s machine for as long as the victim’s machine is active.
  2. Session Sidejacking:
    • In this method an attacker uses packet sniffing to read network traffic between two parties to steal the session cookie.
    • Many websites use SSL encryption for login pages to prevent attackers from seeing the password, but do not use encryption for the rest of the site once authenticated. This allows attackers that can read the network traffic to intercept all the data that is submitted to the server or viewed by the client.
    • This data includes the session cookie and allows the attacker to impersonate the victim even if the password is not compromised. Unsecured Wi-Fi hotspots are highly vulnerable.
  3. Session Fixation:
    • In a session fixation attack, an attacker fixes the user’s session ID before the user even logs into the target web server, thereby eliminating the need to obtain the user’s session ID afterwards.
  4. Cross-Site Scripting:
    • In this method a hacker collects malicious data through a hyperlink from a user. The hyperlink holds the malicious content that is located in a website.
    • When a user visits a web site and clicks on the link, the hacker sends the malicious data straight to the web application. After he clicks on the link, another page is created and the malicious content is generated within that page.
    • The user remains absolutely unaware of the forged content and assumes it to be valid data generated from the host website.

Methods to Prevent Session Hijacking:

  1. Regenerating the session ID after a successful login: This method prevents the session fixation because the attacker does not know the session ID of the user after he has logged in.
  2. Using a Long Random Number or String as a Session Key:
    • This reduces the risk that an attacker could simply guess a valid session key through trial and error or brute force attacks.
  3. Encryption of the data passed between the parties:
    • This technique is widely relied upon by web-based e-commerce services as it completely prevents sniffing-style attacks. Some services make additional checks against the identity of the user.
    • Example: a web server could check with each request made that the IP address of the user matched the one last used during that session. This does not prevent attacks by somebody who shares the same IP address but could be frustrating for users whose IP address is liable to change during a browsing session.
    • Some services change the value of the cookie with each and every request. This reduces the chances of a computer being attacked and makes it quite easy to identify attacks.
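
The prevention methods listed in the answer above, combined in one small server-side sketch. This is an added example, not part of the original answer: the `SessionStore` class, its method names and the in-memory dictionary are assumptions made for illustration, and the IP addresses are constructed values from documentation ranges.

```python
import secrets


class SessionStore:
    """In-memory session store (hypothetical, for illustration only)."""

    def __init__(self):
        self._sessions = {}  # session ID -> {"user": ..., "ip": ...}

    def _new_id(self):
        # Long random session key: 32 bytes from the OS CSPRNG,
        # so guessing a valid ID by trial and error is infeasible.
        return secrets.token_urlsafe(32)

    def create(self, client_ip):
        """Issue an anonymous (pre-login) session."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "ip": client_ip}
        return sid

    def login(self, old_sid, user, client_ip):
        """Regenerate the ID on successful login (defeats session fixation)."""
        self._sessions.pop(old_sid, None)  # the pre-login ID stops working
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "ip": client_ip}
        return sid

    def request(self, sid, client_ip):
        """Validate one request; return (user, next_sid) or (None, None)."""
        # Rotation: every ID is accepted once, then replaced.
        data = self._sessions.pop(sid, None)
        if data is None:
            return None, None  # unknown, fixated or replayed ID
        if data["ip"] != client_ip:
            return None, None  # IP changed: session is dropped entirely
        next_sid = self._new_id()
        self._sessions[next_sid] = data
        return data["user"], next_sid


if __name__ == "__main__":
    store = SessionStore()
    pre = store.create("203.0.113.5")             # ID an attacker may have fixed
    sid = store.login(pre, "alice", "203.0.113.5")
    print(store.request(pre, "203.0.113.5"))      # (None, None): fixed ID is dead
    user, nxt = store.request(sid, "203.0.113.5")
    print(user)                                   # alice
    print(store.request(sid, "203.0.113.5"))      # (None, None): replayed ID
    print(store.request(nxt, "198.51.100.9"))     # (None, None): different IP
```

The session ID must still travel only over an encrypted connection; none of these checks help if the current ID can be sniffed and used before the legitimate client's next request.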