Before looking at session hijacking, let's first understand what a session is. A session is the ongoing connection between a client and a server, i.e. the period during which a client is active on a website. This post covers cookie poisoning, cookie stealing and session hijacking.
What is the purpose of a session?
A web server is responsible for handling the client's request, but on its own it has no idea where a request comes from. Requests can arrive from the same client or from many different ones. To keep track of each client, the web server establishes a session in which every client is identified by its own unique session id. Once the client is identified by this session id, the server knows which client a request belongs to.
A generated session id is made up of the following information.
- Cookie
The cookie is a randomly generated alphanumeric value which is used to identify the session.
- Domain Name
This is the name of the server that sets the cookie value.
- Expiry
The timestamp at which the cookie is destroyed.
- User Specific Data
Optional data specific to the user.
The image below describes the session id in detail.
When a user, say Adam, logs in to a website such as www.example.com, the server assigns him a session id and associates his specific information with it, for example his username, location, etc.
When a server generates a session id for a client, it may be carried in a transient cookie or a persistent cookie.
A transient cookie is one that is stored only in the client's browser cache. It can be viewed in the browser's cache tab, and it is deleted when the browser is closed.
A persistent cookie is one that is stored on the client's hard disk. It is deleted when its expiry time is reached.
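The following example, added here and not part of the original post, shows the difference between a transient and a persistent session cookie at the protocol level: the only thing that makes a cookie persistent is an Expires/Max-Age attribute in the Set-Cookie header. It also shows the attributes a server should set alongside the Domain and expiry (Secure, HttpOnly, SameSite) and a small parser that audits a header for them. The cookie name `sid` is an assumption; the post names no specific cookie.

```python
import secrets
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime
from typing import Optional

COOKIE_NAME = "sid"  # assumed cookie name; the post does not specify one


def new_session_id() -> str:
    """Generate an unguessable session id: 32 bytes from the OS CSPRNG, URL-safe
    base64 encoded (43 characters). A guessable id defeats every other control."""
    return secrets.token_urlsafe(32)


def set_cookie_header(sid: str, domain: str, max_age_seconds: Optional[int] = None) -> str:
    """Build the value of a Set-Cookie header carrying the session id.

    Without Expires/Max-Age the browser treats the cookie as transient and drops
    it when the browser closes; with them it becomes persistent and is written
    to disk until the expiry is reached. Secure, HttpOnly and SameSite are the
    defensive attributes: HttpOnly in particular keeps page scripts from reading
    the cookie through document.cookie.
    """
    parts = [
        f"{COOKIE_NAME}={sid}",
        f"Domain={domain}",   # the server name that set the cookie
        "Path=/",
        "Secure",             # only ever sent over HTTPS
        "HttpOnly",           # not exposed to JavaScript on the page
        "SameSite=Lax",       # not attached to most cross-site requests
    ]
    if max_age_seconds is not None:
        expires = datetime.now(timezone.utc) + timedelta(seconds=max_age_seconds)
        parts.append("Expires=" + format_datetime(expires, usegmt=True))
        parts.append(f"Max-Age={max_age_seconds}")
    return "; ".join(parts)


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, attributes). Attribute names
    are lower-cased; flags that carry no value map to True."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, sep, val = part.partition("=")
        attrs[key.lower()] = val if sep else True
    return name, value, attrs


def is_persistent(header: str) -> bool:
    """A cookie is persistent exactly when the header carries an expiry."""
    attrs = parse_set_cookie(header)[2]
    return "expires" in attrs or "max-age" in attrs


def is_script_readable(header: str) -> bool:
    """True when a script running on the page could read the cookie, i.e. the
    HttpOnly attribute is missing. Useful for auditing headers a server emits."""
    return "httponly" not in parse_set_cookie(header)[2]


if __name__ == "__main__":
    sid = new_session_id()
    print(set_cookie_header(sid, "www.example.com"))                                 # transient
    print(set_cookie_header(sid, "www.example.com", max_age_seconds=7 * 24 * 3600))  # persistent
```

Run it and compare the two printed headers: they differ only in the Expires and Max-Age attributes, which is what decides whether the browser keeps the cookie on disk. `is_script_readable` is the check worth running against a real application's responses, since a session cookie without HttpOnly is the one that injected page scripts can read.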
Let's see how an attacker takes unfair advantage of the session id.
Consider an example where an attacker with the username obama establishes a connection with a server. On the other side, a user with the username admin also establishes a connection with the same server. The server assigns a unique session id to each of them. The attacker obama now tries to steal admin's session id by injecting a script through a stored XSS vulnerability. The injected script displays "hello admin" on the page, but when it runs it also posts the cookie to a malicious server. The malicious server is configured to host a script that does two things.
- Capturing the cookie value
- Writing the value to a log file (log.txt)
Once this is in place, whenever a user visits the infected page, their session id is automatically posted to the malicious server. From the malicious server's log file the attacker obtains the session ids of every user who visited the infected page. This action is known as cookie theft or cookie stealing.
Now that the attacker has admin's session id, he uses a cookie manager plugin in his web browser to replace his own cookie value (in the plugin's content text box) with admin's cookie value.
This is how he fools the server into believing that he is the user admin.
This manipulation of the cookie value is called cookie poisoning. Since the server identifies the user only by the session id, it gives the attacker access to the victim's account. This method of accessing the victim's account is known as session hijacking, and is sometimes also called session sniffing.
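Because the server in the scenario above trusts the session id alone, the defence has to live on the server side. The example below, added here and not taken from the post, is a minimal server-side session store that makes a stolen id far less useful: ids expire on idle and absolute timeouts, are rotated after login so an id captured earlier stops resolving, are destroyed on logout, and are bound to a client fingerprint so that the same id presented from a different client is refused and logged instead of silently accepted. It ends with a detection pass over constructed access-log lines that flags a session id seen from more than one client, the trace that the cookie-stealing flow above leaves behind. The log format, the fingerprint scheme and the timeout values are assumptions.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60           # seconds of inactivity before a session dies (assumed policy)
ABSOLUTE_LIFETIME = 8 * 60 * 60  # hard cap on how long one session id stays valid (assumed policy)


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    client: str  # fingerprint of the client the id was issued to (e.g. a User-Agent hash)


class SessionStore:
    """Server-side session table: the cookie carries only an opaque id, all user
    data stays here, and any id can be revoked or replaced at any time."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry is testable
        self._sessions: dict = {}

    def create(self, user: str, client: str) -> str:
        sid = secrets.token_urlsafe(32)  # CSPRNG, not guessable or sequential
        t = self._now()
        self._sessions[sid] = Session(user, t, t, client)
        return sid

    def resolve(self, sid: str, client: str):
        """Return the user behind a presented id, or None when it is rejected:
        unknown id, idle or absolute timeout reached, or the id arriving from a
        client that does not match the one it was issued to. The client check is
        a heuristic (a User-Agent can be copied too), but it turns a cookie
        replayed from another browser into a logged failure rather than a
        silent success."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        if t - s.last_seen > IDLE_TIMEOUT or t - s.created > ABSOLUTE_LIFETIME:
            self.destroy(sid)
            return None
        if s.client != client:
            self.destroy(sid)  # invalidate for everyone; the real user simply logs in again
            return None
        s.last_seen = t
        return s.user

    def rotate(self, sid: str) -> str:
        """Swap in a fresh id for the same session. Done right after login or any
        privilege change, so an id captured before that point no longer resolves."""
        s = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = s
        return new_sid

    def destroy(self, sid: str) -> None:
        """Logout: drop the server-side record, which also kills any stolen copy."""
        self._sessions.pop(sid, None)


# Constructed access-log lines (not from the post): session s2 appears with two
# different clients, the pattern a hijacked cookie leaves in server logs.
SAMPLE_LOG = [
    "sid=s1 ip=203.0.113.10 ua=Firefox/118",
    "sid=s2 ip=203.0.113.11 ua=Chrome/117",
    "sid=s1 ip=203.0.113.10 ua=Firefox/118",
    "sid=s2 ip=198.51.100.7 ua=curl/8.1",
]


def sessions_with_multiple_clients(lines):
    """Return the session ids that were used from more than one (ip, ua) pair."""
    clients = {}
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split())
        clients.setdefault(fields["sid"], set()).add((fields["ip"], fields["ua"]))
    return {sid for sid, seen in clients.items() if len(seen) > 1}


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("admin", "ua-A")
    print("own client:", store.resolve(sid, "ua-A"))    # admin
    print("other client:", store.resolve(sid, "ua-B"))  # None, and the session is gone
    print("flagged sessions:", sessions_with_multiple_clients(SAMPLE_LOG))
```

None of this stops the injected script from reading a cookie that lacks HttpOnly; that attribute belongs on the cookie itself. What the store adds is a bounded window and a server-side kill switch, so that a stolen id is short-lived, disappears on logout or rotation, and leaves a detectable trace when it is replayed from somewhere else.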