Understanding Session Hijacking: Protecting Your Online Sessions
CAPSTONE PRESENTATION
SESSION HIJACKING
HARINI SIVAKUMAR
Agenda
• Session Hijacking
• Abstract
• Research
• Data collection
• Exploitation
• Impact
• Prevention and Mitigation
• Conclusion
• Reference
Session Hijacking
• Also known as cookie hijacking, session fixation or session theft.
• Session hijacking is a form of cyber-attack in which an attacker takes control of a user's session on a computer system or network service.
• Essentially, the attacker aims to impersonate the victim by stealing their session identifier or cookie, which allows them to gain unauthorized access to the targeted system or service.
• These attacks are among the most commonly experienced cyber threats in today's networks. Most websites and networks are vulnerable to this kind of attack.
Session Hijacking (contd.)
• Session hijacking is a threat to online security, allowing attackers to intercept and manipulate user sessions.
• Attackers can use various techniques, such as session sniffing or cookie theft, to exploit vulnerabilities in web applications.
• It is usually used against social networking, online shopping and banking websites in order to gain access to a valid session.
Types of Session Hijacking
• Active Session Hijacking
Active session hijacking is a technique in which the attacker attacks an already active session between a user and a server, taking over the session and putting themselves in the place of the valid user.
• Passive Session Hijacking
Passive session hijacking is a technique in which the attacker sits between the valid user and the server, eavesdropping on and capturing session data.
• Hybrid Session Hijacking
Hybrid session hijacking is the combination of active and passive session hijacking: the attacker uses both techniques to achieve their goal.
Session Hijacking Levels
• Network Level
Network-level hijacking is the interception of packets in transit between the client and the server in a TCP or UDP session.
• Application Level
Application-level hijacking is about gaining control of an HTTP user session by obtaining its session ID.
Methods of Network Hijacking
• TCP/IP Hijacking
• IP Spoofing: Source Routed Packets
• RST Hijacking
• Blind Hijacking
• Man in the Middle: Packet Sniffer
• UDP Hijacking
Methods of Application Hijacking
• Obtaining session IDs
• Sniffing
• Brute Force
• Misdirected Trust
Session Hijacking Tools
Packet Sniffers:
• Wireshark
• Tcpdump
Proxy Servers:
• Burp Suite
• OWASP ZAP
Session Fixation tools:
• Fiddler
Network Spoofing tools:
• Ettercap
• Cain and Abel
ABSTRACT
• homeshopping.pk is an e-commerce website with a wide range of products, from electronics to fashion. It offers the convenience of shopping from the comfort of your home, with many deals and discounts.
• The idea behind this marketplace is to provide maximum visibility, drive reliance and offer excellent service to customers.
• This task involves compromising the session ID / cookie in the web application through a proxy server and exploiting the session. The request is intercepted using the Burp Suite tool.
Objective
• The objective of this report is to identify weaknesses in the homeshopping website and exploit those vulnerabilities.
• The Homeshopping website offers secure payment, doorstep delivery, easy returns and attractive offers and discounts.
• Users can shop for all their needs, from electronic gadgets to fashion clothing, accessories, etc.
Research on HomeShopping
• HomeShopping.pk is Pakistan's largest managed marketplace, home to over 3000 local and international brands. It was founded in July 2008 in Karachi.
• Home Shopping aims to provide the best online shopping experience to its customers, starting from a great selection, low prices, ease of use and fast delivery, and ending with the best customer service.
• Home Shopping ships all across Pakistan and has thousands of small businesses actively selling on the platform. The company is run by an energetic team of over 75 people and is self-funded.
• HomeShopping.pk has received many global accolades, including being nominated in the World Retail Awards 2013.
Data collection
Technologies used by this website:
• Analytics: a platform that collects data from your websites and apps to create reports that provide insights into your business.
Google Analytics, Facebook Pixel, Cloudflare Browser Insights
• JavaScript frameworks: AMP is designed to help web pages load faster.
AMP
• Tag managers: Google Tag Manager is a tag management system (TMS) that allows you to quickly and easily update measurement codes and related code fragments, collectively known as tags, on your website or mobile app.
Google Tag Manager
• Font scripts: Font Awesome is a font and icon toolkit based on CSS.
Font Awesome
• Payment processors: Checkout.com is an international payment platform that processes different payment methods across a variety of currencies.
Checkout.com
• Live chat: for easy communication between the business and its customers.
WhatsApp Business Chat, Facebook Chat Plugin
• Miscellaneous: unrelated sources of information, data or items that are grouped together for convenience or reference.
RSS, Open Graph, HTTP/3
• JavaScript graphics: D3.js is a JavaScript library for producing dynamic, interactive data visualizations in web browsers.
D3
• CDN: a content delivery network (CDN) is a group of geographically distributed servers that speed up the delivery of web content by bringing it closer to where users are.
Cdnjs, Cloudflare
• UI frameworks: Bootstrap is a free and open-source CSS framework directed at responsive, mobile-first front-end web development. It contains CSS- and JavaScript-based design templates for typography, forms, buttons, navigation and other interface components.
Bootstrap
• JavaScript libraries: a JavaScript library is a library of pre-written JavaScript code that allows for easier development of JavaScript-based applications, especially for AJAX and other web-centric technologies. They can be included in a website by embedding them directly in the HTML via a script tag.
Modernizr, jQuery UI, Dropzone, core-js, jQuery
• RUM: Cloudflare Browser Insights is a tool that measures the performance of websites from the perspective of users.
Cloudflare Browser Insights
• Authentication: Facebook Login is a way for people to create accounts and log into your app across multiple platforms.
Facebook Login
Methodology
Ideology and approach
• An application-level method is used to gain control of an HTTP user session by obtaining its cookie.
• The session ID is intercepted and captured using Burp Suite.
• Access to another user's session is gained by using the ID captured from the authorized user.
Analysis and Findings
• Attackers can exploit weak session management or
use packet sniffing to intercept session data. It is
crucial to be aware of the various techniques used
by attackers to hijack sessions.
• Several common vulnerabilities, such as insecure
communication, poor session token generation,
and lack of encryption, can lead to session
hijacking.
Exploitation - Practical Demonstration
Website: https://homeshopping.pk/
• Register an account.
• Log in with the password and go to My Profile under My Account.
• Turn on the proxy, refresh the page and turn on Intercept in Burp Suite.
• Intercept the request and copy the cookie.
• Turn off Intercept, open the Burp Suite browser and go to the website https://homeshopping.pk/.
• Log in to a different account.
• Go to My Profile under the My Account option.
• Turn on Intercept, refresh the page, paste the copied cookie, then forward the request.
• The user details are automatically changed to those of the other valid user.
Detection Methods
Impacts of Session Hijacking
Session hijacking can have serious consequences,
such as:
• Unauthorized access to sensitive data
• Impersonation of legitimate users
• Financial loss
• Damage to the organization's reputation
Prevention and Mitigation
To prevent session hijacking, organizations can implement the following measures:
• Use of HTTPS: employing SSL/TLS encryption helps protect against MITM attacks.
• Secure session management: implementing secure session handling mechanisms and regularly rotating session tokens.
• Input validation: validating and sanitizing user input to mitigate the risk of XSS attacks.
• Multi-factor authentication: adding an extra layer of authentication can enhance security.
• Employee education: educating employees about security will reduce the risk.
• Anti-virus software: keeping anti-virus software up to date can add more security.
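The server-side controls behind "secure session management" (random session IDs, rotation on login, idle and absolute expiry, and detecting the cookie replay shown in the demonstration), as an added example that is not part of the presentation; the SessionStore class, the client fingerprint and the timeout values are assumptions:

```python
"""Added example (not from the presentation): a minimal server-side session store.

It demonstrates the controls the slides list under "Secure session management":
unguessable session IDs, rotation of the ID on login (defeats session fixation),
idle/absolute expiry, and binding a session to the client context so that a
cookie pasted into a different browser (the slides' demonstration) is detected
and invalidated instead of being accepted. All names and values are hypothetical.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session is dropped
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime regardless of activity


@dataclass
class Session:
    user_id: str
    created: float
    last_seen: float
    client_fp: str            # hash of the client context captured at issue time
    authenticated: bool = False


class SessionStore:
    def __init__(self, now=time.time):
        self._sessions: dict[str, Session] = {}
        self._now = now          # injectable clock so expiry can be tested
        self.alerts: list[str] = []   # detection log a SOC would forward

    @staticmethod
    def fingerprint(user_agent: str, client_ip: str) -> str:
        # Coarse binding: enough to notice a cookie presented from another browser.
        # (IP binding is a trade-off; mobile/NAT users may need the IP left out.)
        return hashlib.sha256(f"{user_agent}|{client_ip}".encode()).hexdigest()

    @staticmethod
    def _new_id() -> str:
        return secrets.token_urlsafe(32)   # 256 bits of CSPRNG entropy, not guessable

    def create(self, user_agent: str, client_ip: str) -> str:
        """Issue an anonymous (pre-login) session."""
        sid = self._new_id()
        now = self._now()
        self._sessions[sid] = Session("", now, now, self.fingerprint(user_agent, client_ip))
        return sid

    def login(self, old_sid: str, user_id: str, user_agent: str, client_ip: str) -> str:
        """Rotate on privilege change: the pre-login ID (possibly attacker-fixed) dies."""
        self._sessions.pop(old_sid, None)
        sid = self._new_id()
        now = self._now()
        self._sessions[sid] = Session(user_id, now, now,
                                      self.fingerprint(user_agent, client_ip), True)
        return sid

    def resolve(self, sid: str, user_agent: str, client_ip: str):
        """Return the user for a presented cookie, or None if it must be rejected."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._now()
        if now - s.created > ABSOLUTE_TIMEOUT or now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        presented = self.fingerprint(user_agent, client_ip)
        if not hmac.compare_digest(presented, s.client_fp):
            # Same cookie, different client: the replay from the demonstration.
            self.alerts.append(f"session of {s.user_id} replayed from {client_ip}")
            del self._sessions[sid]          # invalidate; the real user re-authenticates
            return None
        s.last_seen = now
        return s.user_id


def set_cookie_header(sid: str) -> str:
    """Cookie attributes that keep the ID off cleartext HTTP and away from script."""
    return f"Set-Cookie: session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"
```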
Conclusion
• Session hijacking poses a significant threat to the security of online systems and user data.
• By understanding the various types of session hijacking and implementing robust security measures, organizations can mitigate the risks associated with this type of attack.
• By staying updated about the latest threats and implementing security measures, the impact of session hijacking can be minimized.
Reference
• https://owasp.org/www-community/attacks/Session_hijacking_attack
• https://learn.g2.com/session-hijacking
• https://www.researchgate.net/publication/325117343_Session_Hijacking_and_Prevention_Technique
• https://www.nitttrchd.ac.in/imee/Labmanuals/Session%20Hijacking%20Manual.pdf
• https://elhacker.info/manuales/Hacking%20y%20Seguridad%20informatica/CEH-v10/CEH%20v10%20Module%2011%20-%20Session%20Hijacking.pdf
• https://www.youtube.com/watch?v=SMi9qHMz4Lo
Thank You!!