Introduction to Session Hijacking

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
7 hours 6 minutes
Difficulty
Intermediate
CEU/CPE
7
Video Transcription
00:01
Hey, everyone, welcome back to the course. So in this video, we're gonna go over a brief introduction to session hijacking. So we'll talk about what is session hijacking. We'll also talk about the different types of session hijacking, and then we'll focus on application level attacks for session hijacking. And then in the next video, we'll cover the network level attacks.
00:20
So what is session hijacking? Essentially, this is where the attacker takes over that valid TCP communication So that communication between the client and the server
00:30
and an attacker could be successful doing a session hijacking attack for a number of reasons, for example, you may not have
00:36
in account lockout for invalid session I. D. So the Attackers, able to brute force their way into the session. There could be a week session I d generation algorithm and use or small session I D. S, which allow for predictability. So the Attackers able to predict what the next session will be and take over that session
00:54
insecure handling of the session I D. S, which could lead to things like DNS poisoning or cross site scripting attacks, as well as not having any expiration on that session. token. So without that expiration, the attacker can use an older token to establish a communication with that server.
01:11
So too many types of session hijacking. We've got application level and network network level again. We're gonna cover network level in the next video.
01:21
So with application level session, hijacking attacks, the Attackers getting control over the http of the user session to try and get those session I d. S.
01:32
And they're going to do this by getting that session token.
01:36
So how can they do that? Well, there's many ways they could do session sniffing. They can look for predictable token. So again they can determine what What's the next token in that sequence, what's the next idea in that sequence, things like, man in the middle attacks man in the browser attacks and we'll talk about each one of these a little bit
01:53
cross site scripting attacks, cross site request, forgery session replay and session fixation attacks. So let's just jump right in and start off with our session sniffing attacks.
02:02
This is where the Attackers gonna use some type of tool. So it might be smart. Sniffer might be like wire shark or TCP Tunc. That they use and they're just capturing that valid session token or session I D that they're gonna try to use that to send to the server and get access to that Web server.
02:20
We've got our men in the middle attacks. So this is where the Attackers junk putting themselves in between that communication of the client and server.
02:28
So let's say, for example, I'm playing American football and I've got myself and two friends with me.
02:35
I throw the football to one of my friends. They're gonna be the wide receiver.
02:38
But my other friend comes and they jump and they actually catch the ball in between myself and my other friends. So let's just call them friends A and friend B.
02:46
So friend a is the one that I'm trying to throw the football too, right? I'm trying to throw the football to friend A. But here comes Friend B, and they jump in between us and they grab that football in similar fashion. If we think of that, football is a token, our friend B. In this case, the attacker
03:05
is grabbing that token so they could be in between that communication session
03:08
of myself. The client and friend A Who's the server?
03:14
So with the minimum middle attack, the Attackers just putting themselves in between that path, Right? So, like our football example, they're they're putting themselves in between that path. They captured that section token, and the goal is to try to intercept that communication. Now, by putting themselves in between,
03:30
they're basically forcing the communication from the client. So from from me, for example,
03:35
to go to them and then from there, they're actually directly communicating with the server. And then they're sending me information back as if it came from the server
03:45
predicting the session token. So this could be something like using a week algorithm as we talked about or just easy to identify patterns. So maybe a short algorithm is in use as well. So the Attackers basically able to guess that next session token and then take over the session in the communication between the client and the server.
04:04
We got our man in the browser attack that basically uses a Trojan on the client device and the Trojan intercepts that communication between the browser and it's libraries and the browser and its security mechanism. So,
04:16
for example, things like two factor. Authentication Orpik, ai or SSL. It doesn't matter that we have those in place because it's it's looked at as a legitimate communication because it's attacking and intercepting between the browser in the libraries or the browser. And it's different. Security mechanisms mechanisms itself.
04:35
So one of the objectives with this particular one is causing, like financial deception by changing around transactions of banking systems
04:45
within of our cross site scripting attack.
04:47
So this is where the attacker inject some kind of malicious client side script into Web pages that air actually access by the victim. So, for example, they might send a crafted linked to the victim, get them to click on it in the link, having malicious JavaScript. So when the victim clicks that link, the JavaScript runs, and then it does whatever the attacker wanted to do,
05:06
it allows them to take over the session.
05:09
We got session replay attacks where the Attackers basically listening to that conversation between the client and the server and then capturing that authentication token and then just replaying that to the server and an attempt to gain access.
05:20
We've got a cross site request forgery, which basically exploits the victims active session with a trusted site on that allows the attacker to perform whatever activities they want. Thio
05:31
and then session fixation. So this is where the attacker hijacks that values recession so they try to authenticate with a known session I d to try and take over that particular session and several techniques they might use for doing a session fixation attack are things like trying to identify the session token in the U. R L argument or in the hidden form field
05:51
or trying to find identify the session I'd
05:55
from a cookie.
05:57
All right, so in this video, we just talked about what session hijacking is. We also talked about the different types of session hijacking again. We'll be covering network level session hijacking in the next video, and we also talked about different application level session hijacking attacks.
Up Next