Certified Ethical Hacker - Part 10-2 - Session Hijacking

by Riazul H. Rozen
Jan. 30, 2018 | Certifications, CEH

Types of Session Hijacking

Apart from the active and passive classifications, which, true to their names, describe how involved the attacker is with the system, session hijacking is also classified by the level at which it operates: the network level and the application level of the target system.

Application level session hijacking

In this type of hijacking the attacker gains access to session IDs through theft or guessing, with the sole purpose of getting past the web server without authorization. There are different techniques for obtaining session IDs or tokens:

  • Cross-site scripting attacks
  • Session fixation
  • Session replay
  • Cross-site request forgery attacks
  • Man-in-the-middle attacks
  • Prediction
  • Man-in-the-browser attacks
  • Session sniffing

Session ID prediction

This technique consists of the attacker guessing the right token for the target system, with a varying number of captured tokens available to base the prediction on. Attackers may carry out the prediction by hand or with cryptanalytic tools. They do this by recognizing a pattern in how tokens are generated and capitalizing on that analysis. The prediction method works mainly against weak generation algorithms.

Since the algorithms used for generating session IDs are often custom-fitted to their systems, their output tends to follow a pattern. Hence, once the attacker can guess the session value or session ID, it is easier to carry out a session hijacking. The attacker collects session IDs for analysis by capturing a number of them.
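A defender's counterpart to this analysis is to audit your own generator before an attacker does. The following added example (not from the original article) takes a sample of session IDs and flags the two signs of a weak algorithm described above, a constant step between consecutive IDs and low per-character entropy; the weak sample is constructed from a counter with a fixed prefix, and the strong sample comes from Python's `secrets` CSPRNG.

```python
import math
import re
import secrets
from collections import Counter

# Constructed sample: a weak, counter-based generator (fixed prefix plus an
# incrementing integer in hex). Replace with IDs captured from your own app.
WEAK_IDS = [f"SESS{1000 + i:08x}" for i in range(64)]
# Same number of IDs from a CSPRNG, the kind of generator you want to see.
STRONG_IDS = [secrets.token_hex(8) for _ in range(64)]

def positional_entropy(ids):
    """Mean Shannon entropy (bits) per character position across the sample.
    A fixed or slowly changing position contributes ~0 bits; a position that
    is uniform over 16 hex symbols contributes up to 4 bits."""
    width = len(ids[0])
    n = len(ids)
    total = 0.0
    for pos in range(width):
        counts = Counter(s[pos] for s in ids)
        total += -sum(c / n * math.log2(c / n) for c in counts.values())
    return total / width

def looks_sequential(ids):
    """True when the trailing hex field of consecutive IDs changes by one
    constant step: exactly the pattern a prediction attack capitalises on."""
    values = []
    for s in ids:
        m = re.search(r"[0-9a-fA-F]+$", s)  # longest trailing hex run
        if not m:
            return False
        values.append(int(m.group(0), 16))
    deltas = {b - a for a, b in zip(values, values[1:])}
    return len(deltas) == 1

def assess(ids):
    """Quick audit verdict: 'weak' if sequential or low-entropy, else 'ok'.
    The 2.0-bit threshold is an assumed rule of thumb for hex-style IDs."""
    if looks_sequential(ids) or positional_entropy(ids) < 2.0:
        return "weak"
    return "ok"
```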

Man-in-the-middle attack

This is an active type of hijacking: the communication between two systems is ongoing, and the attacker intercepts the connection to gain access to the messages. Once the TCP communication is intercepted, the attacker is able to read and change the information passing between the server and the client.

A successful interception splits the original connection into two:

  • the client-to-attacker connection, and
  • the attacker-to-server connection.

Man-in-the-browser attack

This uses Trojans to intercept calls between the browser and the security mechanisms put in place to prevent attacks. The Trojan must be installed on the system before the attacker is able to interrupt and manipulate financial transactions in internet banking systems.

How is a man-in-the-browser attack performed?

  • The Trojan is inserted to infect the OS of the target system.
  • The Trojan installs malicious code in the form of extension files in the system configuration, which load when the user restarts the browser. These extension files register a handler every time the user opens a webpage.
  • The extension file matches the URL against a list of sites targeted for attack. When the user logs into a specific webpage, the handler is registered and the page is compared with the target list.
  • When the user clicks a button, the extension uses the DOM interface to extract all data, original and modified. This data is sent to the server, which is unable to distinguish original from modified values.
  • A receipt is generated for every transaction, and the user receives a receipt showing the original transaction details, without knowing that the transaction was tampered with.

Cross-site scripting attacks

Here the attacker sends the victim a link containing malicious JavaScript. If the victim opens the link, the JavaScript runs and carries out its instructions on the target system.

Cross-site request forgery attacks

This exploits the trust a site places in an authenticated user's browser, using that trusted site to carry out the attack.

Session fixation

This works by hijacking a valid session: the attacker tricks the user into authenticating with a session ID the attacker already knows, after which the attacker takes over the session without the user's knowledge. There are several ways to lure a user into using a pre-prepared token:

  • By putting the token in a cookie
  • By putting the token in a hidden form field
  • By putting the token in a URL argument
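The standard defence against session fixation is to issue a fresh session ID at the moment of authentication, so a token planted by any of the three routes above never becomes an authenticated session. The added example below (not code from the original article) models that with a small constructed in-memory session store and replays the scenario with the defence off and on; `SessionStore`, `fixation_outcome` and the planted ID value are all assumptions made for the example.

```python
import secrets

class SessionStore:
    """Minimal in-memory session store, constructed for this example.
    rotate_on_login toggles the session-fixation defence."""

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session_id -> {"user": name or None}

    def new_session(self, session_id=None):
        # A pre-set ID (arriving in a cookie, hidden field or URL argument
        # the attacker planted) is accepted as-is, which is what fixation
        # relies on; otherwise a random ID is minted.
        sid = session_id or secrets.token_urlsafe(32)
        self.sessions.setdefault(sid, {"user": None})
        return sid

    def login(self, session_id, user):
        """Authenticate the user; return the ID the client should use next."""
        if not self.rotate_on_login:
            # Vulnerable: the pre-authentication ID becomes the logged-in one.
            self.sessions[session_id]["user"] = user
            return session_id
        # Hardened: discard the pre-authentication ID and mint a new one, so
        # whatever the attacker planted is never associated with the login.
        self.sessions.pop(session_id, None)
        fresh = secrets.token_urlsafe(32)
        self.sessions[fresh] = {"user": user}
        return fresh

    def user_for(self, session_id):
        entry = self.sessions.get(session_id)
        return entry["user"] if entry else None

def fixation_outcome(rotate_on_login):
    """Replay the attack: the victim logs in using a planted ID. Returns
    which user the planted ID now resolves to (None means the attacker
    gained nothing) and whether the victim's own session still works."""
    store = SessionStore(rotate_on_login)
    planted = store.new_session("attacker-chosen-id")  # constructed value
    victim_sid = store.login(planted, "victim")
    return {
        "planted_resolves_to": store.user_for(planted),
        "victim_logged_in": store.user_for(victim_sid) == "victim",
    }
```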

Network Level Session Hijacking

This allows the attacker to gain information that can then be used to attack the application level. It is done by hijacking the transport and internet protocols that web applications in the application layer rely on.

Some of the techniques for network level hijacking are:

  • Blind hijacking
  • UDP hijacking
  • TCP/IP hijacking
  • RST hijacking
  • IP spoofing: source routed packets

TCP/IP hijacking

This method uses spoofed packets to intercept the connection between the victim and its target machine. If it succeeds, the victim's connection hangs and the attacker is able to communicate with the target machine in place of the victim. It can only succeed when the attacker is on the same network as the victim, but the victim's and the target's machines can be located anywhere.

How does this happen?

  • The attacker sniffs the victim's connection and sends a spoofed packet with the correct sequence number, using the victim's IP address.
  • On the other end, the receiver gets the packet, increases its sequence number and sends an acknowledgement.
  • The victim machine, unaware of any change, does not advance its own sequence count and ignores the receiver's message, so the receiver is now expecting a sequence number the victim will not send.
  • The connection between victim and receiver is thereby forced out of synchronization.
  • The attacker keeps tracking the sequence numbers and sending spoofed packets, continuing to communicate with the receiver machine while the victim's connection hangs.

IP Spoofing: Source Routed Packets

The attacker uses a trusted IP address to gain unauthorized access to the computer: by spoofing the host, the attacker gets the victim to keep accepting packets from the attacker to establish a connection. Once this is done, the attacker injects forged packets before the host can reply to the server, which causes the original packets to be discarded because the server has already received the sequence number used by the attacker. The attacker is thus able to re-route the packets to an IP address of its choosing.

Blind Hijacking

Here the attacker can inject commands into the communication between two systems after intercepting it, but cannot see any response; this works even when source routing is disabled.

Hijacking Tools

Zaproxy: used to find weaknesses in web applications. It includes a passive scanner, a brute-force scanner, a spider and fuzzer, a port scanner and dynamic SSL certificates, among other features.

Burp Suite: allows for inspection and modification of the traffic between the browser and the target application.

JHijack: a web application session security assessment tool, used for numeric session hijacking and parameter enumeration.

DroidSheep: an Android hijacking tool that works by extracting session IDs from HTTP packets sent over wireless connections.

DroidSniff: checks for weaknesses in wireless connections and captures data from social media platforms.

Published with the express permission of the author.