Almost all systems are vulnerable to session hijacking, which can be a serious threat to web applications and networks. Session hijacking, also known as “token hijacking,” allows attackers to access a network without having to authenticate. Once in, the cybercriminals know that they won’t need to be concerned about authentication as long as the session is active. They have the same access to the server as the compromised user because they inherited the authentication that the user completed before the attack occurred.
There are a number of ways for session hijacking to happen, and each one gives the cybercriminal the ability to access a server. The most common way that the criminals use is called “IP spoofing.” The criminal makes use of source-routed IP packets to insert specific commands into an already active communication between two network nodes, disguising himself as one of the authenticated users. This works so well because authentication is usually accomplished at the beginning of a TCP session. The second most common method of session hijacking is called a “man-in-the-middle attack.” In this case, the attacker uses a “packet sniffer” while observing the communication between the devices and simply collects all of the information or data that is being transmitted.
Additional Session Hijacking Methods:
Today’s cybercriminals have not only made session hijacking a profession but also have access to very high-tech methods to accomplish their dirty deeds.
Cross Site Scripting (also known as an XSS Attack)
In this case, spoofing simply means an attacker pretending to be someone else. It is a technique used by cybercriminals to gain unauthorized access to a computer by using the IP address of a trusted host. The criminal must get a client’s IP address and then insert his own packets, spoofed with the client’s IP address, into the TCP session. This fools the server into thinking that it is communicating with the original host, who is in reality now the victim.
If a cybercriminal can’t sniff packets to learn the sequence number that the server expects, the criminal can use the blind attack method, which simply tries combinations of sequence numbers again and again. This method often works on networks that don’t have an established alert system for multiple unsuccessful attempts or any staff monitoring the network.
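The alerting on repeated unsuccessful attempts mentioned above can be sketched as follows. This is an added example, not part of the original article: it flags TCP flows that receive many segments whose sequence numbers fall outside the receiver's window within a short time span. The record layout, the threshold values, the addresses, and the assumption that a sensor already tracks each flow's expected sequence number and window are all constructed for illustration.

```python
from collections import defaultdict, deque

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), wrap-safe."""
    return (seq - rcv_nxt) % MOD < rcv_wnd

def detect_seq_guessing(records, threshold=5, interval=10.0):
    """Return {flow: peak_count} for flows with >= threshold out-of-window
    segments inside any `interval`-second span.
    Each record: (timestamp, flow, seq, rcv_nxt, rcv_wnd)."""
    recent = defaultdict(deque)  # flow -> timestamps of rejected segments
    alerts = {}
    for ts, flow, seq, rcv_nxt, rcv_wnd in sorted(records, key=lambda r: r[0]):
        if in_window(seq, rcv_nxt, rcv_wnd):
            continue  # acceptable segment, nothing to count
        q = recent[flow]
        q.append(ts)
        while ts - q[0] > interval:  # drop rejections older than the span
            q.popleft()
        if len(q) >= threshold:
            alerts[flow] = max(alerts.get(flow, 0), len(q))
    return alerts

# Constructed sample data (documentation address ranges, invented values).
FLOW_A = ("192.0.2.10", 40000, "198.51.100.5", 22)
FLOW_B = ("192.0.2.20", 40001, "198.51.100.5", 443)
SAMPLE = [
    # Flow A: six segments with wildly wrong sequence numbers in 2.5 s.
    *[(i * 0.5, FLOW_A, 500_000_000 * (i + 1), 1000, 65535) for i in range(6)],
    # Flow B: normal traffic plus one stale retransmission.
    (0.1, FLOW_B, 7000, 7000, 65535),
    (0.2, FLOW_B, 7000, 7000, 65535),
    (0.3, FLOW_B, 5000, 7000, 65535),
]

if __name__ == "__main__":
    for flow, count in detect_seq_guessing(SAMPLE).items():
        print(f"ALERT {flow}: {count} out-of-window segments")
```

A single stale retransmission, as in flow B, stays below the threshold, so ordinary packet loss does not raise an alert.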
“System hijacking has become the preferred method of many cybercriminals today. DaVinci Forensics knows that these individuals have both knowledge and access abilities and the technology to continuously attempt to hijack a network. We will work with businesses of all sizes to assist in establishing detection methods, crisis analysis, and a strategy that can be set in place to help to protect their proprietary data.”
Image by Tim Kabel