(IJCSIS) International Journal of Computer Science and Information Security, Vol. 8, No. 7, October 2010

A Survey on Session Hijacking

P. Ramesh Babu, Dept. of Computer Science & Engineering, Sri Prakash College of Engineering, Tuni-533401, INDIA. E-mail: rameshbabu_kb@yahoo.co.in
D. Lalitha Bhaskari, Dept. of Computer Science & Systems Engineering, AU College of Engineering (A), Visakhapatnam-530003, INDIA. E-mail: lalithabhaskari@yahoo.co.in
CPVNJ Mohan Rao, Dept. of Computer Science & Engineering, Avanthi Institute of Engineering & Technology, Narsipatnam-531113, INDIA. E-mail: mohanrao_c@yahoo.com

Abstract

With the emerging fields in e-commerce, financial and identity information are at a higher risk of being stolen. The purpose of this paper is to illustrate a common and serious security threat to which most systems are prone, namely session hijacking. It refers to the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system. Sensitive user information is constantly transported during sessions after authentication, and hackers are putting their best efforts into stealing it. In this paper we first set the stages on which session hijacking occurs, then discuss the techniques and mechanics of the act of session hijacking, and finally provide general strategies for its prevention.

Key words: session hijacking, packet, application level, network level, sniffing, spoofing, server, client, TCP/IP, UDP and HTTP

1. Introduction

Session hijacking refers to the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system; put differently, a session hijack is a process whereby the attacker inserts himself into an existing communication session between two computers. Generally speaking, session hijack attacks are usually waged against a workstation-to-server type of communication session; however, hijacks can also be conducted between a workstation and a network-based appliance such as a router, switch or firewall. The remainder of the paper gives a clear view of the stages and levels of session hijacking. "Indeed, a study of 45 Web applications in production at client companies found that 31 percent of e-commerce applications were vulnerable to cookie manipulation and session hijacking" [3]. Section 2 of this paper deals with the different stages of session hijacking; section 3 deals in depth with where session hijacking can be done, followed by a discussion of the avoidance of session hijacking in section 4. Section 5 concludes the paper.

2. Stages of session hijacking

Before we can discuss the details of session hijacking, we need to be familiar with the stages on which this act plays out. We have to identify the vulnerable protocols and also obtain an understanding of what sessions are and how they are used. Based on our survey, we have found that the three main protocols that manage the data flow on which session hijacking occurs are TCP, UDP and HTTP.


76 http://sites.google.com/site/ijcsis/
ISSN 1947-5500
2.1 TCP

TCP stands for Transmission Control Protocol. We define it as "one of the main protocols in TCP/IP networks. Whereas the IP protocol deals only with packets, TCP enables two hosts to establish a connection and exchange streams of data. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent." [2] The last part of this definition is important in our discussion of session hijacking. In order to guarantee that packets are delivered in the right order, TCP uses acknowledgement (ACK) packets and sequence numbers to create a "full duplex reliable stream connection between two end points" [4], with the end points referring to the communicating hosts. The two figures below provide a brief description of how TCP works.

Figure 1: TCP session establishment using the three-way handshake method (figure and TCP summary taken from [1])

The connection between the client and the server begins with a three-way handshake (Figure 1). It proceeds as follows:

• The client sends a synchronization (SYN) packet to the server with initial sequence number X.
• The server responds by sending a SYN/ACK packet that contains the server's own sequence number P and an ACK number for the client's original SYN packet. This ACK number indicates the next sequence number the server expects from the client.
• The client acknowledges receipt of the SYN/ACK packet by sending back to the server an ACK packet with the next sequence number it expects from the server, which in this case is P+1.

Figure 2: Sending data over TCP (figure and TCP summary taken from [1])

After the handshake, it is just a matter of sending packets and incrementing the sequence number to verify that the packets are getting sent and received. In Figure 2, the client sends one byte of data (the letter "A") with the sequence number X+1, and the server acknowledges the packet by sending an ACK packet with number X+2 (X+1 plus 1 byte for the "A" character) as the next sequence number expected by the server. The period during which all this data is being sent over TCP between client and server is called the TCP session. It is our first stage on which session hijacking will play out.

2.2 UDP

The next protocol is UDP, which stands for User Datagram Protocol. It is defined as "a connectionless protocol that, like TCP, runs on top of IP networks. Unlike TCP/IP, UDP/IP provides very few error recovery services, offering instead a direct way to send and receive datagrams over an IP network." [6] UDP does not use sequence numbers like TCP. It is mainly used for broadcasting messages across the network or for doing DNS queries. Online first-person

shooters like Quake and Half-Life make use of this protocol. Since UDP is connectionless and does not have any of the more complex mechanisms that TCP has, it is even more vulnerable to session hijacking. The period during which data is being sent over UDP between client and server is called the UDP session. UDP is our second stage for session hijacking.

2.3 HTTP

HTTP stands for Hyper Text Transfer Protocol. We define HTTP as "the underlying protocol used by the World Wide Web. HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. For example, when you enter a URL in your browser, this actually sends an HTTP command to the Web server directing it to fetch and transmit the requested Web page." [2]

It is also important to note that HTTP is a stateless protocol. Each transaction in this protocol is executed independently with no knowledge of past transactions. The result is that HTTP has no way of distinguishing one user from the next. To uniquely track a user of a web application and to persist his or her data within the HTTP session, the web application defines its own session to hold this data. HTTP is the final stage on which session hijacking occurs, but unlike TCP and UDP, the session to hijack has more to do with the web application's implementation than with the protocol (HTTP) itself.

3. Levels of session hijacking

Session hijacking can be done at two levels: the network level and the application level. Network level hijacking involves TCP and UDP sessions, whereas application level session hijacking occurs with HTTP sessions. Attacks at each level are not unrelated, however. Most of the time they will occur together, depending on the system that is attacked. For example, a successful attack on a TCP session will no doubt allow one to obtain the information needed to make a direct attack on the user session at the application level.

3.1 Network level hijacking

The network level refers to the interception and tampering of packets transmitted between client and server during a TCP or UDP session. Network level session hijacking is particularly attractive to hackers because they do not have to customize their attacks on a per-web-application basis. It is an attack on the data flow of the protocol, which is shared by all web applications [7].

3.1.1 TCP session hijacking

The goal of the TCP session hijacker is to create a state where the client and server are unable to exchange data, so that he can forge acceptable packets for both ends which mimic the real packets. Thus the attacker is able to gain control of the session. At this point, the reason why the client and server drop packets sent between them is that the server's sequence number no longer matches the client's ACK number and, likewise, the client's sequence number no longer matches the server's ACK number. To hijack a session in a TCP network the hijacker employs the following techniques [7]:

• IP spoofing
• Blind hijacking
• Man-in-the-middle attack (packet sniffing)

IP spoofing

IP spoofing is "a technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host." [2] Once the hijacker has successfully spoofed an IP address, he determines the next sequence number that the server expects and uses it to inject a forged packet into the TCP session before the client can respond. By doing so he creates the "desynchronized state": the sequence and ACK numbers are no longer synchronized between client and server, because the server registers having received a new packet that the client never sent. Sending more of these packets creates an even greater inconsistency between the two hosts.

Blind hijacking

If source routing is disabled, the session hijacker can also employ blind hijacking, where he injects his malicious data into intercepted communications in the TCP session. It is called "blind" because the hijacker can send data or commands but cannot see the response; he is essentially guessing the responses of the client and server. An example of a malicious command a blind hijacker can inject is one that sets a password allowing him access from another host.

Figure 3: Blind injection

Man-in-the-middle attack (packet sniffing)

This technique involves using a packet sniffer that intercepts the communication between the client and server. With all the data between the hosts flowing through the hijacker's sniffer, he is free to modify the content of the packets. The trick to this technique is to get the packets routed through the hijacker's host [1].

3.1.2 UDP session hijacking

Hijacking a session over the User Datagram Protocol (UDP) is exactly the same as over TCP, except that UDP attackers do not have to worry about the overhead of managing sequence numbers and other TCP mechanisms. Since UDP is connectionless, injecting data into a session without being detected is extremely easy. If a "man in the middle" situation exists, this becomes even easier for the attacker, since he can also stop the server's reply from reaching the client in the first place [6]. Figure 4 shows how an attacker could do this.

Figure 4: Session hijacking over UDP

DNS queries, online games such as Quake and Half-Life, and peer-to-peer sessions are common protocols that work over UDP; all are popular targets for this kind of session hijacking.
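To make the sequence/ACK bookkeeping of section 2.1 and the "desynchronized state" of section 3.1.1 concrete, here is a small Python model added as an illustration; it is not code from the paper or from any of its references. It keeps only the fields the text talks about (sequence number, ACK number, payload length, SYN/ACK flags). The endpoint names, the initial sequence numbers X=1000 and P=5000, and the acceptance rule (a segment is accepted only when its sequence number is exactly the next one expected) are assumptions of the model, not of any real TCP implementation, which also has windows, retransmission and reset handling.

```python
"""Toy model of TCP sequence/ACK bookkeeping (constructed illustration, not a real stack)."""
from dataclasses import dataclass, field


@dataclass
class Segment:
    src: str             # who sent it: "client", "server" or a third party
    seq: int             # sequence number of this segment (first payload byte)
    ack: int             # next sequence number the sender expects from its peer
    payload: bytes = b""
    flags: str = ""      # "", "SYN", "SYN/ACK" or "ACK"


@dataclass
class Endpoint:
    name: str
    snd_nxt: int                 # next sequence number this side will use
    rcv_nxt: int = 0             # next sequence number this side expects to receive
    delivered: list = field(default_factory=list)

    def send(self, payload: bytes = b"", flags: str = "") -> Segment:
        seg = Segment(self.name, self.snd_nxt, self.rcv_nxt, payload, flags)
        # A SYN consumes one sequence number; so does every payload byte.
        self.snd_nxt += len(payload) + (1 if "SYN" in flags else 0)
        return seg

    def receive(self, seg: Segment) -> bool:
        """In-order delivery rule of the model: accept only the exact next expected seq."""
        if "SYN" in seg.flags:          # handshake: adopt the peer's initial sequence number
            self.rcv_nxt = seg.seq + 1
        elif seg.seq != self.rcv_nxt:   # anything else out of place is dropped
            return False
        else:
            self.rcv_nxt = seg.seq + len(seg.payload)
        self.delivered.append(seg)
        return True


def three_way_handshake(client_isn: int, server_isn: int):
    """Figure 1: SYN (seq X), SYN/ACK (seq P, ack X+1), ACK (seq X+1, ack P+1)."""
    client, server = Endpoint("client", client_isn), Endpoint("server", server_isn)
    server.receive(client.send(flags="SYN"))       # server now expects X+1
    client.receive(server.send(flags="SYN/ACK"))   # client now expects P+1
    server.receive(client.send(flags="ACK"))       # ack field carries P+1
    return client, server


def send_data(sender: Endpoint, receiver: Endpoint, payload: bytes):
    """Figure 2: deliver one data segment; return the receiver's ACK, or None if dropped."""
    if not receiver.receive(sender.send(payload)):
        return None
    return receiver.send(flags="ACK")


def show_desynchronized_state(client: Endpoint, server: Endpoint):
    """Why the 'desynchronized state' of section 3.1.1 arises.

    A segment from a third party that carries exactly the sequence number the
    server expects is indistinguishable from the client's own traffic under the
    rule above. Once the server has consumed it, the client's next legitimate
    segment no longer lines up with server.rcv_nxt and is dropped.
    Returns (foreign_accepted, legitimate_accepted)."""
    foreign = Segment("third-party", server.rcv_nxt, client.rcv_nxt, b"XYZ")
    foreign_accepted = server.receive(foreign)
    legitimate_accepted = server.receive(client.send(b"B"))
    return foreign_accepted, legitimate_accepted


if __name__ == "__main__":
    c, s = three_way_handshake(client_isn=1000, server_isn=5000)
    print("after handshake: server expects", s.rcv_nxt, "client expects", c.rcv_nxt)
    ack = send_data(c, s, b"A")
    print("server ACKs", ack.ack, "after one byte (X+2)")
    print("foreign accepted, client's next accepted:", show_desynchronized_state(c, s))
```

Running the block prints that the server expects 1001 (X+1) and the client 5001 (P+1) after the handshake, that the server acknowledges with 1002 (X+2) after the single byte "A", and finally (True, False): the receiver has no way, from sequence numbers alone, to tell the foreign segment from the client's, which is the whole reason the countermeasures of section 4 work at the encryption and session-key level rather than on the TCP bookkeeping.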

3.2 Application level hijacking

The application level refers to obtaining session IDs to gain control of the HTTP user session as defined by the web application. At the application level, the session hijacker not only tries to hijack existing sessions but also tries to create new sessions using stolen data. Session hijacking at the application level mainly involves obtaining a valid session ID by some means in order to gain control of an existing session or to create a new unauthorized session.

3.2.1 HTTP session hijacking

HTTP session hijacking is all about obtaining the session ID, since web applications key off this value to determine identity. We now describe the techniques involved in HTTP session hijacking [7].

Obtaining session IDs

Session IDs can generally be found in three locations [5]:

• Embedded in the URL, which is received by the application through HTTP GET requests when the client clicks on links embedded in a page.
• Within the fields of a form submitted to the application. Typically the session ID would be embedded in the form as a hidden field and submitted with the HTTP POST command.
• In cookies.

All three of these locations are within reach of the session hijacker. Session information embedded in the URL is accessible by looking through the browser history or through proxy server or firewall logs. A hijacker can sometimes re-enter the URL from the browser history and gain access to a web application if it was poorly coded. Session information in a form submitted through the POST command is harder to access, but since it is still sent over the network it can still be obtained if the data is intercepted. Cookies are accessible on the client's local machine and are also sent and received as the client surfs to each page. The session hijacker has a number of ways to guess the session ID or steal it from one of these locations.

Observation (sniffing)

Using the same techniques as in TCP session hijacking, the hijacker can create the "man in the middle" situation and use a packet sniffer. If the HTTP traffic is sent unencrypted, the session hijacker has the traffic redirected through his host, where he can examine the intercepted data and obtain the session ID. Unencrypted traffic could carry the session ID and even usernames and passwords in plain text, making it very easy for the session hijacker to obtain the information required to steal a session or create his own unauthorized session.

Brute force

If the session ID appears to be predictable, the hijacker can also guess the session ID via a brute force technique, which involves trying a number of session IDs based upon the pattern. This can easily be set up as an automated attack, going through multiple possibilities until a session ID works. "In ideal circumstances, an attacker using a domestic DSL line can potentially conduct up to as many as 1000 session ID guesses per second." Therefore, if the algorithm that produces the session ID is not random enough, the session hijacker can obtain a usable session ID rather quickly using this technique.
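The following Python snippet is an added example (not from the paper) that turns the 1000-guesses-per-second figure quoted above into a concrete estimate of how long blind guessing takes against session IDs of different strengths, which is the calculation a reviewer makes when judging whether an ID scheme is "random enough". The formula, the sample ID formats (a 6-digit number, 8 lowercase letters, and a 256-bit token from Python's secrets.token_urlsafe) and the figure of 1000 concurrently valid sessions are assumptions of the example; the paper does not give them.

```python
"""Estimating exposure to session-ID guessing (constructed example)."""
import math
import secrets


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of an ID of `length` symbols drawn uniformly from `alphabet_size` symbols.

    This is an upper bound: a generator with visible structure (timestamps, counters)
    has far less, which is what the paper's 'predictable session ID' means."""
    return length * math.log2(alphabet_size)


def expected_seconds_to_hit(id_bits: float, valid_ids: int, guesses_per_second: float) -> float:
    """Expected time until a blind guesser hits ANY of the `valid_ids` live sessions.

    Each guess succeeds with probability valid_ids / 2**id_bits, so the number of
    guesses needed is geometric with mean 2**id_bits / valid_ids."""
    if valid_ids < 1 or guesses_per_second <= 0:
        raise ValueError("need at least one valid ID and a positive guess rate")
    return (2.0 ** id_bits / valid_ids) / guesses_per_second


def new_session_id(nbytes: int = 32) -> str:
    """Long random session key from the OS CSPRNG: 32 bytes = 256 bits of entropy."""
    return secrets.token_urlsafe(nbytes)


def exposure_report(valid_ids: int = 1000, guesses_per_second: float = 1000.0) -> dict:
    """Compare weak and strong ID schemes under the quoted DSL guess rate (assumed 1000 live sessions)."""
    schemes = {
        "6-digit numeric": entropy_bits(10, 6),          # ~19.9 bits
        "8 lowercase letters": entropy_bits(26, 8),     # ~37.6 bits
        "token_urlsafe(32)": 8 * 32,                    # 256 bits
    }
    return {name: expected_seconds_to_hit(bits, valid_ids, guesses_per_second)
            for name, bits in schemes.items()}


if __name__ == "__main__":
    for name, seconds in exposure_report().items():
        print(f"{name:22s} expected time to hit one live session: {seconds:.3g} s")
    print("example strong ID:", new_session_id())
```

With the assumed 1000 live sessions and 1000 guesses per second, the 6-digit scheme falls in about one second and the 8-letter scheme in roughly 2.4 days, whereas the 256-bit token needs on the order of 10^71 seconds; this is the quantitative content behind the "long random number or string as the session key" recommendation in section 4.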
Misdirected trust [5]

This refers to using HTML injection and cross-site scripting to steal session information. HTML injection involves finding a way to inject malicious HTML code so that the client's browser will execute it and send session data to the hijacker. Cross-site scripting has the same goal, but more specifically exploits a web application's failure to validate user-supplied input before returning it to the client system. "Cross-site" refers to the security restrictions placed on data associated with a web site (e.g. session cookies). The goal of the attack is to trick the browser into executing injected code under the same permissions as the web application's domain. By doing so, the attacker can steal session information from the client side. The success of such an attack is largely dependent on the susceptibility of the targeted web application.

4. Avoidance of session hijacking

To protect a network against session hijacking, one has to implement security measures at both the application level and the network level. Network level hijacks can be prevented by encrypting the packets so that the hijacker cannot decipher the packet headers to obtain any information that would aid in spoofing. This encryption can be provided by protocols such as IPSec, SSL and SSH. The Internet security protocol (IPSec) has the ability to encrypt the packet under a key shared between the two parties involved in the communication [7]. IPSec runs in two modes: transport and tunnel. In transport mode only the data carried in the packet is encrypted, while in tunnel mode both the packet headers and the data are encrypted, so it is more restrictive [4]. To prevent the application session from being hijacked it is recommended to use strong session IDs so that they cannot be hijacked or deciphered at any cost. SSL (Secure Socket Layer) and SSH (Secure Shell) also provide strong encryption using SSL certificates so that the session cannot be hijacked, but tools such as Cain & Abel can spoof SSL certificates and decipher everything! Expiring sessions after a definite period of time requires re-authentication, which defeats the hacker's tricks [7].

Methods to avoid session hijacking include [8]:

• An open source solution is ArpON ("ARP handler inspectiON"). It is a portable ARP handler which detects and blocks all man-in-the-middle attacks through ARP poisoning and spoofing attacks, using a static ARP inspection (SARPI) and dynamic ARP inspection (DARPI) approach on switched LANs with or without DHCP. This requires an agent on every host that is to be protected.
• Use of a long random number or string as the session key. This reduces the risk that an attacker could simply guess a valid session key through trial and error or brute force attacks.
• Regenerating the session ID after a successful login. This prevents session fixation, because the attacker does not know the session ID of the user after he has logged in.
• Encryption of the data passed between the parties, in particular the session key. This technique is widely relied upon by web-based banks and other e-commerce services, because it completely prevents sniffing-style attacks. However, it could still be possible to perform some other kind of session hijack.
• Some services make secondary checks against the identity of the user. For

example, a web server could check with each request that the IP address of the user matches the one last used during that session. This does not prevent attacks by somebody who shares the same IP address, however, and could be frustrating for users whose IP address is liable to change during a browsing session.
• Alternatively, some services change the value of the cookie with each and every request. This dramatically reduces the window in which an attacker can operate and makes it easy to identify whether an attack has taken place, but it can cause other technical problems.
• Users may also wish to log out of websites whenever they are finished using them.

5. Conclusion

Session hijacking remains a serious threat to networks and web applications on the web. This paper provides a general overview of how the malicious exploit is done and how the information security engineer can protect networks and web applications from this threat. It is important to protect our session data at both the network and application levels. Although implementing all of the countermeasures discussed here does not completely guarantee full immunity against session hijacking, it does raise the security bar and forces the session hijacker to come up with alternative and perhaps more complex methods of attack. It is a good idea to keep testing and monitoring our networks and applications to ensure that they will not be susceptible to the hijacker's tricks.

We earnestly hope that the paper we have presented will cater to the needs of novice researchers and students who are interested in session hijacking.

6. References

[1] Lam, Kevin, David LeBlanc, and Ben Smith. "Hacking: Fight Back: Theft On The Web: Prevent Session Hijacking." Microsoft TechNet Festival, Winter 2005. 1 Jan. 2005.
[2] http://www.webopedia.com/
[3] Morana, Marco. "Make It and Break It: Preventing Session Hijacking and Cookie Manipulation." Secure Enterprise Summit, 23 Nov. 2004.
[4] William Stallings, Network Security Essentials, 3rd Edition, Pearson Education.
[5] Ollman, Gunter. "Web Session Management: Best Practices in Managing HTTP Based Client Sessions." Technical Info: Making Sense of Security. Accessed 20 Dec. 2004.
[6] Kevin L. Paulson, "Hack Proofing Your Network", 1st Edition, Global Knowledge Professional Reference, Syngress.
[7] Mark Lin. "Session Hijacking in Windows Networks." GSEC Practical Assignment v1.4c (Option 1), SANS Institute of Information Security. Submitted 1/18/2005.
[8] www.wikipedia.com
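As an added example (not the paper's own code, nor that of any of its references), the following Python session store implements in one place the application-level countermeasures listed in section 4: a long random session key, regeneration of the ID after a successful login (against session fixation), idle and absolute expiry that force re-authentication, optional rotation of the cookie value on every request, and the secondary IP-address check together with the drawback the paper notes for it. The timeout values, the cookie name SESSIONID and the addresses used in the demonstration are assumptions of the example; the Secure and HttpOnly cookie attributes are standard attributes that the paper does not discuss, included because they address the sniffing and cross-site scripting routes of section 3.2.1.

```python
"""Server-side session management applying the section 4 countermeasures (constructed example)."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple

IDLE_TIMEOUT = 15 * 60       # assumed: expire after 15 minutes without a request
ABSOLUTE_TIMEOUT = 8 * 3600  # assumed: hard lifetime, forces re-authentication


@dataclass
class Session:
    user: Optional[str]      # None until login succeeds
    client_ip: str           # address seen when the session was created
    created: float
    last_seen: float
    data: dict = field(default_factory=dict)


class SessionStore:
    def __init__(self, rotate_every_request: bool = False, bind_ip: bool = True,
                 clock: Callable[[], float] = time.time):
        self._sessions: dict = {}
        self.rotate_every_request = rotate_every_request
        self.bind_ip = bind_ip
        self.clock = clock   # injectable so expiry can be exercised without waiting

    @staticmethod
    def _new_id() -> str:
        # "Long random number or string as the session key": 256 bits from the OS CSPRNG.
        return secrets.token_urlsafe(32)

    def create(self, client_ip: str) -> str:
        sid = self._new_id()
        now = self.clock()
        self._sessions[sid] = Session(None, client_ip, now, now)
        return sid

    def _lookup(self, sid: str, client_ip: str) -> Optional[Session]:
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self.clock()
        if now - sess.last_seen > IDLE_TIMEOUT or now - sess.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]          # expired: the user must re-authenticate
            return None
        if self.bind_ip and sess.client_ip != client_ip:
            # Secondary identity check. Caveat from the paper: it does not stop an
            # attacker who shares the IP, and it breaks for users whose address changes.
            return None
        sess.last_seen = now
        return sess

    def _rotate(self, sid: str) -> str:
        sess = self._sessions.pop(sid)      # the old ID stops working immediately
        new_sid = self._new_id()
        self._sessions[new_sid] = sess
        return new_sid

    def login(self, sid: str, client_ip: str, user: str) -> Optional[str]:
        """Authenticate and regenerate the ID, so a pre-set (fixated) ID is worthless."""
        sess = self._lookup(sid, client_ip)
        if sess is None:
            return None
        sess.user = user
        return self._rotate(sid)

    def touch(self, sid: str, client_ip: str) -> Tuple[Optional[Session], Optional[str]]:
        """Validate a request. Returns (session, ID to put in the response cookie)."""
        sess = self._lookup(sid, client_ip)
        if sess is None:
            return None, None
        if self.rotate_every_request:      # shrinks the attacker's window, as the paper notes
            return sess, self._rotate(sid)
        return sess, sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """Keep the ID off cleartext HTTP (Secure) and away from injected script (HttpOnly)."""
    return f"Set-Cookie: SESSIONID={sid}; Secure; HttpOnly; Path=/"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("203.0.113.5")            # documentation-range address, constructed
    print(set_cookie_header(sid))
    sid = store.login(sid, "203.0.113.5", "alice")
    print("after login the cookie is re-issued:", set_cookie_header(sid))
    print("same ID presented from another address:", store.touch(sid, "198.51.100.9"))
```

The clock is injected so that the expiry rules can be exercised deterministically; in production the default time.time is used. Per-request rotation is left off by default because, exactly as the paper warns, it interacts badly with concurrent requests from the same browser, which can race to present an ID that the previous response has just retired.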

Authors Profile

Dr. D. Lalitha Bhaskari is an Associate Professor in the Department of Computer Science and Engineering of Andhra University. She did her PhD from JNTU Hyderabad in the area of steganography and watermarking. Her areas of interest include theory of computation, data security, image processing, data communications and pattern recognition. Apart from her regular academic activities she holds prestigious responsibilities such as Associate Member of the Institution of Engineers, Member of IEEE, and Associate Member of the Pentagram Research Foundation, Hyderabad, India. She is also the recipient of the "Young Engineers" Award from the prestigious Institution of Engineers (INDIA) for the year 2008 in the Computer Science discipline.

Dr. C.P.V.N.J. Mohan Rao is a Professor in the Department of Computer Science and Engineering and Principal of Avanthi Institute of Engineering & Technology, Narsipatnam. He did his PhD from Andhra University, and his research interests include image processing, networks and data security, data mining and software engineering. He has guided more than 50 M.Tech projects. He has received many honours and has been a member of many expert committees, a member of many professional bodies and a resource person for various organizations.

Mr. P. Ramesh Babu is an Assistant Professor in the Department of Computer Science & Engineering of Sri Prakash College of Engineering, Tuni. His research interests include steganography, digital watermarking, information security and data communications. Mr. Ramesh Babu did his M.Tech in Computer Science & Engineering from JNTU Kakinada. He has 5 years of good teaching experience. Contact him at: rameshbabu_kb@yahoo.co.in
