Session hijacking attack
Thank you for visiting OWASP.org. We recently migrated our community to a new web platform and regretably the content for this page needed to be programmatically ported from its previous wiki page. There’s still some work to be done.
This is an example of a Project or Chapter Page.
The Session Hijacking attack consists of the exploitation of the web session control mechanism, which is normally managed for a session token.
Because http communication uses many different TCP connections, the web server needs a method to recognize every user’s connections. The most useful method depends on a token that the Web Server sends to the client browser after a successful client authentication. A session token is normally composed of a string of variable width and it could be used in different ways, like in the URL, in the header of the http requisition as a cookie, in other parts of the header of the http request, or yet in the body of the http requisition.
The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server.
The session token could be compromised in different ways; the most common are:
- Predictable session token;
- Session Sniffing;
- Man-in-the-middle attack
- Man-in-the-browser attack
In the example, as we can see, first the attacker uses a sniffer to capture a valid token session called “Session ID”, then they use the valid token session to gain unauthorized access to the Web Server.
Figure 1. Manipulating the token session executing the session hijacking attack.
Cross-site script attack
<SCRIPT> alert(document.cookie); </SCRIPT>
Figure 2. Code injection.
Other Examples The following attacks intercept the information exchange between the client and the server:
Related Threat Agents