10.2 - Session Hijacking

 10.2 - Session hijacking 

 

Key Terms: 

    • Session hijacking – Taking over an established connection between a host and a web server using a token. 
    • Session ID – A combination of letters and numbers assigned to an open connection between a user and a server. 

 

Session Hijacking Process 

The first step to hijack an active session is to first sniff the traffic between the target machine and the server. Next, the hacker will monitor the traffic and try to predict the packet sequence numbers. Then they will desynchronise the current session to be able to predict the session ID. Finally, commands will be injected to target the server. 

 

Session IDs 

The key to session hijacking lies in session IDs. Once a client is authenticated, the server provides a short period of time that the client can maintain an open connection. The server assumes that information sent and received during this session is being done by the appropriate user. Each reservation, or session, is assigned an alphanumeric session ID, also known as a session token. This token serves as the key--and this is where the opportunity lies for an attacker. If an attacker can capture or even calculate the ID, they can hijack a session. 

 

Application-Level Hijacking 

This is when the session ID lets the server know who it is communicating with. Session IDs can be found in web history, hidden fields and cookies. 

Comments

Post a Comment

Popular posts from this blog

OSA Summer 2023 Mock - Task 1, Assignment 1

Image
  OSA Summer 2023 Mock – Task 1           Legal requirements   The company must ensure they are compliant with the correct legislation whilst the project is undertaken.   If any person is working at height, the correct safety measures to prevent injury or death must be imposed under The Work at Height Regulations 2005. They must have an appropriate safety harness on and hazardous areas at height should be i dentified in the risk assessment.   By storing data internally on a local file server, the business is responsible for maintaining the confidentiality, availability and integrity of that data. They must comply with The Data Protection Act 2018 and General Data Protection Regulations.   Display screen equipment regulations (DSE) should be considered when installing workstations. Ergonomic and posture-friendly chairs should be installed and employees given appropriate breaks from working around screens.     Data p...
Read more

OSA Assignment 1 - Task 1 GUIDE

  OSA Assignment 1 – Task 1 Guide     Exam parameters   Time length – 3 hours   Marks available – 20     Task 1: Planning   In this task you are required to submit :   A project plan   Gantt chart showing th e critical path   Explanation of legal requirements   Physical and digital threat countermeasures   Annotated floor plan     Gantt Chart   The Gantt Chart is the first document you should create. This details each phase of the project alongside the timescale to complete it.   Ensure you make a note of the deadline for the project along with any pre-requisites such as cabling. This should all be implemented into your Gantt Chart.   You can follow a layout like this:   Project:   Pre considerations (Gathering project timescale, risk assessments, ...)   Planning (Devising project plan, identifying budget, ...)   Design (Research hardware, identify topology, ...)   Pre ...
Read more

Useful Core A Acronyms

  Useful core A acronyms     NGO – Non governmental organisation   KPI – Key performance indicator   USP – Unique selling point   CRM – Customer relationship management   Saas – Software as a service   CAB – Change advisory board   SMARTER – Specific, measurable, accurate , realistic, time-bound, evaluate, re-evaluate   IPO – Intellectual property office   RCD – Registered community designs   UCD – Unregistered community designs   TNA – Training needs analysis   PRR – Post project reviews   COBC – Code of business conduct   BCS – British computing society   ML – Machine learning   CVS – Computer vision syndrome   RSI – Repetitive strain injury   DSE – Display screen equipment   HSE – Health and safety executive   ODD – Optical disk drive   RPM – Revolutions per minute   CPU – Central processing unit   RAM – Random access memory   EMI – Electromagnetic inter...
Read more