
Session Hijacking

An attack where an adversary steals or predicts a valid session token to impersonate an authenticated user.

Session hijacking is an attack where an adversary obtains a valid session token belonging to another user and uses it to impersonate that user within the application. Because session tokens serve as proof of authentication after login, possessing a valid token grants the attacker full access to the victim's account without needing their credentials.

How It Works

Attackers steal session tokens through multiple vectors. Cross-site scripting vulnerabilities allow injected JavaScript to read the document's cookies and exfiltrate session tokens to an attacker-controlled server. Network-level attacks such as packet sniffing on unencrypted connections capture session cookies in transit. Man-in-the-middle attacks against improperly configured TLS connections intercept tokens during transmission. Malware on the victim's device can read session cookies directly from the browser's on-disk cookie store.

Session token prediction is another approach. If an application generates session IDs using weak or predictable algorithms, an attacker can analyze patterns in issued tokens and generate valid session IDs without stealing them. This is why cryptographically random session ID generation is critical. Even partial predictability, such as sequential numbering or time-based components, can reduce the search space enough to make brute-force attacks feasible.

Cross-site request forgery, while technically different, achieves a similar outcome by tricking the victim's browser into making requests that include the session cookie automatically. The attacker does not steal the token but uses the browser's automatic cookie attachment to perform actions as the victim. Proper session management must defend against both token theft and token misuse.

Why It Matters

Session hijacking bypasses authentication entirely, giving attackers the same access as the legitimate user without triggering login alerts or account lockout mechanisms. The attack is often invisible to both the user and the application, since every request carries a token the server considers valid. Defenses include marking cookies as HttpOnly so script cannot read them, setting the Secure flag so the browser never sends them over plaintext HTTP, setting a SameSite attribute to limit attachment to cross-site requests, binding sessions to client fingerprints, and enforcing TLS across all pages. Security assessments evaluate all of these controls because a weakness in any one of them can enable session theft.
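As an added example that is not part of the original entry, the Python below generates a session ID from a CSPRNG, issues it with the cookie attributes listed above, and audits any Set-Cookie header for the protections that are missing; the cookie name `sid` and path are assumptions.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed example: cookie name and path are assumptions, not taken
# from any particular framework.
SESSION_COOKIE = "sid"


def new_session_id(nbytes: int = 32) -> str:
    """Draw the session ID from the OS CSPRNG (256 bits by default).

    Sequential counters or timestamp-derived values shrink the search
    space enough for token prediction; secrets.token_urlsafe does not."""
    return secrets.token_urlsafe(nbytes)


def session_set_cookie(session_id: str) -> str:
    """Build the Set-Cookie header value for a hardened session cookie."""
    return (f"{SESSION_COOKIE}={session_id}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")


def audit_set_cookie(header_value: str) -> list[str]:
    """Return the protections missing from a Set-Cookie header.

    An empty list means the session cookie carries HttpOnly, Secure and
    SameSite; each finding names the theft or misuse vector it leaves open."""
    cookie = SimpleCookie()
    cookie.load(header_value)
    findings = []
    for name, morsel in cookie.items():
        if name != SESSION_COOKIE:
            continue
        if not morsel["httponly"]:
            findings.append("missing HttpOnly: readable by injected script (XSS)")
        if not morsel["secure"]:
            findings.append("missing Secure: sent over plaintext HTTP (sniffing)")
        if not morsel["samesite"]:
            findings.append("missing SameSite: attached to cross-site requests (CSRF)")
    return findings


if __name__ == "__main__":
    hardened = session_set_cookie(new_session_id())
    print("hardened:", audit_set_cookie(hardened) or "no findings")
    # Constructed weak header: predictable value, no protective attributes.
    print("weak:", audit_set_cookie("sid=10042; Path=/"))
```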
