Question

Due to cyber threats in the digital world, an aspiring penetration testers are in demand to enter the field of cybersecurity. A penetration testeris a professional who hasthe skills of a hacker; they are hired by an organisation to perform simulations of real world attacks because there are wide reaching consequences if systems in any organisation are compromised. Assume, yourself as an aspiring pen tester, how you will showcase the impact of session hijacking, session prediction, session fixation, session side jacking, cross-site scripting and illustrate some of the infamous session hijacking exploitsto your prospective employer BAGAD Pty. Ltd.

Answer 1

The impact can be showcased by performing all these activities on systems or network devices.

Session hijacking:

Session hijacking can be performed using Ettercap, a tool used for it. Using this tool, the session of any user, once they open the browser, can be taken over. First the session ID of the user is found and the session cookie is stolen. This can be done by sending a genuine looking session ID to the user.

Session prediction:

For session prediction, session ID is determined. This is done by sending fake mails to users and asking them to click on a link. Once the ID is known, the value can be used to imitate the genuine user and get entry into the system without authentication.

Session fixation:

Session fixation is done by using session ID again. The user is fooled into believing that a certain request came from a genuine user and owner of the session. The user then responds to the request and the attacker takes control over the session.

Session side jacking:

This can be done by packet sniffing. The session cookie is stolen by sniffing the packet on the network.

Cross-site scripting:

This is done using XSS. This is an injection type where scripts of malicious codes are used and injected into the website.

Infamous session hijacking exploits:

Very famous example from February 2020 is of anonymous session hijacking exploit on United Nation's site. The hackers created a page for the country Taiwan there with anonymous logo and flag and hacked the Social affairs' departmental server of United Nations.