Due to cyber threats in the digital world, aspiring penetration testers are in demand to enter the field of cybersecurity. A penetration tester is a professional who has the skills of a hacker; they are hired by an organisation to perform simulations of real-world attacks because there are wide-reaching consequences if systems in any organisation are compromised. Assume you are an aspiring pen tester: how will you showcase the impact of session hijacking, session prediction, session fixation, session side jacking and cross-site scripting, and illustrate some of the infamous session hijacking exploits to your prospective employer BAGAD Pty. Ltd.?
SESSION ATTACKS: Hackers like to use session attacks as they are well versed in them. Some of the session attacks are as follows:
Session Hijacking: A hacker takes control of an active TCP/IP communication session without the user’s permission. Once the hacker hacks the session, the hacker can do any of these: identity theft, information theft, stealing sensitive data, etc.
Session Prediction: Organizations must ensure that session IDs are unique and very hard to guess. Any algorithm can be used to create unique and strong session IDs. The attacker uses his skills to try to guess the algorithm based on the session properties. The attacker may also try a brute-force attack. Once he gets the algorithm, he can harm the organization very easily.
Session Fixation
Session fixation happens when the attacker creates/guesses a valid session ID which has not yet been used. The attacker then easily authenticates himself with the system. The attacker may try a format of session IDs which is valid, and then he may try phishing or a similar kind of attack technique to trick the user into clicking the login link and providing their credentials.
Session Side-Jacking
The term “session side-jacking” is commonly used to describe man-in-the-middle (MITM) attacks. These attacks are performed to steal the session. The attacker snoops on the communication between the client and the web server and intercepts valid session IDs. The simplest MITM attack is possible when traffic is not encrypted. All that is required is a simple sniffer working in the same local network as the client, monitoring network traffic for the user’s connections and sniffing packets. This is very common in public Wi-Fi networks.
Cross-site Scripting (XSS)
Cookies are tasty, and so hackers prefer to use cookies for their attacks. An attacker can get a session cookie using a Cross-site Scripting (XSS) attack. In the case of XSS, the victim visits a page which executes an embedded malicious JavaScript in the client browser. This malicious script gets the session cookie and sends it to a server controlled by the attacker.
Some Infamous Session Hijacking Exploits:
The impacts of session attacks are very detrimental to the organization. Organizations must employ penetration testers who can keep the organizations safe.
Final Words: "WHATEVER KIND OF SESSION ATTACK IS USED BY AN ATTACKER, THE ORGANIZATIONS MUST KEEP THEIR CYBER SECURITY TIGHT WHICH CAN FIGHT"
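The server-side handling that blunts the attacks listed in the answer, as an added example that is not part of the original answer. The class `SessionStore`, the function `session_cookie` and the cookie name `sid` are hypothetical names chosen for illustration; the store is a constructed in-memory stand-in for a framework's session layer.

```python
import secrets
from http.cookies import SimpleCookie


class SessionStore:
    """Constructed in-memory session store (illustration only)."""

    def __init__(self):
        self._sessions = {}  # session ID -> session data

    def _new_id(self):
        # Prediction: 256 bits from the OS CSPRNG; no counter, timestamp or user data.
        return secrets.token_urlsafe(32)

    def open(self, presented_id=None):
        # Fixation: an ID the server never issued is ignored, never adopted.
        if presented_id in self._sessions:
            return presented_id
        sid = self._new_id()
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        # Fixation: rotate the ID when the session becomes authenticated, so an
        # ID known to anyone before login is worthless afterwards.
        data = self._sessions.pop(sid, {"user": None})
        data["user"] = user
        new_sid = self._new_id()
        self._sessions[new_sid] = data
        return new_sid

    def user_for(self, sid):
        return self._sessions.get(sid, {}).get("user")


def session_cookie(sid):
    """Build the Set-Cookie value for a session ID."""
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["secure"] = True    # side-jacking: never sent over plain HTTP
    cookie["sid"]["httponly"] = True  # XSS: not readable through document.cookie
    cookie["sid"]["samesite"] = "Lax"
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login(store.open("id-planted-in-a-link"), "alice")
    print("Set-Cookie:", session_cookie(sid))
```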