Transcript for:
Understanding Session Hijacking and Prevention

What's up, Neanderthals, this is Yuba, and today we're gonna know all about session hijacking. What do you say about someone in a room inside of which exists all kinds of private stuff that belongs to that person, and then all of a sudden they decide to leave the room for a moment and come back, and because the process of opening the door and closing it is daunting due to the security measures, they thought leaving the door open for a short while is not a big deal. So they open the door and leave, and immediately after they disappear, the burglar that has waited so long for this moment enters the room, steals valuable stuff, displaces everything, wreaks havoc, and then disappears. This is an extreme case where the person will be able to recognize something changed, or a lot of things actually, in his room. But what if the burglar takes pictures of personal information or other things that would be of value to the burglar or the one who hired them? Well, if you think this someone is unlucky, you should know about the one who has his web session hijacked.

So in this lesson we're gonna learn about sessions, we're gonna see what session hijacking is and how it works, we'll dive into types of session hijacking, and we'll of course talk about some prevention measures. Let's dive in, folks.

So session hijacking is a lot like what happened to the unlucky fellow in the story. As our use and existence on the web increase, we find ourselves customers and users of many online services that range from entertainment to shopping to education, to name a few, and what we wish in this case is to have a smooth and seamless web experience. We don't want to log in every time we want to perform an action, right? For this to happen we need a mechanism whereby browsers and application servers can trust each other and communicate on our behalf. One way to do this is through sessions.

All right, so what is a session? A session is the time you stay active using a website. It is a technique used for servers to keep track of who you are during a period while using a website, and that's because HTTP is stateless. As you know, HTTP is the protocol of the web, and if you want to know more about HTTP and how the web works you can visit my other lessons about HTTP and the web; you will find the links below. Okay, so while the session is active, every request from your browser will be identified as coming from you. Otherwise, every time you make a new request you have to tell the server "hey, it's me again, and here is my personal ID." This is not a good way to serve the web, and there is no way the server could know when you're done with a website, so the session terminates either by you logging out or through an expiration mechanism; we'll talk about that in the security measures. It's worth noting that we need sessions because, as we said, HTTP is stateless; it is built not to keep information about users, so sessions help us associate requests to other requests. Without sessions, if you are on the Facebook news feed page and want to visit your profile, you would have to log in again, and that would be super cumbersome. Wait, huh, you know what, I just realized the session feature is the reason behind Facebook and social media addiction. Had sessions never existed, we would be living in a better world. Now that's... wow. HTTP actually is a perfect, flawless protocol; it's just beyond compare. Anyway.

When you first log into a web app you certainly log in using your username and password, right? The server may use this info along with other stuff to generate a unique ID or a key and pass it back to the web browser, and this marks the start of a session. The ID is what further requests will use to authenticate you and talk to the server, and of course this ID is called the session ID.

Now, you know we don't live in an ideal world, right? So what we'll talk about next is the dark side of human beings. Great. So attackers have several tricks up their sleeve to compromise systems, steal sensitive data and perform malicious actions. We've already seen a bunch of attacks they use; session hijacking is one of them. In this type of attack a hacker fools the website into thinking they are you and can then do anything you could do on the site. Hackers know how servers make use of session IDs to identify users, so they will try to find ways to steal those IDs, or even find ways to trick users into using IDs that they have control over, which is called session fixation. Session hijacking is any way an attacker can gain control over a user's session without their knowledge.

Now, to understand how session hijacking works we have to understand a couple of things, right? First, browsers keep track of session keys that are used to identify users. document.cookie is an attribute that contains all cookies, and you can read and write values in document.cookie using JavaScript. And the second thing is that communication over the internet is done through packets of information. When we send an HTTP request to the server, the data is text; it gets divided into packets and sent to the destination, and we need a way to safely get the data to the destination. Unfortunately not all settings are safe, and sometimes the network through which data is sent is not safe, such as unsecured Wi-Fi hotspots. Another important thing to know is that both servers and browsers keep track of session keys, and there could be many ways to access the storage files and databases on both ends if security measures are not in place. Now attackers know all this stuff and more, and this gives them a lot of options to hijack user sessions.

All right, so before I talk about specific types of session hijacking, keep in mind that there are three major ways to steal a valid session ID. First is of course guessing a valid session key through brute force; second is creating a valid session key and tricking the user into using it as their own; and the third is stealing a valid session key from the client or the server.

All right, so the first type I want to talk about is session hijacking through cross-site scripting. If you don't know much about this attack you can visit my short video about it. Cross-site scripting is a way to inject code into websites so that when the application is active or the page is loaded, the code executes. Usually it's JavaScript, and an attacker could simply inject code that reads the document.cookie key-value pairs and sends the data to the hacker's server. This is the most common and possibly the most dangerous type of session hijacking attack. The attacker first finds a vulnerability on the server or client side, then they inject malicious code into the website. How the attacker could inject code is another story; they could do it through an input form, through links, etc., and again, if you want a detailed explanation about this you can find it in the cross-site scripting video lesson. And of course, if there is no sanitization of input, the attacker could easily get the session key. So what would usually happen is that the attacker finds a cross-site scripting vulnerability in a web app; they inject malicious code that would read and steal users' session keys. Now that the trap has been set, right when a user logs into the web app, the server identifies the user, creates and sends a session key to the user's browser upon successful authentication. Unfortunately, at this moment the injected code is waiting for the user to log in; once that happens, the victim's browser executes the JavaScript code, and the attacker hijacks the session after they get the session key. Not a happy story, right?

Anyway, the second type is called session side-jacking. This is just a fancy way to describe a hacking technique called the man-in-the-middle attack. This technique is used to get the session key through sniffing. The attacker could easily get involved in the communication between the server and the browser of the user if the client side is using an insecure network, so through packet sniffing the attacker could observe the communication between the server and the client and intercept the session cookie when the user authenticates on the server. Hackers take advantage of websites that use SSL/TLS encryption only for the login step and not for the entire session to perform this type of attack, and of course, as we said, unsecured Wi-Fi spots help a lot. So when the attacker receives the desired packet, they can have access to the user's active session and impersonate them to do nefarious things. Yep, another sad story, and there are a couple more, but the good news is that we will learn how to stop these types of stories and create happy ones, most of the time of course, so keep watching.

Okay, session hijacking using malware, or malicious software, is another way to obtain valid session keys. When a user clicks a malicious link that would trigger a download of malicious software, the malware gets downloaded and installed on the client's, or the user's, computer. Once in the victim's system, it may use network sniffing for web-based messages to detect session data and send them to the perpetrator. The malware could also access the local storage file for the browser to fetch session cookies.

All right, so this is another type of session hijacking, and I have a couple more, but these last two types are classified as session fixation and session prediction respectively. Session fixation is a slightly different type of attack in that the hacker begins the attack before the user logs in. Actually, the attacker will have a valid session key at their disposal and tries to induce or force the victim into logging in to the desired website using the session ID injected by the attacker. There are many ways to perform this type of attack; HTTP query parameters are one way to pass the valid session key to the victim. The link will take the victim to a login form, and upon successful authorization the injected session ID will be used to identify the user for further requests. The attacker now can hijack the victim's session and do all sorts of things. The technique used to fixate the session ID will depend on how the application handles sessions. It could be as simple as sending a malicious URL, or the attacker might have to create a fake website with a login form that will contain the session key hidden. Cross-site scripting could be used to change the session cookie or manipulate HTTP header values as well. And finally, the attacker could resort to brute force to guess or predict the session key; plenty of tools would help to achieve that. This technique is possible if the website uses a weak mechanism to create session IDs; using short, predictable IDs will make it easy for the attacker to guess the session key.

Generally, these are the main types of session hijacking. Diving deeper into these attacks is beyond the scope of this video, but this should give you a fair idea about session hijacking vulnerabilities. All right, so session hijacking is the result of insufficient web security or inappropriate session management. Now let's talk about how to turn the sad stories into happy ones when it comes to protection measures against this type of attack.

As a good practice, always check the validity of session IDs. Session keys range from expired to very old to duplicate, and there should be a mechanism through which a session key is checked and validated. Also, do not accept session identifiers from POST and GET requests; this is just a good opening for hackers to fixate session IDs. Sweet. Now there are a couple of things that can be done to lower the chance for user sessions to be hijacked. First, use HTTPS for all traffic, and that means session traffic as well; using TLS/SSL for all your traffic ensures the hacker cannot intercept the plaintext session ID. Take a look at the HTTP Strict Transport Security policy to know more about this. Second, setting the HttpOnly flag on the Set-Cookie HTTP header will prevent access to cookies from client-side scripts. Feel free to watch the protection measures section and the cross-site scripting video to learn more about other security measures concerning cross-site scripting based attacks. All right, so the third protection measure is to regenerate the session ID after initial login, at least; this will prevent session fixation attacks. And speaking of changing the session key, setting a reasonable session ID expiration date is a good practice to make sure you don't have valid session keys forever. Another security measure is using secure frameworks and libraries for session ID generation and management; community-verified and proven libraries are just stronger and more secure than implementing your own session management logic.

So yeah, that was a lot of information. You might feel overwhelmed and your head might want to explode now, but the good news is this is a video: you can repeat it, you can stop it, you can slow it down and take your time to really understand these things. So these are the major security measures taken to prevent session hijacking. Other important things to do, and best practices, are flagging session IDs as Secure, and re-authenticating users before important actions such as withdrawing money, changing your password, etc.; you might be familiar with this process if you are a regular web user. Great, so this should be enough to implement an acceptable policy to secure user sessions. Of course, security depends on the type of the system and what is involved; the more complex the application is, the more vulnerabilities it has and the more protection it will need.

All right, fellas, I enjoyed sharing with you my knowledge about session hijacking today. We've learned about sessions and session hijacking, we have seen types of attacks to gain access to valid session IDs, and of course we talked about prevention measures. I hope you enjoyed this video and learned something new, and don't forget to leave me a comment below if you have a question or suggestion or anything. You can like and subscribe as well to show your appreciation, that is, if you want to. Until the next video, stay fine and stay tuned.