Session hijacking is a type of cyberattack that WordPress site owners need to know about. Also known as TCP session hijacking, session hijacking makes attackers look like properly logged-in users. The attacker takes over a user session by obtaining their session ID without the valid user’s knowledge or permission. After an attacker has stolen a user’s session ID, they can masquerade as the targeted user and do everything the authorized user can do once logged into that system.
One of the worst things hackers can do with a hijacked session is gain access to a web application or server controls without authentication. When an attacker hijacks a user’s session they don’t need to authenticate themselves as long as the session is active. The application that generated the session thinks they are the authenticated user whose session they’ve hijacked.
In other words, the hacker will enjoy the same access as the user they’ve compromised. Since the legitimate user already authenticated their session before the attack happened, a successful hijacking lets an attacker completely bypass authentication.
In this guide, we’ll dive into the details of session hijacking. We’ll show you exactly what you need to do to prevent it from happening to your WordPress site.
What Exactly Is a Session?
A session is simply a series of interactions between communication endpoints that occur throughout a single HTTP connection.
The Hypertext Transfer Protocol (HTTP) is foundational to the web. It’s what allows you to use hypertext links and load web pages. HTTP is also an application layer protocol for passing information between devices on a network.
A key characteristic of HTTP is that it’s “stateless.” That means it doesn’t save any data about clients (like you and your browser) who open a session with a website. Each session is completely new. HTTP does not preserve data about users from their previous sessions.
Dealing with Statelessness
Web applications like WordPress need to track state across multiple connections from the same and different users. The application needs to identify each user’s session once they’ve logged in, potentially on more than one device or browser.
When a user logs into an application like WordPress, the server creates a session. The session will maintain the “state” of the connection for the user by storing parameters that are unique to them. Sessions are kept alive on the server for the entire period a user is logged into the application.
A session ends when a user logs out of the system or after a pre-defined period of no activity. When a user session ends, the application should delete its data from the server’s memory.
Session IDs (or “keys” or “tokens”) are the unique session identifiers. Typically, they are long, random alphanumeric strings the server and client transmit to each other. The authenticating application normally stores session IDs in URLs, cookies, or hidden fields on web pages.
While session IDs are useful for maintaining state in a stateless system, they also come with some potential security hazards. For example, if the algorithm that generates session IDs for a web application is known and predictable, valid IDs can be generated without ever logging in. Further, if the web application isn’t using SSL encryption to encrypt HTTP as HTTPS, it will be transmitting session IDs in the clear. On a public network, anyone can eavesdrop on unencrypted connections and steal session IDs.
How Exactly Does Session Hijacking Work In Practice?
Successful session hijack attacks are extremely stealthy. They’re usually carried out on very busy networks with a lot of active communication sessions.
Some of the most common forms of session hijacking make use of:
- Predictable session token IDs
- Session sniffing
- Session sidejacking
- Man-in-the-browser malware
- Cross-site scripting
- Session fixation
Let’s take a look at each one of these threat vectors individually.
Predictable Session Token IDs
A lot of web servers use custom algorithms or predefined patterns to generate their session IDs. The more predictable a session token is, the weaker it is, and the easier it is for a hacker to guess.
Session Sniffing
Session sniffing is one of the simplest and most basic methods hackers use for application-layer session hijacking.
An attacker will use a packet sniffer, such as Wireshark, or a proxy like OWASP ZAP (Zed Attack Proxy) to capture network traffic. If this traffic contains unencrypted session IDs for connections between clients and a website, the IDs can be stolen. Hackers can use the valid ID or token to quickly gain unauthorized access to the site and its users’ accounts.
Session Sidejacking
An attacker can use packet sniffing to intercept session cookies for users as they log into a site. If login pages are not encrypted or weak encryption is used, a cybercriminal can easily hijack user sessions this way.
Man-in-the-Browser Malware
In this attack, the attacker first has to infect a victim’s computer or browser with malware.
This malware can invisibly modify browser transaction information and create transactions without the user being aware. The corrupted browser’s requests originate from the victim’s own physical device, so the site assumes they’re valid.
Cross-Site Scripting
A cybercriminal may exploit application or server vulnerabilities to inject arbitrary code into a site’s web pages. Visitors’ browsers then execute that code whenever a compromised page is loaded.
When the HttpOnly flag isn’t set on session cookies, injected code can read the session key. This gives attackers all they need to hijack a user session.
Session Fixation
Session fixation uses a valid session ID that hasn’t been authenticated yet. The attacker tries to trick a user into authenticating with this particular ID.
Once the authentication happens, the attacker has full access to the computer of the victim.
Session fixation exploits a significant weakness in how the web application manages session IDs.
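As an added example (not code from this article or from WordPress), here is a toy server-side session store that shows the two rules that defeat fixation and, from the earlier section, why IDs should come from a cryptographic random source: only IDs the server itself issued are honoured, and a fresh ID is issued at login. The store, its `rotate_on_login` and `accept_unissued` switches, and the user names are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class SessionStore:
    """Toy server-side session store (constructed for this example, not WordPress code).

    Defaults are the hardened behaviour; the two flags switch on the weaknesses
    that session fixation relies on.
    """
    rotate_on_login: bool = True      # issue a fresh ID when the user authenticates
    accept_unissued: bool = False     # honour IDs this server never created (weak)
    sessions: Dict[str, Optional[str]] = field(default_factory=dict)  # id -> user or None

    def new_session(self) -> str:
        # 32 bytes from the OS CSPRNG: not derivable from time, counters or addresses.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = None
        return sid

    def login(self, presented_sid: Optional[str], user: str) -> str:
        """Authenticate `user`; return the ID the browser must use from now on."""
        sid = presented_sid if presented_sid in self.sessions else None
        if sid is None and self.accept_unissued and presented_sid:
            # Weak: adopt whatever ID the browser presented, even one planted by an attacker.
            self.sessions[presented_sid] = None
            sid = presented_sid
        if sid is None or self.rotate_on_login:
            # Hardened: the pre-login ID (possibly planted) is destroyed and replaced.
            if sid is not None:
                del self.sessions[sid]
            sid = self.new_session()
        self.sessions[sid] = user
        return sid

    def user_for(self, sid: str) -> Optional[str]:
        return self.sessions.get(sid)


def fixation_attempt(store: SessionStore) -> Tuple[Optional[str], str]:
    """Replay the scenario from the text: the victim logs in using an ID the attacker chose.

    Returns (user the attacker sees via the planted ID, ID the victim actually ends up with).
    """
    planted = "attacker-chosen-id"   # constructed placeholder for the fixed ID
    victim_sid = store.login(planted, "alice")
    return store.user_for(planted), victim_sid


if __name__ == "__main__":
    weak = SessionStore(rotate_on_login=False, accept_unissued=True)
    print("weak store, attacker sees:", fixation_attempt(weak)[0])              # alice
    print("hardened store, attacker sees:", fixation_attempt(SessionStore())[0])  # None
```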
What Does a Hacker Get Out Of Session Hijacking?
When a hacker hijacks a session, they can do anything that a legitimate user was authorized to do in that active session.
The most effective — and damaging — session hijacking might result in:
- Compromised bank accounts
- Unauthorized online purchases
- Identity theft
- Data theft from internal company systems
Not good! A successful session hijack can do a lot of damage.
What Are Some Examples Of Session Hijacking?
In the fall of 2012, two security researchers named Juliano Rizzo and Thai Duong announced CRIME, an attack that takes advantage of an information leak within the compression ratio of TLS requests as a side channel. This enabled them to decrypt the requests made by the client to the server.
In turn, this allowed them to grab a user’s login cookie and hijack the session, impersonating them on high-value online destinations like ecommerce sites and banks.
The demonstration showed how an attacker could execute this type of attack to recover the headers of an HTTP request.
CRIME uses brute force to decrypt the HTTPS cookies that websites set to remember authenticated users. The attack code forces the victim’s browser to send specially crafted HTTPS requests to a targeted website and analyzes the variation in their length after compression to determine the value of the victim’s session cookie. This is possible because SSL/TLS compression uses an algorithm called DEFLATE, which eliminates duplicate strings.
The attack code can’t read the session cookie included in the requests because of security mechanisms in the browser. However, it can control the path of every new request and can insert different strings into it in an attempt to match the value of the cookie.
Session cookie values can be very long. They’re constructed of upper and lowercase letters and digits.
As a result, the CRIME attack code has to initiate a very large number of requests to decrypt them, which can take several minutes.
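As an added example (not from the article or the CRIME authors), this reproduces the side channel the text describes with Python’s zlib: the same DEFLATE algorithm shrinks a request more when the attacker-controlled path repeats the cookie value, and the leak disappears entirely when compression is off, which is why TLS compression is now disabled. The host name, cookie value and guesses are constructed.

```python
import zlib

# All values are constructed for this example; no real site or session is involved.
SECRET_COOKIE = "Cookie: sessionid=7f3a9c"   # appended by the victim's browser, unseen by the attacker


def request_bytes(path: str) -> bytes:
    # Same header layout every time; only the attacker-controlled path changes.
    return (
        f"GET /{path} HTTP/1.1\r\n"
        "Host: shop.example\r\n"
        "Accept: text/html\r\n"
        "Accept-Language: en-US\r\n"
        f"{SECRET_COOKIE}\r\n\r\n"
    ).encode()


def wire_size(path: str, compressed: bool) -> int:
    """Bytes on the wire for one request, with or without DEFLATE compression."""
    raw = request_bytes(path)
    return len(zlib.compress(raw, 9)) if compressed else len(raw)


def size_delta(correct_guess: str, wrong_guess: str, compressed: bool) -> int:
    """How many bytes shorter the request gets when the path repeats the real cookie value.

    A positive result means the length reveals which guess is right; 0 means no side channel.
    """
    return wire_size(wrong_guess, compressed) - wire_size(correct_guess, compressed)


if __name__ == "__main__":
    leak = size_delta("sessionid=7f3a9c", "sessionid=q1w2e3", compressed=True)
    safe = size_delta("sessionid=7f3a9c", "sessionid=q1w2e3", compressed=False)
    print(f"with DEFLATE the correct guess is {leak} bytes shorter; without compression: {safe}")
```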
Session Hijacking Prevention
It’s important to remember that attackers can steal and reuse session IDs (or other sensitive cookie values) when they’re insecurely transmitted or stored. While no defense is a 100% guarantee, encryption is a major one.
When users authenticate, SSL and secure cookies need to be mandatory. And when authenticated users move between secure pages, they need to be kept on HTTPS.
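As an added example (not from the article or from iThemes), a small checker that reads a raw HTTP response and reports whether a login cookie carries the Secure and HttpOnly flags and whether the response forces the browser to stay on HTTPS via Strict-Transport-Security. Both sample responses are constructed; the cookie name uses WordPress’s `wordpress_logged_in_` prefix with a placeholder suffix and value.

```python
from typing import Dict, List, Tuple

# Constructed sample responses (not captured from any real site). The cookie name
# follows WordPress's wordpress_logged_in_ prefix; suffix and value are placeholders.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: wordpress_logged_in_EXAMPLE=placeholder-value; path=/\r\n"
    "Content-Type: text/html\r\n\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: wordpress_logged_in_EXAMPLE=placeholder-value; path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n\r\n"
)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response into (lower-cased name, value) pairs, status line dropped."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_session_cookies(raw: str) -> Dict[str, List[str]]:
    """Return {cookie name: list of findings}; an empty list means the cookie passed."""
    headers = parse_headers(raw)
    has_hsts = any(name == "strict-transport-security" for name, _ in headers)
    findings: Dict[str, List[str]] = {}
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}   # attribute names only
        problems = []
        if "secure" not in attrs:
            problems.append("missing Secure: sent over plain HTTP, exposed to sniffing/sidejacking")
        if "httponly" not in attrs:
            problems.append("missing HttpOnly: readable by script injected via XSS")
        if not has_hsts:
            problems.append("no Strict-Transport-Security: browser is not forced to stay on HTTPS")
        findings[cookie_name] = problems
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_session_cookies(resp))
```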
Beyond that, WordPress site owners need to use the iThemes Security Pro WordPress security plugin for session hijacking protection. The Trusted Devices feature built into iThemes Security Pro will work 24 hours per day, seven days per week, to help keep your site safe from this dangerous attack. Learn how to set it up for your site’s users.
Understanding and Preventing Session Hijacking
With the information in this guide, you know all you need to protect your WordPress site from session hijacking:
- Ensure your site is fully encrypted using SSL and forces users to stay on HTTPS.
- Download and install the iThemes Security Pro plugin.
By taking those simple steps, you will shield your site against session hijacking.
The Best WordPress Security Plugin to Secure & Protect WordPress
WordPress currently powers over 40% of all websites, so it has become an easy target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.
Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.