
Session Fixation, Session Hijacking, and Captcha Bypass

Karthik B
What is a Session?

A session is the period during which a user interacts with a system. In computer systems, a user session begins when a user logs in to or accesses a specific computer, network, or software service, and it ends when the user logs out, the session times out, or the system is shut down. During a session, information related to the user's activities can be stored temporarily.

In web applications, the server keeps that information in a server-side session and hands the browser a cookie that carries only the session identifier. A cookie set without an expiry date is a "session cookie" and is discarded when the browser closes; a cookie with an expiry date persists across browser restarts, which is how a site can still remember the contents of your shopping cart when you leave and return later.

In server-side code, session variables are used to store temporary information, often for retrieving and displaying data across multiple web pages. Websites that require a username and password use session variables to carry state between pages, but only while the user is logged in to the application. Everything the session holds is reachable through the session identifier alone, which is why the identifier itself is the target of the attacks described below.

What is Session Fixation?

A session fixation attack lets an attacker take over a valid user session. The vulnerability lies in how the web application handles the session ID: the application fails to issue a new session ID when the user authenticates, so a session ID that existed before login stays valid after it. The attack consists of acquiring a valid session ID (for example, simply by connecting to the application), getting the victim to authenticate while using that session ID, and then presenting the same session ID to act as the authenticated user. The attacker must therefore hold a session ID the application accepts and find a way to make the victim's browser use it.

How is Session Fixation Performed:

A typical session fixation attack follows the steps below:

1. The attacker visits the web application's login page and receives a session identifier generated by the application. If the application accepts arbitrary session IDs (it creates a session for whatever ID it is handed), this step is not even necessary.
2. The attacker gets the victim to use that session identifier, for example through a crafted URL carrying the ID in a query parameter, a Set-Cookie header injected via CRLF injection, a man-in-the-middle position on the network, or social engineering. How hard this is depends on where the application accepts session IDs from (cookie only, or also URL and form parameters); in more complex cases it may involve a look-alike website.
3. The victim opens the login page, enters their credentials, and logs in. Because the application keeps the same session ID across authentication, it now treats anyone presenting this ID as the logged-in user.
4. The attacker sends requests with the session identifier they fixed, takes over the authenticated session, and acts as the victim. What happens next depends on the attacker's intentions and the functionality the application exposes.

Mitigation against Session Fixation:

• The standard defence is to issue a new session ID immediately after a user logs in (and on any other change of privilege) and to invalidate the old one; this alone removes most session fixation vulnerabilities.
• A further precaution is to change the session ID whenever something looks suspicious. For instance, the application might check whether the client's IP address or user-agent has changed and, if so, assign a new session ID. The IP address of legitimate mobile and corporate users changes routinely, so treat this as a signal rather than a hard rule.
• Invalidate session IDs after a defined timeout. For example, an automatic logout after 10 minutes of inactivity limits the window in which a fixed session ID can be exploited.
• Some sources suggest changing the session ID on every user action; this is heavy-handed, unnecessary, and can hurt user experience and performance. A reasonable compromise is to rotate the session ID before significant actions, such as changing the password or e-mail address.
• Carry the session ID only in a cookie, and never accept it from URL query strings, form fields, or custom request headers, because those are exactly the channels an attacker can put a chosen value into.
• HTTPS with HSTS, anti-CSRF tokens, and the appropriate cookie flags (Secure, HttpOnly, SameSite) reduce the attacker's ability to inject or read a session ID and therefore also help against session fixation.
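
The four attack steps and the first mitigation, run end to end as an added example (this is not code from the original page, and the toy server is not any real framework's API; the user store, credentials and session-ID handling are constructed for the demonstration). The same server is run once without and once with session-ID regeneration on login, so the difference the mitigation makes is visible in the result:

```python
"""Added example (not from the original page, not any real framework's API):
the four session fixation steps run against a toy in-memory server, first
without and then with session-ID regeneration on login. User store,
credentials and request shapes are constructed for the example."""
import hmac
import secrets
from typing import Dict, Optional, Tuple

USERS = {"alice": "correct horse battery staple"}   # constructed credentials


class Server:
    def __init__(self, rotate_on_login: bool):
        self.rotate = rotate_on_login
        self.sessions: Dict[str, dict] = {}   # session_id -> session data

    def get_session(self, sid: Optional[str]) -> str:
        """Resolve the session ID the server will use for a request.
        The vulnerable variant creates a session for *any* ID it is handed
        (so step 1, obtaining an ID, is unnecessary); the hardened variant
        only honours IDs it issued itself and mints a fresh one otherwise."""
        if sid is not None and sid in self.sessions:
            return sid
        if sid is not None and not self.rotate:
            self.sessions[sid] = {}            # accepts an attacker-chosen ID
            return sid
        new_sid = secrets.token_hex(16)        # 128 bits from the OS CSPRNG
        self.sessions[new_sid] = {}
        return new_sid

    def login(self, sid: Optional[str], user: str, password: str) -> str:
        """Authenticate; return the session ID the browser must keep."""
        sid = self.get_session(sid)
        stored = USERS.get(user)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            return sid                         # failed login, no privilege change
        if self.rotate:
            self.sessions.pop(sid, None)       # the pre-login (possibly fixed) ID dies here
            sid = secrets.token_hex(16)
            self.sessions[sid] = {}
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        return self.sessions.get(sid, {}).get("user")


def run_fixation(rotate_on_login: bool,
                 fixed_sid: Optional[str] = None) -> Tuple[Optional[str], Optional[str]]:
    """Steps 1-4. Returns (who the server thinks the attacker is, who it
    thinks the victim is). `fixed_sid` simulates an attacker-chosen ID
    handed to an application that accepts arbitrary session IDs."""
    srv = Server(rotate_on_login)
    attacker_sid = fixed_sid or srv.get_session(None)              # step 1
    # step 2 happens in the victim's browser (crafted URL, injected cookie):
    # the victim's login request now carries attacker_sid.
    victim_sid = srv.login(attacker_sid, "alice", USERS["alice"])  # step 3
    return srv.whoami(attacker_sid), srv.whoami(victim_sid)        # step 4


if __name__ == "__main__":
    print("no rotation:", run_fixation(False))   # ('alice', 'alice'): attacker is alice
    print("rotation   :", run_fixation(True))    # (None, 'alice'): attacker gets nothing
```

The hardened `login` deliberately drops the old session record before minting the new ID; regenerating the ID while leaving the old record alive would still let the attacker's copy authenticate.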
What is Session Hijacking?

Session hijacking is an attack in which an attacker takes control of a user's web session. In web browsing, a session is a series of interactions between a browser and a server that share a unique session token, so that the server can recognise the same user across requests.

In this type of attack, a threat actor steals or manipulates the session token to gain unauthorized access to information or services. The attacker first obtains the token, which works like a secret handshake between the user and the website: whoever presents it is treated as the user. Once in possession of the token, the attacker can impersonate the legitimate user, potentially causing harm. Methods of obtaining the token range from network eavesdropping to phishing and malware.

Given the widespread use of the internet for various activities, including banking
and social interactions, session hijacking poses a significant threat. Attackers can
exploit hijacked sessions for fraud, identity theft, and breaching confidential
communications. Therefore, understanding session hijacking is crucial for
protecting our online presence.

How Session Hijacking Works:

Session hijacking occurs when an attacker uses a captured, brute-forced, or predicted session ID to take control of a legitimate user's ongoing session. Once the session is hijacked, the attacker typically has the same access to the user's data as the user and can perform operations on their behalf.

There are three main ways to obtain a session ID:

⚫ Brute Force: the attacker tries many session IDs until one is accepted. This only works when the ID space is small enough to enumerate, i.e. when IDs are short or low-entropy.
⚫ Calculate: session IDs are generated in a predictable way (a timestamp, a counter, or a hash of either) and can be derived by the attacker from values they can observe or guess.
⚫ Steal: the attacker obtains a real session ID from the victim's browser, network traffic, or logs.

In a brute-force attack the attacker iterates through candidate IDs systematically. For example, if the session ID is part of the URL, they might request a sequence of URLs such as:

• http://www.somesite.com/view/VW30422101518909
• http://www.somesite.com/view/VW30422101520803
• http://www.somesite.com/view/VW30422101522507

The IDs above differ only in their last digits and increase monotonically, which is what makes enumeration practical.
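
The "Calculate" and "Brute Force" cases side by side, as an added example (not code from the original page). The weak generator mimics a common mistake, hashing the login timestamp, so an attacker who knows roughly when the victim logged in only has to try a small window of timestamps; the strong generator draws from the OS CSPRNG, leaving only blind guessing over 2^128 values. The login time and attack window are constructed values:

```python
"""Added example (not from the original page): why a predictable session
ID can be 'calculated' while a random one can only be brute-forced.
Timestamps and the search window are constructed for the example."""
import hashlib
import secrets
from typing import Optional


def weak_session_id(login_time: int) -> str:
    """Predictable on purpose: SHA-1 of the login time in whole seconds."""
    return hashlib.sha1(str(login_time).encode()).hexdigest()


def strong_session_id() -> str:
    """Unpredictable: 128 bits from the OS CSPRNG, hex-encoded (32 chars)."""
    return secrets.token_hex(16)


def predict_weak_id(observed_id: str, approx_time: int, window: int) -> Optional[int]:
    """Attacker side: recover the login time behind `observed_id` by trying
    every second within +/- `window` of `approx_time`. Returns the recovered
    timestamp, or None if the real time lies outside the window."""
    for t in range(approx_time - window, approx_time + window + 1):
        if weak_session_id(t) == observed_id:
            return t
    return None


def attempts_to_enumerate(bits: int) -> int:
    """Expected number of blind guesses to hit one specific ID of `bits` bits
    (half the key space)."""
    return 2 ** (bits - 1)


if __name__ == "__main__":
    victim_login = 1_700_000_000             # constructed epoch time
    sid = weak_session_id(victim_login)
    # Attacker saw the victim log in "a few minutes ago": +/- 5 minute window
    # is 601 hash computations, not 2**127.
    print("recovered login time:", predict_weak_id(sid, victim_login + 143, window=300))
    print("strong id:", strong_session_id())
    print("guesses for a 128-bit id:", attempts_to_enumerate(128))
```

The same reasoning applies to the sequential `VW...` identifiers above: an attacker who holds one valid ID need only step the last digits, so the defence is not to hide the generator but to make every ID independent and at least 128 bits of CSPRNG output.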

Session IDs can be stolen using various methods, including:

• Network Sniffing: intercepting unencrypted network traffic (plain HTTP, open Wi-Fi) to capture session IDs in transit.
• Trojans: malware on the client machine that reads the browser's cookie store or intercepts its traffic.
• HTTP Referer Header: when the session ID is carried in the URL query string, the browser sends that URL in the Referer header of requests to any third-party site linked or embedded from the page.
• Cross-Site Scripting (XSS): injected script reads the session cookie (document.cookie) or the page's session token and sends it to the attacker.

In a "referrer" attack, the attacker lures the user into clicking a link that leads to another site (e.g., www.hostile.com); the browser sends the referring URL, session ID included, to the attacker's site, where it can simply be read from the server logs. Session IDs can likewise be stolen by script injection: with Cross-Site Scripting, a malicious script running in the victim's page forwards the session token to the attacker. Marking the session cookie HttpOnly prevents script from reading it directly, although an XSS payload can still issue requests from within the victim's session.
What are the impacts of Session Hijacking?

The consequences of session hijacking are extensive, impacting both individuals and organizations. For individuals, a hijacked session can result in unauthorized access to personal accounts, the exposure of sensitive information, and financial losses. The implications for organizations can be more severe, including the risk of a breach of confidential data, loss of customer trust, and significant financial and reputational damage.

On an organizational scale, the threat goes beyond immediate losses. A breach of trust can have enduring effects on customer loyalty and brand reputation. Organizations may also face regulatory fines and legal challenges due to the compromised security of user sessions.

How to detect Session Hijacking?

Several tools and techniques help detect session hijacking. Intrusion detection systems (IDS) can monitor network traffic for signs of session token misuse, and anomaly-based detection can flag unusual session activity, for example the same session ID suddenly being used from a different IP address, user-agent or location, or a burst of requests no human would make. Such anomalies are alerts for potential hijacking attempts, not proof, and need to be correlated with application logs before acting on them.
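
A minimal version of that anomaly check, as an added example (not code from the original page): it walks access-log entries and raises an alert whenever a session ID is reused from a different client IP or User-Agent within a short window. The log format, field names, sample lines and the 15-minute window are constructed for the example and would need adapting to a real server's log layout.

```python
"""Added example (not from the original page): detect session-ID reuse from
a changed client fingerprint in access logs. Log format, field names,
sample lines and the time window are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed log format: <epoch_seconds> sid=<session> ip=<client> ua=<agent>
SAMPLE_LOG = """\
1700000000 sid=a1b2c3 ip=203.0.113.10 ua=Firefox/121
1700000030 sid=a1b2c3 ip=203.0.113.10 ua=Firefox/121
1700000045 sid=d4e5f6 ip=198.51.100.7 ua=Chrome/120
1700000060 sid=a1b2c3 ip=192.0.2.99 ua=curl/8.4
1700003700 sid=d4e5f6 ip=198.51.100.8 ua=Chrome/120
"""


@dataclass
class Event:
    ts: int
    sid: str
    ip: str
    ua: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed key=value log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(item.split("=", 1) for item in pairs)
        events.append(Event(int(ts), fields["sid"], fields["ip"], fields["ua"]))
    return events


def find_hijack_candidates(events: List[Event], window: int = 900) -> List[Tuple[str, str, str]]:
    """Return (session_id, reason, detail) for every request whose client
    IP or User-Agent differs from the previous request with the same session
    ID made no more than `window` seconds earlier. Changes further apart are
    ignored: a mobile user's IP legitimately changes over an hour, and only
    a sudden switch is worth an alert."""
    last_seen: Dict[str, Event] = {}
    alerts: List[Tuple[str, str, str]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        prev = last_seen.get(ev.sid)
        if prev is not None and ev.ts - prev.ts <= window:
            if ev.ip != prev.ip:
                alerts.append((ev.sid, "ip-change", f"{prev.ip} -> {ev.ip}"))
            if ev.ua != prev.ua:
                alerts.append((ev.sid, "ua-change", f"{prev.ua} -> {ev.ua}"))
        last_seen[ev.sid] = ev
    return alerts


if __name__ == "__main__":
    for sid, reason, detail in find_hijack_candidates(parse_log(SAMPLE_LOG)):
        print(f"ALERT session={sid} {reason}: {detail}")
    # session a1b2c3 is flagged twice (new IP and a curl user-agent 30 s after
    # a Firefox request); d4e5f6 changes IP an hour later and is not flagged.
```

In production the same logic runs over the application's own session log rather than the raw web-server log, so the alert can be joined to the user name and fed to the SOC, and the IP check is usually relaxed to "different network or country" to reduce noise from carrier NAT.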

How to prevent Session Hijacking?

Users can reduce their exposure by following basic practices: avoid sensitive transactions on public Wi-Fi, use a VPN on untrusted networks, keep software up to date, stay alert to phishing, and log out of sessions, especially on shared computers.

Web developers and organizations need a more technical strategy. This involves serving everything over HTTPS, setting the Secure, HttpOnly and SameSite flags on session cookies, and adopting robust session management: high-entropy session IDs, regeneration of the ID on login, idle and absolute timeouts, and server-side invalidation on logout. Consistent system updates and timely security patches are needed so that known vulnerabilities (for instance an XSS bug that would expose the session token) cannot be used to hijack sessions.
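
The cookie side of that advice, as an added example (not code from the original page): one function emits a session `Set-Cookie` header with the recommended attributes, and another audits an arbitrary `Set-Cookie` header and lists what is missing, which is the check a pentester runs against every cookie an application issues. The cookie name and values are constructed.

```python
"""Added example (not from the original page): build a hardened session
Set-Cookie header and audit any Set-Cookie header for missing protections.
Cookie names and values are constructed for the example."""
from typing import Dict, List

SAMESITE_OK = ("Strict", "Lax")


def build_session_cookie(name: str, value: str, max_age: int = 600) -> str:
    """Set-Cookie value for a session cookie with the hardened attributes:
    Secure    - only sent over HTTPS, so it cannot be sniffed on plain HTTP.
    HttpOnly  - invisible to document.cookie, so XSS cannot read it directly.
    SameSite  - Lax: not attached to cross-site POSTs, limiting CSRF.
    Max-Age   - absolute lifetime; keep the server-side idle timeout shorter.
    Path=/ with no Domain - scoped to this host only.
    __Host- prefix - browsers refuse the cookie unless Secure, Path=/ and
    no Domain are all present, so the scoping cannot silently regress."""
    return (f"__Host-{name}={value}; Path=/; Secure; HttpOnly; "
            f"SameSite=Lax; Max-Age={max_age}")


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split a Set-Cookie header into lower-cased attribute -> value.
    The cookie's own name and value are stored under 'name' and 'value'."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {"name": name.strip(), "value": value.strip()}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return attrs


def audit_set_cookie(header: str) -> List[str]:
    """Return a list of findings for a session cookie; empty means it passes."""
    attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if attrs.get("samesite", "").capitalize() not in SAMESITE_OK:
        findings.append("SameSite not Strict/Lax")
    if "domain" in attrs:
        findings.append("Domain attribute shares the cookie with all subdomains")
    return findings


if __name__ == "__main__":
    good = build_session_cookie("sid", "0123456789abcdef0123456789abcdef")
    print(good, "->", audit_set_cookie(good) or "OK")
    weak = "sid=0123456789abcdef; Path=/; Domain=example.com"
    print(weak, "->", audit_set_cookie(weak))
```

Run the auditor over the `Set-Cookie` lines from a proxy capture (`curl -I` output works too) to find every cookie that would be exposed by plain HTTP or readable by injected script.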

What are the differences between Session Fixation and Session Hijacking?

Session fixation and session hijacking both aim to compromise the session between a user's browser and a web server. In a session hijacking attack, the attacker tries to steal the ID of the victim's session after the victim has logged in. In a session fixation attack, the attacker already holds a valid session ID and tries to make the victim use that ID, so that the victim's login attaches to a session the attacker knows. The key difference is the order of events: session fixation starts by "fixing" a known session ID in the victim's browser before the user logs in, whereas hijacking takes an ID that already belongs to an authenticated user.
What is Captcha Bypassing?

Captcha mechanisms exist to check that a request is made by a human rather than by an automated bot or tool. Although not foolproof, they are an important control on login, registration and other endpoints that are worth automating. The best-known variant, reCAPTCHA, originally doubled as an OCR aid by showing one word the system already knew next to one it did not and using the human's answer to digitise scanned text; captchas have evolved significantly since. Bypassing a captcha removes that control and enables, for example, credential brute forcing or application-level denial of service.

Common bypass methods to test for include:

1. Omitting the captcha field or sending it empty, since developers sometimes only verify the captcha when the field is present.
2. Switching the request method from GET to POST or vice versa while leaving out the captcha.
3. Changing the request body to or from JSON, which may hit a different code path that skips verification.
4. Checking whether the captcha value (or its solution) is stored in a cookie the client controls.
5. Reusing a captcha token: requesting one captcha and submitting the same solution in multiple requests, which works when the server does not bind the captcha to a single request.
6. Checking whether the same captcha value is accepted several times with the same or a different session ID.
7. Predicting the next captcha code when captchas are generated predictably.
8. Submitting an old captcha value, which works when captchas never expire.
9. Automating the calculation when the captcha is a mathematical operation.
10. Checking whether the captcha's solution is present in the page's source code (e.g. in a hidden field or the image file name).
11. Using Optical Character Recognition (OCR) to solve text-based captchas, which has become increasingly effective over time.
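
The server-side verification that items 1, 5, 6 and 8 probe, written two ways as an added example (not code from the original page, and not any captcha vendor's API). `verify_naive` has the weaknesses the checklist looks for: a missing captcha is accepted, a token can be replayed, it never expires and it is not tied to the session that requested it. `verify_hardened` closes each of them. The token store, answer format and timings are constructed for the example.

```python
"""Added example (not from the original page, not a vendor API): a captcha
check with the bypasses from the checklist, beside a hardened version that
is single-use, session-bound and time-limited. Store and timings are
constructed for the example."""
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# token -> (session_id, expected_answer, issued_at); a real server would use
# its session store or a cache with the same TTL.
STORE: Dict[str, Tuple[str, str, float]] = {}
TTL_SECONDS = 120


def issue_captcha(session_id: str, answer: str, now: Optional[float] = None) -> str:
    """Server generates a challenge for `session_id`; the token goes to the
    client alongside the image, the answer stays server-side."""
    token = secrets.token_urlsafe(16)
    STORE[token] = (session_id, answer, time.time() if now is None else now)
    return token


def verify_naive(token: Optional[str], answer: Optional[str]) -> bool:
    """Vulnerable on purpose: mirrors items 1, 5, 6 and 8 of the checklist."""
    if not token:                   # item 1: omitted/empty captcha -> verification skipped
        return True
    entry = STORE.get(token)        # items 5/6/8: token is never consumed, never expires,
    if entry is None:               # and any session may present it
        return False
    return entry[1] == answer


def verify_hardened(session_id: str, token: Optional[str], answer: Optional[str],
                    now: Optional[float] = None) -> bool:
    """One token, one request, one session, limited lifetime."""
    if not token or answer is None:
        return False                              # no captcha means fail, not skip
    entry = STORE.pop(token, None)                # consumed before any check: single use
    if entry is None:
        return False
    sid, expected, issued = entry
    now = time.time() if now is None else now
    if sid != session_id:                         # bound to the session that requested it
        return False
    if now - issued > TTL_SECONDS:                # old captcha values are rejected
        return False
    return hmac.compare_digest(expected.encode(), answer.encode())


if __name__ == "__main__":
    t = issue_captcha("sess-A", "7", now=1000.0)
    print("naive, captcha omitted :", verify_naive(None, None))        # True  (bypass)
    print("naive, replayed twice  :", verify_naive(t, "7"), verify_naive(t, "7"))  # True True
    t = issue_captcha("sess-A", "7", now=1000.0)
    print("hardened, first use    :", verify_hardened("sess-A", t, "7", now=1001.0))  # True
    print("hardened, replay       :", verify_hardened("sess-A", t, "7", now=1002.0))  # False
```

Popping the token before any other check matters: if the session or TTL check ran first and returned without consuming the token, an attacker could probe with wrong sessions until the right one was found while the token stayed valid.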

References:

https://www.computerhope.com/jargon/s/session.htm
https://www.acunetix.com/blog/web-security-zone/what-is-session-fixation/
https://vishnushivalalp.medium.com/session-fixation-and-session-hijacking-6f67400e815c
https://www.imperva.com/learn/application-security/session-hijacking/
