Author Topic: is session hijacking still possible nowadays? (Read 1802 times)

shadow125 · « **on:** June 22, 2015, 01:13:04 AM »

I was watching some pentesting courses I've downloaded and one of them talked about session hijacking, but the course is from 3 years ago and now https is standard. So I was wondering, is session hijacking still possible in any way? Or does it work with http only?

ColonelPanic · « **Reply #1 on:** June 22, 2015, 02:46:31 AM »

Session hijacking is possible anytime you can intercept, predict or otherwise acquire the session ID. So, if someone is using really awful session IDs that you can predict, you can certainly do it over HTTPS. Additionally, there's the "Secure" flag on cookies. If it's not set, the data will be visible over HTTP. Even if it is set, you can overwrite it with a plaintext cookie.

mr.sinister · « **Reply #2 on:** July 27, 2015, 08:33:12 PM »

ssl strip and a mitm is needed mostly for session hijacking
but most sites have different cookies for differnet parts of the site.
example
with yahoo you can capture session data and be 'logged in' on the search page but when you goto the emai section it askes you for the password.
prpbably because of the 'hacky'nature of session.
but with other more basic sites that use simple logged in or not cookies it is very possable still.
on andoird intercepter-ng is great at it
set sslstrip run the mitm and wait for a cookie
press the cookie and the site loads with the cookie set and you are logged in as whatever user.
it worked with facebook messenger app but as i said before moveing from once site service to another is a bit dodgy in recent years

_Enigma · « **Reply #3 on:** July 30, 2015, 07:00:04 AM »

Had a funny situation where a friend was working on a site that passed a sessionID in the URL from a GET request and the only other cookie relevant to the session literally had the value of the username. All of this done over HTTP.... Sniff one packet and know their username and boom, hello session.

proxx · « **Reply #4 on:** July 30, 2015, 10:37:11 AM »

Before the fix you could session hijack evilzone as demonstrated:
https://evilzone.org/hacking-and-security/session-hijacking-evilzone/msg72536/#msg72536

This is not too long ago actually.
Pretty sure many websites still have similar flaws.

insane · « **Reply #5 on:** August 02, 2015, 04:10:09 AM »

Yes, session hijacking is absolutely still possible. All session hijacking is is using someone else's session ID as your own, making a server think you're that person. Doesn't really matter how you obtain the session ID.

techb · « **Reply #6 on:** August 02, 2015, 05:17:27 AM »

On the LAN side of things, if you can predict the next seq numbers then sessions highjacking is still very much possible.

Author Topic: is session hijacking still possible nowadays? (Read 1802 times)

shadow125

is session hijacking still possible nowadays?

ColonelPanic

Re: is session hijacking still possible nowadays?

mr.sinister

Re: is session hijacking still possible nowadays?

_Enigma

Re: is session hijacking still possible nowadays?

proxx

Re: is session hijacking still possible nowadays?

insane

Re: is session hijacking still possible nowadays?

techb

Re: is session hijacking still possible nowadays?