Session Hijacking Attack: Definition, Damage & Defense
Overview
  • Take over the session. Anything a user is authorized to do on that site, the hacker is also able to do. That could mean transferring money, making a purchase, or changing the password. 
  • Search for more opportunities. Does logging in on one site (like Google) allow working on another site (like YouTube)? The hacker will find out. 
Applies To
  • API 
  • Okta Identity Engine
  • Okta Classic Engine 
Cause

Five known techniques exist, including:

  • Cross-site scripting (XSS) attacks. An attacker sends a seemingly innocent link. Once it is clicked, the malicious code runs and the hacker obtains the session key. OWASP lists this approach as a top application security risk.
  • Malware. The hacker plants a malicious link in an email or on a website. Once the device is infected, the hacker can steal session keys or otherwise take over the device. Sometimes, hackers use malware to carry out man-in-the-middle or man-in-the-browser attacks, where they can see everything that is done on any server.
  • Session fixation. The hacker sends a known session key via a link. When the user logs in via that link, the hacker already has the cookie.
  • Session side-jacking. The hacker uses a sniffing tool to read unencrypted traffic that passes between the device and the server. If the user is working on public WiFi, the hacker's job is even easier, as the traffic may not be encrypted.
  • Session sniffing. The session ID is sent unencrypted, and the hacker monitors the network to spot it.
Solution

Four security options include:

  • Beefing up encryption. Ensure that all movement to and from the server is completely encrypted so no bystander can watch and steal. 
  • Demanding a VPN. If the admins and employees must do work in public spaces, ensure that the communication is protected with a VPN. Public WiFi is simply too dangerous. 
  • Randomizing. Set up the server to issue random session cookies so hackers have a hard time guessing what comes next. 
  • Cutting ties. When a session ends, log out. For site administrators, it is recommended to log off users after a period of inactivity. 
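The following example, added here and not taken from Okta's documentation or products, shows how the four defenses above fit together in a server-side session store and how they counter the fixation, sniffing, and XSS techniques listed under Cause: session IDs come from a cryptographically secure random generator, the ID presented at login is discarded and replaced (so a planted fixation cookie never becomes an authenticated session), idle sessions are destroyed server-side, and the session cookie is issued with the `Secure`, `HttpOnly` and `SameSite` attributes. The names `SessionStore`, `IDLE_TIMEOUT_SECONDS` and `session_cookie_header`, and the 15-minute timeout, are assumptions made for this illustration.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed values for this example (not Okta settings).
IDLE_TIMEOUT_SECONDS = 15 * 60   # log the user off after 15 minutes of inactivity
SESSION_ID_BYTES = 32            # 256 bits of entropy per session ID


@dataclass
class Session:
    user: Optional[str] = None                        # None until authenticated
    last_seen: float = field(default_factory=time.time)


class SessionStore:
    """In-memory session store illustrating the four defenses (hypothetical class)."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._sessions: Dict[str, Session] = {}
        self._now = now   # injectable clock so the idle timeout can be tested

    @staticmethod
    def new_session_id() -> str:
        # Randomizing: a CSPRNG-generated ID cannot be predicted from earlier IDs.
        return secrets.token_urlsafe(SESSION_ID_BYTES)

    def create(self) -> str:
        """Start an anonymous (pre-login) session."""
        sid = self.new_session_id()
        self._sessions[sid] = Session(last_seen=self._now())
        return sid

    def login(self, presented_sid: str, user: str) -> str:
        """Authenticate and return a brand-new session ID.

        Session fixation defense: whatever ID the client presented (possibly one
        an attacker planted via a link) is dropped and never becomes an
        authenticated session.
        """
        self._sessions.pop(presented_sid, None)
        fresh = self.new_session_id()
        self._sessions[fresh] = Session(user=user, last_seen=self._now())
        return fresh

    def lookup(self, sid: str) -> Optional[Session]:
        """Return the session if it exists and has not idle-expired, else None."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self._now() - session.last_seen > IDLE_TIMEOUT_SECONDS:
            # Cutting ties: an idle session is destroyed server-side, so a
            # stolen cookie for it is worthless afterwards.
            del self._sessions[sid]
            return None
        session.last_seen = self._now()
        return session

    def logout(self, sid: str) -> None:
        """Cutting ties: explicit logout removes the session immediately."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid: str, max_age: int = IDLE_TIMEOUT_SECONDS) -> str:
    """Build the Set-Cookie header value for the session ID.

    Secure   -> the cookie only travels over TLS (counters side-jacking/sniffing)
    HttpOnly -> page scripts cannot read it (limits what an XSS payload can steal)
    SameSite -> it is not attached to cross-site requests
    """
    return f"sid={sid}; Secure; HttpOnly; SameSite=Strict; Path=/; Max-Age={max_age}"


if __name__ == "__main__":
    store = SessionStore()
    anonymous = store.create()
    authenticated = store.login(anonymous, "alice")
    print("pre-login ID still valid?", store.lookup(anonymous) is not None)   # False
    print("Set-Cookie:", session_cookie_header(authenticated))
```

The injectable clock in `SessionStore` exists only so the idle timeout can be exercised without waiting; in a real deployment the store would also be persisted and the cookie attributes enforced by the web framework rather than built by hand.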