A Review Paper on Session Hijacking Attack

Md. Rakibul Hasan, Yeasin Ahmed Shuvo, Jahid Hasan Sakib
Department of Computer Science and Engineering, Southeast University, Bangladesh
Email: rakibulhasantech@gmail.com, 2018100011009@seu.edu.bd, 2018100010056@seu.edu.bd

Abstract

Session hijacking is a form of attack used to gain unauthorized access to a session or connection. Nowadays, these attacks are the most common cyber threats, and many websites and networks are vulnerable to them. Today’s world depends heavily on web applications and networks for online shopping, bank transactions, digital workplaces, business platforms and much more. Sadly, most owners and users of these systems are unaware of and inattentive to this form of attack. In this paper we discuss several types of session hijacking attacks, their nature, and the available prevention techniques. We also discuss how effective these techniques are and how well they operate. We have reviewed dozens of papers and learnt about proposed ideas that might help reduce this modern cyber threat. The main objective of this paper is to provide a clearer view of session hijacking and of the techniques that are being used, or can be used, for a safer and better internet experience.

Keywords: Session hijacking, HTTP, HTTPS, Sniffing, Cookies, Session ID, Vulnerability, Prevention techniques, RSA, Blowfish, AES, DES, OTC.

Contents

Abstract
List of Tables
List of Figures
1 Introduction
  1.1 Types of session hijacking
    1.1.1 Active Session Hijacking
    1.1.2 Passive Session Hijacking
    1.1.3 Hybrid Session Hijacking
    1.1.4 Types of Cross Site Scripting
  1.2 Objectives
  1.3 Methodology
  1.4 Motivation
2 Related Works
3 Literature Review
4 Problem Statement
5 Gap Analysis
6 Comparative Analysis
Conclusion
Appendix A
Bibliography

List of Tables

6.1 Comparative analysis among existing countermeasures

List of Figures

1.1 Active Session Hijacking
1.2 Passive Session Hijacking
1.3 Blind Spoofing Attack
1.4 Non-Blind Spoofing Attack
1.5 Sniffing Attack
1.6 Brute Force Attack
1.7 Cross Site Scripting (XSS)
1.8 Reflected XSS Attack
1.9 Stored XSS Attack
1.10 DOM-Based XSS Attack
1.11 SSL Stripping Attack
3.1 Web Server Setting a Cookie for the Client
3.2 Flowchart for Prevention of Session Hijacking Attack
3.3 System Flowchart for Re-Authentication and ID Re-generation
3.4 Block Diagram of Preventing Session Hijacking with Modified OTC
3.5 Average user-experienced latency per request for cookies with HTTP, HTTPS, OTC with HTTP and OTC with HTTPS
3.6 Original Session Cookie Flags
Chapter 1

Introduction

In computer science and networking, a session is a temporary and interactive information interchange between two or more communicating devices, or between a computer and a user. A session is established at a certain point in time and brought to an end afterwards. A session is typically stateful, meaning that at least one of the communicating parties needs to hold current state information and save information about the session history in order to communicate, as opposed to stateless communication, where the communication consists of independent requests with responses. Session hijacking is what the term suggests: an attack in which a user’s session is taken over by an attacker. A session starts when you log into a service, for example your banking application, and ends when you log out. The attack relies on the attacker’s knowledge of your session cookie, so it is also called cookie hijacking or cookie side-jacking. Although any computer session could be hijacked, session hijacking most commonly applies to browser sessions and web applications. In most cases, when you log into a web application the server sets a temporary session cookie in your browser to remember that you are currently logged in and authenticated. HTTP is a stateless protocol, and session cookies attached to every HTTP request are the most popular way for the server to identify your browser or your current session.

To perform session hijacking, an attacker needs to know the victim’s session ID (session key). This can be obtained by stealing the session cookie or by persuading the user to click a malicious link containing a prepared session ID. In both cases, after the user is authenticated on the server, the attacker can take over (hijack) the session by using the same session ID in their own browser session. The server is then fooled into treating the attacker’s connection as the original user’s valid session. There are three types of session hijacking.
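As an added illustration (not code from this paper or from any of the works it reviews), the following Python session store shows the mechanics the introduction describes: the server issues a random session ID, returns it in a Set-Cookie header carrying the Secure, HttpOnly and SameSite attributes, looks it up on later requests, expires idle sessions, and regenerates the ID when the user authenticates so that an ID known to an attacker before login stops working. The cookie name, the idle timeout and the store layout are assumptions of the example.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Added example (not from the reviewed paper). Names and policy values below
# are assumptions chosen for the illustration.
SESSION_COOKIE = "sid"          # cookie name (assumed)
SESSION_TTL = 15 * 60           # idle timeout in seconds (assumed policy)
ID_BYTES = 16                   # 128 bits of randomness per session ID


class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}     # session_id -> {"user": ..., "last_seen": ...}
        self._clock = clock     # injectable clock so expiry can be tested

    def _new_id(self):
        # secrets.token_urlsafe draws from the OS CSPRNG, so IDs are not guessable
        return secrets.token_urlsafe(ID_BYTES)

    def create(self, user=None):
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def set_cookie_header(self, sid):
        # Secure: never sent over plain HTTP (limits sniffing and SSL stripping)
        # HttpOnly: not readable by page scripts (limits theft through XSS)
        # SameSite=Strict: not attached to cross-site requests
        return (f"{SESSION_COOKIE}={sid}; Path=/; Secure; HttpOnly; "
                f"SameSite=Strict; Max-Age={SESSION_TTL}")

    def resolve(self, cookie_header):
        """Return the session ID named by a Cookie header if it is live."""
        jar = SimpleCookie()
        jar.load(cookie_header or "")
        morsel = jar.get(SESSION_COOKIE)
        if morsel is None:
            return None
        sid = morsel.value
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > SESSION_TTL:
            del self._sessions[sid]     # idle too long: drop it
            return None
        entry["last_seen"] = now
        return sid

    def login(self, old_sid, user):
        # Regenerate the ID at the privilege change: the pre-login ID (which an
        # attacker could have planted or captured) stops working immediately.
        self._sessions.pop(old_sid, None)
        return self.create(user=user)

    def user_for(self, sid):
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None
```

The regeneration step in `login` is what defeats a pre-authentication ID handed to the victim through a prepared link: the server never upgrades an ID it did not mint after authentication.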

1.1 Types of session hijacking


There are three types of session hijacking:

• Active session hijacking

• Passive session hijacking

• Hybrid session hijacking

1.1.1 Active Session Hijacking:

In active session hijacking, an attacker attacks an existing active session between a user and a server. Using a denial of service (DoS) attack, the attacker takes over the active session and puts himself in the place of the valid user. Before launching the DoS attack, the attacker sniffs the connection with a packet capturing tool such as Wireshark and collects all data packets exchanged between the user and the server. A denial of service attack occurs when an attacker floods the target with traffic by sending a large number of requests or a large amount of data to the target network, rendering the server unavailable. As a result, the target system is unable to use the services provided by the server, and the target machine may shut down or crash while trying to handle the traffic flood. The server waits a short time before sending another connectivity request to the user’s computer, at which point the attacker disguises himself as the valid user and sends an acknowledgement to the server, allowing the attacker to connect to the server in the place of the valid user. Figure 1.1 shows a diagram of active session hijacking.[1]

Figure 1.1: Active Session Hijacking

1.1.2 Passive Session Hijacking:

In passive session hijacking, the attacker places himself between the valid user and the server: he sends packets to the user while impersonating the server, and receives packets from the user and forwards them to the server while impersonating the valid user. In this passive session hijacking technique, the attacker can make changes to the data packets while neither the user nor the server is aware of the changes. As a result, the attacker is able to gather all of the information needed for his or her nefarious activities. The attacker does, however, have one disadvantage: the attacker can only read data between the user and the server while the session is ongoing; if the user logs out or the server resets the connection for any reason, the attacker will be unable to access the data packets and the session will be permanently terminated.[2]

Figure 1.2: Passive Session Hijacking


1.1.3 Hybrid Session Hijacking:

Hybrid session hijacking combines the active and passive session hijacking techniques: to accomplish their goal, attackers deploy both. The following are the two types of hybrid session hijacking:

• Blind Spoofing Attack

• Non-Blind Spoofing Attack

Blind Spoofing Attack:

Blind spoofing is a type of attack in which the attacker attacks the target system without making any changes to the server-to-victim connection. The attacker merely collects every packet from the network between the user and the server in order to obtain the TCP sequence number and gain complete control over the session. However, there is a significant problem with this attack: it is extremely difficult to determine or guess the TCP sequence number from captured packets, because the sequence number is a random number generated for each connection, which makes the correct value very hard to determine. Figuring it out takes a lot of time, so the attacker must keep capturing packets in order to examine the TCP sequence.[3]

Figure 1.3: Blind Spoofing Attack

Non-Blind Spoofing Attack:

In a non-blind spoofing attack the attacker is on the same network and the same subnet as the victim, allowing the attacker to monitor the communication between the victim and the server. Because the attacker can see the packets moving over the same network, it is simple for the attacker to monitor that traffic. Attackers keep an eye on the connection and try to estimate the TCP sequence number of the next packets, in order to use the sequence number to obtain authentication on the connection. Once they determine the right sequence number, they re-establish the connection with the server using that number. The fundamental difficulty with this approach is that today’s routers do not broadcast packets on the network; traffic is switched instead, which protects the packets. To bypass this obstacle, the attacker resets the connection, placing himself between routers and allowing him to grab the first broadcast packet.[3]

Figure 1.4: Non-Blind Spoofing Attack

Sniffing:

Sniffing is a type of attack in which an attacker takes over a network and steals the session ID. The attacker keeps watching the victim’s network traffic, looking for any packets travelling unencrypted. If the attacker finds such packets, he checks whether they contain a session ID. If the attacker obtains the session ID from a packet, he takes over the session already established between the victim and the server, allowing the attacker to create a new session and obtain all of the target machine’s information.[3]

Figure 1.5: Sniffing Attack


Brute Force:

Brute force is a well-known attack that can crack any combination of characters, numbers, symbols or special characters when paired with a login, password or any word. A brute force attack may take a long time, but it guarantees that the job will eventually be completed. In this attack, the attacker can customise the character, special character, symbol and number combinations to meet their needs, as well as the number of words. If the victim has a six-digit password and the attacker guesses it, the brute force will examine all of the combinations set by the attacker up to the eighth digit. Applied to the target network, this brute force attack checks all the combinations set by the attacker to crack the session ID and give the proper session ID to the attacker, who then takes over the valid session that was already created.[3]

Figure 1.6: Brute Force Attack

Cross Site Scripting (XSS):

Another method of stealing the session ID is cross-site scripting (XSS). This XSS attack is also known as a client-side code injection attack because it allows a malicious script (malicious payload) to be executed on any website or online application. This attack essentially exploits website weaknesses by converting any user input into unencrypted or unencoded data and sending it to an attacker in plain text. However, there is a significant disadvantage for the attacker in that this attack only works on vulnerable targets; many websites have been patched to address these security flaws.[4]

Figure 1.7: Cross Site Scripting (XSS)

1.1.4 Types of Cross Site Scripting:

Reflected XSS:

When a web application returns user input in an error message, search result, or any other response that includes some or all of the input provided by the user as part of the request, without making that data safe to render in the browser and without permanently storing the user-provided data, it is called reflected XSS.

Figure 1.8: Reflected XSS Attack

Stored XSS:

Stored XSS happens when user input is stored on the target server, such as in a database, a message forum, a visitor log or a comment field. The saved data can then be retrieved from the web application by a victim without the data being made safe to render in the browser. With the development of HTML5 and other browser technologies, we may see the attack payload being kept permanently in the victim’s browser, such as in an HTML5 database, and never being communicated to the server.

Figure 1.9: Stored XSS Attack

DOM-Based XSS:

DOM-based XSS vulnerabilities occur when JavaScript accepts data from an attacker-controllable source, such as the URL, and passes it to a sink that enables dynamic code execution, such as eval() or innerHTML. This allows attackers to run malicious JavaScript, which lets them take control of other people’s accounts. To carry out a DOM-based XSS attack, the attacker must insert data into a source which is then transmitted to a sink, resulting in the execution of arbitrary JavaScript.

Figure 1.10: DOM-Based XSS Attack
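The common root of all three XSS variants above is user-controlled data reaching an HTML or script sink without being made safe for that context. As an added example (not code from this paper), the following Python shows a reflected-XSS-prone search page next to its hardened form: the only difference is that the hardened version encodes the input for the context it lands in (HTML body or URL query). The page template and the constructed sample input are assumptions of the example; the browser-side DOM sinks named above (eval, innerHTML) have the same fix, applied in the page script instead of on the server.

```python
import html
from urllib.parse import quote

# Added example, not from the paper. A constructed sample input of the shape a
# reflected-XSS probe takes; it is only used to show the encoding difference.
SAMPLE_INPUT = '<script>alert(1)</script>'


def render_search_vulnerable(query):
    # User input is concatenated straight into the HTML body: any markup in it
    # is parsed by the browser, and any script in it runs in the page's origin,
    # where it can read document.cookie unless the cookie is HttpOnly.
    return f"<h1>Results for: {query}</h1>"


def render_search_safe(query):
    # html.escape turns <, >, &, " and ' into entities, so the browser renders
    # the input as text instead of interpreting it as markup.
    return f"<h1>Results for: {html.escape(query, quote=True)}</h1>"


def safe_href(path, query):
    # A different sink needs a different encoding: inside a URL the value is
    # percent-encoded, which also neutralises quotes and angle brackets there.
    return f"{path}?q={quote(query, safe='')}"


def contains_raw_markup(page):
    # Small check used here only to make the difference observable; it is not
    # a general XSS detector.
    return "<script" in page.lower()
```

The point the example makes is that escaping is chosen per output context: the HTML-body escaping in `render_search_safe` is not enough for a value written into a URL, an attribute or a script block, each of which has its own encoder.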


SSL Stripping:

SSL stripping is the process of downgrading a website from HTTPS to HTTP. In other words, the exploit is used to get around the protection that SSL certificates provide on HTTPS sites. SSL downgrade is another term for this. By forcing the website to use insecure HTTP rather than secure HTTPS, the attack exposes it to eavesdropping and data manipulation. When you type a URL into your browser, the first connection is normally plain HTTP, which is then followed by a redirect to secure HTTPS. Using the SSL strip attack, the attacker takes advantage of this tiny window. Moxie Marlinspike, a renowned computer security expert, was the first to demonstrate the attack and how HTTPS security may be compromised. He was the Chief Technical Officer of Whisper Technologies, a company that was acquired by Twitter in 2011. HTTP sends data in plaintext, whereas HTTPS uses a secure tunnel to transport data. Now that you have a good understanding of SSL stripping, let’s look at how it truly works.

Figure 1.11: SSL Stripping Attack

For SSL stripping to take place there are three requirements:

• Attacker

• Victim

• Server

When data is transmitted over the network to the server, the victim is led to believe that the data he is transferring is secure and encrypted. However, the data that is flowing has no such protection, because the encryption has been removed and the data is in plain text, making it vulnerable to MITM.[5]
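The window the attack exploits is the initial plain-HTTP connection before the redirect. As an added example (not code from this paper), the following Python models the server-side countermeasure: a request arriving over HTTP is answered only with a redirect to HTTPS, never with content, and every HTTPS response carries a Strict-Transport-Security (HSTS) header so that the browser refuses plain HTTP for this host afterwards. The request and response shapes, the demo application and the one-year max-age policy are assumptions of the example; the header name and its max-age and includeSubDomains directives are the standard HSTS ones.

```python
from dataclasses import dataclass, field

# Added example, not from the paper. Request/Response are stand-ins for a web
# framework's objects; the HSTS policy values are assumptions.
ONE_YEAR = 31536000  # max-age in seconds, a commonly used HSTS lifetime


@dataclass
class Request:
    scheme: str   # "http" or "https"
    host: str
    path: str


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def handle(request, app):
    """Front-door handler: enforce HTTPS, then add HSTS to the HTTPS reply."""
    if request.scheme != "https":
        # Redirect without serving content: an on-path attacker who keeps the
        # victim on HTTP gets no application data or cookies to relay.
        return Response(301, {"Location": f"https://{request.host}{request.path}"})
    resp = app(request)
    # Only meaningful over HTTPS; browsers ignore HSTS received over HTTP.
    resp.headers["Strict-Transport-Security"] = f"max-age={ONE_YEAR}; includeSubDomains"
    return resp


def parse_hsts(value):
    """Parse an HSTS header value into (max_age, include_subdomains)."""
    max_age, subdomains = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age" and val.isdigit():
            max_age = int(val)
        elif name == "includesubdomains":
            subdomains = True
    return max_age, subdomains


def hsts_is_adequate(response, min_age=ONE_YEAR):
    """Audit view: HSTS present, long-lived, and covering subdomains."""
    value = response.headers.get("Strict-Transport-Security")
    if value is None:
        return False
    max_age, subdomains = parse_hsts(value)
    return max_age is not None and max_age >= min_age and subdomains


def demo_app(request):
    # Placeholder application used only to show the handler's effect.
    return Response(200, {}, "hello")
```

HSTS closes the window only from the second visit onwards; the very first plain-HTTP request of a browser that has never seen the host remains exposed, which is why the redirect above serves nothing but the redirect.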

1.2 Objectives

The long-term goal of the research is to understand the limitations and prevention methods of the various types of session hijacking. The objective of the current study is to provide a comprehensive review of the literature and industry practices in relation to session hijacking. In particular, the study has the following sub-objectives:

1. To provide a comprehensive review of the sources and characteristics of different types of session hijacking.

2. To examine current practices and studies on session hijacking.

3. To develop one-time cookies to prevent session hijacking using the Blowfish algorithm.

4. To outline a conceptual framework for session hijacking.

The findings of this study will be useful to practitioners and software suppliers in establishing better session hijacking prevention and look-ahead scheduling methods and tools.
1.3 Methodology

A literature review and conceptual modeling are the key research methods used in this study. The initial step towards a ”Cryptography Operation Module” is to approach session hijacking in an organized manner. This study will first review the various types of session hijacking and their characteristics. Based on this understanding, a classification method will be developed to categorize session hijacking factors for the purpose of preventing attacks like MITM, MitMo (Man in the Mobile attack), DoS and so on. In the second stage of this study, existing prevention techniques for session hijacking will be identified based on a comprehensive review of current industry practices and academic research. Finally, once the prevention and modeling techniques are identified, a conceptual prevention technique for session hijacking will be outlined.

1.4 Motivation

Session hijacking is one of the most dangerous attacks among the many vulnerabilities. So it is very important to secure web applications from cyberattacks such as XSS, spoofing, sniffing and SSL stripping. The attacker’s motive is to steal the user’s data and take over control of the session. After taking over the session, attackers can access all of the user’s information. Our motivations are:

• To secure our confidential information.

• To prevent fraudulent purchases.

• To prevent identity theft.

• To secure online transactions.

Chapter 2

Related Works

We have put together the different types of approaches proposed and tested by various authors:

• Server-side cookie manager

• SHA1 Hash Algorithm

• Re-authentication and ID regeneration

• Modified One-Time-Cookies

• CookiExt: Patching the browser

• One-Time Cookies: Stateless Authentication Tokens

Chapter 3

Literature Review

While reviewing all the related papers in this particular area, it was found that there are many ways to deal with session hijacking, such as a cookie manager, the use of various encryption algorithms, session ID regeneration, two-way verification, changing the cookie value after a certain period, etc. But the big question is whether they are feasible and, if they are, how well they will act in the current era of technology.

Server-Side Cookie Manager

In this paper [6] the authors’ preliminary focus was on developing a web application with secure session management that will prevent attackers from getting hold of a session ID. In order to do that, they used a server-side cookie manager that puts together a set-cookie for the user and allocates a response cookie from the user’s end.

Figure 3.1: Web Server Setting a Cookie for the Client

Both of these are set with HTTP. But using HTTP to generate cookies is not secure at all, whereas using HTTPS could have been a better solution. The prevention techniques proposed in this paper may work fine for a short period, but they are not a long-term solution.

SHA1 Hash Algorithm

In the paper [7] the authors proposed a hashing technique derived from the SHA1 hash algorithm. They discussed the nature of various types of attacks such as tautology attacks, piggy-backing attacks, union attacks, etc. The authors also proposed a prevention technique flowchart against some probable attack sequences. Their prevention technique flowchart is shown below.

Figure 3.2: Flowchart for Prevention of Session Hijacking Attack

Re-authentication and ID regeneration

In another recent paper [8] the authors proposed to work with session ID regeneration, auto sign-out, an attack detection report, and a ”protect me” feature.

Figure 3.3: System Flowchart for Re-Authentication and ID Re-generation

As modern-day prevention techniques these processes are really effective, but then again they lack security: there are quite a few vulnerabilities that can be breached. There are better and more effective encryption techniques available nowadays, which may come in handy in order to prevent session hijacking.

Modified One-Time-Cookies

While reviewing the paper [9] we found that the authors propose an idea to prevent session hijacking by modifying the existing One-Time-Cookie (OTC) method. They proposed a mechanism that uses OTC to prevent an attacker from gaining access to a cookie and the back-end server. Basically, a reverse proxy with OTC, IP, session ID and browser fingerprinting is used to prevent an adversary from capturing session credentials. Their proposed system is shown below:

Figure 3.4: Block Diagram of Preventing Session Hijacking with Modified OTC

One-Time Cookies: Stateless Authentication Tokens

Here [10] the authors showed that OTC can be combined with HTTPS to effectively add another layer of security to web applications. They also demonstrated that one-time cookies can significantly improve the security of web applications with minimal impact on performance and scalability. OTC offers another security layer to web applications that already support always-on HTTPS by reducing the threats associated with cookies; OTC and always-on HTTPS are complementary mechanisms. They developed OTC for the popular WordPress application and demonstrated that OTC has similar performance to traditional cookies.

Figure 3.5: Average user-experienced latency per request for cookies with HTTP, HTTPS, OTC with HTTP and OTC with HTTPS
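To make concrete why a one-time cookie reduces the threat of a captured cookie, here is an added example (a simplified model of the OTC idea, not the construction of [10] or [9] and not code from this paper) in Python. At login the server hands the browser a per-session secret; for every request the client derives a fresh token from that secret, the request it authenticates and a counter, and the server recomputes the token and rejects any counter it has already accepted. A token copied from one request therefore neither authenticates a different request nor the same request a second time. All class and field names are assumptions.

```python
import hashlib
import hmac
import secrets

# Added example, not the scheme of any reviewed paper. Simplified OTC model:
# HMAC over (method, path, counter) with a per-session secret.


def make_token(secret, method, path, counter):
    # Bind the token to the request it authenticates and to a one-use counter.
    msg = f"{method}\n{path}\n{counter}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class OTCServer:
    def __init__(self):
        # session_id -> {"secret": bytes, "user": str, "last_ctr": int}
        self._sessions = {}

    def login(self, user):
        sid = secrets.token_hex(16)
        secret = secrets.token_bytes(32)
        self._sessions[sid] = {"secret": secret, "user": user, "last_ctr": 0}
        return sid, secret          # delivered once, over the TLS channel

    def verify(self, sid, method, path, counter, token):
        """Return the user if the token is valid and unused, else None."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if counter <= sess["last_ctr"]:
            return None             # replay or out-of-order: counter already consumed
        expected = make_token(sess["secret"], method, path, counter)
        if not hmac.compare_digest(expected, token):
            return None             # wrong secret, or token made for another request
        sess["last_ctr"] = counter  # consume the counter only after a valid check
        return sess["user"]


class OTCClient:
    def __init__(self, sid, secret):
        self.sid, self.secret, self.counter = sid, secret, 0

    def request(self, method, path):
        self.counter += 1
        token = make_token(self.secret, method, path, self.counter)
        # What actually travels with the request: the id, the counter, the token.
        return {"sid": self.sid, "method": method, "path": path,
                "ctr": self.counter, "otc": token}


def server_check(server, req):
    """Server-side acceptance of one transmitted request."""
    return server.verify(req["sid"], req["method"], req["path"],
                         req["ctr"], req["otc"])
```

Compared with a static cookie, what the network carries is never sufficient to forge a new request: the secret stays on the two endpoints and only request-specific tokens are exposed, which is the property the section above credits OTC with.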

CookiExt: Patching the browser

Out of all the papers we have reviewed, [11] seemed to be the most successful one. The authors proposed CookiExt, a client-side solution aimed at taming existing security flaws. Their experiments show that CookiExt is very effective at protecting vulnerable websites against session hijacking without sacrificing the user experience. Some of their success rates on various grounds are shown below:

Figure 3.6: Original Session Cookie Flags
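The flags summarised in Figure 3.6 are the ones a client-side patch like CookiExt has to add when a site omits them. As an added example (not CookiExt’s code and not from this paper), the following Python audits a list of Set-Cookie headers: it parses each header and reports which protections a cookie that looks like a session cookie is missing. The sample headers are constructed for the example, and the list of name fragments used to recognise session cookies is an assumption.

```python
# Added example, not from the paper or from CookiExt. Audits Set-Cookie headers
# for the Secure, HttpOnly and SameSite protections.

# Name fragments assumed to indicate a session or authentication cookie.
SESSION_NAME_HINTS = ("sess", "sid", "phpsessid", "jsessionid", "auth", "token")

# Constructed sample headers, not captured from any real site.
SAMPLE_SET_COOKIE = [
    "PHPSESSID=a1b2c3; Path=/",
    "sid=xyz; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/; Max-Age=2592000",
]


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()   # flag attributes map to ""
    return name.strip(), value, attrs


def looks_like_session_cookie(name):
    n = name.lower()
    return any(h in n for h in SESSION_NAME_HINTS)


def audit_cookie(header):
    """Return (name, findings) where findings lists missing protections."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if not looks_like_session_cookie(name):
        return name, findings   # non-session cookies are out of scope here
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plain HTTP, so it can be sniffed")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by injected script (XSS)")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("missing SameSite=Lax/Strict: attached to cross-site requests")
    return name, findings


def audit_all(headers):
    """Map each session cookie name to its findings, omitting clean cookies."""
    return {name: f for name, f in (audit_cookie(h) for h in headers) if f}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_SET_COOKIE).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run against the response headers of a site under your own control, this reports exactly the gaps that would otherwise have to be patched on the client side.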

So overall, most of the proposals from the different papers lack effective approaches. We can use techniques such as Blowfish, AES or DES, which are faster and more secure, rather than the most commonly used RSA technique. As we know, AES and DES are much more complicated than RSA. On the other hand, Blowfish is much more efficient.

Chapter 4

Problem Statement

Session hijacking is exactly what it sounds like. A user can be hijacked by an attacker and lose control of their session, allowing their personal information to be readily taken. An attacker can hijack a session that a user has started, such as logging into a banking website. To hijack a session, the attacker must have a good understanding of the user’s cookie session. Although any session can be hijacked, browser sessions on online applications are the most common target.

In the paper [12] the authors proposed a reverse proxy server that employs the concept of a one-time cookie, with each HTTP request being associated with a unique session token. Their proposed cryptography module ensures cookie confidentiality, authenticity and integrity. But they used the RSA algorithm to generate an asymmetric key pair. Their scheme can prevent session hijacking through replay attacks and cookie poisoning attacks by using OTC instead of expensive HTTPS connections. But if they used the Blowfish algorithm it could be faster than RSA, because the Blowfish encryption process is 178,958% faster than RSA, and the decryption process is 420.44188% faster than the RSA algorithm.
Here [13] the authors presented Cookie Monster, a process-driven experiment that can be run against any cookie-granting (i.e. session identifier generating) application to test the strength of the cookie generation algorithm. As long as session identifiers are granted to requesting client machines, the Cookie Monster processes are applicable to any operating system, web server and web application. Their Bockscar tool was created to automate the entire process of being assigned a unique session identifier, which was then analyzed to determine how many consecutive sessions could be requested before the application assigned a duplicate. Their Cookie Monster process, which Bockscar executes automatically, is introduced in the following list:

1. Log into a web application with the attacker machine running Bockscar and receive a generated cookie from the application.

2. Retrieve the assigned cookie from the attacker’s machine and store it in a Bockscar runtime variable.

3. Save the assigned cookie in a database that stores both the cookie and the timestamp.

4. End the session between the attack computer and the web application so that the next web request can be issued from the same attacker machine with a new unique code.

They completed the setup and execution of the entire experiment in a 90-day window as introduced. To be a credible testing tool, their Bockscar tool requires considerable exception handling work. Too many unexpected problems caused testing to be postponed until a new iteration of cases could be run. Their process was too lengthy and time consuming, and they faced a lot of errors during the test process.
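An added example (not the Bockscar tool of [13] and not code from this paper) that performs offline the two checks the brute force discussion in Chapter 1 and the Cookie Monster experiment above both point at: how large the keyspace of a session ID is, hence how much work blind guessing would need, and whether a generator hands out duplicates within a sample of issued IDs. The two generators are constructed for the comparison (a six-digit numeric ID standing in for a weak scheme, a 128-bit hex ID for a sound one); the 64-bit threshold used as the minimum is the commonly cited recommendation for session identifiers and is an assumption of the example.

```python
import math
import secrets

# Added example, not from the paper. Offline assessment of a session-ID
# generator: keyspace arithmetic plus a duplicate test on a sample of IDs.


def weak_generator():
    # Constructed weak scheme: 6 decimal digits, only 10**6 possible IDs.
    return f"{secrets.randbelow(10**6):06d}"


def strong_generator():
    # 32 hex characters = 128 bits drawn from the OS CSPRNG.
    return secrets.token_hex(16)


def entropy_bits(alphabet_size, length):
    """Bits of entropy of a uniformly random ID over the given alphabet."""
    return length * math.log2(alphabet_size)


def expected_guess_seconds(bits, guesses_per_second):
    """Expected work to hit one valid ID by blind guessing: half the keyspace."""
    return (2 ** bits / 2) / guesses_per_second


def find_duplicates(generator, count):
    """Issue `count` IDs and return how many repeats occurred, as Cookie
    Monster does by requesting consecutive sessions."""
    seen, dupes = set(), 0
    for _ in range(count):
        sid = generator()
        if sid in seen:
            dupes += 1
        seen.add(sid)
    return dupes


def assess(generator, alphabet_size, length, sample=20000, min_bits=64):
    """Summarise a generator: entropy, whether it meets the minimum, and the
    duplicate count in a sample of `sample` issued IDs."""
    bits = entropy_bits(alphabet_size, length)
    return {
        "bits": bits,
        "meets_minimum": bits >= min_bits,   # 64 bits: assumed minimum policy
        "duplicates_in_sample": find_duplicates(generator, sample),
    }


if __name__ == "__main__":
    print("weak  :", assess(weak_generator, 10, 6))
    print("strong:", assess(strong_generator, 16, 32))
```

With 20,000 issued IDs the six-digit scheme collides almost certainly (the birthday bound gives roughly n²/2N, about 200 repeats here), whereas a 128-bit ID will not repeat in any sample a tester can draw; the same arithmetic is what makes blind guessing of the former feasible and of the latter not.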

In the paper [14] the authors focused on detailing the session hijacking attack and demonstrated how harmful it is to network security. They explore numerous defenses against the session hijacking attack, which do not completely prevent the attack but make it more difficult for the attacker to succeed. There are still many adjustments that need to be made to web applications and servers in order to permanently end the session hijacking attack. The main focus of this work is on session hijacking countermeasures; they did not show any specific solution or encryption methods.


In the paper [15], the authors shared their analysis and evaluation of SSL/TLS attacks. The most popular and extensively used mechanism for safeguarding web browser sessions is SSL/TLS. TLS can also be used to establish a VPN by tunneling a complete network stack, as well as providing authentication and encryption for SIP and any other client-server interaction. Their second section examines certain SSL/TLS-related exploits. Section three discusses the flaws of current attacks as well as the limitations of current countermeasures. The SSL Record Protocol is the bottom layer, whereas the SSL Handshake Protocol, SSL Alert Protocol and SSL Change Cipher Spec Protocol are the three sub-protocols of the higher layer. Data fragmentation, compression, authentication and encryption are all features of the SSL Record Protocol. The SSL Handshake Protocol allows two parties (server and client) to authenticate each other and negotiate encryption, MAC techniques and cryptographic keys. Alert messages are sent via the SSL Record Protocol using the SSL Alert Protocol. This report investigated the most common assaults and their countermeasures. Certain attacks are only semi-practical, but with some improvements they could become feasible in the near future.

Chapter 5

Gap Analysis

The limitations of the different existing approaches are given below:

Two-Way Authentication:

In two-way authentication, both the client-side and the server-side certificates must be authenticated. Without two-way authentication, the majority of clients can determine the validity of a server by looking at the certificate it presents. In two-way authentication, however, each client and server must obtain its certificate from a CA. Once all aspects have been verified by one another, an SSL connection may be successfully established.[16]

• Each client must obtain an SSL certificate from a CA; this can be a problem for the client.

• Asymmetric encryption and decryption as used in SSL is about 1000 times slower than symmetric encryption. With two-way authentication, both server and client must use SSL to verify each other, so the connection speed will be slow and the load on the server increases.

In the Gateway:

All operations between client and server (on the Internet) rely on ARP over standard gateways, which is insecure and allows attackers to use them against the victim node. The gateway may use a static ARP table to prevent this attack.[17]

• Not suitable for wireless networks, especially with DHCP configuration such as a public WiFi access point.

• Monitoring the ARP table periodically: the entry should match the MAC of the gateway.

• ARP poisoning is a great risk.

EV SSL Certificate:

An EV SSL certificate is a new type of SSL certificate, also known as an extended validation certificate. Generic SSL certificates are relatively easy to obtain from certificate authorities, so plain SSL certificates have contributed to phishing attacks. On the other side, getting an EV SSL certificate requires careful CA authentication. All CA applicants must meet uniform criteria that require verification of their legal nature and of their use of the domain.[16]

• The cost of obtaining an EV SSL certificate is 1.5 to 2.5 times that of a regular SSL certificate. Many web administrators do not recommend obtaining an EV SSL certificate for maximum security.

• Some users, especially in poor developing countries, tend to use outdated web browsers, which do not recognise an EV SSL certificate separately. In this case the user interface indication is not possible.

Cookie Proxy:

• Takes more time to complete the prevention process.

Chapter 6

Comparative Analysis

1. Author: Israel O. Ogundele, Abigail O. Akinade et al.
   Title: Detection and Prevention of Session Hijacking in Web Application Management.
   Methodology: Various types of session hijacking and how the attack works.
   Limitations: Did not use more efficient encryption techniques.

2. Author: Abeer W. Eldewahi, Tasneem M.H. Sharfi, Abdelhamid A. Mansor et al.
   Title: SSL/TLS Attacks: Analysis and Evaluation.
   Methodology: The most popular and extensively used application.
   Limitations: This report investigated the most common assaults and countermeasures only.

3. Author: Joshua J. Pauli, Patrick H. Engebretson, Michael J. Ham et al.
   Title: Cookie Monster.
   Methodology: Automate the entire process of being assigned a unique session identifier.
   Limitations: Their Bockscar tool faced a lot of errors in the test process.

4. Author: Tarafder Prapty, Shuhana Azmin, Md. Shohrab Hossain, Husnu S. Narman.
   Title: Preventing Session Hijacking using Encrypted One-Time-Cookies.
   Methodology: Reverse proxy server using the concept of a one-time cookie.
   Limitations: Vulnerable to a factoring cyberattack when public keys are generated with poor randomness.

5. Author: Michele Bugliesi et al.
   Title: CookiExt: Patching the browser against session hijacking attacks.
   Methodology: Patching the browser against session hijacking attacks.
   Limitations: They did not include subdomains and only worked with the main domain.

6. Author: Annis Minu Sathiyaseelan et al.
   Title: Proposed system for preventing session hijacking attack with modified one-time cookies.
   Methodology: Modified one-time cookies.
   Limitations: They proposed modified one-time cookies but did not implement the process in their paper.

7. Author: Italo Dacosta et al.
   Title: One-Time Cookies: Preventing Session Hijacking Attacks with Stateless Authentication Tokens.
   Methodology: One-time cookies with stateless authentication tokens.
   Limitations: They developed one-time cookies only for WordPress websites.

8. Author: Karis D’silva et al.
   Title: An Effective Method for Preventing SQL Injection Attack and Session Hijacking.
   Methodology: Preventing SQLi and session hijacking attacks using the SHA-1 hashing algorithm.
   Limitations: They mainly focused only on SQLi attacks and their prevention.

Table 6.1: Comparative analysis among existing countermeasures

Conclusion

This paper has collected the available information on the session hijacking attack and shown how dangerous it is for network security. Many people are still unaware of this kind of attack, network security practitioners often do not take it seriously enough, and this lack of knowledge of session hijacking is why session management in some web applications and web servers is still poor. We would like to close this paper by proposing an idea that could work better for the prevention of session hijacking: applying the Blowfish block cipher. One caveat that any such scheme must account for is Blowfish's 64-bit block size, which limits how much data can safely be encrypted under a single key.
We highly recommend that future researchers work more on the Blowfish algorithm in order to give users a more secure internet experience.

Appendix A
Our survey has been conducted based on the following factors:

• Usability and user-friendliness: If an approach does not need any special configuration, it can be called user-friendly and is likely to be an effective solution. An approach cannot be called user-friendly if it requires too much configuration or is too expensive to deploy.

• Efficiency and scalability: If an approach is user-friendly, browser-supported and has acceptable overhead, it is very effective. Scalability is a measure of an approach's ability to increase or decrease its performance and cost as demand changes.

• Resource utilization: Some of the existing approaches need high RAM, CPU, network bandwidth or storage on the server side and client side. If any of these is lacking, the approach may fail to mitigate the attack or will be slow to respond.

Bibliography
[1] P. Kamal, “State of the art survey on session hijacking,” Global Journal of Computer Science and Technology, 2016.

[2] A. Alabrah and M. Bassiouni, “Preventing session hijacking in collaborative applications with hybrid cache-supported one-way hash chains,” in 10th IEEE International Conference on Collaborative Computing: Networking, Applications and Worksharing. IEEE, 2014, pp. 27–34.

[3] V. Jain, D. R. Sahu, and D. S. Tomar, “Session hijacking: Threat analysis and countermeasures,” in Int. Conf. on Futuristic Trends in Computational Analysis and Knowledge Management, 2015.

[4] W. Burgers, R. Verdult, and M. van Eekelen, “Prevent session hijacking by binding the session to the cryptographic network credentials,” in Nordic Conference on Secure IT Systems. Springer, 2013, pp. 33–50.

[5] M. S. Hossain, A. Paul, M. H. Islam, and M. Atiquzzaman, “Survey of the protection mechanisms to the SSL-based session hijacking attacks,” Netw. Protoc. Algorithms, vol. 10, no. 1, pp. 83–108, 2018.

[6] C. Palmer, “Secure session management with cookies for web applications,” iSEC Partners, Inc., 2008.

[7] K. D’silva, J. Vanajakshi, K. Manjunath, and S. Prabhu, “An effective method for preventing SQL injection attack and session hijacking,” in 2017 2nd IEEE International Conference on Recent Trends in Electronics, Information & Communication Technology (RTEICT). IEEE, 2017, pp. 697–701.

[8] I. O. Ogundele, A. O. Akinade, H. O. Alakiri, A. A. Aromolaran, and B. Uzoma, “Detection and prevention of session hijacking in web application management,” Inte. Adv. Res. Comput. Commun. Eng., vol. 9, no. 6, pp. 1–10, 2020.

[9] A. M. Sathiyaseelan, V. Joseph, and A. Srinivasaraghavan, “A proposed system for preventing session hijacking with modified one-time cookies,” in 2017 International Conference on Big Data Analytics and Computational Intelligence (ICBDAC). IEEE, 2017, pp. 451–454.

[10] I. Dacosta, S. Chakradeo, M. Ahamad, and P. Traynor, “One-time cookies: Preventing session hijacking attacks with stateless authentication tokens,” ACM Transactions on Internet Technology (TOIT), vol. 12, no. 1, pp. 1–24, 2012.

[11] M. Bugliesi, S. Calzavara, R. Focardi, and W. Khan, “CookiExt: Patching the browser against session hijacking attacks,” Journal of Computer Security, vol. 23, no. 4, pp. 509–537, 2015.

[12] R. T. Prapty, S. Azmin, M. S. Hossain, and H. S. Narman, “Preventing session hijacking using encrypted one-time-cookies,” in 2020 Wireless Telecommunications Symposium (WTS). IEEE, 2020, pp. 1–6.

[13] J. J. Pauli, P. H. Engebretson, M. J. Ham, and M. J. Zautke, “CookieMonster: Automated session hijacking archival and analysis,” in 2011 Eighth International Conference on Information Technology: New Generations. IEEE, 2011, pp. 403–407.

[14] A. K. Baitha and S. Vinod, “Session hijacking and prevention technique,” International Journal of Engineering & Technology, vol. 7, no. 2.6, pp. 193–198, 2018.

[15] A. E. Eldewahi, T. M. Sharfi, A. A. Mansor, N. A. Mohamed, and S. M. Alwahbani, “SSL/TLS attacks: Analysis and evaluation,” in 2015 International Conference on Computing, Control, Networking, Electronics and Embedded Systems Engineering (ICCNEEE). IEEE, 2015, pp. 203–208.

[16] K. Cheng, M. Gao, and R. Guo, “Analysis and research on HTTPS hijacking attacks,” in 2010 Second International Conference on Networks Security, Wireless Communications and Trusted Computing, vol. 2. IEEE, 2010, pp. 223–226.

[17] G. N. Nayak and S. G. Samaddar, “Different flavours of man-in-the-middle attack, consequences and feasible solutions,” in 2010 3rd International Conference on Computer Science and Information Technology, vol. 5. IEEE, 2010, pp. 491–495.