Browser Session Hijacking

Information

• Name: Browser Session Hijacking

• ID: T1185

• Tactics: TA0009

Introduction

Browser Session Hijacking, classified under the MITRE ATT&CK framework as technique T1185, refers to adversaries stealing authenticated browser sessions to gain unauthorized access to web applications or services. Attackers leverage existing user sessions, typically through theft of cookies or session tokens, enabling them to bypass authentication mechanisms and impersonate legitimate users. This technique is particularly effective since it circumvents traditional login procedures, making it difficult to detect without proper monitoring.

Deep Dive Into Technique

Browser Session Hijacking involves capturing or stealing session identifiers (session cookies, tokens, or session IDs) that web applications use to maintain user authentication state. These identifiers are typically stored within cookies or URLs, and attackers can exploit various methods to obtain them:

• Session Sniffing:

  • Capturing session cookies transmitted over unencrypted HTTP connections using network sniffing tools (e.g., Wireshark, tcpdump).

  • Exploiting insecure Wi-Fi networks to intercept session data.

• Cross-Site Scripting (XSS) Attacks:

  • Injecting malicious scripts into vulnerable web pages to extract session cookies from victim browsers.

  • Commonly executed through stored or reflected XSS vulnerabilities.

• Man-in-the-Middle (MitM) Attacks:

  • Intercepting communication between user browsers and web servers to extract session tokens.

  • Typically involves techniques like ARP spoofing, DNS spoofing, or rogue access points.

• Malware and Browser Extensions:

  • Deploying malicious software or browser extensions to directly read and exfiltrate session cookies from victim machines.

• Session Fixation Attacks:

  • Attacker sets a known session ID for the victim, who then authenticates, allowing the attacker to hijack the session afterward.

Once session identifiers are captured, adversaries can reuse them by injecting cookies into their own browsers, effectively impersonating the legitimate user without needing credentials or multi-factor authentication.

When this Technique is Usually Used

Browser Session Hijacking can occur across multiple stages of the cyber kill-chain and various attack scenarios, including:

• Initial Access:

  • Attackers use hijacked sessions to gain initial foothold into web-based services or cloud environments.

• Privilege Escalation and Lateral Movement:

  • Leveraging compromised sessions to escalate privileges within applications or move laterally to other services or resources accessible by the victim's account.

• Credential Access:

  • Using session hijacking to bypass authentication and directly access sensitive data or administrative functions.

• Persistence:

  • Maintaining long-term access by repeatedly hijacking sessions, especially when credentials change frequently or multi-factor authentication is employed.

Attack scenarios typically include:

• Targeting executives or administrators via phishing or malware to gain high-privileged session cookies.

• Exploiting insecure public Wi-Fi networks to intercept sessions of unsuspecting users.

• Leveraging XSS vulnerabilities in web applications to extract session cookies from users.

How this Technique is Usually Detected

Detection of Browser Session Hijacking requires proactive monitoring and analysis of various indicators and behaviors, including:

• Session Anomaly Detection:

  • Monitoring for simultaneous or geographically dispersed logins from the same user account.

  • Identifying unusual session activity, such as access from unknown IP addresses or devices.

• Behavioral Analytics:

  • Using User and Entity Behavior Analytics (UEBA) tools to detect deviations in user behavior patterns.

  • Identifying abnormal session durations, login times, or application usage patterns.

• Web Application Firewall (WAF) and IDS/IPS:

  • Detecting and blocking XSS payloads or other malicious scripts attempting to steal cookies.

  • Monitoring network traffic for signs of MitM attacks or session sniffing.

• Endpoint Detection and Response (EDR):

  • Detecting malware or malicious browser extensions attempting to read or exfiltrate session cookies.

• Specific Indicators of Compromise (IoCs):

  • Unusual user-agent strings or headers in HTTP requests.

  • Sudden IP address changes within the same session.

  • Multiple concurrent sessions from geographically distinct locations.

  • Presence of known malicious browser extensions or malware artifacts on endpoints.

Why it is Important to Detect This Technique

Timely detection of Browser Session Hijacking is crucial due to its significant impact on systems, networks, and organizational security posture:

• Unauthorized Access:

  • Attackers gain direct, authenticated access to sensitive data, applications, and administrative functions without needing credentials.

• Data Breach and Leakage:

  • Session hijacking can result in exposure of confidential data, intellectual property, customer information, or financial records.

• Account Takeover and Identity Theft:

  • Attackers can impersonate legitimate users, perform fraudulent transactions, alter data, or cause reputational damage.

• Bypassing Multi-Factor Authentication (MFA):

  • Session hijacking effectively circumvents MFA, as attackers utilize already authenticated sessions.

• Persistence and Lateral Movement:

  • Attackers maintain persistent access, enabling lateral movement across applications, services, and infrastructure.

Early detection helps organizations:

• Mitigate potential damage and limit attacker dwell time.

• Prevent data loss, financial losses, and reputational harm.

• Strengthen security posture by identifying vulnerabilities, improving authentication mechanisms, and enhancing monitoring capabilities.

Examples

Real-world examples demonstrate the prevalence and impact of Browser Session Hijacking:

• Firesheep Tool (2010):

  • Attack Scenario: Attackers used Firesheep, a Firefox extension, to capture session cookies transmitted over unsecured Wi-Fi networks.

  • Tools Used: Firesheep browser extension.

  • Impact: Enabled attackers to hijack sessions of popular sites like Facebook, Twitter, and Gmail, resulting in widespread unauthorized access.

• Yahoo Cookie Forgery Attack (2015-2016):

  • Attack Scenario: Attackers forged session cookies using stolen Yahoo source code and internal tools.

  • Tools Used: Custom cookie-forging scripts and internal Yahoo tools.

  • Impact: Over 32 million accounts compromised, allowing attackers to access email accounts without passwords.

• GitHub Session Hijacking via XSS (2013):

  • Attack Scenario: Attackers exploited an XSS vulnerability to steal GitHub session cookies from other users.

  • Tools Used: Malicious JavaScript payloads, XSS exploitation techniques.

  • Impact: Attackers gained unauthorized access to user repositories, potentially exposing sensitive code and data.

• Operation Aurora (Google, 2009):

  • Attack Scenario: Attackers used targeted malware to steal session cookies from Google employees.

  • Tools Used: Custom malware designed to extract session cookies from browsers.

  • Impact: Attackers accessed sensitive data and intellectual property, prompting Google to enhance security measures and infrastructure.

These examples highlight the critical need for secure session management, encrypted communications (HTTPS), robust XSS mitigation, and comprehensive monitoring and detection capabilities to prevent and mitigate Browser Session Hijacking attacks.