9 Session vulnerabilities
In this chapter
- How server-side and client-side sessions are implemented
- How sessions can be hijacked
- How sessions can be forged if session identifiers are guessable
- How client-side sessions can be tampered with unless you digitally sign or encrypt the session state
In chapter 8, we looked at how attackers try to steal credentials from your users. If that strategy isn’t feasible, the next thing an attacker will try is accessing a victim’s account after they log in.
The continued authenticated interaction between a browser and a web server—when a user visits various pages in your web application and the server recognizes who they are—is called a session. Session hijacking is the act of stealing a user’s identity while they are browsing the web application.
If an attacker can hijack sessions from your website, they can act as that user. Hackers have discovered inventive ways to steal sessions, so we dedicate this chapter to the subject. Before we get started, let’s review how web applications implement sessions.
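As an added example (not the book's own code) illustrating the last two points of the chapter outline: a server-side session identifier drawn from a cryptographically secure random source so it cannot be guessed, and client-side session state carried with an HMAC so that any edit made in the browser is rejected by the server. The secret value and the function names are assumptions for this illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Placeholder secret for the example; a real server loads this from configuration.
SERVER_SECRET = b"example-secret-do-not-use"


def new_session_id() -> str:
    """Server-side sessions: the identifier is the only thing tying a request to a
    user, so it must be unguessable. secrets.token_urlsafe draws 32 random bytes
    from the OS CSPRNG rather than using a counter or timestamp."""
    return secrets.token_urlsafe(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(state: dict, secret: bytes = SERVER_SECRET) -> str:
    """Client-side sessions: serialize the state and append an HMAC-SHA256 tag
    computed with a secret only the server knows. The cookie is readable by the
    browser, but it cannot be changed without invalidating the tag."""
    payload = _b64(json.dumps(state, sort_keys=True).encode())
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_session(cookie: str, secret: bytes = SERVER_SECRET):
    """Return the session state if the tag checks out, otherwise None."""
    try:
        payload, tag = cookie.split(".", 1)
    except ValueError:
        return None  # malformed cookie: no separator
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the tag through timing.
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(_unb64(payload))


def with_state_replaced(cookie: str, state: dict) -> str:
    """Simulate a browser-side edit: new state, old tag. Used to show the check rejects it."""
    return f"{_b64(json.dumps(state, sort_keys=True).encode())}.{cookie.split('.', 1)[1]}"
```

A session stored this way still needs an expiry inside the signed state, since the signature alone does not stop an old cookie from being replayed.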
How sessions work
Rendering even a single page of a website usually requires a browser to make multiple HTTP requests to the server. The initial HTML of the page is loaded; then the browser makes additional requests to load the JavaScript, images, and stylesheets referenced in that HTML.