KNOWLEDGE BASE

Overview

Understanding

Session Hijacking

Attackers can still steal your session, even if your credentials are safe

Currently, the only thing that indicates that you are "logged in" is a session key that is stored in your browser. If an attacker gets that value, they too will be "logged in" as you.

Cookies are delicious. And, they are all an attacker needs to break into your online accounts. Forget stealing passwords or breaking private keys… Cookie is all you need.

After you authenticate to a site, it will send a Set-Cookie header with a session value. Any subsequent request that presents that value will be treated as a "logged in" session for that user — wether it's actually them or an attacker. This cookie can be stolen using a Man-in-the-Middle attack or attacking the implementation directly.

Cookies have become part of the foundation of the modern Internet. The first big "security breakthrough" was to move sensitive data from the client's browser to server-side cookies. Yet, hacking some sites is still as easy as modifying the username or rank in a client-side cookie. 😔

Methods

Exploit Techniques

Disclaimer: The information provided in this article is for educational and informational purposes only. Allthenticate is committed to enhancing security awareness and readiness in the cybersecurity community. This content is intended to be used responsibly and ethically by security professionals, researchers, and organizations to improve their defensive capabilities.

Session Sniffing

Attackers can use a man-in-the-middle attack to steal the session ID in transit.


Exploit tools

Wireshark, Ettercap, dsniff, Cain & Abel

Malware

If the attacker can install malicious software (malware) on your computer, they can trivially steal the session cookie, log your keypresses, and much more.


Exploit tools

Metasploit Framework, Spyrix Free Keylogger, emotet, njRat, DarkComet, Mimikatz

Session Fixation

If the websites allow the users to define their own session IDs, an attacker can trick you into setting a session ID that they know.


Exploit tools

Burp Suite, OWASP ZAP, BeEF (Browser Exploitation Framework), Fiddler

Cross-Site Scripting (XSS)

XSS attacks target poor implementations or security vulnerabilities to trick the browser into passing values from a good website to an attacker owned one when you browse to it (e.g., a session ID).



Exploit tools

XSSer, Burp Suite, OWASP ZAP, XSStrike, Metasploit Framework

Brute Force

If web servers use a small session value or a predictable pattern, it is possible that the attacker may be able to simple "try all of them" and get lucky.


Exploit tools

Hydra, Burp Intruder, John the Ripper, THC-Hydra, Patator

Why Traditional Defenses Fall Short

Until the sessions are somehow bound to the physical computer that the user is interacting with, or better yet their phone that they carry everywhere, this attack will continue to be trivial and extremely powerful.

How Allthenticate Defends Against This

Allthenticate eliminates session hijacking

Since Allthenticate binds your sessions to your phone and uses end-to-end encryption, there is nothing to steal on the network, nothing stored on your computer, and nothing sensitive passed around by your browser.


Simply put: all of the attacks mentioned here are rendered completely ineffective.

Authenticated Actions

Current session-based login is all or nothing — you are either logged in and can do everything or you are not.

With Allthenticate, every individual action is authenticated, requiring the user's phone to satisfy the request. Therefore, stealing the phone is the only attack left, not a simple cookie value.

To ensure maximum usability, our patented architecture permits three levels of assurance:

  • Presence: verifies the phone is still nearby

  • Intent: verifies a human approved the action

  • Identification: verifies the owner of the account approved the action

Device-Bound Sessions

By binding each action to the secure key stored on the smartphone, Allthenticate ensures that all remote session attacks will be neutered.

The phone is the key. When you walk away, you automatically be "logged out" and everything will magically work again when you return with your phone.

Secure your organization by eliminating entire classes of vulnerabilities with Allthenticate.

See Pricing

Learn More