Web apps use session IDs (SIDs) as a credential. If an attacker steals a SID, they are logged in as the victim! This is session hijacking. Many possible theft mechanisms:
- XSS, sniffing, interception
- Calculate, guess, brute-force
- Also session fixation
  - Using the same SID from unauthenticated to logged in
  - Attacker grabs/sets SID before user visits site
Session Hijacking Defences
Web apps (or frameworks) should implement defences and discard SIDs if something suspicious happens.
- Link SID to IP address of client
  - Problems if behind NAT, transparent proxies
  - ISP proxy pools mean need to use subnet, not IP
  - Subnet may be shared with attacker!
- Link SID to HTTP Headers, e.g. User-Agent
  - Can be trivially faked… and usually guessed
  - … or captured (trick victim to visit recording site)
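The following is an added example, not code from the notes above: a small in-memory session store that applies the defences just listed (bind the SID to the client's subnet rather than exact IP, bind it to the User-Agent, discard the session on any mismatch) and also closes the session-fixation path from the first list by retiring the pre-authentication SID and issuing a fresh one at login. The prefix lengths (/24 for IPv4, /64 for IPv6), the client addresses and the User-Agent strings are constructed assumptions.

```python
# Added example: session store that binds a SID to client subnet + User-Agent
# and rotates the SID at login. Not taken from the lecture notes.
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Session:
    user: Optional[str]          # None until the client authenticates
    subnet: Network              # client subnet recorded when the SID was issued
    user_agent: str              # User-Agent recorded when the SID was issued
    data: Dict[str, str] = field(default_factory=dict)


class SessionStore:
    """Prefix lengths are assumptions: /24 for IPv4, /64 for IPv6."""

    def __init__(self, v4_prefix: int = 24, v6_prefix: int = 64) -> None:
        self.v4_prefix = v4_prefix
        self.v6_prefix = v6_prefix
        self._sessions: Dict[str, Session] = {}

    def _client_subnet(self, client_ip: str) -> Network:
        # Bind to the subnet, not the exact address: NAT and ISP proxy pools
        # can move one legitimate client between addresses in a block.
        addr = ipaddress.ip_address(client_ip)
        plen = self.v4_prefix if addr.version == 4 else self.v6_prefix
        return ipaddress.ip_network(f"{addr}/{plen}", strict=False)

    def create(self, client_ip: str, user_agent: str) -> str:
        # 256 random bits: the SID cannot be calculated, guessed or brute-forced.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(None, self._client_subnet(client_ip), user_agent)
        return sid

    def lookup(self, sid: str, client_ip: str, user_agent: str) -> Optional[Session]:
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if sess.subnet != self._client_subnet(client_ip) or sess.user_agent != user_agent:
            # Something suspicious happened: discard the SID instead of serving it.
            del self._sessions[sid]
            return None
        return sess

    def login(self, sid: str, client_ip: str, user_agent: str, user: str) -> Optional[str]:
        sess = self.lookup(sid, client_ip, user_agent)
        if sess is None:
            return None
        # Retire the unauthenticated SID and issue a new one, so a SID that was
        # grabbed or set before login never becomes an authenticated session.
        del self._sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = Session(user, sess.subnet, sess.user_agent, sess.data)
        return new_sid


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("203.0.113.10", "Browser/1.0")          # constructed client
    auth_sid = store.login(sid, "203.0.113.77", "Browser/1.0", "alice")  # same /24 via NAT
    print("old SID still valid:", store.lookup(sid, "203.0.113.10", "Browser/1.0") is not None)
    print("new SID from another subnet:", store.lookup(auth_sid, "198.51.100.5", "Browser/1.0"))
```

The store keeps the caveats from the notes visible: a second client anywhere in the same /24 with the same User-Agent passes both checks, so these bindings raise the bar for a stolen SID rather than remove the risk, and a real deployment would apply the same discard-on-mismatch rule to whatever extra signals it has.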