Session Hijacking (Cookie Theft)
Session Hijacking involves stealing the unique session ID (usually stored in a cookie) that identifies a logged-in user to a web server, allowing the attacker to take over the account without knowing the password.
Attack Simulation
Interactive demo (not reproduced here): a Victim on an Unsecured Network sends a request carrying their session cookie (SID: abc123xyz) to the Web Server; an Attacker on the same unsecured WiFi network is "Waiting to intercept traffic..." and, on "Sniff Packet", reads the session cookie from the traffic.
Common Methods
- Sniffing: On unencrypted (HTTP) or public WiFi networks, attackers can simply read the session cookie from the network traffic.
- XSS: If a site has an XSS vulnerability, an attacker can use JavaScript (`document.cookie`) to steal the session ID and send it to themselves.
- Fixation: An attacker tricks a user into authenticating with a known session ID (e.g., via a link), then uses that same ID to access the account.
Prevention & Defense
- HTTPS (TLS/SSL): Encrypts all traffic between the user and server, so the session cookie cannot be read by sniffing the network.
- Secure & HttpOnly Flags: Marking cookies as `Secure` ensures they are only sent over HTTPS. `HttpOnly` prevents JavaScript (XSS) from reading them.
- Session Rotation: Websites should generate a new session ID immediately after a user logs in to prevent Session Fixation.
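The three defenses above as server-side code, added here as an example (it is not code from the Atlas page): the session ID is rotated at login so an ID planted by fixation stops working, and the cookie is issued with the `Secure` and `HttpOnly` flags. The names `SessionStore` and `session_cookie_header`, the in-memory store, and the extra `SameSite=Lax` attribute are assumptions of this example.

```python
"""Session handling that applies the page's defenses. Constructed example:
the store is an in-memory dict standing in for a real session backend."""
import secrets
from http.cookies import SimpleCookie


class SessionStore:
    """Maps session IDs to session data; pre-login sessions have user=None."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        # 256 bits of CSPRNG output: an ID an attacker cannot guess.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)

    def login(self, presented_sid, user):
        """Authenticate and ROTATE (Session Rotation on the page).

        The ID the client presented may have been planted by a fixation
        link, so it is destroyed and a fresh ID is bound to the user.
        Anyone who knew the old ID is left holding a dead session."""
        self._sessions.pop(presented_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user}
        return new_sid


def session_cookie_header(sid):
    """Build the Set-Cookie value for the session ID.

    Secure   : browser sends it only over HTTPS (blocks plaintext sniffing).
    HttpOnly : not visible to document.cookie (blocks XSS cookie theft).
    SameSite : assumed extra, not on the page; limits cross-site sending."""
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["secure"] = True
    cookie["sid"]["httponly"] = True
    cookie["sid"]["path"] = "/"
    cookie["sid"]["samesite"] = "Lax"
    return cookie["sid"].OutputString()


if __name__ == "__main__":
    store = SessionStore()
    planted = store.create()                 # ID an attacker could know
    fresh = store.login(planted, "victim")   # rotated at login
    print("old ID still valid:", store.lookup(planted) is not None)
    print("Set-Cookie:", session_cookie_header(fresh))
```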