Man-in-the-middle & Session Hijacking

Session Hijacking

E-commerce and cloud computing have enabled more companies to do business online, and the resulting growth in online data has at the same time increased security risks and vulnerabilities. Protecting these transactions and sensitive information is vital not only to end users but also to the company itself. “Symantec found that 31 percent of e-commerce applications were vulnerable to cookie manipulation and session hijacking” (Lin, 2005).

Session hijacking can occur on the following protocols:

  • Main Protocol
    • TCP – Transmission Control Protocol
    • UDP – User Datagram Protocol
    • HTTP – HyperText Transfer Protocol
  • Other vulnerable protocols include
    • TELNET
    • FTP
    • DNS

The methods or techniques used for man-in-the-middle packet sniffing are:

  • ICMP – Internet Control Message Protocol, an extension of IP that is used to send error messages
  • ARP – Address Resolution Protocol, whose tables are used by each host to map local IP addresses to hardware (MAC) addresses

Vulnerable Protocols

TCP is the communication between a host and a server; it is established via a three-way handshake between the two, after which data is sent from client/host to server and vice versa. This type of communication is known as a TCP session, and it transpires over IP, hence the term TCP/IP.

UDP provides very few error-recovery services and, unlike TCP, it does not use IP to communicate; it is known as “a connectionless protocol”. This protocol is used essentially for broadcasting messages or DNS queries, making it even more vulnerable than TCP. This type of communication is known as a UDP session.

HTTP is the underlying protocol by which the Internet operates. It defines how client and server communicate and is known as a stateless protocol, which by definition means that HTTP treats each request as an independent transaction with no relation to the previous request; the communication therefore consists of independent pairs of requests and responses. This makes it impossible to distinguish one client from another. Lin (2005) claims that for HTTP to identify and track a user, “the web application defines its own session to hold this data”, and he went on to state that “web application sessions have to be kept track of separately from the protocol.”

Network Level

How does Hijacking work?

Session hijacking occurs on two levels: the network level and the application level. We can classify TCP and UDP hijacking under the network level and HTTP hijacking under the application level.

Figure 1.0 illustrates a session hijacking attack (Qiu, n.d.)

TCP session hijacking is accomplished by forging acceptable packets from both client/host and server, mimicking the legitimate packets being sent between them. Another method is IP spoofing: the attacker obtains the IP address of a client or server, creates an acceptable packet and injects it into the session, forging the communication.

As discussed earlier, the client/server communication is first established via a three-way handshake, after which an ACK number is used to keep track of the communication, so an attacker has to randomly choose an ACK number to inject. It is unlikely that the guess is correct; what it does cause, however, is what is known as a “desynchronized state”, which in essence means that the sequence number within the received packet is not the same as the expected sequence number. In a publication by Chambers et al. (n.d.), they said that “TCP uses a sliding window protocol to allow efficient communication even in the presence of packet loss and high network latency. So, if the received packet is not the one expected, but is within the current window, the packet will be saved on the premise that it will be expected later”.

Otherwise, if source routing is disabled, the session hijacker can also employ blind hijacking, where he injects his malicious data into the intercepted communications of the TCP session.
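The sliding-window behaviour quoted from Chambers et al. above is easier to reason about with a small model. The following is an added illustration, not code from this page or from any of its sources: a minimal TCP receiver that accepts a segment whose sequence number is exactly the expected one, saves a segment that is ahead but still inside the receive window, and discards anything outside it. The window size and sequence numbers used are constructed; a real receiver also handles partially overlapping segments, which this model simply drops.

```python
# Added illustration (not code from the page): how a TCP receiver treats a
# segment whose sequence number is not the one it expects, following the
# sliding-window behaviour described by Chambers et al.
from dataclasses import dataclass, field

SEQ_MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq falls inside [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2^32."""
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


def classify_segment(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """'in-order' if seq is exactly the expected number, 'buffered' if it is
    later but still inside the receive window, 'dropped' otherwise."""
    if seq == rcv_nxt:
        return "in-order"
    if seq_in_window(seq, rcv_nxt, rcv_wnd):
        return "buffered"
    return "dropped"


@dataclass
class Receiver:
    rcv_nxt: int                       # next sequence number we expect
    rcv_wnd: int = 65535               # advertised receive window, in bytes
    delivered: bytearray = field(default_factory=bytearray)
    out_of_order: dict = field(default_factory=dict)  # seq -> payload

    def receive(self, seq: int, payload: bytes) -> str:
        """Process one segment and return the verdict applied to it."""
        verdict = classify_segment(seq, self.rcv_nxt, self.rcv_wnd)
        if verdict == "in-order":
            self._deliver(payload)
            # Segments saved earlier may now be contiguous with the stream.
            while self.rcv_nxt in self.out_of_order:
                self._deliver(self.out_of_order.pop(self.rcv_nxt))
        elif verdict == "buffered":
            self.out_of_order[seq] = payload
        return verdict

    def _deliver(self, payload: bytes) -> None:
        self.delivered += payload
        self.rcv_nxt = (self.rcv_nxt + len(payload)) % SEQ_MOD


def random_seq_in_window_probability(rcv_wnd: int) -> float:
    """Chance that a single uniformly random sequence number lands inside the
    window; this is why the text calls a correct blind guess unlikely."""
    return rcv_wnd / SEQ_MOD


if __name__ == "__main__":
    # Constructed walk-through: the receiver expects sequence number 1000.
    r = Receiver(rcv_nxt=1000)
    print(r.receive(1500, b"BBBBB"))          # buffered: ahead, inside window
    print(r.receive(1000, b"A" * 500))        # in-order; 1500 is then delivered too
    print(r.receive(3_000_000_000, b"X"))     # dropped: far outside the window
    print(r.rcv_nxt, len(r.delivered))        # 1505 505
    print(random_seq_in_window_probability(65535))
```

The wraparound arithmetic in `seq_in_window` matters: a window that straddles the 32-bit boundary must still accept a small sequence number that logically follows a very large one, and reject the reverse.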

This is somewhat similar to session hijacking via IP spoofing discussed earlier, but rather than manipulating the packet or the ACK/sequence number, or causing a “desynchronized state”, the attacker uses a packet sniffer to intercept communication between the client/host and the server. Of the two techniques in the list above, the first, ICMP, is used to redirect packets between the two communicating parties through the attacker’s host machine.

Lin (2005) confirmed this point, stating that the attacker is “forging messages to fool the client and server into thinking that the route through his host is better than the original path (better as in faster, shorter, or non-error prone).” (see Figure 1.0).

Secondly, ARP spoofing attacks. This type of attack involves forging ARP replies to fool the host that broadcast the request into updating its table. The update, when triggered by the attacker, will contain an IP mapping to the hijacker’s host machine. It goes without saying that traffic will now be routed based on the updates made to that table.

The attacker now stands the chance of receiving all transmissions intended for a host, which can in turn be further manipulated and relayed on to the intended host.
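The symptom of the ARP spoofing described above is observable on the wire: an IP address whose hardware mapping suddenly changes, or one MAC address answering for several IPs. The following monitor is an added example, not code from this page or its sources; it parses ARP reply lines in the style of tcpdump output (the sample lines, addresses and the optional static gateway mapping are constructed for the illustration) and raises an alert for each of those symptoms.

```python
# Added illustration (not code from the page): a simple ARP-reply monitor that
# flags the signs of ARP spoofing discussed above.
import re
from collections import defaultdict

# Constructed sample lines, modelled on tcpdump's ARP reply output. The last two
# show a second MAC suddenly claiming the gateway's IP and then a host's IP.
SAMPLE_LINES = """\
12:00:01.000100 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
12:00:02.000100 ARP, Reply 192.168.1.10 is-at 00:11:22:33:44:10, length 28
12:00:03.000100 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
12:00:04.000100 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
12:00:05.000100 ARP, Reply 192.168.1.10 is-at de:ad:be:ef:00:99, length 28
""".splitlines()

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_arp_replies(lines):
    """Yield (timestamp, ip, mac) for each ARP reply line; ignore other lines."""
    for line in lines:
        m = ARP_REPLY.match(line)
        if m:
            yield m["ts"], m["ip"], m["mac"].lower()


def detect_arp_anomalies(lines, static_map=None):
    """Return alert tuples for suspicious ARP replies.

    static_map is an optional dict of IP -> expected MAC for hosts (such as the
    gateway) whose mapping must never change; a reply that contradicts it is
    flagged even if it is the first reply seen for that IP.
    """
    static_map = {ip: mac.lower() for ip, mac in (static_map or {}).items()}
    ip_to_mac = {}                     # last MAC seen for each IP
    mac_to_ips = defaultdict(set)      # every IP each MAC has claimed
    alerts = []
    for ts, ip, mac in parse_arp_replies(lines):
        if ip in static_map and static_map[ip] != mac:
            alerts.append((ts, "static-mismatch", ip, static_map[ip], mac))
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append((ts, "mac-change", ip, prev, mac))
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append((ts, "multi-ip-mac", mac, tuple(sorted(mac_to_ips[mac]))))
    return alerts


if __name__ == "__main__":
    gateway = {"192.168.1.1": "00:11:22:33:44:01"}   # constructed static entry
    for alert in detect_arp_anomalies(SAMPLE_LINES, gateway):
        print(alert)
```

A legitimate change (a replaced network card, or DHCP handing an address to a new host) produces the same "mac-change" alert, so in practice the static map for critical hosts such as the gateway is the more reliable signal and the dynamic checks are a prompt to investigate.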

Figure 1.1 illustrates a man-in-the-middle attack (DuPaul, n.d.)

Application Level

At this level, session hijacking mainly occurs through retrieval of the session ID, which in turn allows unauthorized access to the application or the creation of a new unauthorized session. This session ID can be found in three (3) places, namely:

  • Embedded in the URL
  • Within forms 
  • Cookies

Hijacking Methods

  • Man-in-the-middle (MitM) – using the same techniques as TCP session hijacking
  • Brute force – if the session ID appears to be predictable, the hijacker can also guess the session ID, which involves trying a number of session IDs based upon the known pattern
  • Misdirected trust – using HTML injection and cross-site scripting to steal session information

How does Hijacking work?

As discussed earlier, the same approach is used when it comes to hijacking data from TCP; however, it can only be done on information that is not encrypted. Once the information is transmitted via HTTP over unsecured ports, hijackers have an easy task in capturing the session ID, user name or even passwords, as these are in plain text, and they can then create an unauthorized session via the MitM technique highlighted earlier.

Network Level

Encrypted transfer protocols – these make it even harder for hijackers to interpret and decipher the transmitted packet’s content; ways of doing so are:

  • Internet Protocol Security (IPSec)
  • Secure Sockets Layer (SSL)
  • Secure Shell (SSH)

Application Level

The key to protecting the application, which in this discussion means the session ID, is as follows:

  • Increase the length of the cookie or session ID
  • Make the session ID more random
  • Use encrypted session IDs

These are just a few of the measures that can be put in place.
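The brute-force method listed earlier and the three measures above are two sides of the same point: a session ID is only as safe as it is long and unpredictable. The following is an added example, not code from this page or its sources; it generates session IDs from the operating system's secure random source, estimates how much entropy an ID could at most carry from its length and character classes, rejects IDs below a threshold, and checks a batch of issued IDs for the sequential pattern a guesser would exploit. The threshold, the deliberately weak generator and the sample IDs are constructed for the illustration.

```python
# Added illustration (not code from the page): session IDs that are long,
# random and from a secure source, plus server-side checks against weak ones.
import math
import re
import secrets
import string

URLSAFE_ALPHABET = set(string.ascii_letters + string.digits + "-_")
MIN_ENTROPY_BITS = 128   # policy threshold chosen for this example


def generate_session_id(nbytes: int = 32) -> str:
    """256 bits from the OS CSPRNG, URL-safe base64 encoded (43 characters)."""
    return secrets.token_urlsafe(nbytes)


def predictable_session_id(counter: int) -> str:
    """Deliberately weak generator, kept only to show what the checks reject:
    a fixed prefix followed by an incrementing counter."""
    return f"SESS{counter:08d}"


def estimated_entropy_bits(session_id: str) -> float:
    """Upper bound on the entropy an ID could carry: length times log2 of the
    size of the character classes it uses. This catches short IDs; it cannot
    see that a long ID was produced by a counter, which looks_sequential does."""
    classes = 0
    if any(c.islower() for c in session_id):
        classes += 26
    if any(c.isupper() for c in session_id):
        classes += 26
    if any(c.isdigit() for c in session_id):
        classes += 10
    if any(c in "-_" for c in session_id):
        classes += 2
    return len(session_id) * math.log2(classes) if classes else 0.0


def is_acceptable_session_id(session_id: str, min_bits: int = MIN_ENTROPY_BITS) -> bool:
    """Reject IDs with characters outside the expected alphabet or too little
    possible entropy; a server would run this before trusting any presented ID."""
    if not session_id or any(c not in URLSAFE_ALPHABET for c in session_id):
        return False
    return estimated_entropy_bits(session_id) >= min_bits


def looks_sequential(ids) -> bool:
    """True if every ID ends in a decimal number and those numbers advance by a
    constant non-zero step, i.e. the 'known pattern' a brute-force guesser needs."""
    tails = []
    for sid in ids:
        m = re.search(r"(\d+)$", sid)
        if not m:
            return False
        tails.append(int(m.group(1)))
    if len(tails) < 3:
        return False
    steps = {b - a for a, b in zip(tails, tails[1:])}
    return len(steps) == 1 and steps.pop() != 0


if __name__ == "__main__":
    weak = [predictable_session_id(i) for i in range(1, 6)]       # constructed
    strong = [generate_session_id() for _ in range(5)]
    print(weak[0], round(estimated_entropy_bits(weak[0])), is_acceptable_session_id(weak[0]))
    print(strong[0], round(estimated_entropy_bits(strong[0])), is_acceptable_session_id(strong[0]))
    print("weak batch sequential:", looks_sequential(weak))
    print("strong batch sequential:", looks_sequential(strong))
```

`secrets` rather than `random` is the point of the "more random" measure: `random` is a deterministic generator seeded from little state and is not meant for security. The entropy estimate is deliberately an upper bound, so the batch check is what actually tells a counter-based generator apart from a random one.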

In conclusion, by implementing countermeasures for hijacking at the network level you have, I would say, done 60% of what is also required to protect against application-level attacks.

Lin, M. (2005) An overview of session hijacking at the network and application levels. SANS Institute InfoSec Reading Room.

Chambers, C., Dolske, J. and Iyer, J. (n.d.) TCP/IP Security. Available at: (Accessed: Aug 12, 2016).

DuPaul, N. (n.d.) Man in the Middle (MITM) Attack. Available at: (Accessed: Aug 12, 2016).

Qiu, J. (n.d.) Session hijacking. Available at: (Accessed: Aug 12, 2016).

Groope Multimedia © 2019, All rights reserved