JavaOne – The Hacker’s Guide to Session Hijacking

“The Hacker’s Guide to Session Hijacking”

Speaker: Patrycja Wegrzynowicz

For more blog posts from JavaOne, see the table of contents

Dropbox and Yahoo passwords sold on black market last year


  • stateless
  • JSessionId – cookie, header, parameter, hidden field
  • OWASP top 10 – A2 – Broken Authentication and Session Management

Session Hijacking

  • Easy targets
  • Session theft – steal session id from URL, sniffing, logs, XSS.
  • Session fixation – trick user into using the (fixed) session id of the hacker’s choosing
  • Session prediction – server uses weak algorithm so hacker can guess session id. Least common in Java world. About 5 years ago, Jetty had this issue

How to protect

  • Need to disable URL rewriting in an app server.
  • Alternatively can set up tracking mode in the web.xml: <tracking-mode>COOKIE</tracking-mode> starting Java EE 6/Servlet 3
  • Use HTTPS to avoid session exposure during transport
  • Set <secure>true</secure> under cookie-config in web.xml so only sent over https. Also added in Java EE 6/Servlet 3
  • Set <http-only>true</http-only> under cookie-config in web.xml so only sent over https.
  • Java EE 7/Servlet 4 has request.changeSessionId() so can have different id
  • Shorter timeouts – 2-5 minutes for critical apps; 15-30 minutes for typical apps. By default they aren’t supposed to timeout
  • Write logic to see if IP/user agent changes during session and invalidate session if does
  • CSRF token, double submit cookie (if no server side session), SameSite cookie flag in Chrome (not yet supported by Java EE)

Session created when call request.getSession(true) explicitly or implicitly (ex: when visit JSP page)
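The cookie-config, tracking-mode, changeSessionId() and IP/user-agent bullets above, pulled together as an added example (my own code, not the speaker's). It assumes the Servlet 4.0 API, and the attribute name and the 15 minute timeout are my own choices:

```java
import java.io.IOException;
import java.util.EnumSet;
import javax.servlet.*;
import javax.servlet.annotation.*;
import javax.servlet.http.*;

// One class plays two roles: a listener that hardens the session cookie at startup (programmatic
// equivalent of web.xml <tracking-mode> and <cookie-config>) and a filter that binds every session
// to the client that created it. Assumes the Servlet 4.0 API.
@WebListener
@WebFilter("/*")
public class SessionHardening implements ServletContextListener, Filter {
    static final String FINGERPRINT = "session.fingerprint"; // attribute name is our own choice

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // Cookie-only tracking: no ;jsessionid= in URLs, so the id stays out of logs and Referer headers
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setSecure(true);   // cookie is only sent over HTTPS
        cookie.setHttpOnly(true); // cookie is hidden from document.cookie, so XSS cannot simply read it
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false); // never create a session just to inspect it
        if (session != null) {
            String current = fingerprint(request);
            String bound = (String) session.getAttribute(FINGERPRINT);
            if (bound == null) {
                session.setAttribute(FINGERPRINT, current); // first request on this session: record the client
            } else if (!bound.equals(current)) {
                session.invalidate(); // same id, different client: treat as hijacked and drop it
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    static String fingerprint(HttpServletRequest r) {
        return r.getRemoteAddr() + "|" + r.getHeader("User-Agent");
    }

    // Call from the login handler once credentials check out (Servlet 3.1+): the id is replaced, so a
    // fixated pre-login id stops working, and the talk's timeout range for a typical app is applied.
    static void onLoginSuccess(HttpServletRequest r) {
        r.changeSessionId();
        r.getSession().setMaxInactiveInterval(15 * 60);
    }
}
```

Binding on getRemoteAddr() will log out legitimate users whose address changes mid-session (mobile networks, NAT pools, proxies), so in practice the check is often relaxed to the User-Agent alone or paired with a re-authentication prompt instead of a hard 401.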

How attack

  • Get session id from log
  • Use JavaScript to get cookie
  • Get user to click link with URL
  • Go to site anonymously and close tab so user gets that session id [requires physical access]
  • XSS
  • CSRF

My take:
She did interactive demos of the issues. She posted a URL with session id on twitter and a bunch of people clicked real time; fun to see. Then she did the opposite where she got into our session. Then she stole the cookie with JavaScript using an image to bypass same source policy. [That I’m not doing. Intentionally sharing all my cookies; no thanks! She only displayed the cookie with the jsession id for her site which is good]. Finally she did an interactive CSRF demo
