Session hijacking is a big part of the common attack surface and something the pentester must take into consideration when defending networks from attacks. An often overlooked attacker is the disgruntled employee who is already inside the network and has physical access; this attacker holds a favorable seat. Remember that, even though statistics vary and none of them may be completely accurate, around half of all attacks come from inside the organization.
Penetration testing to uncover vulnerabilities is also an important part of the overall defensive strategy. Encryption should be implemented for sensitive network traffic to resources such as servers. Even internal traffic that seems less useful to an attacker could be encrypted to minimize the damage if a successful attack occurs, since it gives the attacker fewer pieces of the puzzle needed for privilege escalation. Implementing policies that limit the generation of unique session tokens to intranet resources can reduce the probability of an attacker stealing an active session: fewer active sessions make it less likely that an attacker will guess or predict one in the total session key space.
- Encrypting network traffic is a viable and effective preventive technique against hijacking attacks from both internal and external parties.
- Using network-monitoring appliances such as IDS and IPS systems can aid in detecting and preventing anomalies that may be a session hijack attack in progress.
- Configure the appropriate appliances, such as gateways, to check and filter for spoofed client information such as IP addresses. User access switches should have DHCP snooping and Dynamic ARP inspection (DAI) configured to prevent ARP poisoning.
- Be aware of local browser vulnerabilities such as extended history logs and lingering cookies. Clearing temporary browsing information can help in preventing the use of old session IDs.
- Stronger authentication systems such as Kerberos will provide protection against session hijacking.
- The use of technologies such as IPSec and SSL/TLS will also provide protection against session hijacking.
- Defence-in-depth, or the use of multiple defensive technologies to slow or deter an attacker, provides protection as well.
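The following is an added example, not code from the original text, showing how the server-side points above fit together in one small session store: session IDs drawn from the OS CSPRNG (so they cannot be guessed or predicted no matter how many sessions are active), an idle timeout that discards old IDs so lingering cookies cannot be replayed, and a binding of each session to the client that created it, so a token presented from a different client is revoked and reported as an anomaly of the kind an IDS or SIEM would consume. The `IDLE_TIMEOUT` value, the fingerprint fields and all sample clients are assumptions chosen for illustration.

```python
"""Session store hardened against hijacking (added example, not from the page).

Shows: unpredictable session IDs, idle expiry of old IDs, binding a session
to the client that created it, and an anomaly record for reuse from a
different client. All clients, IPs and user agents below are constructed.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 900  # assumption: 15 minutes without activity ends a session


@dataclass
class Session:
    user: str
    client_fp: str      # fingerprint of the client that created the session
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.time):
        self._sessions = {}
        self.idle_timeout = idle_timeout
        self.clock = clock          # injectable so expiry can be tested
        self.alerts = []            # anomalies to forward to IDS/SIEM

    @staticmethod
    def fingerprint(ip, user_agent):
        # Observable client attributes the session is bound to (not a secret).
        return f"{ip}|{user_agent}"

    def create(self, user, ip, user_agent):
        # 32 bytes from the OS CSPRNG: 256 bits of entropy, so the number of
        # active sessions has no practical effect on guessability.
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[sid] = Session(user, self.fingerprint(ip, user_agent), now, now)
        return sid

    def validate(self, sid, ip, user_agent):
        """Return the user of a live session, or None. Records anomalies."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self.clock()
        if now - sess.last_seen > self.idle_timeout:
            # Expired: drop it so an old cookie cannot be replayed later.
            del self._sessions[sid]
            return None
        presented = self.fingerprint(ip, user_agent).encode()
        if not hmac.compare_digest(presented, sess.client_fp.encode()):
            # Same token arriving from a different client: hijack indicator.
            self.alerts.append(f"session of {sess.user} reused from {ip}")
            del self._sessions[sid]   # revoke rather than trust either party
            return None
        sess.last_seen = now
        return sess.user

    def active_count(self):
        return len(self._sessions)


def demo():
    """Walk through a legitimate request, a reuse from another host, and expiry."""
    now = [1000.0]                       # constructed fake clock
    store = SessionStore(idle_timeout=60, clock=lambda: now[0])
    sid = store.create("alice", "10.0.0.5", "Mozilla/5.0")
    ok = store.validate(sid, "10.0.0.5", "Mozilla/5.0")       # "alice"
    stolen = store.validate(sid, "10.0.0.9", "Mozilla/5.0")   # None, alert raised
    sid2 = store.create("bob", "10.0.0.6", "curl/8.0")
    now[0] += 120                                             # past idle timeout
    expired = store.validate(sid2, "10.0.0.6", "curl/8.0")    # None
    return ok, stolen, expired, list(store.alerts), store.active_count()


if __name__ == "__main__":
    print(demo())
```

The anomaly check is deliberately conservative: when the fingerprint changes, the session is revoked for both parties instead of letting the server decide which one is legitimate, and the event is recorded so that monitoring can correlate it with other indicators.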