Vol. 1 · Ed. 2026
CyberGlossary
Entry № 1133

Session Hijacking

Reviewed by Cybersecurity entrepreneur & security researcher

What is Session Hijacking?

Session Hijacking: An attack that takes over a victim's authenticated session by stealing or forging the session identifier so the attacker can act as the user without their credentials.


Session hijacking targets the token that maintains an authenticated session, typically a cookie or bearer token, and reuses it from an attacker-controlled client. Tokens can be captured through network sniffing on unencrypted links, XSS exfiltration of cookies that JavaScript is allowed to read, malware on the client that harvests browser cookie stores and token caches, predictable session ID generation, session fixation (the attacker plants a known ID before the victim logs in), or theft of stored cookies or tokens from third parties that hold them. Because the server treats the token as proof of a login that already happened, replaying it bypasses authentication entirely, including any MFA the victim completed earlier.

Defences include HTTPS everywhere with HSTS; secure cookie flags (Secure, HttpOnly, SameSite, and the __Host- cookie prefix); a strong Content Security Policy against XSS; session IDs drawn from a CSPRNG, regenerated on login and invalidated on logout and password change; short-lived, rotated tokens; binding tokens to the client (DPoP, Token Binding) and phishing-resistant login with passkeys; continuous risk-based re-authentication; and detection of session anomalies such as a mid-session change of IP address, device fingerprint or ASN.
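The server-side half of those defences, as an added example written for this entry rather than code from the original page: an in-memory session store that mints unpredictable IDs, rotates the ID on login (so a fixated or pre-observed ID is useless), binds each session to a keyed hash of the User-Agent and to the originating ASN, enforces idle and absolute lifetimes, and emits a hardened Set-Cookie line. The TTL values, cookie name and the "revoke on fingerprint mismatch, step-up on ASN change" policy are assumptions for illustration; a real deployment would tune them and persist the table in a shared store.

```python
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for this example; tune per application.
ABSOLUTE_TTL = 8 * 3600          # seconds a session may live regardless of activity
IDLE_TTL = 15 * 60               # seconds of inactivity before the session is dropped
COOKIE_NAME = "__Host-session"   # __Host- prefix forces Secure, Path=/ and no Domain


@dataclass
class Session:
    user: str | None         # None until login completes
    created: float
    last_seen: float
    ua_fingerprint: str      # keyed hash of the User-Agent the session was issued to
    asn: str                 # network the session was issued from


class SessionStore:
    """Server-side session table. Only the opaque ID ever reaches the client."""

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._sessions: dict[str, Session] = {}

    def _fingerprint(self, user_agent: str) -> str:
        # Keyed with a server secret so the stored value cannot be forged offline.
        return hmac.new(self._key, user_agent.encode(), "sha256").hexdigest()

    def _mint(self, user: str | None, user_agent: str, asn: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not guessable
        self._sessions[sid] = Session(user, now, now, self._fingerprint(user_agent), asn)
        return sid

    def start_anonymous(self, user_agent: str, asn: str, now: float | None = None) -> str:
        return self._mint(None, user_agent, asn, time.time() if now is None else now)

    def login(self, old_sid: str | None, user: str, user_agent: str, asn: str,
              now: float | None = None) -> str:
        """Rotate the ID on authentication: any ID chosen or observed before login
        (session fixation) is discarded, so it grants nothing afterwards."""
        now = time.time() if now is None else now
        self._sessions.pop(old_sid, None)
        return self._mint(user, user_agent, asn, now)

    def resolve(self, sid: str, user_agent: str, asn: str,
                now: float | None = None) -> tuple[str, Session | None]:
        """Return (status, session). Only "ok" grants access; "reauth" keeps the
        session but the app must demand a fresh login/MFA before sensitive actions."""
        now = time.time() if now is None else now
        sess = self._sessions.get(sid)
        if sess is None:
            return "unknown", None
        if now - sess.created > ABSOLUTE_TTL or now - sess.last_seen > IDLE_TTL:
            del self._sessions[sid]
            return "expired", None
        if not hmac.compare_digest(sess.ua_fingerprint, self._fingerprint(user_agent)):
            del self._sessions[sid]          # replay from a different client: kill it
            return "revoked", None
        sess.last_seen = now
        if asn != sess.asn:
            return "reauth", sess            # network moved: step-up instead of hard fail
        return "ok", sess

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """Hardened Set-Cookie line: HttpOnly blocks document.cookie exfiltration,
    Secure blocks cleartext transmission, SameSite=Lax blocks most cross-site sends."""
    return (f"{COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax; "
            f"Max-Age={ABSOLUTE_TTL}")


if __name__ == "__main__":
    store = SessionStore(b"server-side-secret")
    anon = store.start_anonymous("Mozilla/5.0", "AS64496")
    sid = store.login(anon, "alice", "Mozilla/5.0", "AS64496")
    print(set_cookie_header(sid))
    print(store.resolve(sid, "Mozilla/5.0", "AS64496")[0])    # ok
    print(store.resolve(sid, "curl/8.0", "AS64496")[0])       # revoked
```

The ASN check deliberately downgrades to a step-up rather than a hard failure: mobile users change networks constantly, and a hard block would push teams to switch the check off entirely. The User-Agent binding is a weak signal on its own (an attacker who steals the cookie can usually steal the UA string too), which is why DPoP or Token Binding, which tie the token to a key the attacker cannot export, are the stronger form of the same idea.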

Examples

  1. An XSS payload exfiltrates a logged-in user's session cookie to the attacker, who pastes it into their browser to impersonate the victim.

  2. Malware on a workstation steals an OAuth refresh token, granting persistent access to a SaaS application.

Frequently asked questions

What is Session Hijacking?

An attack that takes over a victim's authenticated session by stealing or forging the session identifier so the attacker can act as the user without their credentials. It belongs to the Attacks & Threats category of cybersecurity.

What does Session Hijacking mean?

An attack that takes over a victim's authenticated session by stealing or forging the session identifier so the attacker can act as the user without their credentials.

How do you defend against Session Hijacking?

Defences for Session Hijacking combine technical controls (HTTPS with HSTS, Secure/HttpOnly/SameSite cookie flags, CSP, session ID regeneration on login, short-lived and client-bound tokens) with operational practices (risk-based re-authentication and monitoring for sessions that change IP, device or ASN), as detailed in the full definition above.

What are other names for Session Hijacking?

Common alternative names include: TCP session hijacking, Cookie session hijacking.
