What is Session Hijacking?
Every time you connect to a web application (usually a dynamic web application) you are given a unique ID called a "session". This session identifies you as a valid user and stays valid until you end it (the log-out process) or it expires. Attackers try to obtain or guess the session ID value in order to gain the privileges of a valid user in the web application.
Firesheep HTTP Session Hijacking
Firesheep is a Firefox extension for session hijacking. I was very surprised that this tool can hijack Facebook, Twitter, WordPress, Amazon, etc. sessions from a valid user. The most important thing is that this tool is very easy to configure and to launch an attack with. Just a few steps:
>> Download Firesheep
>> Sit on an unencrypted wireless network
>> Turn on your wireless card (it must support promiscuous mode, such as Atheros, Orinoco, etc.) and join the network
>> Start capturing with Firesheep
>> Just wait until some user authenticates to Facebook, Twitter, etc.
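The reason the attack above works is that the session ID in the first section travels in a cookie, and on an unencrypted network a cookie sent over plain HTTP is readable by anyone nearby. The following is an added example (my own code, not part of the original post or of Firesheep) showing the server-side pieces that matter: an unguessable session ID, a session that is rotated at login, a Set-Cookie line carrying the Secure and HttpOnly flags, and a small audit function that reports which flags a given Set-Cookie header lacks. The session store, the client_fingerprint helper and the sample header values are all constructed for the example; binding a session to a client fingerprint is only a weak extra check, since the real fix is serving the whole site over HTTPS so the cookie never crosses the network in the clear.

```python
import hashlib
import secrets
from typing import Dict, List, Optional

# In-memory session store for the example (constructed; a real app uses a server-side store).
SESSIONS: Dict[str, Dict[str, str]] = {}


def client_fingerprint(user_agent: str, remote_addr: str) -> str:
    """Hash of client attributes that a cookie replayed from another machine is unlikely to match.
    This is a hypothetical helper for the example, not a substitute for TLS."""
    return hashlib.sha256(f"{user_agent}|{remote_addr}".encode()).hexdigest()


def issue_session(user: str, fingerprint: str) -> str:
    """Create a session with an unguessable ID (256 bits from the OS CSPRNG) bound to the client."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "fp": fingerprint}
    return sid


def rotate_session(old_sid: str, fingerprint: str) -> Optional[str]:
    """Invalidate a session and issue a fresh ID, as done at login so any pre-login ID is worthless."""
    entry = SESSIONS.pop(old_sid, None)
    if entry is None:
        return None
    return issue_session(entry["user"], fingerprint)


def resolve_session(sid: str, fingerprint: str) -> Optional[str]:
    """Return the user for a presented cookie value, or None if unknown or presented by a different client."""
    entry = SESSIONS.get(sid)
    if entry is None or not secrets.compare_digest(entry["fp"], fingerprint):
        return None
    return entry["user"]


def set_cookie_header(sid: str) -> str:
    """Set-Cookie line for the session: Secure keeps it off plaintext HTTP, HttpOnly keeps it away from scripts."""
    return f"Set-Cookie: session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def audit_set_cookie(header: str) -> List[str]:
    """Report the protective attributes missing from a Set-Cookie line for a session cookie."""
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in body.split(";") if p.strip()]
    # parts[0] is name=value; everything after it is an attribute such as Path=/ or Secure
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: the browser also sends this cookie over plaintext HTTP, "
                        "so anyone sniffing an open wireless network can read and replay it")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: script running in the page can read the cookie")
    if "samesite" not in attrs:
        findings.append("missing SameSite: cookie is attached to cross-site requests")
    return findings


if __name__ == "__main__":
    # Constructed sample: a 2010-era cookie set without any flags, versus the hardened form.
    for line in audit_set_cookie("Set-Cookie: session=abc123; Path=/"):
        print("weak cookie:", line)
    fp = client_fingerprint("Mozilla/5.0", "10.0.0.5")
    sid = rotate_session(issue_session("alice", fp), fp)
    print(set_cookie_header(sid))
    print("hardened cookie findings:", audit_set_cookie(set_cookie_header(sid)))
```

The audit function is the part worth running against a real site's responses: any session cookie it flags as missing Secure is exactly the kind of cookie a passive sniffer on an open network can capture, regardless of how strong the session ID itself is.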