faculty.scf.edu/bodej/cis2352/supplemental chapter...


Upload: doannhu

Post on 01-May-2018


11.1 Understand session hijacking and session hijacking techniques

Exam Focus: Understand session hijacking and session hijacking techniques. Objective includes:

Understand what session hijacking is.
Identify types of session hijacking.
Identify key session hijacking techniques.

Session hijacking

Session hijacking refers to the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to Web developers, as the HTTP cookies used to maintain a session on many Web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer.

TCP session hijacking occurs when a hacker takes over a TCP session between two machines. Since authentication only occurs at the start of a TCP session, it allows the hacker to gain access to a machine. A popular method is using source-routed IP packets. This allows a hacker at point A on the network to participate in a conversation between B and C by encouraging the IP packets to pass through its machine. If source-routing is turned off, the hacker can use "blind" hijacking, whereby it guesses the responses of the two machines. Thus, the hacker can send a command, but can never see the response. However, a common command would be to set a password allowing access from somewhere else on the net.

A hacker can also be "inline" between B and C using a sniffing program to watch the conversation. This is known as a "man-in-the-middle attack". A common component of such an attack is to execute a denial-of-service (DoS) attack against one end-point to stop it from responding. This attack can be either against the machine to force it to crash, or against the network connection to force heavy packet loss.

Session hijacking is successful due to the following reasons:

There is no account lockout for invalid session IDs.
A weak session ID generation algorithm is used.
There is an indefinite session expiration time.
There is clear-text transmission.
Session IDs are small.
Session IDs are handled insecurely.

Types of session hijacking

The following are the types of session hijacking:

Active: This attack takes over an active session after finding it.

Passive: In this attack, an attacker hijacks a session by sitting back, watching, and recording all the traffic sent back and forth.

Dangers posed by hijacking

The following dangers are posed by hijacking:

Unless encryption is used, most countermeasures do not work.
It is easy to launch hijacking.
Hijacking poses the threat of identity theft, information loss, fraud, etc.
Most computers that use TCP/IP are vulnerable.
Unless another secure protocol is used, little can be done to protect against hijacking.

Key session hijacking techniques

The following are key session hijacking techniques:

Brute forcing: An attacker tries different IDs until he succeeds.
Stealing: An attacker steals session IDs by using different techniques.
Calculating: An attacker tries to calculate session IDs by using non-randomly generated IDs.

Methods to perform session hijacking

There are four main methods used to perpetrate a session hijack:

1. Session fixation, where the attacker sets a user's session id to one known to him, for example by sending the user an email with a link that contains a particular session id. The attacker now only has to wait until the user logs in.

2. Session sidejacking, where the attacker uses packet sniffing to read network traffic between two parties to steal the session cookie. Many Web sites use SSL encryption for login pages to prevent attackers from seeing the password, but do not use encryption for the rest of the site once authenticated. This allows attackers that can read the network traffic to intercept all the data that is submitted to the server or Web pages viewed by the client. Since this data includes the session cookie, it allows him to impersonate the victim, even if the password itself is not compromised. Unsecured Wi-Fi hotspots are particularly vulnerable, as anyone sharing the network will generally be able to read most of the Web traffic between other nodes and the access point.

3. Alternatively, an attacker with physical access can simply attempt to steal the session key by, for example, obtaining the file or memory contents of the appropriate part of either the user's computer or the server.

4. Cross-site scripting, where the attacker tricks the user's computer into running code, which is treated as trustworthy because it appears to belong to the server. This attack allows the attacker to obtain a copy of the cookie or perform other operations.

 

11.2 Understand session hijacking process and session hijacking in the OSI Model

Exam Focus: Understand session hijacking process and session hijacking in the OSI Model. Objective includes:

Understand session hijacking process.
Analyze session hijacking in the OSI Model.

Session hijacking process

The process to perform session hijacking is as follows:

Sniff: In this step, the attacker places himself between the victim and the target.
Monitor: The attacker monitors the flow of packets and predicts the sequence number.
Session desynchronization: The attacker breaks the connection to the victim's machine.
Session ID prediction: The attacker takes over the session.
Command injection: The attacker starts injecting packets to the target server.

Packet analysis of a local session hijack

The following is a packet analysis of a local session hijack: [figure not reproduced in this transcript]

Levels of the OSI model in which session hijacking works

In the OSI model, session hijacking can be performed at the following two levels:

1. Network Level: In this level of session hijacking, the attack is performed by the interception of packets during the transmission between the client and the server in TCP and UDP sessions.

2. Application Level: In this level of session hijacking, the attacker gains control of users' HTTP sessions by obtaining session IDs.

11.3 Understand the brute forcing attack, and HTTP referrer attack

Exam Focus: Understand the brute forcing attack and HTTP referrer attack. Objective includes:

Understand the brute forcing attack.
Understand the HTTP referrer attack.
Understand spoofing vs. hijacking.

Brute force attack

In a brute force attack, the attacker uses software that tries a large number of key combinations in order to get a password. In order to prevent such attacks, passwords that are more difficult to guess should be created. For example, create passwords using a minimum of six characters, alphanumeric combinations, lower-upper case combinations, etc.

HTTP referrer attack

The HTTP referrer attack is a phishing attack. The attacker sends the user to a Web page from which the HTTP request originated; from this Web page, the attacker sends the user to a Web page where the attacker can perform various malicious activities. The following steps describe how such information can be used for a phishing attack:

A phisher sets up a URL-rewriting reverse proxy, which is a generic phishing site. It sits in the middle between the user and legitimate websites, logs all data supplied in web forms, and changes all HTTPS traffic to plain HTTP.

The phisher sets up a website with some interesting content that links to malicious sources.

When the site is visited, it extracts the URL from the referrer field and tricks the user into thinking that he or she has returned to the referring page.

Countermeasure of the HTTP referrer attack

The only countermeasure of the HTTP referrer attack is not passing the referrer to visited sites. Firefox and Opera have built-in plugins for it. For Chrome and Safari, the user has to use external extensions. IE does not provide any easy way to do it.

Difference between session hijacking and IP spoofing

In IP spoofing, the attacker forges the packets' source address. The packets' source address is often fetched from sniffed network traffic.

However, session hijacking is an attack in which the attacker takes over the session by forcing the user offline and then uses the user's session.

11.4 Understand application level session hijacking, and discuss session sniffing

Exam Focus: Understand application level session hijacking, and discuss session sniffing. Objective includes:

Understand application level session hijacking.
Discuss session sniffing.

Application level session hijacking

In application level session hijacking, an attacker obtains session IDs to gain control of the HTTP user session. During this attack, the session hijacker can also try to create new sessions using stolen data. Application level session hijacking is all about obtaining the session ID, since web applications key off this value to determine identity. Some common methods for these types of attacks are obtaining session IDs, observation (sniffing), and brute forcing. There are different ways to compromise a session token. The following are the most common ways:

Predictable session token
Session sniffing
Client-side attacks
Man-in-the-middle attack
Man-in-the-browser attack

Application level attacks

The following are various application level attacks:

Session sniffing: In the session sniffing attack, the attacker uses a sniffer to capture a valid token session called "Session ID", and then he uses the valid token session to gain unauthorized access to the Web Server.

Man-in-the-browser: In the man-in-the-browser attack, the attacker uses a Trojan to intercept the calls between the browser and its security mechanisms or libraries. Its main aim is to manipulate transactions of Internet banking systems to commit financial fraud.

Predictable session token: In the predictable session token attack, the attacker predicts a session ID in order to impersonate a web site user. It is also known as session hijacking. The attacker performs this attack by guessing the unique session value or deducing the session IDs. Most web servers use custom algorithms or a predefined pattern to generate session IDs.

Client-side - XSS: In the XSS attack, the attacker compromises the session token by sending malicious code to the client-side programs.

Man-in-the-middle: The man-in-the-middle attack is used to intrude into an existing connection between systems and to intercept messages being exchanged.

Attackers split the TCP connection into the following connections by using different techniques:

o Client-to-attacker connection
o Attacker-to-server connection

After successfully intercepting the TCP connection, an attacker can read, modify, and insert fraudulent data into the intercepted communication. In the case of an HTTP transaction, the TCP connection between the client and the server becomes the target.

Session fixation: In the session fixation attack, the attacker tries to lure a user to authenticate himself with a known session id. Once the attacker performs the first step, he hijacks the user-validated session by the knowledge of the user session ID.

Session sniffing

In the session sniffing attack, the attacker uses a sniffer to capture a valid token session called "Session ID", then he uses the valid token session to gain unauthorized access to the Web Server.

11.5 Describe man-in-the-middle, man-in-the-browser, client-side, and cross-site script attacks

Exam Focus: Describe man-in-the-middle, man-in-the-browser, client-side, and cross-site script attacks. Objective includes:

Describe man-in-the-middle attack.
Understand man-in-the-browser attack.
Examine steps to perform man-in-the-browser attack.
Understand client-side attacks.
Understand cross-site script attack.

Man-in-the-middle attacks

Man-in-the-middle attacks occur when an attacker successfully inserts the intermediary software or program between two communicating hosts. Attackers can use the intermediary software or program to listen to and modify the communication packets that pass between the two hosts. The software intercepts the communication packets and then sends the information to the receiving host. The receiving host presumes it to be the legitimate client and responds to the software. The tools used for the man-in-the-middle attack are as follows:

dsniff: It is a tool used for SSH and SSL MITM attacks.
Cain: It is a Windows GUI tool that can perform MITM attacks, along with sniffing and ARP poisoning.
Ettercap: It is a tool used for LAN-based MITM attacks.
Karma: It is a tool that uses 802.11 Evil Twin attacks in order to perform MITM attacks.
AirJack: It is a tool that demonstrates 802.11-based MITM attacks.
wsniff: It is a tool for 802.11 HTTP, HTTPS-based MITM attacks.

Countermeasures of the man-in-the-middle attack

A user can follow various methods to mitigate the man-in-the-middle attack. To overcome these attacks, use authentication techniques that are based on the following:

Public key infrastructures
Stronger mutual authentication
Secret keys (high information entropy secrets)
Passwords (low information entropy secrets)
Other criteria, such as voice recognition or other biometrics
Off-the-Record Messaging for instant messaging
Off-channel verification
Carry-forward verification

Man-in-the-browser (MitB) attack

Man-in-the-browser (MitB) is a Trojan that is used to infect a web browser. It is able to modify pages, modify transaction content or insert additional transactions. This attack will be successful irrespective of whether security mechanisms, such as SSL/PKI and/or Two or Three Factor Authentication solutions are in place. The only way to counter this attack is by utilizing transaction verification.

Performing man-in-the-browser attack

The following steps are taken to perform a man-in-the-browser attack:

1. The Trojan infects the computer's software (OS or application) and then installs malicious code (extension files) and saves it into the browser configuration.

2. The malicious code in the form of extension files is loaded after the user restarts the browser.

3. For every visit to the webpage, the extension files register a handler.

4. When the page is loaded, the extension uses the URL and compares it with a list of known sites targeted for attack.

5. The user logs in securely to the website.

6. It registers a button event handler when a specific page load is detected for a specific pattern and compares it with its targeted list.

7. The browser forwards the form and modified values to the server.

Client-side attack

A client-side attack uses the inexperience of the end-user for creating a foothold in the user's machine, and therefore, the network. Client-side attacks are everywhere and hidden in plain sight. Common hiding places are malicious Web sites and spam. A simple click of a link will permit an attacker to enter.

Cross-site scripting (XSS) is a type of injection attack. In this attack, malicious scripts are injected into web sites. A malicious script can be embedded in a web page. It does not produce any warning when the page is viewed in any browser. In a Trojan horse, the malicious code is included inside apparently harmless programming or data in such a manner that it can get control and cause damage.

Cross-site script attack

The cross-site script attack is focused on a specific victim website and the users who visit it. In this attack, an attacker can send malicious code or programs to the client-side programs to compromise the session token.

Suppose an attacker sends a crafted link to the victim with the malicious JavaScript. The JavaScript will run and complete the instructions made by the attacker when the victim clicks on the link. In this way, the attacker can use the XSS attack to steal the session token.

A specific JavaScript code such as <SCRIPT>alert(document.cookie);</SCRIPT> can be created to display the cookie value of the current session by using the XSS attack; the same injection point can be used to send the cookie to the attacker.

Things that have to happen for cross-site request forgery to succeed

The following things have to happen for cross-site request forgery to succeed:

1. The attacker must target either a site that doesn't check the Referrer header (which is common) or a victim with a browser or plugin bug that allows Referrer spoofing (which is rare).

2. The attacker must find a form submission at the target site that does something useful to the attacker (e.g., transfers money, or changes the victim's e-mail address or password).

3. The attacker must determine the right values for all the form inputs: if any of them are required to be secret authentication values or IDs that the attacker can't guess, the attack will fail.

4. The attacker must lure the victim to a Web page with malicious code while the victim is logged in to the target site.

The attacker can't see what the target Web site sends back to the victim in response to the forged requests, unless he exploits a cross-site scripting or other bug at the target Web site. Similarly, the attacker can only "click" links or submit forms that come up after the initial forged request if the subsequent links or forms are similarly predictable. (Multiple "clicks" can be simulated by including multiple images on a page, or by using JavaScript to introduce a delay between clicks.)

Preventing cross-site request forgeries

Web sites can be protected from cross-site request forgeries (CSRF) by applying the following available countermeasures:

Requiring authentication in GET and POST parameters, not only cookies.
Checking the HTTP Referer header.
Ensuring there's no crossdomain.xml file granting unintended access to Flash movies.
Limiting the lifetime of authentication cookies.
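Added example (not from the study guide) of two of the CSRF countermeasures this section lists, the HTTP Referer check and a secret, user-specific form token: the token is an HMAC of a server key over the session id, so an attacker's page, which never sees the victim's cookie, cannot produce it. SERVER_KEY, SITE_HOST, the cookie and field names, and the three scenarios are constructed assumptions.

```python
import hmac
import hashlib
from typing import Mapping, Tuple

SERVER_KEY = b"placeholder-server-secret"  # assumption: load a random key in production
SITE_HOST = "bank.example"                 # hypothetical protected site
SESSION_COOKIE = "SESSIONID"
TOKEN_FIELD = "csrf_token"


def csrf_token(session_id: str) -> str:
    """Secret, user-specific token: HMAC over the session id, so no server storage."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def source_host(headers: Mapping[str, str]) -> str:
    """Host named by Origin (preferred) or Referer; '' if neither is present."""
    ref = headers.get("Origin") or headers.get("Referer") or ""
    if "://" in ref:
        ref = ref.split("://", 1)[1]
    return ref.split("/", 1)[0].split(":", 1)[0].lower()


def verify_form_post(cookies: Mapping[str, str], headers: Mapping[str, str],
                     form: Mapping[str, str]) -> Tuple[bool, str]:
    """Decide whether a state-changing POST may be honoured."""
    sid = cookies.get(SESSION_COOKIE)
    if not sid:
        return False, "no session"
    if source_host(headers) != SITE_HOST:
        return False, "cross-site or missing Referer"
    expected = csrf_token(sid)
    supplied = form.get(TOKEN_FIELD, "")
    # Constant-time compare so a wrong token does not leak which byte differed.
    if not hmac.compare_digest(supplied, expected):
        return False, "bad csrf token"
    return True, "ok"


# Constructed scenarios. The victim's browser attaches the cookie in every case;
# only a page served by the site itself can fill in the matching token.
VICTIM_COOKIES = {SESSION_COOKIE: "s3ss10n-of-alice"}


def legitimate_transfer() -> Tuple[bool, str]:
    headers = {"Referer": f"https://{SITE_HOST}/transfer"}
    form = {"to": "bob", "amount": "10",
            TOKEN_FIELD: csrf_token(VICTIM_COOKIES[SESSION_COOKIE])}
    return verify_form_post(VICTIM_COOKIES, headers, form)


def forged_transfer_from_attacker_page() -> Tuple[bool, str]:
    # Auto-submitted form on evil.example: the browser still sends the cookie.
    headers = {"Referer": "https://evil.example/lure.html"}
    form = {"to": "mallory", "amount": "1000"}
    return verify_form_post(VICTIM_COOKIES, headers, form)


def forged_transfer_with_referer_spoof() -> Tuple[bool, str]:
    # Even if the Referer were spoofed (the rare case noted above), the token is wrong.
    headers = {"Referer": f"https://{SITE_HOST}/transfer"}
    form = {"to": "mallory", "amount": "1000", TOKEN_FIELD: "0" * 64}
    return verify_form_post(VICTIM_COOKIES, headers, form)


if __name__ == "__main__":
    print("legitimate:", legitimate_transfer())
    print("forged, attacker page:", forged_transfer_from_attacker_page())
    print("forged, spoofed Referer:", forged_transfer_with_referer_spoof())
```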

Requiring a secret, user-specific token in all form submissions prevents CSRF; the attacker's site can't put the right token in its submissions. Individual Web users can do relatively little to prevent cross-site request forgery. Logging out of sites and avoiding their "remember me" features can mitigate CSRF risk; not displaying external images or not clicking links in "spam" or unreliable e-mails may also help.

11.6 Understand session fixation attack, and describe network level session hijacking

Exam Focus: Understand session fixation attack, and describe network level session hijacking. Objective includes:

Understand the session fixation attack.
Describe network level session hijacking.

Session fixation

Session fixation is a type of attacking technique that forces a user's session ID to an explicit value. A number of techniques can be utilized to "fix" the session ID value depending on the functionality of the target Web site. The techniques include cross-site scripting exploits and peppering the Web site with previously made HTTP requests. Once a user's session ID has been fixed, the attacker waits for them to login. After the user does so, the attacker uses the predefined session ID value to assume their online identity.

Countermeasures of the session fixation attack

The following are countermeasures of the session fixation attack:

Do not accept session identifiers from GET / POST variables.
Ask the user for identity confirmation.
Store session identifiers in HTTP cookies.
Utilize the SSL / TLS session identifier.
Regenerate the SID on each request.
Accept only server-generated SIDs.
Time out old SIDs.
Destroy the session if the Referrer is suspicious.
Verify that additional information is consistent throughout the session.

Network-level hijacking

Network-level hijacking is the interception of packets during transmission between a client and the server in a TCP/UDP session. By attacking network level sessions, an attacker can get critical information to attack application level sessions. The following are included in network-level hijacking:

TCP/IP hijacking
IP spoofing
RST hijacking
Blind hijacking
Man-in-the-middle
UDP hijacking

IP spoofing attack

An IP spoofing attack can be performed to hide the identity in the network. In computer networking, the term IP address spoofing or IP spoofing refers to the creation of Internet Protocol (IP) packets with a forged source IP address, called spoofing, with the purpose of concealing the identity of the sender or impersonating another computing system. The basic protocol for sending data over the Internet and many other computer networks is the Internet Protocol ("IP"). The header of each IP packet contains, among other things, the numerical source and destination address of the packet. The source address is normally the address that the packet was sent from. By forging the header so that it contains a different address, the attacker can make it appear that the packet was sent by a different machine. The machine that receives spoofed packets will send a response back to the forged source address, which means that this technique is mainly used when the attacker does not care about the response or the attacker has some way of guessing the response.

Nonblind spoofing

Nonblind spoofing is a type of spoofing that occurs when a user can see the traffic being sent between the host and the target. It is the easiest type of session hijacking, but it requires that the user captures packets as they are passing between the two machines.

Blind spoofing

In blind spoofing, a user cannot see the traffic being sent between the host and the target. It is the most difficult type of session hijacking because it is very difficult to guess the TCP sequence number correctly.

RST hijacking

In RST hijacking, an authentic-looking reset (RST) packet is injected using a spoofed source address and a predicted acknowledgement number. The victim resets the connection because it believes that the reset packet was actually sent by the source. RST hijacking can be performed using a packet crafting tool such as Colasoft's Packet Builder and a TCP/IP analysis tool such as tcpdump. The ACK flag should be turned on to sniff the packets.

Blind hijacking

In blind hijacking, even if source routing is disabled, the attacker can introduce malicious data or commands into the intercepted communications in the TCP session. Although the attacker can send the data or commands, he has no access to see the response.

UDP hijacking

UDP hijacking works at the network level. As UDP does not use packet sequencing and synchronizing, the attacker forges a server reply to the client UDP request before the server can respond.

Man-in-the-middle attack using packet sniffer

The man-in-the-middle attack involves the use of the packet sniffer as an interface between the client and the server. The following techniques are used to route the packets between the client and the server through the hijacker's host:

Forged Internet Control Message Protocol (ICMP): ICMP is an extension of IP for sending error messages; the attacker can fool the client and the server by sending forged ICMP messages.

Address Resolution Protocol (ARP) spoofing: ARP is used for mapping local IP addresses to hardware (MAC) addresses. ARP requests are broadcast; the attacker fools the host and changes its ARP table by sending forged ARP replies.
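The ARP spoofing technique above is what ARPwatch (named among the defences later in this chapter) watches for. The following is an added example, not the study guide's code: it replays constructed tcpdump-style ARP reply lines and raises the two alerts that indicate forged replies, a binding that changes to a new MAC and a flip-flop back to an earlier one. All addresses are made up.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed capture: 10.0.0.1 is the gateway at 00:11:22:33:44:55; from the
# third line a second station (66:66:66:66:66:66) claims the gateway's address.
SAMPLE_ARP_LOG = """\
12:00:01.000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:55, length 28
12:00:02.000 ARP, Reply 10.0.0.7 is-at 00:aa:bb:cc:dd:ee, length 28
12:00:03.000 ARP, Reply 10.0.0.1 is-at 66:66:66:66:66:66, length 28
12:00:04.000 ARP, Reply 10.0.0.1 is-at 66:66:66:66:66:66, length 28
12:00:05.000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:55, length 28
"""

ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

Alert = Tuple[str, str, str, str]   # (kind, timestamp, ip, detail)


@dataclass
class ArpMonitor:
    """Keeps the IP -> MAC binding table and records every change to it."""
    table: Dict[str, str] = field(default_factory=dict)         # ip -> current mac
    history: Dict[str, Set[str]] = field(default_factory=dict)  # ip -> macs ever seen
    alerts: List[Alert] = field(default_factory=list)

    def observe(self, ts: str, ip: str, mac: str) -> None:
        mac = mac.lower()
        current = self.table.get(ip)
        seen = self.history.setdefault(ip, set())
        if current is None:
            self.alerts.append(("new station", ts, ip, mac))
        elif current != mac:
            # A binding that returns to an old MAC is the classic poisoning signature.
            kind = "flip flop" if mac in seen else "changed ethernet address"
            self.alerts.append((kind, ts, ip, f"{current} -> {mac}"))
        self.table[ip] = mac
        seen.add(mac)

    def feed(self, text: str) -> int:
        """Parse tcpdump-style lines; returns how many ARP replies were parsed."""
        parsed = 0
        for line in text.splitlines():
            m = ARP_REPLY_RE.match(line)
            if m:
                self.observe(m["ts"], m["ip"], m["mac"])
                parsed += 1
        return parsed


def poisoning_alerts(text: str) -> List[Alert]:
    """Only the alerts that suggest spoofed replies, not first sightings."""
    monitor = ArpMonitor()
    monitor.feed(text)
    return [a for a in monitor.alerts if a[0] != "new station"]


if __name__ == "__main__":
    for kind, ts, ip, detail in poisoning_alerts(SAMPLE_ARP_LOG):
        print(f"{ts} {kind}: {ip} {detail}")
```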

Source routed packets

The source routed packets technique is used to gain unauthorized access to the computer with the assistance of the trusted host's IP address. The packet is spoofed with the trusted host's IP address so that it is accepted by the server managing a session with the client. Once the session is established, the hijacker injects the forged packets before the client responds. As the server gets the packet with a different sequence number, the original packet is lost. The packets are source-routed, so the attacker can specify the path to the destination IP.

Sequence numbers

Sequence numbers are required to provide reliable communication. They are important for hijacking a session. The sequence number is a 32-bit counter; hence, there are over 4 billion possible values.

Sequence numbers tell the receiving machine the order in which packets should be processed when they are received. Hence, an attacker must get the sequence numbers right to hijack a session.

Sequence number prediction

After a client sends a connection request (SYN) packet to the server, the server responds (SYN-ACK) with its chosen sequence number, which must be acknowledged by the client. This sequence number is predictable. The attacker first uses its own IP address to connect to a server, records the sequence number chosen, and then opens a second connection from a forged IP address.

Although the attacker does not see the SYN-ACK or any other packet from the server, he can guess the correct response.

11.7 Understand TCP/IP hijacking, session hijacking tools, and countermeasures of session hijacking

Exam Focus: Understand TCP/IP hijacking, session hijacking tools, and countermeasures of session hijacking. Objective includes:

Understand TCP/IP hijacking.
Identify session hijacking tools.
Identify countermeasures of session hijacking.
Understand session hijacking pen testing.

TCP/IP hijacking

TCP/IP hijacking uses spoofed packets in order to take over a connection between a victim and a target machine. The connection of the victim hangs and the hacker is able to communicate with the host's system. The following are the steps in TCP/IP hijacking:

In order to obtain the victim's ISN, the hacker sniffs the communication between the victim and the host.

The hacker sends a spoofed packet from the victim's IP address to the host system using ISN.

The host machine responds to the victim, assuming that the packet has arrived from it. It increments the sequence number.
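Both the "Sequence number prediction" section and the TCP/IP hijacking steps above depend on a guessable ISN. Added example, not the study guide's code: the first half scores two constructed ISN samples, as a defender would collect them from a host's SYN-ACKs, for how guessable the next ISN is; the second half implements the RFC 6528 construction ISN = M + F(localip, localport, remoteip, remoteport, secretkey), which is why learning the ISN on one's own connection reveals nothing about another client's. The choice of HMAC-SHA256 for F and the scoring thresholds are assumptions.

```python
import hashlib
import hmac
import secrets
import statistics
import time
from typing import Callable, List, Optional, Tuple

MOD32 = 1 << 32

# Constructed samples: an old-style stack that advances the ISN by a fixed
# 64000 per connection, and a stack whose ISNs show no pattern.
PREDICTABLE_ISNS = [0x10000000 + 64000 * i for i in range(8)]
RANDOM_ISNS = [0x7A3F1C90, 0x0D6B22E1, 0xC4E7A10F, 0x9B12F4A3,
               0x31D8C0AB, 0xE5F9031D, 0x4C2B7E60, 0xA8E6D1F2]


def isn_increments(isns: List[int]) -> List[int]:
    """Successive deltas modulo 2^32: the pattern an attacker would look for."""
    return [(b - a) % MOD32 for a, b in zip(isns, isns[1:])]


def isn_predictability(isns: List[int]) -> Tuple[str, float]:
    """Label a sample 'predictable' or 'unpredictable' and return the
    fraction of distinct increments.

    A constant (or nearly constant) increment lets the next ISN be derived
    from one observed connection; a spread near 2^32 does not.
    """
    deltas = isn_increments(isns)
    distinct_ratio = len(set(deltas)) / len(deltas)
    spread = statistics.pstdev(deltas)
    if distinct_ratio < 0.5 or spread < (1 << 16):
        return "predictable", distinct_ratio
    return "unpredictable", distinct_ratio


class Rfc6528IsnGenerator:
    """ISN = M + F(localip, localport, remoteip, remoteport, secretkey)."""

    def __init__(self, secret: Optional[bytes] = None,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.secret = secret or secrets.token_bytes(32)   # fresh per boot
        self.clock = clock

    def _f(self, lip: str, lport: int, rip: str, rport: int) -> int:
        """Keyed hash of the 4-tuple truncated to 32 bits (assumed choice of F)."""
        msg = f"{lip}|{lport}|{rip}|{rport}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def isn(self, lip: str, lport: int, rip: str, rport: int) -> int:
        m = int(self.clock() * 1_000_000 / 4) % MOD32     # RFC 6528: 4 us timer
        return (m + self._f(lip, lport, rip, rport)) % MOD32


if __name__ == "__main__":
    print("legacy stack:", isn_predictability(PREDICTABLE_ISNS))
    print("random stack:", isn_predictability(RANDOM_ISNS))
    gen = Rfc6528IsnGenerator()
    sample = [gen.isn("10.0.0.1", 80, "10.0.0.9", p) for p in range(40000, 40008)]
    print("RFC 6528 generator:", isn_predictability(sample))
```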

Session hijacking tools

The following are session hijacking tools:

Hamster
Hunt
Session Thief
JHijack
Surf Jack
TamperIE
Ettercap
Ferret
Paros
Firesheep

Hunt

Hunt is a tool that is used for exploiting well known weaknesses in the TCP/IP protocol. It is primarily used to hijack connections but has many other features. It is a program that can be used for intruding into a connection, watching it, and resetting it. Hunt operates on Ethernet; however, it can do something even for hosts on another segment or on switched ports. It can also be used to perform hacking techniques: sniffing and session hijacking.

Paros

Paros is a man-in-the-middle proxy and application vulnerability scanner. It permits the attacker to intercept, modify, and debug HTTP and HTTPS data on-the-fly between a web server and a client browser. It is also useful in spidering, proxy-chaining, filtering, and application vulnerability scanning.

Burp suite

Attackers use Burp Suite to inspect and modify traffic between the browser and the target application. The Burp Suite tool is used to analyze all kinds of content. It automatically colorizes the request and response syntax.

Firesheep

Firesheep is an extension for the Firefox web browser. It permits attackers to steal a valid session ID in order to get into the system and snoop on the data.

Countermeasures of session hijacking

The following are countermeasures of session hijacking:

Secure Shell (SSH) should be used to create a secure communication channel.
Authentication cookies should be passed over an HTTPS connection.
Log-out functionality should be implemented for the user to end the session.
The session ID should be generated after successful login.
A string or long random number should be used as a session key.
Encrypted data should be passed between the users and the web servers.

Measures taken to protect against session hijacking

The following measures are taken to protect against session hijacking:

Using encryption
Minimizing remote access
Educating the employees
Regenerating the session ID after login
Limiting incoming connections
Using a secure protocol

Methods to prevent session hijacking

Web developers should use the following methods to prevent session hijacking:

Reducing the life span of a session or a cookie
Expiring the session as soon as the user logs out
Regenerating the session ID after a successful login in order to prevent fixation attacks
Preventing eavesdropping within the network
Encrypting the data and session key that is transferred between the user and the web servers
Creating session keys with lengthy strings or random numbers to make it difficult for an attacker to guess a valid session key
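Added example, not the study guide's code, of the developer-side methods just listed together with the session fixation countermeasures in 11.6 (accept only server-generated SIDs, regenerate the SID at login, time out old SIDs): a deliberately weak store that accepts whatever id the client presents is placed next to a hardened store, and the same session-fixation attempt is replayed against both. IDLE_TIMEOUT, the cookie name and the user names are assumed values.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60       # seconds; assumed policy value
COOKIE_NAME = "SESSIONID"    # hypothetical cookie name


@dataclass
class Session:
    user: Optional[str] = None          # None until the user authenticates
    last_seen: float = field(default_factory=time.time)


class WeakSessionStore:
    """Mirrors the weaknesses listed in 11.1: client-chosen ids and no expiry."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def resolve(self, client_sid: Optional[str]) -> str:
        sid = client_sid or secrets.token_urlsafe(8)     # short id (64 bits)
        self.sessions.setdefault(sid, Session())         # fixation: id accepted as-is
        return sid

    def login(self, sid: str, user: str) -> str:
        self.sessions[sid].user = user                   # same id survives login
        return sid

    def user_of(self, sid: str) -> Optional[str]:
        sess = self.sessions.get(sid)
        return sess.user if sess else None


class HardenedSessionStore:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.sessions: Dict[str, Session] = {}
        self.now = now                                   # injectable clock

    def _new_sid(self) -> str:
        sid = secrets.token_urlsafe(32)                  # 256 bits from the CSPRNG
        self.sessions[sid] = Session(last_seen=self.now())
        return sid

    def resolve(self, client_sid: Optional[str]) -> str:
        """Accept only ids this server issued and that have not idled out."""
        sess = self.sessions.get(client_sid) if client_sid else None
        if sess is None:
            return self._new_sid()                       # unknown (or planted) id dropped
        if self.now() - sess.last_seen > IDLE_TIMEOUT:
            del self.sessions[client_sid]
            return self._new_sid()
        sess.last_seen = self.now()
        return client_sid

    def login(self, sid: str, user: str) -> str:
        """Regenerate the id on authentication so a fixed id is worthless."""
        self.sessions.pop(sid, None)
        new_sid = self._new_sid()
        self.sessions[new_sid].user = user
        return new_sid

    def logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)                     # destroy, not just forget

    def user_of(self, sid: str) -> Optional[str]:
        sess = self.sessions.get(sid)
        return sess.user if sess else None


def set_cookie_header(sid: str) -> str:
    """Secure blocks sidejacking over plain HTTP; HttpOnly blocks document.cookie reads."""
    return f"{COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def fixation_attempt(store) -> Optional[str]:
    """Attacker plants 'fixed-id' in the victim's browser; victim logs in as alice.

    Returns the user the attacker now controls through 'fixed-id', if any.
    """
    planted = "fixed-id"
    victim_sid = store.resolve(planted)
    store.login(victim_sid, "alice")
    return store.user_of(planted)


if __name__ == "__main__":
    print("weak store, attacker gets:", fixation_attempt(WeakSessionStore()))
    print("hardened store, attacker gets:", fixation_attempt(HardenedSessionStore()))
```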

Web users should use the following methods to prevent session hijacking:

Do not click on links that are received via mails or IMs.
Prevent malicious content from entering the network by using firewalls.
Restrict cookies by using firewalls and browser settings.
Ensure from certificate authorities that the website is certified.
Ensure that after every confidential and sensitive transaction, history and offline content are erased from your browser.
Prefer HTTPS when transmitting sensitive and confidential data. HTTPS is a secure transmission.
Click the logout button instead of closing the browser to log out.

Defending against session hijack attacks

The following actions should be taken against session hijack attacks:

Encryption protocols that are available in the OpenSSH suite should be used.
Strong authentication, such as Kerberos or peer-to-peer VPNs, should be used.
IDS products or ARPwatch should be used to monitor ARP cache poisoning.
Appropriate internal and external spoof rules should be configured on gateways.

  Session hijacking remediation Defense in depth is considered as a key component of a comprehensive security plan. It is also required to protect a network from session hijack attacks.

Defense in depth involves using multiple security systems or technologies in order to prevent network intrusions. If one countermeasure fails, additional levels of protection exist in order to safeguard the network.

IPSec

IETF developed IPSec to securely exchange packets at the IP layer. IPSec is deployed widely in order to implement Virtual Private Networks (VPNs). The following are the benefits of IPSec:

It provides network-level peer authentication.
It provides replay protection.
It provides data confidentiality.
It provides data integrity.
It provides data origin authentication.

Modes of IPSec
The following are the modes of IPSec:

Transport mode: In this mode, the two connected computers are authenticated and the data transfer can be encrypted. This mode is compatible with NAT.

Tunnel mode: This mode encapsulates the packets that are transferred and encrypts the data transfer. It is not compatible with NAT.

IPSec architecture
The following is the IPSec architecture:
(Figure: IPSec architecture diagram; the image is not reproduced in this extract.)

IPSec authentication and confidentiality
The following security services are used by IPSec for authentication and confidentiality:

Authentication Header (AH): It is used to provide data authentication of the sender.

Encapsulating Security Payload (ESP): It is used to provide both data authentication of the sender and encryption (confidentiality) of the data.

Components of IPSec
The following are the components of IPSec:

IPSec Policy Agent: It is a service of Windows 2000. It collects IPSec policy settings from Active Directory and applies the configuration to the system at startup.

IPSec driver: It is software that performs protocol-level functions. Protocol-level functions are needed to encrypt and decrypt the packets.

Internet Key Exchange (IKE): It is an IPSec protocol. It produces security keys for IPSec and other protocols.

Oakley: It is a protocol that uses the Diffie-Hellman algorithm in order to create a master key and a key that is specific to each session in IPSec data transfer.

Internet Security Association and Key Management Protocol (ISAKMP): It is software that permits communication between two computers by encrypting the data exchanged between them.

Session hijacking pen testing
The following actions should be taken during session hijacking pen testing:

1. Use tools such as Wireshark, CACE Pilot, Capsa Network Analyzer, Windump, etc. to sniff session traffic between two machines.

2. Use proxy server Trojans. Proxy server Trojans change the proxy settings in the victim's browser.

3. Hijack the session using automated tools such as Paros proxy, Burp Suite, WebScarab, etc.

4. Crack the session ID if it is URL encoded, HTML encoded, Unicode encoded, Base64 encoded, or Hex encoded.

Chapter Summary
In this chapter, we learned about session hijacking, key session hijacking techniques, the session hijacking process, types of session hijacking, and session sniffing. This chapter focused on man-in-the-middle, man-in-the-browser, client-side, and cross-site scripting attacks, and on countermeasures against session hijacking.

Glossary

Brute force attack: In a brute force attack, the attacker uses software that tries a large number of key combinations in order to obtain a password.

Client-side attack: A client-side attack uses the inexperience of the end user to create a foothold on the user's machine and, therefore, on the network.

Man-in-the-browser: Man-in-the-browser (MitB) is a Trojan that is used to infect a web browser.

Man-in-the-middle attacks: Man-in-the-middle attacks occur when an attacker successfully inserts intermediary software or a program between two communicating hosts.

Network-level hijacking: Network-level hijacking is the interception of packets during transmission between a client and the server in a TCP/UDP session.

Session fixation: Session fixation is an attack technique that forces a user's session ID to an explicit value.

Session hijacking: Session hijacking is the exploitation of a valid computer session (sometimes also called a session key) to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server.

Source routed packets: The source routed packets technique is used to gain unauthorized access to a computer with the assistance of a trusted host's IP address.

TCP/IP hijacking: TCP/IP hijacking uses spoofed packets to take over a connection between a victim and a target machine.