Forum Discussion

ricky_paulus_gi
Apr 30, 2018

How to test Session Hijacking

Hi everyone,

I have already enabled Session Hijacking and set the enforcement mode to blocking in a security policy.

How can I test that the security policy blocks a session hijacking attack?

Regards,

Ricky Paulus Ginting

 

1 Reply

  • Hi,

    First of all, what is session hijacking (from F5):

    Session hijacking, also called cookie hijacking, is the exploitation of a valid computer session to gain unauthorized access to an application. The attacker steals (or hijacks) the cookies from a valid user and attempts to use them for authentication. Application Security Manager™ (ASM™) can prevent session hijacking by tracking clients with a device ID. The device ID is a unique identifier that ASM creates by sending JavaScript to get information about the client device. If the client browser does not accept JavaScript, the client receives a message saying to enable JavaScript to view the page content. Clients that do not accept JavaScript are stopped even when the security policy is in transparent mode.

     

    So, to test cookie hijacking you can use two different devices. With the first one, access the application, then use the developer tools to retrieve the application's cookie information.

    With the second device you have to access the same application that is protected by ASM, BUT you have to inject the cookie information that you retrieved from the first device. You can use, for example, Cookie Injector (a Google Chrome plugin), Burp or Fiddler...

    Let me know if you need assistance.

     

    Regards.
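The two-device procedure in the reply above, scripted as an added example (this is not code from the forum post or from F5). It logs in as "device A", captures the Set-Cookie values (the developer-tools step), confirms device A can still use its own cookie, and then replays the same cookie from "device B" with a different client fingerprint (the Cookie Injector / Burp step). Everything below is an assumption for illustration: the `/login` and `/profile` paths, the `DEVICE_A`/`DEVICE_B` headers, and above all the local `MockProtectedApp`, which is a constructed stand-in that binds a session to a client fingerprint the way the reply describes ASM doing with its device ID. To run the real test, point `run_hijack_test()` at the ASM-protected virtual server instead of the mock and compare the replayed request's response with the control request.

```python
"""Session-hijack replay test: log in as device A, replay its cookie from device B.

Added example, not from the forum post or F5. MockProtectedApp is a constructed
stand-in for an ASM-protected application; replace base_url with a real VIP to test ASM.
"""
import http.client
import json
import secrets
import threading
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

SESSIONS = {}  # mock state: session id -> fingerprint of the client that created it


def fingerprint(headers):
    # Assumed stand-in for ASM's JavaScript-derived device ID: just enough
    # request attributes to tell two different clients apart.
    return (headers.get("User-Agent", ""), headers.get("X-Device-Id", ""))


class MockProtectedApp(BaseHTTPRequestHandler):
    """Constructed target: issues a session cookie on login and rejects any
    request that presents that cookie from a different fingerprint."""

    def log_message(self, *args):  # keep the test output quiet
        pass

    def _send(self, code, body, extra=()):
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        for name, value in extra:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body.encode())

    def do_POST(self):
        if self.path != "/login":
            return self._send(404, "not found")
        sid = secrets.token_hex(16)
        SESSIONS[sid] = fingerprint(self.headers)
        self._send(200, "logged in", [("Set-Cookie", f"SESSION={sid}; HttpOnly; Path=/")])

    def do_GET(self):
        jar = SimpleCookie(self.headers.get("Cookie", ""))
        sid = jar["SESSION"].value if "SESSION" in jar else None
        if sid not in SESSIONS:
            self._send(401, "no session")
        elif SESSIONS[sid] != fingerprint(self.headers):
            # Same cookie, different client: the hijack case the policy should block.
            self._send(403, "The requested URL was rejected. Please consult with your administrator.")
        else:
            self._send(200, "secret profile")


def _request(base_url, method, path, headers, body=None):
    """One HTTP request; returns (status, body text, cookies set by the response)."""
    u = urlparse(base_url)
    conn = http.client.HTTPConnection(u.hostname, u.port, timeout=5)
    conn.request(method, path, body=body, headers=headers)
    resp = conn.getresponse()
    text = resp.read().decode(errors="replace")
    jar = SimpleCookie()
    for set_cookie in resp.headers.get_all("Set-Cookie") or []:
        jar.load(set_cookie)
    conn.close()
    return resp.status, text, jar


# Assumed client identities for the two "devices".
DEVICE_A = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/66", "X-Device-Id": "device-A"}
DEVICE_B = {"User-Agent": "Mozilla/5.0 (X11; Linux) Firefox/59", "X-Device-Id": "device-B"}


def run_hijack_test(base_url, login_path="/login", protected_path="/profile"):
    """Step 1: device A logs in and its cookies are captured (the dev-tools step).
    Step 2: device A reuses its own cookie (control; must succeed).
    Step 3: device B injects A's cookie (the hijack replay; should be blocked)."""
    login_status, _, jar = _request(base_url, "POST", login_path, DEVICE_A, body="user=alice")
    stolen = "; ".join(f"{k}={m.value}" for k, m in jar.items())
    control, _, _ = _request(base_url, "GET", protected_path, {**DEVICE_A, "Cookie": stolen})
    replay, body, _ = _request(base_url, "GET", protected_path, {**DEVICE_B, "Cookie": stolen})
    # ASM's default blocking page may come back with a 200 status and only the
    # reject text, so check the body as well as the status code.
    blocked = replay == 403 or "requested URL was rejected" in body
    return {"login": login_status, "control": control, "replay": replay,
            "blocked": blocked, "stolen_cookie": stolen}


def start_mock_server():
    srv = HTTPServer(("127.0.0.1", 0), MockProtectedApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


if __name__ == "__main__":
    server, url = start_mock_server()
    print(json.dumps(run_hijack_test(url), indent=2))
    server.shutdown()
```

A passing result is `control == 200` together with `blocked == True`; if the replay from device B also returns the protected content, the cookie alone was enough to authenticate and the policy did not stop the hijack. Against a real ASM VIP, remember that the device ID depends on the client running ASM's JavaScript, so a script that never executes it behaves like the "JavaScript disabled" client the reply mentions; drive a real browser (or replay a browser's full request, including the device ID cookie) for the control step.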