Learn about the HTTP protocol, and how it uses cookies and session IDs to maintain state in a browsing session.
- [Instructor] HTTP is a stateless protocol,…so there's no retention of any…information between webpages.…However there's often a need for managing information…across a web session consisting of multiple interactions.…Consequently, web developers will code their systems…to uniquely track a web user through the use…of unique sessions IDs issued by the server.…Each browser request sent to the web server…will then include session ID.…Session IDs will often be used as a way…to uniquely identify an authenticated user,…and potentially enable access to sensitive information.…
A typical way for a web developer to store session IDs…is to use the .php session array,…and then the session ID can be passed in one of two ways,…embedded in the URL or through the use of cookies.…We can also create our own variables…and store them in the session array as required.…I've created a webpage for Apache which uses sessions.…So let's have a look at how we'd get…a session ID and use the session array.…
We can see the private sessions start…
Author
Malcolm Shore
Released
9/7/2016This course teaches you what session hijacking is, and how black-hat hackers use it to attack an organization. Learn how TCP, web, and wireless protocols work and how hackers exploit them. Find out how to use built-in Windows and Linux tools, as well as specialized third-party solutions such as Zed Attack Proxy (ZAP) and Cain, to detect and shore up vulnerabilities. Author and cybersecurity expert Malcolm Shore also discusses remote hijacking, which allows hackers to take control of drones or even vehicles.
Note: This course maps to the Session Hijacking domain of the Certified Ethical Hacking exam. Review the exam objectives at the EC-Council's website.
- Hijacking a network session, such as a Telnet session
- Understand web sessions
- Intercepting sessions via man-in-the-middle or man-in-the-browser attacks
- Downgrading a session by stripping SSL
- Using ARP poisoning through Subterfuge
- Hijacking an HTTP session through cookies
- Using hijacking defense tools: Zed Attack Proxy and Cain
- Service hijacking (DNS and SSH)
- Hijacking in the physical world: cars and drones
Skill Level Intermediate
Duration
Views
-
Introduction
-
Welcome1m 21s
-
-
1. Network Session Hijacking
-
Hijacking a Telnet session4m 29s
-
2. Web Session Hijacking
-
Understanding WebSockets2m 41s
-
Gambling at the Hacme Casino1m 57s
-
3. Additional Tools
-
Using Zed Attack Proxy3m 16s
-
Using Cain3m 7s
-
-
4. Service Hijacking
-
Hijacking SSH sessions3m 52s
-
DNS hijacking2m 3s
-
-
5. Hijacking in the Physical World
-
Conclusion
-
Summary1m 6s
-
Take notes with your new membership!
Type in the entry box, then click Enter to save your note.
Press on any video thumbnail to jump immediately to the timecode shown.
Notes are saved with you account but can also be exported as plain text, MS Word, PDF, Google Doc, or Evernote.
Share this video
Embed this video
Video: Understanding web sessions