Session hijacking, also known as TCP session hijacking, is a method of taking over a Web user session by surreptitiously obtaining the session ID and masquerading as the authorized user. Once the user's session ID has been accessed (through session prediction), the attacker can masquerade as that user and do anything the user is authorized to do on the network.
http://searchsoftwarequality.techtarget.com/glossary/
An attack in which the Attacker is able to insert himself or herself between a Claimant and a Verifier subsequent to a successful authentication exchange between the latter two parties. The Attacker is able to pose as a Subscriber to the Verifier or vice versa to control session data exchange. Sessions between the Claimant and the Relying Party can also be similarly compromised. [NIST-SP800-63:2013]
Take over a session that someone else has established.
An intrusion technique whereby a hacker sends a command to an already existing connection between two machines, in order to wrest control of the connection away from the machine that initiated it. The hacker's goal is to gain access to a server while bypassing normal authentication measures.
http://www.watchguard.com/glossary/
See session hijacking
http://www.watchguard.com/glossary/
The result of a user's session being compromised by an attacker. The attacker could reuse this stolen session to masquerade as the user.
http://www.webappsec.org/projects/glossary/
A string of data provided by the web server, normally stored within a cookie or URL. A Session ID tracks a user's session, or perhaps just his current session, as he traverses the web site.
http://www.webappsec.org/projects/glossary/
An attack technique used to hijack another user's session by altering a session ID or session credential value.
http://www.webappsec.org/projects/glossary/
An attack technique used to create fraudulent session credentials or guess other users' current session IDs. If successful, an attacker could reuse this stolen session to masquerade as another user.
http://www.webappsec.org/projects/glossary/
When a web site permits an attacker to reuse old session credentials or session IDs for authorization.
http://www.webappsec.org/projects/glossary/
A form of active wiretapping in which the attacker seizes control of a previously established communication association.
http://www.sans.org/security-resources/glossary-of-terms/