2

How do I differentiate between Session Hijacking, Session Fixation and Session Riding? I find it difficult to understand when reading about all three at the same time. I get very confused when comparing Hijacking with Fixation because there's sort of a thin line of difference. Can someone provide a technical yet easy to understand explanation?

Anders
Youbecks003

2 Answers

4

In session hijacking the attacker somehow gets hold of the victim's session ID and uses it to impersonate the victim. The attacker essentially takes over the victim's session - hence the name.

To do this the attacker needs to find out what the victim's session ID is. This can be done in many ways, e.g. MitM or XSS.

In session fixation, the attacker picks a session ID and forces it on the victim. For example, if a website accepts session IDs in the URL, the attacker can fool the victim into visiting http://example.com/?session=123456. The victim does this, and then logs in. When the attacker now browses the site with the session ID 123456 she will be logged in as the victim.

Note how this is sort of the opposite of session hijacking - the attacker sets the victim's session ID instead of getting it - but the end result is the same. The attacker knows the session ID and can impersonate the victim.

Finally, session riding is just another name for cross site request forgery (CSRF). See this old answer of mine for an explanation of what it is.

The main difference from the two above is that the attacker does not know the session ID. Instead she abuses the fact that the browser will always send the session cookie with all requests the victim makes, even if the victim did not intend to make them.

Anders
3

Session Hijacking: It is a "general term" used for exploitation of the web session control mechanism, which is normally managed with a session token. Now a session can be hijacked in different ways -- almost all the ways involve somehow getting access to this "session token" (or session cookie, depending on whether the application is using cookies).

Session Fixation: It is a specific type of attack which allows an attacker to hijack a user's session. The attack exploits a limitation in the way the web application manages the session ID, more specifically the vulnerable web application. When authenticating a user, it doesn't assign a new session ID, making it possible to use an existing session ID.

Session Riding: As far as I know, this is another name for Cross-Site Request Forgery attack. This is technically not hijacking of a session, but you leverage the persistence and implicit trust placed in user session cookie/token. Basically, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply "riding" the existing session cookie.

Rahil Arora
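To make the distinction drawn in both answers concrete, here is an added example (my own code, not from either answer): a minimal in-memory session store, constructed for this page, that shows why a server keeping the pre-login session ID is open to fixation while one that regenerates it at authentication is not, and a CSRF token check that stops session riding even though the browser attaches the cookie automatically. `SessionStore`, `login`, `transfer` and the two demo functions are hypothetical names.

```python
import secrets

class SessionStore:
    """Minimal in-memory session store (constructed for this example)."""
    def __init__(self, regenerate_on_login):
        self.sessions = {}  # session id -> {"user": ..., "csrf": ...}
        self.regenerate_on_login = regenerate_on_login

    def new_session(self):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": None, "csrf": secrets.token_urlsafe(16)}
        return sid

    def login(self, sid, user):
        """Authenticate on session `sid`; return the id the client must use from now on."""
        if sid not in self.sessions:
            sid = self.new_session()
        if self.regenerate_on_login:
            # Fixation defence: a fresh id at authentication makes any id
            # that existed before login worthless afterwards.
            del self.sessions[sid]
            sid = self.new_session()
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")

    def transfer(self, sid, csrf_token):
        """State-changing action: needs the session's CSRF token, not only the cookie."""
        s = self.sessions.get(sid)
        if s is None or s["user"] is None:
            return "unauthenticated"
        if not secrets.compare_digest(csrf_token, s["csrf"]):
            return "csrf-rejected"
        return "transfer-by-" + s["user"]

def fixation_demo(regenerate_on_login):
    """Victim logs in on an id that existed before login; return the user
    that pre-login id resolves to afterwards (None is the safe answer)."""
    store = SessionStore(regenerate_on_login)
    pre_login_sid = store.new_session()  # id fixed before the victim authenticates
    store.login(pre_login_sid, "victim")
    return store.whoami(pre_login_sid)

def riding_demo():
    """Forged cross-site request: cookie attached by the browser, CSRF token absent."""
    store = SessionStore(True)
    sid = store.login(store.new_session(), "victim")
    return store.transfer(sid, ""), store.transfer(sid, store.sessions[sid]["csrf"])
```

Note that nothing in the store protects against plain hijacking: once the current ID leaks (via MitM or XSS as the first answer says), the server cannot tell the two holders apart, so that case is handled by transport and cookie hardening rather than by session-ID logic.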