Ethical Hacking: Session Hijacking
Course description
Pluralsight is not an official partner or accredited training center of EC-Council. Session persistence is a fundamental concept in information systems. On the web, for example, which is dependent on the stateless HTTP protocol, session persistence is a key component of features ranging from shopping carts to the ability to logon. At a lower level on the network tier, the TCP protocol relies on sessions for communication between machines such as a client and a server.
Read more about the course
The confidentiality and integrity of this communication can be seriously impacted by a session hijacking attack. Learning how to identify these risks is an essential capability for the ethical hacker. Systems are frequently built insecurely and readily expose these flaws. Conversely, the risks are often easy to defend against by implementing simple patterns within the application. This course walks through both the risks and the defenses. This course is part of the Ethical Hacking Series. http://blog.pluralsight.com/learning-path-ethical-hacking
Watch Online
| # | Lesson Title | Duration |
|---|---|---|
| 1 | Overview | 02:28 |
| 2 | What Is Session Hijacking? | 01:44 |
| 3 | Types of Session Hijacking | 02:59 |
| 4 | Attack Vectors | 03:41 |
| 5 | The Impact of Session Hijacking | 03:27 |
| 6 | Session Hijacking and the OWASP Top 10 | 02:45 |
| 7 | Summary | 01:31 |
| 8 | Overview | 01:44 |
| 9 | The Stateless Nature of HTTP | 02:53 |
| 10 | Persisting State Over HTTP | 05:46 |
| 11 | Session Persistence in Cookies | 08:50 |
| 12 | Session Persistence in the URL | 06:34 |
| 13 | Session Persistence in Hidden Form Fields | 03:22 |
| 14 | Summary | 02:37 |
| 15 | Overview | 02:19 |
| 16 | Hijacking Cookies with Cross Site Scripting | 09:51 |
| 17 | Exposed Cookie Based Session IDs in Logs | 03:48 |
| 18 | Exposed URL Based Session IDs in Logs | 02:52 |
| 19 | Leaking URL Persisted Sessions in the Referrer | 03:57 |
| 20 | Session Sniffing | 05:33 |
| 21 | Session Fixation | 06:41 |
| 22 | Brute Forcing Session IDs | 04:06 |
| 23 | Session Donation | 05:11 |
| 24 | Summary | 03:04 |
| 25 | Overview | 03:05 |
| 26 | Understanding TCP | 09:00 |
| 27 | Reviewing the Three-way Handshake in Wireshark | 05:23 |
| 28 | Generation and Predictability of TCP Sequence Numbers | 04:31 |
| 29 | Blind Hijacking | 02:29 |
| 30 | Man in the Middle Session Sniffing | 01:58 |
| 31 | IP Spoofing | 01:48 |
| 32 | UDP Hijacking | 02:20 |
| 33 | Man in the Browser Attacks | 02:48 |
| 34 | Network Level Session Hijacking in the Wild | 01:27 |
| 35 | Summary | 02:09 |
| 36 | Overview | 02:13 |
| 37 | Use Strong Session IDs | 03:19 |
| 38 | Keep Session IDs Out of the URL | 02:40 |
| 39 | Don’t Reuse Session ID for Auth | 06:34 |
| 40 | Always Flag Session ID Cookies as HTTP Only | 04:04 |
| 41 | Use Transport Layer Security | 04:43 |
| 42 | Always Flag Session ID Cookies as Secure | 05:39 |
| 43 | Session Expiration and Using Session Cookies | 05:59 |
| 44 | Consider Disabling Sliding Sessions | 03:10 |
| 45 | Encourage Users to Log Out | 02:30 |
| 46 | Re-authenticate Before Key Actions | 01:54 |
| 47 | Summary | 03:16 |
| 48 | Overview | 02:00 |
| 49 | Manipulating Session IDs with OWASP ZAP | 05:04 |
| 50 | Testing Session Token Strength with Burp Suite | 09:48 |
| 51 | Dynamic Analysis Testing with NetSparker | 04:39 |
| 52 | Other Tools | 03:53 |
| 53 | Summary | 02:05 |
Comments
0 commentsWant to join the conversation?
Sign in to commentSimilar courses
Advanced Ethical Hacking Bootcamp: Network Hacking & Security
Web security: Injection Attacks with Java & Spring Boot
Bug Bounty - An Advanced Guide to Finding Good Bugs
