CF

Ethical Hacking: Session Hijacking

3h 28m 11s
English
Free

Ethical Hacking: Session Hijacking is a 53-lesson 3 hours 28 minutes self-paced course by Pluralsight. Pluralsight is not an official partner or accredited training center of EC-Council.

Course facts

Lessons
53
Duration
3 hours 28 minutes
Level
All levels
Language
English
Updated
Instructor
Pluralsight
Price
Free

Pluralsight is not an official partner or accredited training center of EC-Council. Session persistence is a fundamental concept in information systems. On the web, for example, which is dependent on the stateless HTTP protocol, session persistence is a key component of features ranging from shopping carts to the ability to logon. At a lower level on the network tier, the TCP protocol relies on sessions for communication between machines such as a client and a server. 

The confidentiality and integrity of this communication can be seriously impacted by a session hijacking attack. Learning how to identify these risks is an essential capability for the ethical hacker. Systems are frequently built insecurely and readily expose these flaws. Conversely, the risks are often easy to defend against by implementing simple patterns within the application. This course walks through both the risks and the defenses. This course is part of the Ethical Hacking Series. http://blog.pluralsight.com/learning-path-ethical-hacking

Who teaches Ethical Hacking: Session Hijacking? Pluralsight

Pluralsight thumbnail

Pluralsight is one of the largest enterprise-focused online technology training platforms in the world, founded in 2004 by Aaron Skonnard and acquired by Vista Equity Partners in 2021. The platform has historically been the dominant choice for corporate IT training, with a catalog of over 7,000 courses covering software development, IT operations, security, data, and cloud across virtually every major vendor and open-source platform.

The instructor roster includes Microsoft Regional Directors, AWS / Azure / GCP MVPs, and named experts in essentially every active technology track. Course material is structured for the corporate-training market: each course covers a specific skill at a defined depth, and Pluralsight's role-based learning paths are widely used by enterprises for upskilling engineering teams.

The CourseFlix listing under this source carries 12 Pluralsight courses — a small slice of the broader platform's catalog. Material is paid; Pluralsight itself runs on a monthly / annual subscription on the original platform, with Pluralsight Skills (individual) and Pluralsight Flow (engineering analytics) as the main product lines.

What lessons are included in Ethical Hacking: Session Hijacking?

  • Space or K: play or pause
  • J: rewind 10 seconds
  • L: forward 10 seconds
  • Left Arrow: rewind 5 seconds
  • Right Arrow: forward 5 seconds
  • Up Arrow: volume up
  • Down Arrow: volume down
  • M: mute or unmute
  • F: toggle fullscreen
  • T: toggle theater mode
  • I: toggle mini player
  • 0 to 9: seek to 0 to 90 percent of the video
  • Shift plus N: next video
  • Shift plus P: previous video
0:00 0:00
#Lesson TitleDuration
1Overview 02:28
2What Is Session Hijacking? 01:44
3Types of Session Hijacking 02:59
4Attack Vectors 03:41
5The Impact of Session Hijacking 03:27
6Session Hijacking and the OWASP Top 10 02:45
7Summary 01:31
8Overview 01:44
9The Stateless Nature of HTTP 02:53
10Persisting State Over HTTP 05:46
11Session Persistence in Cookies 08:50
12Session Persistence in the URL 06:34
13Session Persistence in Hidden Form Fields 03:22
14Summary 02:37
15Overview 02:19
16Hijacking Cookies with Cross Site Scripting 09:51
17Exposed Cookie Based Session IDs in Logs 03:48
18Exposed URL Based Session IDs in Logs 02:52
19Leaking URL Persisted Sessions in the Referrer 03:57
20Session Sniffing 05:33
21Session Fixation 06:41
22Brute Forcing Session IDs 04:06
23Session Donation 05:11
24Summary 03:04
25Overview 03:05
26Understanding TCP 09:00
27Reviewing the Three-way Handshake in Wireshark 05:23
28Generation and Predictability of TCP Sequence Numbers 04:31
29Blind Hijacking 02:29
30Man in the Middle Session Sniffing 01:58
31IP Spoofing 01:48
32UDP Hijacking 02:20
33Man in the Browser Attacks 02:48
34Network Level Session Hijacking in the Wild 01:27
35Summary 02:09
36Overview 02:13
37Use Strong Session IDs 03:19
38Keep Session IDs Out of the URL 02:40
39Don’t Reuse Session ID for Auth 06:34
40Always Flag Session ID Cookies as HTTP Only 04:04
41Use Transport Layer Security 04:43
42Always Flag Session ID Cookies as Secure 05:39
43Session Expiration and Using Session Cookies 05:59
44Consider Disabling Sliding Sessions 03:10
45Encourage Users to Log Out 02:30
46Re-authenticate Before Key Actions 01:54
47Summary 03:16
48Overview 02:00
49Manipulating Session IDs with OWASP ZAP 05:04
50Testing Session Token Strength with Burp Suite 09:48
51Dynamic Analysis Testing with NetSparker 04:39
52Other Tools 03:53
53Summary 02:05

What courses are similar to Ethical Hacking: Session Hijacking?

More courses by Pluralsight

Frequently asked questions

What prerequisites are needed before taking this course?
Before enrolling in the course, students should have a foundational understanding of networking concepts and basic knowledge of web technologies. Familiarity with HTTP, TCP/IP protocols, and basic cybersecurity principles will be beneficial, as the course delves into topics like session persistence in HTTP and TCP, session hijacking techniques, and network-level attacks.
What projects or exercises will I complete during the course?
Throughout the course, students will engage in practical exercises such as manipulating session IDs with OWASP ZAP, testing session token strength using Burp Suite, and conducting dynamic analysis testing with NetSparker. These exercises are designed to provide hands-on experience with the tools and techniques used in session hijacking and security testing.
Who is the target audience for this course?
The course is aimed at cybersecurity professionals, ethical hackers, and IT security enthusiasts who wish to deepen their understanding of session hijacking. It is particularly relevant for those interested in learning about session persistence, attack vectors, and security practices to protect against session hijacking in web and network environments.
How does the depth of this course compare to other cybersecurity courses?
This course provides a detailed exploration of session hijacking, covering both web and network-level aspects. Unlike broader cybersecurity courses, it focuses specifically on session persistence, attack vectors, and practical mitigation strategies. With 53 lessons, it offers a comprehensive view of the topic, including hands-on exercises with industry-standard tools.
What specific tools are covered in the course?
The course includes practical sessions with tools such as OWASP ZAP, Burp Suite, and NetSparker. These tools are used to manipulate session IDs, test session token strength, and perform dynamic analysis testing. These sessions provide students with hands-on experience in analyzing and securing session management in web applications.
What topics are not covered in this course?
While the course focuses extensively on session hijacking, it does not cover broader cybersecurity topics such as malware analysis, cryptography, or system-level security. Additionally, it does not address the accreditation or certification aspects related to official EC-Council programs, as Pluralsight is not an accredited training center.
How much time should I expect to commit to this course?
The course consists of 53 lessons, though the total runtime is not specified. Students should allocate sufficient time to not only watch the lessons but also to engage in the practical exercises with tools like OWASP ZAP and Burp Suite. A reasonable estimate would be several hours of study and practice each week, depending on the student's prior experience and learning pace.