Pluralsight is not an official partner or accredited training center of EC-Council. Session persistence is a fundamental concept in information systems. On the web, for example, which is dependent on the stateless HTTP protocol, session persistence is a key component of features ranging from shopping carts to the ability to logon. At a lower level on the network tier, the TCP protocol relies on sessions for communication between machines such as a client and a server.
Ethical Hacking: Session Hijacking
3h 28m 11s
English
Free
The confidentiality and integrity of this communication can be seriously impacted by a session hijacking attack. Learning how to identify these risks is an essential capability for the ethical hacker. Systems are frequently built insecurely and readily expose these flaws. Conversely, the risks are often easy to defend against by implementing simple patterns within the application. This course walks through both the risks and the defenses. This course is part of the Ethical Hacking Series. http://blog.pluralsight.com/learning-path-ethical-hacking
About the Author: Pluralsight
Pluralsight is one of the largest enterprise-focused online technology training platforms in the world, founded in 2004 by Aaron Skonnard and acquired by Vista Equity Partners in 2021. The platform has historically been the dominant choice for corporate IT training, with a catalog of over 7,000 courses covering software development, IT operations, security, data, and cloud across virtually every major vendor and open-source platform.
The instructor roster includes Microsoft Regional Directors, AWS / Azure / GCP MVPs, and named experts in essentially every active technology track. Course material is structured for the corporate-training market: each course covers a specific skill at a defined depth, and Pluralsight's role-based learning paths are widely used by enterprises for upskilling engineering teams.
The CourseFlix listing under this source carries 12 Pluralsight courses — a small slice of the broader platform's catalog. Material is paid; Pluralsight itself runs on a monthly / annual subscription on the original platform, with Pluralsight Skills (individual) and Pluralsight Flow (engineering analytics) as the main product lines.
Watch Online 53 lessons
- Space or K: play or pause
- J: rewind 10 seconds
- L: forward 10 seconds
- Left Arrow: rewind 5 seconds
- Right Arrow: forward 5 seconds
- Up Arrow: volume up
- Down Arrow: volume down
- M: mute or unmute
- F: toggle fullscreen
- T: toggle theater mode
- I: toggle mini player
- 0 to 9: seek to 0 to 90 percent of the video
- Shift plus N: next video
- Shift plus P: previous video
0:00 0:00
| # | Lesson Title | Duration |
|---|---|---|
| 1 | Overview | 02:28 |
| 2 | What Is Session Hijacking? | 01:44 |
| 3 | Types of Session Hijacking | 02:59 |
| 4 | Attack Vectors | 03:41 |
| 5 | The Impact of Session Hijacking | 03:27 |
| 6 | Session Hijacking and the OWASP Top 10 | 02:45 |
| 7 | Summary | 01:31 |
| 8 | Overview | 01:44 |
| 9 | The Stateless Nature of HTTP | 02:53 |
| 10 | Persisting State Over HTTP | 05:46 |
| 11 | Session Persistence in Cookies | 08:50 |
| 12 | Session Persistence in the URL | 06:34 |
| 13 | Session Persistence in Hidden Form Fields | 03:22 |
| 14 | Summary | 02:37 |
| 15 | Overview | 02:19 |
| 16 | Hijacking Cookies with Cross Site Scripting | 09:51 |
| 17 | Exposed Cookie Based Session IDs in Logs | 03:48 |
| 18 | Exposed URL Based Session IDs in Logs | 02:52 |
| 19 | Leaking URL Persisted Sessions in the Referrer | 03:57 |
| 20 | Session Sniffing | 05:33 |
| 21 | Session Fixation | 06:41 |
| 22 | Brute Forcing Session IDs | 04:06 |
| 23 | Session Donation | 05:11 |
| 24 | Summary | 03:04 |
| 25 | Overview | 03:05 |
| 26 | Understanding TCP | 09:00 |
| 27 | Reviewing the Three-way Handshake in Wireshark | 05:23 |
| 28 | Generation and Predictability of TCP Sequence Numbers | 04:31 |
| 29 | Blind Hijacking | 02:29 |
| 30 | Man in the Middle Session Sniffing | 01:58 |
| 31 | IP Spoofing | 01:48 |
| 32 | UDP Hijacking | 02:20 |
| 33 | Man in the Browser Attacks | 02:48 |
| 34 | Network Level Session Hijacking in the Wild | 01:27 |
| 35 | Summary | 02:09 |
| 36 | Overview | 02:13 |
| 37 | Use Strong Session IDs | 03:19 |
| 38 | Keep Session IDs Out of the URL | 02:40 |
| 39 | Don’t Reuse Session ID for Auth | 06:34 |
| 40 | Always Flag Session ID Cookies as HTTP Only | 04:04 |
| 41 | Use Transport Layer Security | 04:43 |
| 42 | Always Flag Session ID Cookies as Secure | 05:39 |
| 43 | Session Expiration and Using Session Cookies | 05:59 |
| 44 | Consider Disabling Sliding Sessions | 03:10 |
| 45 | Encourage Users to Log Out | 02:30 |
| 46 | Re-authenticate Before Key Actions | 01:54 |
| 47 | Summary | 03:16 |
| 48 | Overview | 02:00 |
| 49 | Manipulating Session IDs with OWASP ZAP | 05:04 |
| 50 | Testing Session Token Strength with Burp Suite | 09:48 |
| 51 | Dynamic Analysis Testing with NetSparker | 04:39 |
| 52 | Other Tools | 03:53 |
| 53 | Summary | 02:05 |
Related courses
-
Updated 2y agoBug Bounty - An Advanced Guide to Finding Good Bugs
By: UdemyBug bounties are evolving year after year and thousands of infosec enthuasiasts are looking to join the boat. Having a great place on that boat requires dedicat10h -
Updated 2y agoThe Complete Cyber Security Course : Hackers Exposed!
By: UdemyLearn a practical skill-set in defeating all online threats, including - advanced hackers, trackers, malware, zero days, exploit kits, cybercriminals and more.12h 6m5/5 -
Updated 11mo agoAdvanced Ethical Hacking Bootcamp: Network Hacking & Security
By: Zero To MasteryElevate your ethical hacking skills to a new level by mastering network exploitation techniques - from Man-in-the-Middle attacks and DNS spoofing to router.7h 30m
Frequently asked questions
What prerequisites are needed before taking this course?
Before enrolling in the course, students should have a foundational understanding of networking concepts and basic knowledge of web technologies. Familiarity with HTTP, TCP/IP protocols, and basic cybersecurity principles will be beneficial, as the course delves into topics like session persistence in HTTP and TCP, session hijacking techniques, and network-level attacks.
What projects or exercises will I complete during the course?
Throughout the course, students will engage in practical exercises such as manipulating session IDs with OWASP ZAP, testing session token strength using Burp Suite, and conducting dynamic analysis testing with NetSparker. These exercises are designed to provide hands-on experience with the tools and techniques used in session hijacking and security testing.
Who is the target audience for this course?
The course is aimed at cybersecurity professionals, ethical hackers, and IT security enthusiasts who wish to deepen their understanding of session hijacking. It is particularly relevant for those interested in learning about session persistence, attack vectors, and security practices to protect against session hijacking in web and network environments.
How does the depth of this course compare to other cybersecurity courses?
This course provides a detailed exploration of session hijacking, covering both web and network-level aspects. Unlike broader cybersecurity courses, it focuses specifically on session persistence, attack vectors, and practical mitigation strategies. With 53 lessons, it offers a comprehensive view of the topic, including hands-on exercises with industry-standard tools.
What specific tools are covered in the course?
The course includes practical sessions with tools such as OWASP ZAP, Burp Suite, and NetSparker. These tools are used to manipulate session IDs, test session token strength, and perform dynamic analysis testing. These sessions provide students with hands-on experience in analyzing and securing session management in web applications.
What topics are not covered in this course?
While the course focuses extensively on session hijacking, it does not cover broader cybersecurity topics such as malware analysis, cryptography, or system-level security. Additionally, it does not address the accreditation or certification aspects related to official EC-Council programs, as Pluralsight is not an accredited training center.
How much time should I expect to commit to this course?
The course consists of 53 lessons, though the total runtime is not specified. Students should allocate sufficient time to not only watch the lessons but also to engage in the practical exercises with tools like OWASP ZAP and Burp Suite. A reasonable estimate would be several hours of study and practice each week, depending on the student's prior experience and learning pace.