10.6 Penetration Testing
Session Hijacking Pen Testing
- Sniff session traffic between two machines using tools such as Wireshark, Capsa Network Analyzer, Windump, etc.
- Use proxy server trojans that change the proxy settings in the victim's browser.
- Use automated tools such as OWASP Zed Attack Proxy, Burp Suite, JHijack, etc. to hijack sessions.
- Crack the session ID if it is URL encoded, HTML encoded, Unicode encoded, Base64 encoded, or hex encoded.
- Brute-force session IDs when the possible range of values for the session ID is limited, until the correct session ID is found.
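
A defender-side check for the last two items, added here as an example and not part of the original notes: given session IDs issued by your own application, it flags IDs that are readable data behind hex, Base64, URL or HTML encoding, IDs that are sequential integers, and samples whose estimated entropy is below the 64 bits the OWASP Session Management Cheat Sheet asks for. The function names, the sample tokens and the printable-ASCII heuristic are assumptions of this example.

```python
import base64
import html
import math
import re
from urllib.parse import unquote

MIN_ENTROPY_BITS = 64  # minimum given in the OWASP Session Management Cheat Sheet

DECODERS = [  # tried in order; a decoder that does not apply raises or returns the input unchanged
    ("hex", bytes.fromhex),
    ("base64", lambda t: base64.b64decode(t, validate=True)),
    ("url", lambda t: unquote(t).encode()),
    ("html", lambda t: html.unescape(t).encode()),
]

def reversible_encoding(token):
    """Return (encoding, text) when decoding yields different, fully printable ASCII, else None."""
    for name, decode in DECODERS:
        try:
            raw = decode(token)
        except ValueError:  # bad hex, bad Base64 (binascii.Error) or unencodable text
            continue
        if raw and all(0x20 <= b <= 0x7E for b in raw) and raw.decode("ascii") != token:
            return name, raw.decode("ascii")
    return None

def is_sequential(tokens):
    """True when every token is a decimal number and they advance by one fixed step."""
    nums = [int(t) for t in tokens if t.isdecimal()]
    return len(nums) == len(tokens) >= 3 and len({b - a for a, b in zip(nums, nums[1:])}) == 1

def max_entropy_bits(tokens):
    """Rough upper bound: shortest token length x log2(alphabet size seen in the sample)."""
    alphabet = set("".join(tokens))
    return min(map(len, tokens)) * math.log2(len(alphabet)) if alphabet else 0.0

def audit(tokens):
    """Findings for a non-empty list of session IDs, in the order the application issued them."""
    hits = [(t, reversible_encoding(t)) for t in tokens]
    findings = [f"{t}: readable {h[0]} payload {h[1]!r}" for t, h in hits if h]
    if is_sequential(tokens):
        findings.append("IDs are sequential integers")
    if max_entropy_bits(tokens) < MIN_ENTROPY_BITS:
        findings.append(f"estimated entropy below {MIN_ENTROPY_BITS} bits")
    return findings

# Constructed sample tokens, not taken from any real application.
WEAK = [base64.b64encode(b"user=1001").decode(), b"sid1001".hex(), "user%3D1001"]
SEQUENTIAL = ["1001", "1002", "1003"]
STRONG = ["c3a1f09e8b7d4526e1f0a9b8c7d6e5f4", "9fd2b6a07c4e1835f0e9d8c7b6a59483"]
```

An empty result from `audit` only means these heuristics found nothing; the fix for any finding is to issue IDs from a cryptographically secure random generator and keep user data in server-side session state.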