Shahnawaz Backer has just published a new security community paper in the security on dW community resource library that discusses how to use IBM Security Access Manager to help prevent several of the most common session hijacking attacks. Some of the common session hijacking attacks he covers are:
Predictable Session Key/Session Fixation: This kind of attack is possible in a system where an attacker can guess the session key (for example by monitoring a series of session keys handed out by the system and spotting the pattern). In the fixation variant the attacker instead chooses the session id, plants it in the victim's browser and tricks the user into logging on with that fixed id, after which the attacker holds an authenticated session.
Session Sniffing: An attacker can eavesdrop on the network, listening to all unencrypted traffic. Any site not using SSL/TLS for the whole session (not just the login page) is vulnerable to this, since the session key travels in the clear with every request.
Cross Site Scripting (XSS): A website with an XSS vulnerability can be tricked into running attacker-supplied script in the victim's browser, giving the attacker any session key that script can read, for example a session cookie that is not marked HttpOnly.
Man-in-the-browser attacks: Malicious code running inside the browser (a compromised extension or injected malware) that reads or alters confidential information after the browser has already decrypted it.
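As an added illustration of the server-side controls that counter the first three attack classes above (this is generic example code, not part of the paper or of IBM Security Access Manager), the following block shows session ids drawn from a CSPRNG rather than a counter, a login step that always discards whatever id the client presented and issues a fresh one (defeating fixation), and a Set-Cookie value carrying the Secure and HttpOnly flags (against sniffing and script access). The in-memory store and cookie name are assumptions for the example; man-in-the-browser malware sits past the TLS and cookie boundary and is not addressed by any of these flags.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

SESSION_ID_BYTES = 32  # 256 bits of entropy; guessing is infeasible


def predictable_session_id(last_id: int) -> str:
    """The weak pattern: a counter. Anyone who sees a few ids can
    predict the next one. Shown only for contrast; never use this."""
    return str(last_id + 1)


def new_session_id() -> str:
    # secrets uses the OS CSPRNG, so consecutive ids share no pattern
    return secrets.token_urlsafe(SESSION_ID_BYTES)


@dataclass
class SessionStore:
    """Hypothetical in-memory session table (assumption for the example)."""
    sessions: Dict[str, dict] = field(default_factory=dict)

    def create(self) -> str:
        """Anonymous (pre-login) session, e.g. for a shopping cart."""
        sid = new_session_id()
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, presented_sid: Optional[str], user: str) -> str:
        """Authenticate and ALWAYS rotate the session id.

        Whatever id the client presented, including one an attacker planted
        for a fixation attack, is invalidated, so the attacker's copy of it
        never becomes an authenticated session."""
        if presented_sid is not None:
            self.sessions.pop(presented_sid, None)
        sid = new_session_id()
        self.sessions[sid] = {"user": user}
        return sid

    def lookup(self, sid: str) -> Optional[dict]:
        return self.sessions.get(sid)


def session_cookie(sid: str, name: str = "SESSIONID") -> str:
    """Set-Cookie value for the session id (cookie name is an assumption).

    Secure:   never sent over plain HTTP, so a sniffer on the wire sees nothing
    HttpOnly: not readable via document.cookie, so an XSS payload cannot
              exfiltrate it (it can still ride along on requests the script
              makes, so XSS must still be fixed at the source)
    SameSite: not attached to cross-site requests, limiting CSRF as a bonus
    """
    return f"{name}={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


def fixation_attempt_fails(store: SessionStore) -> bool:
    """Walk through a fixation attempt against the store and report
    whether the attacker's planted id ends up authenticated."""
    attacker_sid = store.create()              # attacker obtains an id
    victim_sid = store.login(attacker_sid, "alice")  # victim logs in with it
    attacker_session = store.lookup(attacker_sid)
    # The id the attacker knows no longer exists; the victim got a new one.
    return attacker_session is None and victim_sid != attacker_sid


if __name__ == "__main__":
    print("counter ids:", [predictable_session_id(n) for n in range(1000, 1003)])
    print("random ids: ", [new_session_id()[:12] + "..." for _ in range(3)])
    store = SessionStore()
    print("fixation defeated:", fixation_attempt_fails(store))
    print("Set-Cookie:", session_cookie(store.create()))
```

The rotation in `login` is the single most important line for fixation: it does not matter how the attacker got the id into the victim's browser (URL parameter, cookie injection, a shared terminal) if the server refuses to promote a pre-authentication id to an authenticated one.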
This new security community paper will be of interest to anyone who wants to make their web applications more secure against session hijacking attacks.