What Are Session Replay Attacks?


According to Bleeping Computer, 483 of Alexa’s top 50,000 ranked websites were found to be recording users’ “every move,” including their keystrokes and mouse movements. This sort of information is typically sent to an analytics dashboard, and if it is not secured properly it might be intercepted to extract user input and other sensitive data. Attacks on session replays can therefore pose a serious security concern for both organizations and end users, as hackers may intercept any data input and record it before a user even clicks to submit the form online.

Session replay attacks, also known as playback attacks or replay attacks, are network attacks that maliciously “repeat” or “delay” a valid data transmission. A hacker can do this by intercepting a session and stealing a user’s unique session ID (stored as either a cookie, URL, or form field). The hacker is then able to masquerade as an authorized user and will be granted full access to do anything that the authorized user can do on a website.

For users, there are major privacy and security implications if websites utilize analytics services that record and insecurely store sensitive information. For example, a report released by security researchers at Princeton University revealed that some analytics dashboards from the study logged passwords, credit card details, social security numbers, dates of birth, and other kinds of information that a hacker could use to commit online fraud like identity theft.

So how do hackers steal a user’s session ID? Stealing a user’s session ID is the first step to a replay attack and is referred to as session hijacking. There are several ways hackers can do this. Session hijacking involves gaining access to a valid session cookie, accomplished typically through sniffing network traffic and through man-in-the-middle (MITM) attacks. In this kind of cyber attack, the hacker hijacks and alters communication between two users who believe they are in direct communication with each other by using a “sniffing” program. A hacker can also exploit a valid session through client-side attacks like cross-site scripting, trojans, malicious JavaScript, and so on.

How might users protect themselves, and what can website owners do to protect their visitors? Because of how session replay attacks usually unfold, the countermeasures against them overlap with general application security measures. Hence, traditional firewalls, web application firewalls, anti-virus programs, pop-up blockers, and other anti-spyware software work together to prevent session replay attacks.

Other options include installing updates and patches as soon as they become available so as to avoid falling victim to this kind of attack. Users are also advised to frequently delete stored cookies and other temporary files from their web browsers since cookie hijacking goes hand in hand with session hijacking. Another great tactic to prevent this is to set the HttpOnly flag on cookies. This prevents JavaScript from having access to cookies so they don’t become susceptible to hijacking. Using free Wi-Fi is also not recommended, since unsecured networks increase the risk of session hijacking.
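As an added illustration (not part of the original article), the Python sketch below issues a session cookie with and without the HttpOnly flag and audits Set-Cookie header values for missing protections. The cookie name "sessionid", the 30-minute lifetime, and the extra checks for Secure and an expiry are assumptions made for this example.

```python
import secrets
from http.cookies import SimpleCookie

def build_session_cookie(name="sessionid", hardened=True):
    """Return a Set-Cookie header value carrying a fresh random session ID."""
    jar = SimpleCookie()
    jar[name] = secrets.token_urlsafe(32)   # unguessable session ID
    jar[name]["path"] = "/"
    if hardened:
        jar[name]["httponly"] = True   # not readable from JavaScript
        jar[name]["secure"] = True     # never sent over plain HTTP (assumed extra check)
        jar[name]["max-age"] = 1800    # assumed 30-minute lifetime limits the replay window
    return jar[name].OutputString()

# (attribute key, label used in findings)
FLAG_CHECKS = (("httponly", "HttpOnly"), ("secure", "Secure"))

def audit_set_cookie(header_value):
    """List the protections missing from one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings = []
    for name, morsel in jar.items():
        for key, label in FLAG_CHECKS:
            if not morsel[key]:
                findings.append(f"{name}: missing {label}")
        if not (morsel["max-age"] or morsel["expires"]):
            findings.append(f"{name}: no expiry set")
    return findings

if __name__ == "__main__":
    # Constructed sample headers: one weak, one hardened, one partially set.
    samples = [
        build_session_cookie(hardened=False),
        build_session_cookie(),
        "sessionid=abc123; Path=/; Secure",
    ]
    for header in samples:
        print(header)
        for finding in audit_set_cookie(header) or ["ok"]:
            print("   ", finding)
```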

Because session replay attacks can give attackers a website visitor’s identity and authentication information, they can be a serious problem for website owners who are not implementing any of the recommendations previously mentioned.