Session hijacking, also known as TCP session hijacking, is a method of taking over a Web user session by surreptitiously obtaining the session ID and masquerading as the authorized user. Once the user's session ID has been accessed (through session prediction), the attacker can masquerade as that user and do anything the user is authorized to do on the network.
http://searchsoftwarequality.techtarget.com/glossary/
An attack in which the Attacker is able to insert himself or herself between a Claimant and a Verifier subsequent to a successful authentication exchange between the latter two parties. The Attacker is able to pose as a Subscriber to the Verifier or vice versa to control session data exchange. Sessions between the Claimant and the Relying Party can also be similarly compromised. [NIST-SP800-63:2013]
Take over a session that someone else has established.
An intrusion technique whereby a hacker sends a command to an already existing connection between two machines, in order to wrest control of the connection away from the machine that initiated it. The hacker's goal is to gain access to a server while bypassing normal authentication measures.
http://www.watchguard.com/glossary/
See session hijacking
http://www.watchguard.com/glossary/
The result of a user's session being compromised by an attacker. The attacker could reuse this stolen session to masquerade as the user.
http://www.webappsec.org/projects/glossary/
A string of data provided by the web server, normally stored within a cookie or URL. A Session ID tracks a user's session, or perhaps just his current session, as he traverses the web site.
http://www.webappsec.org/projects/glossary/
An attack technique used to hijack another user's session by altering a session ID or session credential value.
http://www.webappsec.org/projects/glossary/
An attack technique used to create fraudulent session credentials or guess other users' current session IDs. If successful, an attacker could reuse this stolen session to masquerade as another user.
http://www.webappsec.org/projects/glossary/
When a web site permits an attacker to reuse old session credentials or session IDs for authorization.
http://www.webappsec.org/projects/glossary/
A form of active wiretapping in which the attacker seizes control of a previously established communication association.
http://www.sans.org/security-resources/glossary-of-terms/