Question about session hijacking vs. XSS

mmcabemmcabe Member Posts: 58 ■■□□□□□□□□
This question relates to Security+ 401 but also a general understanding of the difference between two application attacks.

I'm not 100% clear on how to differentiate between session hijacking and XSS when cookies are mentioned in the question. I know the attacker needs a cookie with credentials in order to implement a session hijacking attack--but I thought one of the goals of an XSS attack was also to steal a cookie with credentials (plus other user information if possible).

Is it just the method (sniffing for session hijacking; scripting for XSS)?

I did some Googling and came across several mentions of "XSS session hijacking," which did not help!

Thanks for any help.


  • shochanshochan Member Posts: 980 ■■■■■■■□□□
    You might read through this: Dan's Courses

    He has a ton of videos on YouTube also.
    CompTIA A+, Network+, i-Net+, MCP 70-210, CNA v5, Server+, Security+, Cloud+, CySA+, ISC² CC
  • MooseboostMooseboost Member Posts: 778 ■■■■□□□□□□
    It can be a bit confusing when you think of them.

    Think of XSS as a multi-tool. You can use it to adjust a screw, cut a wire, as pliers... Whereas session hijacking would be a specific task that is more of the end result.

    Being vulnerable to an XSS attack means that it is possible to inject scripts into a page. The end goal here is sometimes to steal something like a cookie but you can also deface a page among other things. The big thing to remember here is that XSS is injecting malicious scripts that can be used for a variety of bad things.

    Session hijacking is simply impersonating a valid session either by stealing the session token or guessing it if the token is predictable. XSS is a common method, but there are numerous other ways. So here, this is a very defined attack.
  • mmcabemmcabe Member Posts: 58 ■■□□□□□□□□
    Thanks very much to you both. I think I now understand why I was confused over a Gibson practice question.

    The question says that a pentester had access to a list of usernames, passwords, login dates, and cookie IDs. The login dates spanned a couple weeks. The possible attack methods included XSS and session hijacking.

    It can't be session hijacking because a session hijacking attack would capture one cookie (from one session) in real time. An XSS attack could be scripted to grab any info that had been retained by the server.

    Is this a correct assumption?
Sign In or Register to comment.