What Is Sidejacking and How Is It Executed?


Sidejacking is a cyber-attack in which a malicious user gains unauthorized access to a legitimate user’s session on a website by intercepting and abusing their credentials. It’s also known as session or cookie hijacking and resembles the well-known Man-in-the-Middle attack.

The goal of this process of interception and illegal reading of network traffic is to steal the session cookie. Websites that require authentication through a username and password are the most common platforms on which sidejacking can be executed. These are abundant on the internet — including email accounts, social networks, and eCommerce sites. 

Let’s dive into what this threat entails, how it is performed, and the different types of sidejacking based on session cookie theft.  

What Is Sidejacking?

Sidejacking is one of the common security issues these days. In a nutshell, an attacker gains access to a session cookie and abuses it to impersonate the victim user. 

The malicious user can thus perform any action that the legitimate user could perform once logged in to the website. The repercussions of such impersonation can be grave, including identity theft, financial losses, sensitive data download, negative publicity, and more.

How Sidejacking Is Executed

Session sidejacking is categorized as CAPEC-102 by MITRE. It is a type of session hijacking alongside other attacks such as session fixation, cross-site scripting, and stealing the session token.

In essence, sidejacking works by identifying an unencrypted session cookie, that is, one sent without Secure Sockets Layer (SSL) protection. An attacker can use a packet sniffer to look for such a session cookie.

Once they have found a good target, the malicious user reads the network traffic. They can then employ the unencrypted cookie to present themselves as a regular user with their login credentials. The attacker thus sees all the data sent between the victim user’s browser and the server or webpage. This allows them to steal sensitive information, access important accounts such as social media sites and email services, and impersonate users. 

Sidejacking is particularly easy to execute on a public wireless network that doesn’t require authentication. Websites that don’t protect authentication with encryption are also vulnerable to eavesdropping on network traffic.

Still, the good news is that once a session ends and the legitimate user is logged off, any subsequent requests to the server require new client authentication. This means the attacker loses unauthorized access at the end of an active session.
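From the server's side, the cookie replay described above appears as one session identifier arriving from more than one client. The following is an added example, not part of the original article, that looks for this pattern in an access log; the log format, the sample lines and the function name analyze are assumptions made for illustration.

```python
"""Spot one session ID used by two clients at once (added example)."""
import re
from collections import defaultdict

# Constructed log format (an assumption): time, client IP, sid=<hash of the
# session cookie, never the cookie itself>, quoted User-Agent.
LINE = re.compile(r'^(\S+) (\S+) sid=(\S+) "([^"]*)"$')

# Constructed sample. The second client shares the victim's IP, as two
# devices behind one hotspot NAT would, so the User-Agent is what differs.
SAMPLE_LOG = """\
2023-03-22T10:00:01Z 198.51.100.7 sid=a1f3 "Mozilla/5.0 (Windows NT 10.0) Firefox/110.0"
2023-03-22T10:00:09Z 198.51.100.7 sid=a1f3 "Mozilla/5.0 (Windows NT 10.0) Firefox/110.0"
2023-03-22T10:00:12Z 203.0.113.20 sid=77c0 "Mozilla/5.0 (Macintosh) Safari/605.1.15"
2023-03-22T10:00:15Z 198.51.100.7 sid=a1f3 "Mozilla/5.0 (X11; Linux x86_64) Chrome/110.0"
2023-03-22T10:00:17Z 198.51.100.7 sid=a1f3 "Mozilla/5.0 (Windows NT 10.0) Firefox/110.0"
"""


def analyze(log_text):
    """Return {sid: {"clients": n, "concurrent": bool}} for shared sessions."""
    runs = defaultdict(list)  # sid -> fingerprints, consecutive repeats collapsed
    for line in log_text.splitlines():
        match = LINE.match(line.strip())
        if not match:
            continue  # ignore lines that do not fit the assumed format
        _, ip, sid, agent = match.groups()
        fingerprint = (ip, agent)
        if not runs[sid] or runs[sid][-1] != fingerprint:
            runs[sid].append(fingerprint)
    report = {}
    for sid, seq in runs.items():
        clients = set(seq)
        if len(clients) > 1:
            # A client reappearing after another one means both are active at
            # once; a user who merely changed network shows A then B only.
            report[sid] = {"clients": len(clients),
                           "concurrent": len(seq) > len(clients)}
    return report


if __name__ == "__main__":
    for sid, info in analyze(SAMPLE_LOG).items():
        print(sid, info)
```

A session flagged as concurrent is a signal to invalidate it and require the user to authenticate again; a change of client on its own also happens when a user switches networks or updates a browser.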

Preventing Sidejacking

Today, modern browsers use different cookie protection techniques to prevent sidejacking and similar security weaknesses. In general, it’s essential to use services that employ SSL/TLS data encryption. 

In addition, users can follow some common cyber security hygiene tips, such as: 

  • Avoid using public hotspots when possible 
  • Use a virtual private network (VPN), especially when accessing the internet through public Wi-Fi hotspots without authentication 
  • Opt for websites that employ valid SSL encryption throughout the whole session
  • Make a habit of logging out from websites
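On the website's side, the cookie protection and SSL/TLS encryption mentioned above come down to a few response headers. The following is an added example, not part of the original article, that audits one response for them; the sample responses, the host shop.example and the finding codes are constructed for illustration.

```python
"""Audit a response's cookie hardening against sniffing (added example)."""
from urllib.parse import urlsplit


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie_name, {attribute: value})."""
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_response(url, headers):
    """Return a sorted list of finding codes for one HTTP response.

    headers is a list of (name, value) pairs so that repeated Set-Cookie
    headers are preserved.
    """
    findings = set()
    lowered = [(k.lower(), v) for k, v in headers]
    if urlsplit(url).scheme != "https":
        # The whole response, cookies included, crosses the network in clear text.
        findings.add("plain-http")
    elif not any(k == "strict-transport-security" for k, _ in lowered):
        # Without HSTS the browser may still make a first request over http://.
        findings.add("no-hsts")
    for key, value in lowered:
        if key != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            # The browser will attach this cookie to http:// requests as well.
            findings.add(f"{name}:no-secure")
        if "httponly" not in attrs:
            findings.add(f"{name}:no-httponly")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.add(f"{name}:no-samesite")
    return sorted(findings)


# Constructed sample responses (not captured from any real site).
WEAK = ("http://shop.example/login", [("Set-Cookie", "SESSIONID=abc123; Path=/")])
HARDENED = ("https://shop.example/login", [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
])
```

The Secure attribute is the one that bears directly on sniffing: a cookie without it is sent on any unencrypted request to the same host, even when the login page itself used HTTPS.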

Types of Sidejacking Attacks

What are the most common sidejacking attacks that a malicious user can implement on your session cookies? Here’s a top list, with the names of the sniffing-style attacks often linked to the sniffing tool used. 


The attacker uses the Hamster sniffing tool to find an encrypted cookie and thus intercept the network data exchange.


In the Ferret sidejacking attack, a malicious user uses the Ferret sniffing tool to access session cookies that pass the network at port 80. 

In fact, it was proven by BlackHat that it’s effortless to run a Wi-Fi sidejacking attack by using Ferret and Hamster. When the Ferret tool is run to sniff web cookies transferred by nearby Wi-Fi users, it writes them to hamster.txt. After that, Hamster is run, which is far from a complex tool: it is a small 77K HTTP proxy that clones the cookies from the text file. After the web browser is set to use Hamster as its HTTP proxy, the attacker needs to go to http://hamster and choose one of the listed active web sessions to sidejack Wi-Fi hotspot users.

Firesheep and other exploits

Firesheep was a Firefox plugin released in 2010 that enabled anyone to exploit the HTTP session cookies of another user on an unencrypted public Wi-Fi. In essence, this was HTTP sidejacking. 

Later on, other tools had their brief life online before being identified as sidejacking and taken down. Some of them included the WhatsApp Sniffer, which displayed messages of other users on the same network; DroidSheep, which listened for and extracted HTTP packets sent via a wireless network; the graphical Java app CookieCadger, which automated sidejacking and replayed HTTP requests; and others.



Here are some of the common questions about sidejacking — answered. 

Does VPN prevent session hijacking?

Yes. The VPN hides your IP and creates a secret channel for all of your online actions. 

Can session cookies be hijacked? 

Yes. Sidejacking entails that an attacker is stealing a session cookie. 

How is the theft of cookies used then? 

It allows an attacker to hijack an active web session and impersonate the legitimate user. 

Can cookies steal passwords?

Yes. Attackers want to steal cookies because if there are hashed passwords within a cookie, this gives them immediate access to your profiles without logging in. 

Do you know how to protect your systems from various cyber threats? Crashtest Security’s omnipotent Vulnerability Testing Software is here to help you combat attacks and identify potential security vulnerabilities. 
