The Evolution of Session Hijacking Attacks and Innovations in Prevention Techniques
DOI:
https://doi.org/10.56706/ik.v19i2.128
Keywords:
Session Hijacking, Session Layer, Security, Attack
Abstract
Session hijacking is a serious threat to the security of online communication because it lets an attacker take over a user's authenticated session. This study aims to trace the evolution of session hijacking techniques and to evaluate the effectiveness of the various methods proposed to prevent them. The method is a literature review of publications indexed in IEEE Xplore, Scopus and Google Scholar, searched with keywords on session hijacking and related mitigations. The search covered the period 2012–2024, with inclusion criteria of peer-reviewed articles in English or Indonesian that discuss the attack and its prevention in web, IoT and network contexts. After screening, 32 articles met the criteria. The analysis shows that the dominant attacks are man-in-the-middle (MITM) and sniffing, while the most frequently discussed countermeasures are TLS/HTTPS, hardening of cookie attributes (Secure, HttpOnly, SameSite) and one-time cookies (OTC). Several empirical studies report that OTC gives strong protection against MITM attacks with an average overhead of less than 6 milliseconds per request. The main contributions of this study are a comparative table of mitigation protocols by threat coverage, empirical evidence and implementation cost, and practical recommendations to help system developers choose a suitable combination of methods.
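The abstract names two of the low-cost mitigations it found most often: hardening the session cookie's attributes, and replacing a static session cookie with a one-time, per-request token (OTC). The Python below is an added illustration written for this page; it is not code from the paper or from any of the studies it surveys. It follows the general OTC idea (each request carries an HMAC bound to the method, path, a fresh nonce and a timestamp, keyed with a session key the server re-derives from a master key, so the server keeps no per-session key table and only remembers nonces inside a short window). The 60-second window, the message layout and the sample values are assumptions made here, not parameters from any of the surveyed schemes.

```python
"""Added example: hardened cookie attributes plus an OTC-style per-request token."""
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie
from typing import Optional

TOKEN_WINDOW = 60  # seconds a token stays valid (assumed value for this example)


def hardened_session_cookie(name: str, value: str) -> str:
    """Return a Set-Cookie header carrying Secure, HttpOnly and SameSite=Strict."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["secure"] = True        # never sent over plain HTTP, so a sniffer on the wire sees nothing
    jar[name]["httponly"] = True      # invisible to document.cookie, so script injection cannot read it
    jar[name]["samesite"] = "Strict"  # not attached to cross-site requests (CSRF)
    jar[name]["path"] = "/"
    return jar[name].OutputString()


def request_token(session_key: bytes, method: str, path: str, nonce: str, ts: int) -> str:
    """Client side: one token per request, bound to method, path, nonce and time."""
    msg = f"{method}\n{path}\n{nonce}\n{ts}".encode()
    return hmac.new(session_key, msg, hashlib.sha256).hexdigest()


class OneTimeCookieServer:
    """Server side. Each session key is derived from a master key, so the server
    stores no per-session secrets; it only remembers nonces inside TOKEN_WINDOW."""

    def __init__(self, master_key: Optional[bytes] = None):
        self.master_key = master_key or secrets.token_bytes(32)
        self.used = {}  # session_id -> {nonce: ts}, pruned as tokens expire

    def _session_key(self, session_id: str) -> bytes:
        return hmac.new(self.master_key, session_id.encode(), hashlib.sha256).digest()

    def issue_session(self):
        """Called once at login; the key travels to the client once, over TLS."""
        session_id = secrets.token_hex(16)
        return session_id, self._session_key(session_id)

    def verify(self, session_id, method, path, nonce, ts, token, now=None) -> bool:
        now = int(time.time()) if now is None else now
        if abs(now - ts) > TOKEN_WINDOW:
            return False  # stale or future-dated token
        seen = self.used.setdefault(session_id, {})
        for old in [n for n, t in seen.items() if now - t > TOKEN_WINDOW]:
            del seen[old]  # a nonce older than the window can no longer be replayed
        if nonce in seen:
            return False  # replay of a captured token
        expected = request_token(self._session_key(session_id), method, path, nonce, ts)
        if not hmac.compare_digest(expected, token):
            return False  # forged, or lifted from a different request
        seen[nonce] = ts
        return True


def demo() -> dict:
    """Constructed scenario: a legitimate request, then the three things an
    attacker who sniffed that request's token can try."""
    server = OneTimeCookieServer()
    sid, key = server.issue_session()
    now = 1_700_000_000  # fixed clock so the run is reproducible
    nonce = secrets.token_hex(8)
    tok = request_token(key, "GET", "/account", nonce, now)
    stale_tok = request_token(key, "GET", "/account", secrets.token_hex(8), now)
    return {
        "first_use": server.verify(sid, "GET", "/account", nonce, now, tok, now),
        "replay": server.verify(sid, "GET", "/account", nonce, now, tok, now + 1),
        "other_request": server.verify(sid, "POST", "/transfer", nonce, now, tok, now),
        "stale": server.verify(sid, "GET", "/account", nonce, now, stale_tok,
                               now + TOKEN_WINDOW + 5),
    }


if __name__ == "__main__":
    print(hardened_session_cookie("sid", "3f9a"))
    print(demo())
```

The cookie helper covers the sniffing and script-theft paths; the token scheme covers the case where an attacker still captures a request, since the captured value authenticates only that one method and path, once, and only within the window. What the scheme does not cover is an attacker who obtains the session key itself, which is why it is paired with TLS rather than offered as a substitute for it.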
License
Copyright (c) 2025 Info Kripto

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.