Session Hijacking Tests

Purpose and Scope

The Session Hijacking Tests module validates WebSocket session security by performing six specialized attack scenarios that exploit common session management vulnerabilities. This module is part of WSHawk's offensive testing capabilities and focuses exclusively on session-layer security issues including token reuse, impersonation, and privilege escalation.

For general vulnerability detection (SQL injection, XSS, etc.), see Vulnerability Detection Modules. For browser-based verification methods, see Advanced Verification: Playwright and OAST.

Sources: wshawk/session_hijacking_tester.py L1-L13

README.md L26

CHANGELOG.md L64


Module Architecture

The session hijacking testing system operates independently from the main vulnerability scanner but integrates into the overall WSHawk scanning workflow through the WSHawkV2 scanner class.

System Component Diagram

Sources: wshawk/session_hijacking_tester.py L48-L90

wshawk/session_hijacking_tester.py L116-L146


SessionHijackingTester Class

The SessionHijackingTester class is instantiated with a target URL and optional authentication configuration. It maintains state across test executions including captured tokens, session data, and test results.

Class Structure

| Component | Type | Purpose |
| --- | --- | --- |
| target_url | str | WebSocket endpoint to test |
| auth_config | Optional[Dict] | Authentication flow configuration |
| results | List[SessionTestResult] | Accumulated test results |
| captured_tokens | Dict[str, str] | Tokens extracted during testing |
| captured_sessions | List[Dict] | Session metadata from responses |
| user_sessions | Dict[str, Dict] | User ID to session data mapping |

Sources: wshawk/session_hijacking_tester.py L61-L90

Authentication Configuration

The module supports flexible authentication through the auth_config parameter, which can specify custom field names and payloads:

The _get_auth_payload() method generates authentication messages based on this configuration.

Sources: wshawk/session_hijacking_tester.py L61-L114

CHANGELOG.md L44-L48


Vulnerability Test Types

The module implements six distinct session security tests, each corresponding to a SessionVulnType enum value.

SessionVulnType Enumeration

Sources: wshawk/session_hijacking_tester.py L26-L33


Test 1: Token Reuse

Attack Scenario

Tests whether authentication tokens remain valid after the session that generated them has been terminated. This vulnerability allows attackers to hijack sessions by capturing and reusing tokens.

Test Workflow

Implementation Details

The test performs two-stage authentication:

  1. Token Capture: Authenticates normally and extracts the token from the response using _extract_token() which searches for common field names (token, auth_token, session_token) or uses regex pattern matching.
  2. Token Reuse: Closes the first connection, waits 1 second, opens a new connection, and attempts to authenticate using only the captured token.

CVSS Score: 7.5 (HIGH) if vulnerable

Sources: wshawk/session_hijacking_tester.py L148-L198

wshawk/session_hijacking_tester.py L458-L466


Test 2: Subscription Spoofing

Attack Scenario

Validates whether users can subscribe to channels they lack authorization to access, including administrative channels, other users' private channels, or system-internal channels.

Test Channels

| Channel Pattern | Purpose |
| --- | --- |
| admin | Administrative channel |
| private_user_123 | Specific user's private channel |
| system | System-level channel |
| internal | Internal communication channel |
| ../admin | Path traversal attempt |
| user/admin | Nested admin access |

Vulnerability Detection Logic

CVSS Score: 8.1 (HIGH) if vulnerable

Sources: wshawk/session_hijacking_tester.py L200-L251

wshawk/session_hijacking_tester.py L489-L498


Test 3: Impersonation

Attack Scenario

Tests whether authenticated users can perform actions while impersonating other users by manipulating user-identifying fields in WebSocket messages.

Impersonation Attack Vectors

The test attempts four common impersonation patterns where the client specifies user identifiers that differ from their authenticated identity. Successful attacks indicate the server trusts client-provided user data without server-side validation.

CVSS Score: 9.1 (CRITICAL) if vulnerable

Sources: wshawk/session_hijacking_tester.py L253-L305

wshawk/session_hijacking_tester.py L500-L503


Test 4: Channel Boundary Violations

Attack Scenario

Attempts to access other users' private channels, direct messages, or restricted resources through channel path manipulation.

Violation Attempts

| Attack Pattern | Target Resource |
| --- | --- |
| {"action": "read", "channel": "user:user2:private"} | User-specific private channel |
| {"action": "read", "channel": "user:admin:messages"} | Admin user messages |
| {"action": "subscribe", "channel": "private:user2"} | Another user's private namespace |
| {"action": "get_history", "channel": "dm:user2_user3"} | Third-party direct messages |

The _contains_private_data() helper validates whether responses contain data that should be restricted, checking for:

  • Common private data indicators (private, message, data, content, user)
  • Response length > 50 characters (indicates actual data rather than error message)

CVSS Score: 8.6 (HIGH) if vulnerable

Sources: wshawk/session_hijacking_tester.py L307-L356

wshawk/session_hijacking_tester.py L505-L508


Test 5: Session Fixation

Attack Scenario

Tests whether attackers can force victims to use a predetermined session ID, enabling session hijacking by knowing the session identifier in advance.

Attack Methodology

The test generates a predictable session ID (hashlib.md5(b"attacker_session").hexdigest()) and attempts three common patterns for submitting it to the server. If the server echoes back the attacker's session ID, it indicates the server accepts client-controlled session identifiers.
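Added example, not part of WSHawk: a minimal server-side session registry showing the two properties that Test 1 and Test 5 probe for, a token that is revoked as soon as its connection closes and a session identifier the server always mints itself rather than accepting from the client. SessionRegistry, demo() and the method names are hypothetical; the only value taken from the page is the md5("attacker_session") identifier the fixation test submits.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Added example, not WSHawk's code: a minimal server-side session registry with the
# two properties Test 1 (token reuse) and Test 5 (session fixation) probe for.
# SessionRegistry and its methods are hypothetical names, not any framework's API.

@dataclass
class Session:
    user: str
    active: bool = True  # cleared when the owning WebSocket connection closes

class SessionRegistry:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def authenticate(self, user: str, requested_session_id: Optional[str] = None) -> str:
        """Issue a session token after a successful login. Any client-supplied id is
        ignored: the server mints a fresh, unpredictable token, so a fixation attempt
        cannot pre-seed the identifier the victim ends up using."""
        del requested_session_id  # accepted for wire compatibility, never trusted
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user=user)
        return token

    def on_disconnect(self, token: str) -> None:
        """Revoke the token as soon as the connection that received it closes."""
        sess = self._sessions.get(token)
        if sess is not None:
            sess.active = False

    def resume(self, token: str) -> Optional[str]:
        """Return the user for a token presented on a new connection, or None
        if the token is unknown or has been revoked."""
        sess = self._sessions.get(token)
        return sess.user if sess is not None and sess.active else None

def demo() -> Dict[str, bool]:
    reg = SessionRegistry()
    attacker_id = hashlib.md5(b"attacker_session").hexdigest()  # predictable id from Test 5
    token = reg.authenticate("user1", requested_session_id=attacker_id)
    valid_while_connected = reg.resume(token) == "user1"
    reg.on_disconnect(token)  # first connection closes, as in Test 1
    return {
        "fixation_rejected": token != attacker_id,
        "valid_while_connected": valid_while_connected,
        "reuse_after_close_rejected": reg.resume(token) is None,
    }
```

A registry that echoed requested_session_id back, or left active set after on_disconnect, would be reported by Test 5 or Test 1 respectively.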

CVSS Score: 7.8 (HIGH) if vulnerable

Sources: wshawk/session_hijacking_tester.py L358-L400


Test 6: Privilege Escalation

Attack Scenario

Tests whether users can elevate their privileges through session manipulation by modifying role or permission fields in WebSocket messages.

Escalation Vectors

| Attack Type | Payload Structure | Target |
| --- | --- | --- |
| Role Update | {"action": "update_role", "role": "admin"} | Direct role modification |
| Permission Set | {"action": "set_permissions", "permissions": ["admin", "write", "delete"]} | Bulk permission grant |
| Elevation | {"action": "elevate", "to": "admin"} | Explicit elevation request |
| Auth Override | {"action": "login", "username": "user1", "password": "pass1", "role": "admin"} | Role injection at login |

The _has_elevated_privileges() helper detects successful escalation by searching for privilege indicators in responses:

  • admin, elevated, role, permissions, granted

CVSS Score: 9.8 (CRITICAL) if vulnerable

Sources: wshawk/session_hijacking_tester.py L402-L454

wshawk/session_hijacking_tester.py L510-L513


Test Result Data Structure

Each test generates a SessionTestResult dataclass instance containing structured vulnerability information.

SessionTestResult Fields

| Field | Type | Purpose |
| --- | --- | --- |
| vuln_type | SessionVulnType | Enum identifying the vulnerability category |
| is_vulnerable | bool | Whether the vulnerability was confirmed |
| confidence | str | Confidence level: LOW, MEDIUM, HIGH, CRITICAL |
| description | str | Human-readable vulnerability description |
| evidence | Dict | Captured evidence (responses, payloads, etc.) |
| recommendation | str | Remediation guidance |
| cvss_score | float | CVSS v3.1 base score (0.0-10.0) |

Sources: wshawk/session_hijacking_tester.py L36-L45


Helper Methods

The module includes several helper methods that extract and validate session-related data from WebSocket responses.

Extraction Methods

Validation Methods

| Method | Purpose | Success Indicators | Error Indicators |
| --- | --- | --- | --- |
| _is_auth_success() | Detect successful authentication | success, authenticated, logged in, token, welcome | - |
| _is_subscription_success() | Detect successful channel subscription | subscribed, joined, success, channel | error, denied, unauthorized, forbidden |
| _is_error_response() | Detect error/rejection | error, denied, unauthorized, forbidden, invalid, failed | - |
| _contains_private_data() | Detect private data leak | private, message, data, content, user (length > 50) | - |
| _has_elevated_privileges() | Detect privilege elevation | admin, elevated, role, permissions, granted | - |
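Added example, not WSHawk's code: the keyword heuristics from the table above, implemented as described, next to a stricter JSON-aware check (has_elevated_privileges_strict, a hypothetical name) that removes the false positive a rejection message such as "role admin required" produces under the plain keyword match. The sample responses are constructed, not captured from any target.

```python
import json
from typing import Any, Dict

# Added example, not WSHawk's code: keyword heuristics as described in the
# validation table, plus a stricter JSON-aware privilege check. A rejection
# message that names the missing role satisfies the keyword match alone.

ERROR_WORDS = ("error", "denied", "unauthorized", "forbidden", "invalid", "failed")
PRIV_WORDS = ("admin", "elevated", "role", "permissions", "granted")
PRIVATE_WORDS = ("private", "message", "data", "content", "user")

def is_error_response(resp: str) -> bool:
    low = resp.lower()
    return any(w in low for w in ERROR_WORDS)

def has_elevated_privileges_naive(resp: str) -> bool:
    """Keyword match as described for _has_elevated_privileges()."""
    low = resp.lower()
    return any(w in low for w in PRIV_WORDS)

def contains_private_data_naive(resp: str) -> bool:
    """Keyword match plus the length > 50 rule of _contains_private_data()."""
    low = resp.lower()
    return len(resp) > 50 and any(w in low for w in PRIVATE_WORDS)

def has_elevated_privileges_strict(resp: str) -> bool:
    """Flag only non-error responses whose parsed role/permissions field is
    actually elevated; non-JSON bodies fall back to the keyword heuristic."""
    if is_error_response(resp):
        return False
    try:
        doc: Any = json.loads(resp)
    except json.JSONDecodeError:
        return has_elevated_privileges_naive(resp)
    if not isinstance(doc, dict):
        return False
    perms = doc.get("permissions")
    perms = [str(p).lower() for p in perms] if isinstance(perms, list) else []
    return str(doc.get("role", "")).lower() == "admin" or "admin" in perms

def classify(resp: str) -> Dict[str, bool]:
    """Run every heuristic over one response so the verdicts can be compared."""
    err = is_error_response(resp)
    return {
        "error": err,
        "priv_naive": has_elevated_privileges_naive(resp),
        "priv_strict": has_elevated_privileges_strict(resp),
        "private_naive": contains_private_data_naive(resp),
        "private_strict": contains_private_data_naive(resp) and not err,
    }

# Constructed sample responses (not captured from any real target).
DENIED = '{"error": "permission denied: role admin required for update_role"}'
GRANTED = '{"status": "ok", "user": "user1", "role": "admin", "permissions": ["admin", "write"]}'
LEAK_LIKE_ERROR = '{"error": "unauthorized: user may not read channel user:user2:private"}'
```

Checking the error indicators first and inspecting the parsed field is the cheapest way to keep a long, wordy rejection message from being reported as a confirmed finding.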

Sources: wshawk/session_hijacking_tester.py L458-L513


Report Generation

The generate_report() method aggregates all test results into a structured report suitable for inclusion in WSHawk's HTML output.

Report Structure

The report only includes entries where is_vulnerable == True, filtering out negative test results to focus on actionable findings.

Sources: wshawk/session_hijacking_tester.py L515-L540


Integration with Scanner

The SessionHijackingTester is invoked from the main WSHawkV2 scanner during comprehensive scans.

Execution Flow

Session hijacking tests are typically executed after vulnerability detection tests but before report generation, allowing the scanner to consolidate all findings into a single comprehensive report.

Sources: wshawk/session_hijacking_tester.py L116-L146


CVSS Scoring Matrix

Each vulnerability type has an associated CVSS v3.1 base score reflecting its severity:

| Vulnerability Type | CVSS Score | Severity | Rationale |
| --- | --- | --- | --- |
| Token Reuse | 7.5 | HIGH | Allows session hijacking post-logout |
| Subscription Spoofing | 8.1 | HIGH | Unauthorized access to sensitive channels |
| Impersonation | 9.1 | CRITICAL | Complete identity takeover |
| Channel Violations | 8.6 | HIGH | Privacy breach, unauthorized data access |
| Session Fixation | 7.8 | HIGH | Enables predictable session hijacking |
| Privilege Escalation | 9.8 | CRITICAL | Complete authorization bypass |

These scores are hardcoded in the result creation logic within each test method.

Sources: wshawk/session_hijacking_tester.py L191

wshawk/session_hijacking_tester.py L244

wshawk/session_hijacking_tester.py L298

wshawk/session_hijacking_tester.py L349

wshawk/session_hijacking_tester.py L390

wshawk/session_hijacking_tester.py L447


Standalone Usage

The module can be executed independently for dedicated session security testing:

The module includes a complete standalone test harness at the bottom of the file for direct execution.

Sources: wshawk/session_hijacking_tester.py L544-L572


Version History

Session hijacking testing was introduced in WSHawk v2.0.0 as part of the major rewrite. Key changes:

  • v2.0.3: Made authentication configurable via auth_config parameter, removing hardcoded credentials
  • v2.0.0: Initial implementation with 6 security tests

Sources: CHANGELOG.md L44-L48

CHANGELOG.md L64