Category: Account & Session Attacks
Browse threats in this category, plus related secure app guides and AI security pages. Each threat page focuses on how the risk shows up in the browser and what isolation changes.
At a glance
- 5 threats in this category
- Last updated: 2026-01-29
Common themes
- account takeover
- cookies
- session
- browser
- identity
- tokens
- auth
- credential stuffing
Threats in Account & Session Attacks
- Cookie theft is when attackers steal session cookies from a browser to impersonate a user and access accounts without the password.
- Credential stuffing is when attackers use leaked username/password pairs to automatically try logins across many sites until one works.
- Man-in-the-browser (MitB) attacks use malware or malicious extensions to manipulate what a user sees in the browser and to steal data from inside sessions.
- Session fixation is when an attacker forces a victim to use a session identifier the attacker already knows, then takes over that session after the victim authenticates.
- Session hijacking is when an attacker steals or reuses a valid session cookie/token to act as the user without needing the password again.