Ethical Hacking and Penetration Testing Guide



Session Attacks
All session attacks revolve around compromising the session token/ID. A session ID is a unique token that identifies a user on a particular website. A session token is assigned when a user browses or logs in to a website. It is issued by the web server to a client and is then used to keep track of the client's activity or to assign certain privileges in the web application.
On the client side, the session token is stored as an HTTP cookie (issued by the server in the Set-Cookie header) and is sent back to the server, either in the Cookie header or as a GET/POST parameter, with every request the client makes. A session ID is by no means an authentication credential; however, it is used in place of the password to authorize a user once they have logged in. Since a session token is what identifies you to the server, an attacker who somehow obtains your token can easily impersonate you.
There are several ways to compromise a session token. In the "Network Sniffing" chapter (Chapter 6), we looked at how an attacker can perform an MITM attack to steal unencrypted tokens going across the wire. In this section, we will take a look at two more attacks on sessions, namely, session fixation and session ID prediction.
Guessing Weak Session ID
As we discussed before, a session token/ID is very critical to the user because if an attacker gets hold of it, he would be able to take over the session. Therefore, it's very important to make sure that the session ID is random and cannot be predicted or guessed by brute force attacks. It should expire after a certain period of inactivity; also, a single session should be locked to a single IP address, making it even more difficult for an attacker to reuse the session ID.
If you are relying upon the built-in session libraries of PHP, JSP, etc., to generate tokens, then there should be no issues, since they provide a good amount of entropy (randomness). However, if you are generating your own session tokens, then you should make sure that the generated tokens are random and cannot be easily guessed.
Let's talk about how we can analyze the randomness of tokens by using Burp Suite's Sequencer tool.
Step 1—Our first step would be to capture the response from the target application, which would contain the Set-Cookie header carrying our session ID.
Step 2—Next, we would feed the response into Burp Sequencer, and it will automatically extract the session token from it. If it doesn't, select the session ID from the cookie field manually.
Step 3—Next, we will click on "Start Live Capture," and it will start capturing tokens: it strips the cookie from each HTTP request it sends, so the response that comes back from the web server contains a newly generated session token.
Step 4—Once it has generated a minimum of 1000 tokens, click on "Analyze now"; the more tokens generated, the better the analysis will be.
As we can see, the effective entropy is estimated to be 112 bits, which is a fairly good amount of randomness for session tokens, considering that we captured around 1.7k requests. At the bottom of the "Summary" tab, you will see a reliability section, which gives more details about the analysis of the session tokens.
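To show what the Sequencer analysis is measuring, here is an added example (not from the book or from Burp Suite) that generates tokens the recommended way with the OS CSPRNG, builds a constructed batch of weak counter-based tokens for comparison, and runs a simple character-level entropy estimate plus a sequential-step check over both batches. The entropy routine is a rough stand-in for Sequencer's tests, not a reimplementation of them.

```python
import math
import secrets
from collections import Counter

def generate_session_id(nbytes: int = 16) -> str:
    """Recommended: draw the token from the OS CSPRNG (128 bits here)."""
    return secrets.token_hex(nbytes)

def weak_session_id(counter: int) -> str:
    """Constructed weak token: a zero-padded request counter in hex.
    Illustrates the 'roll your own' mistake; never use in practice."""
    return f"{counter:032x}"

def positional_entropy_bits(tokens):
    """Sum of Shannon entropy (bits) over each character position.
    Assumes fixed-length tokens and gives only an upper bound, since it
    ignores correlations between positions (Sequencer tests for more)."""
    n = len(tokens)
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all tokens must have the same length")
    total = 0.0
    for pos in range(length):
        counts = Counter(t[pos] for t in tokens)
        total += -sum(c / n * math.log2(c / n) for c in counts.values())
    return total

def looks_sequential(tokens):
    """True if every token equals the previous one plus a constant step
    when read as a hex integer: an obvious predictability signal."""
    values = [int(t, 16) for t in tokens]
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) == 1

def compare(sample_size: int = 2000):
    """Analyze a constructed batch of strong and weak tokens."""
    strong = [generate_session_id() for _ in range(sample_size)]
    weak = [weak_session_id(i) for i in range(sample_size)]
    return {
        "strong_bits": positional_entropy_bits(strong),
        "strong_sequential": looks_sequential(strong),
        "weak_bits": positional_entropy_bits(weak),
        "weak_sequential": looks_sequential(weak),
    }

if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: {v:.1f}" if isinstance(v, float) else f"{k}: {v}")
```

With 2000 samples the CSPRNG batch estimates close to the 128-bit maximum for 32 hex characters, while the counter batch yields only a handful of bits and is flagged as sequential.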