Ethical Hacking and Penetration Testing Guide




Session Fixation Attacks
A session fixation attack is another popular attack that is often misunderstood by newbies. In a session fixation attack, the attacker forces a session ID to be attached to the victim's account. To force the session ID, the victim must click on an attacker's specially crafted link. This attack is a bit difficult from an exploitation perspective since it requires user interaction. Another thing to note is that this attack is possible only if you have a token that is already known to you. As discussed before, it is not necessary that a session token be assigned only when we log into a website; it may also be assigned before we log in, when we make the first request to the webserver, as this is how some applications are designed.
Requirements for This Attack
- An attacker must be able to set/assign a valid session ID via a GET request, and the application should accept it.
- The victim must click on the attacker's specially crafted link, which would assign the victim's account the session ID that the attacker set in the GET request.
How the Attack Works
1. An attacker browses a website "Target.com" and has been assigned a session token "abcde" by the webserver. Note that the attacker is not logged in. The URL is as follows:
   http://target.com/session.php?token=abcde
2. The attacker now sends this URL to the victim. Suppose that the victim is already authenticated on target.com and has been assigned a session ID of "abcdef." When the victim clicks on the link, a cookie is set in the victim's browser containing the attacker's session ID "abcde."
3. The attacker now refreshes the page and is logged in to the victim's account, since the token is already known to the attacker.
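An added example (not from the book) in Python, modelling the session handling the text describes: the vulnerable handler adopts the token from the GET request, as the text's session.php does, beside a hardened version that ignores URL-supplied IDs and regenerates the session ID at login. The in-memory store, the function names and the "abcde" token flow are constructed for illustration.

```python
import secrets

class SessionStore:
    """In-memory session table: session_id -> {"user": name or None}."""
    def __init__(self):
        self.sessions = {}

    def new_session(self):
        sid = secrets.token_urlsafe(16)  # server-chosen, unguessable ID
        self.sessions[sid] = {"user": None}
        return sid

def vulnerable_request(store, query_token, cookie_sid):
    """Models session.php?token=...: an ID supplied in the GET request is
    adopted as the session and echoed back in the cookie (fixation)."""
    sid = query_token or cookie_sid or store.new_session()
    store.sessions.setdefault(sid, {"user": None})
    return sid  # value the server would write to Set-Cookie

def vulnerable_login(store, sid, user):
    """Authenticates the existing (possibly attacker-chosen) session."""
    store.sessions[sid]["user"] = user
    return sid

def hardened_request(store, query_token, cookie_sid):
    """Ignores any session ID in the URL; only a cookie the server itself
    issued is honoured, anything else gets a fresh session."""
    if cookie_sid in store.sessions:
        return cookie_sid
    return store.new_session()

def hardened_login(store, sid, user):
    """Regenerates the session ID at authentication, so an ID known before
    login never identifies the authenticated session."""
    store.sessions.pop(sid, None)
    new_sid = store.new_session()
    store.sessions[new_sid]["user"] = user
    return new_sid

def demo(vulnerable):
    """Replays the scenario with the constructed token 'abcde': the victim
    follows the link, then signs in. Returns the user the attacker-known ID
    resolves to afterwards (None means the fixation was defeated)."""
    store = SessionStore()
    req, login = ((vulnerable_request, vulnerable_login) if vulnerable
                  else (hardened_request, hardened_login))
    sid = req(store, "abcde", None)  # victim's browser follows the crafted link
    login(store, sid, "victim")      # victim authenticates on that session
    return store.sessions.get("abcde", {}).get("user")
```

The two properties worth checking in a review are the ones demo() isolates: whether a client-supplied identifier is ever accepted as a session, and whether the identifier changes when the session's privilege level changes.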
