Ethical Hacking and Penetration Testing Guide
Yüklə 22,44 Mb. Pdf görüntüsü
|
- Bu səhifədəki naviqasiya:
- Guessing Weak Session ID
|
339
Session Attacks All session attacks revolve around compromising the session token/ID. A session id is a unique piece of token that is used to identify a user on a particular website. A session token is assigned when a user browses a website or logs in to a website. It is assigned by the webserver to a client, which is then used to keep a track of the activities or for assigning certain privileges on web application. On the client side, a session token is stored as an HTTP cookie and may be sent via GET/ POST or via set-cookie header to the server upon every request the client makes to the server. A session ID by no means is an authorization credential; however, it could be used in place for authorizing a user without requiring the password. Since a session token is used to identify yourself to the server, an attacker who was able to obtain your token somehow can easily impersonate you. There are several ways to compromise a session token. In the “Network Sniffing” chapter (Chapter 6), we looked at how an attacker can perform an MITM attack to steal unencrypted tokens going across the wire. In this section, we will take a look at two more attacks on sessions, namely, session fixation and session ID prediction. Guessing Weak Session ID As we discussed before, a session token/ID is very critical to the user because if an attacker gets hold of it, he would be able to take over the session. Therefore, it’s very important to make sure that the session ID is random and cannot be predicted or guessed by brute force attacks. It should expire after a certain time of inactivity; also a single session should be locked to a single IP address , making it even more difficult for an attacker to reuse the session ID. If you are relying upon PHP, JSP, etc., libraries to generate tokens, then there should be no issues with since they have a good amount of entropy or randomness. However, if you are gener- ating your own session tokens, then you should make sure that the generated tokens are random and cannot be easily guessed. Let’s talk about how we can analyze the randomness of tokens by using burp suite’s sequencer tool. Step 1 —Our first step would be to capture the response from the target application, which would contain the set-cookie header having our session ID. 340 ◾ Ethical Hacking and Penetration Testing Guide Step 2 —Next, we would feed the response in burp sequencer, and it will automatically extract the session token from it. If it doesn’t, select the session ID from the cookie field. Step 3 —Next, we will click on “Start Live Capture,” and it will start capturing the tokens; it will strip the set-cookie header from the http request, and as the response comes from the webserver, it would contain a newly generated session token. Web Hacking ◾ 341 Step 4 —Once it generates a minimum of 1000 tokens, click on “Analyze now”; the more the number of the tokens generated, the better the analysis would be. As we can see, the effective entropy is estimated to be 112 bits, which is a fairly good amount of randomness for session tokens considering the fact that we captured around 1.7k requests. At the bottom of the “Summary” tab, you would see a reliability session, which will tell you more details about the session tokens. Yüklə 22,44 Mb. Dostları ilə paylaş:
|