Hackt3r

Session Management

Hello everyone, hope you are doing well.


Today we will be talking about different session-related vulnerabilities. Hang on till the end, because I have a lot to talk about 😉


What is a Cookie?

Cookies are client-side files that store the user's information on the local machine and cannot be accessed by others. Whenever a user signs in to a web application, it stores a large amount of data on the user's local machine in the form of cookies, which hold information about the user's activity and browsing within the application. They are not very secure, because the information in them is stored in plain text.



What is a Session?

Sessions are server-side files that store the user's information on the web application's server. Put simply, a session is the period of time during which a user interacts with the application. A session starts when the user logs in and ends when the user logs out or shuts down the system. Since HTTP does not keep track of user information by itself, there needs to be a mechanism that recognizes the user and allows them to use the application without restriction; sessions exist to cover that gap. Every session has a unique session ID, and it is stored on the server.


Most commonly found Session Vulnerabilities

Authentication Bypass

This is the easiest attack to perform. All we need to do is capture the authentication request in Burp and manipulate it.


Try changing the parameters:

  • 0 -> 1

  • failure -> success

  • failure -> “ ” (replace failure with an empty value, and also try a single space)

  • 4xx -> 200 OK

  • Another way is to log in as user1, capture the cookie and log out.

  • Now log in as user2, but with a wrong password.

  • Capture the request and change the cookie to user1's valid cookie.

  • If the application logs you in, you are logged in as user1 without their username/password.

  • You can also switch the cookie midway through a particular action from user1's to user2's. The application should not allow this.

Clear-text Transmission of Session Token
  • While you are being authenticated, simply check whether the session token is being sent in clear text.

  1. Capture the authentication request in Burp and verify that the session token is encrypted. Capture the application's requests wherever the session token is used and verify that it is encrypted everywhere.

  2. Also check that the session token is not sent in the URL in clear text.

Failure to Invalidate Session
  1. Log in to the application in two different browsers, change the password in one browser and see whether you get logged out in the other browser. If not, report it.

  2. Log in to the application and log out immediately. Press the back button in your browser and refresh the page. If you are still authenticated as the user, report it.

  3. Log in with two accounts in two different browsers. Exchange the cookies or session tokens of the two users and validate their requests. If they are accepted, report it.

  4. Log in to the application and capture the session token. Log out of the application. Now log in again, but this time capture the request and add the previous session token. This token should not be accepted, because once the user logs out the session token should be destroyed. If the application accepts it, that means the session token is not destroyed.
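The behaviour these four checks look for can be pinned down in code. The following is an added example, not code from the original post: a minimal server-side session store in Python that binds each random session ID to one account (the mechanism the "What is a Session?" section describes), destroys the ID on logout so a replayed token fails, and terminates a user's other sessions when the password changes. The class, function and constant names and the 30-minute idle timeout are assumptions made for the example.

```python
# Added example (not from the original post): a minimal server-side session
# store that behaves the way the invalidation checks above expect. All names
# are hypothetical; a real application would keep the store in a database
# or cache rather than a dict.
import secrets
import time

SESSION_TTL = 30 * 60  # idle timeout in seconds (assumed value)


class SessionStore:
    def __init__(self):
        # session_id -> {"user": str, "last_seen": float}
        self._sessions = {}

    def create(self, user):
        # Cryptographically random, unpredictable ID: never derived from the
        # username, a counter or the clock.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": time.time()}
        return sid

    def resolve(self, sid, now=None):
        """Return the user bound to sid, or None if the ID is unknown,
        destroyed or idle past SESSION_TTL. Identity comes only from the
        server-side record, never from anything else in the request."""
        now = time.time() if now is None else now
        record = self._sessions.get(sid)
        if record is None:
            return None
        if now - record["last_seen"] > SESSION_TTL:
            self.destroy(sid)
            return None
        record["last_seen"] = now
        return record["user"]

    def destroy(self, sid):
        # Logout handler: remove the record so a replayed token fails.
        self._sessions.pop(sid, None)

    def destroy_others(self, user, keep):
        # Password-change handler: terminate every other session of this
        # user so the second browser in check 1 is logged out.
        stale = [s for s, r in self._sessions.items()
                 if r["user"] == user and s != keep]
        for s in stale:
            del self._sessions[s]


def demo():
    """Walk through checks 1 to 4 above on a constructed scenario;
    every value in the returned dict should be True."""
    store = SessionStore()
    alice_b1 = store.create("alice")   # alice, browser 1
    alice_b2 = store.create("alice")   # alice, browser 2
    bob = store.create("bob")
    results = {}
    # Check 3: each token is bound server-side to exactly one account,
    # so presenting bob's token never yields alice's identity.
    results["bob_token_is_bob"] = store.resolve(bob) == "bob"
    # Check 1: alice changes her password in browser 1; browser 2 is gone.
    store.destroy_others("alice", keep=alice_b1)
    results["other_browser_logged_out"] = (store.resolve(alice_b2) is None
                                          and store.resolve(alice_b1) == "alice")
    # Checks 2 and 4: after logout the old token must not work again.
    store.destroy(alice_b1)
    results["replayed_token_rejected"] = store.resolve(alice_b1) is None
    # Idle timeout: bob's session is rejected once SESSION_TTL has passed.
    results["expired_rejected"] = (
        store.resolve(bob, now=time.time() + SESSION_TTL + 1) is None)
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'pass' if ok else 'FAIL'}")
```

The point of `resolve` is that the only input it takes from the client is the opaque ID; the account, the expiry and whether the session still exists all live on the server, which is why none of the swaps or replays described above change who the server thinks is logged in.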

Missing Secure or HttpOnly Cookie Flag

If the HttpOnly attribute is set on a cookie, the cookie’s value cannot be read or altered by client-side JavaScript. This reduces the risk of client-side attacks such as XSS, since without the flag a cookie can be captured by injecting a simple script.
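As an added example (not code from the original post), the Python below builds a hardened Set-Cookie header and audits response headers for the flags this section and the clear-text transmission section describe: HttpOnly, Secure (which tells the browser to send the cookie only over HTTPS, so it is never transmitted in clear text) and, going one step beyond the post, SameSite. It also flags a session token carried in a URL query string. Cookie names, URLs and the helper names are assumptions for the example.

```python
# Added example (not from the original post): emit a hardened session cookie
# and audit Set-Cookie headers / URLs for the flags described above.
# Cookie names and URLs are constructed for the demonstration.
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

SESSION_COOKIE_NAMES = ("session", "sessionid")  # assumed names to look for


def build_session_cookie(name, value, max_age=1800):
    """Set-Cookie value with the flags a session cookie should carry:
    HttpOnly keeps it out of document.cookie, Secure restricts it to
    HTTPS, SameSite=Lax limits cross-site sending, Path scopes it."""
    return (f"{name}={value}; Path=/; Max-Age={max_age}; "
            f"HttpOnly; Secure; SameSite=Lax")


def audit_set_cookie(header_value, session_names=SESSION_COOKIE_NAMES):
    """Return findings for one Set-Cookie header value; an empty list
    means every session cookie in it carries all three flags."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings = []
    for name, morsel in jar.items():
        if name.lower() not in session_names:
            continue   # only session-bearing cookies need these flags
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly")
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure")
        if not morsel["samesite"]:
            findings.append(f"{name}: missing SameSite")
    return findings


def token_in_url(url, session_names=SESSION_COOKIE_NAMES):
    """Names of session parameters found in the query string: a token in
    the URL ends up in server logs, browser history and Referer headers."""
    query = parse_qs(urlsplit(url).query)
    return [k for k in query if k.lower() in session_names]


if __name__ == "__main__":
    # Constructed sample headers, one hardened and one weak.
    print(audit_set_cookie(build_session_cookie("session", "abc123")))
    print(audit_set_cookie("session=abc123; Path=/"))
    print(token_in_url("https://app.example/home?sessionid=abc123&page=2"))
```

Run `audit_set_cookie` over every Set-Cookie header a response carries, not just the login response: a flag that is set at login but missing when the cookie is refreshed later is the kind of inconsistency the "verify it is encrypted everywhere" step above is hunting for.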


Some other checks that can be performed

  • Ensure randomness in cookies and their values

  • Modify the cookie values and see whether they are validated

  • Remove the token and check the response
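These last three checks, together with the parameter and cookie edits described under Authentication Bypass, all come back negative against a server that derives identity from something it can verify. As an added example (not code from the original post), the Python below contrasts a handler that trusts a `loggedin` flag and a `user` name taken straight from the cookie with one that accepts only an HMAC-signed token containing a random value, rejecting a missing or edited token with 401. Key handling, cookie names and handler names are hypothetical; the secret key is generated at import time only for the demonstration.

```python
# Added example (not from the original post): a cookie the server can
# actually validate, next to the anti-pattern it replaces. Key handling,
# cookie names and handler names are hypothetical.
import base64
import hashlib
import hmac
import secrets

# Assumed: a real deployment loads this from configuration; generating it
# at import time (as here, for the demo) would invalidate every cookie on
# each restart.
SECRET_KEY = secrets.token_bytes(32)


def _mac(payload, key):
    digest = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def issue_token(user_id, key=SECRET_KEY):
    """Random session value bound to the account and protected by an HMAC.
    The random part makes the token unpredictable; the MAC makes any edit
    detectable. Neither part encodes privileges the client could raise."""
    payload = f"{user_id}:{secrets.token_urlsafe(24)}"
    return payload + "." + _mac(payload, key)


def verify_token(token, key=SECRET_KEY):
    """Return the user_id if the token is intact, else None."""
    if not token or "." not in token:
        return None
    payload, _, sig = token.rpartition(".")
    expected = _mac(payload, key)
    # Constant-time comparison so timing does not leak how much matched.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    return payload.split(":", 1)[0]


def insecure_handler(cookies):
    """Anti-pattern: trusts whatever the client put in its cookies, so
    editing loggedin=0 to 1 or changing the user name is enough."""
    if cookies.get("loggedin") == "1":
        return 200, cookies.get("user")
    return 401, None


def secure_handler(cookies):
    """Identity comes only from a token whose MAC verifies; a missing,
    truncated or edited token is rejected with 401."""
    user = verify_token(cookies.get("session"))
    if user is None:
        return 401, None
    return 200, user


if __name__ == "__main__":
    tok = issue_token("alice")                      # constructed account
    print(secure_handler({"session": tok}))          # (200, 'alice')
    print(secure_handler({}))                        # (401, None): token removed
    print(secure_handler({"session": "admin" + tok[5:]}))  # (401, None): edited
```

A signed token of this kind is still not a substitute for the server-side store shown earlier when logout or password change must revoke it, since the signature stays valid until the key rotates; the two approaches are commonly combined by signing the random ID that the store looks up.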

This post is not done yet; there’s more. See you all in the next post with more information about this vulnerability. Check out my Instagram to learn more tips and tricks for finding bugs.


Till then take care and Happy Hacking!!!👋👋


