By Hackt3r

Session Management Part - 2

Hello mates!!!


Today we are going to look at 3 different types of session-related vulnerabilities. They are:

  1. Session Fixation

  2. Session Hijacking

  3. Session Puzzling

Let us learn a bit more about each of them.



Session Fixation

As the name suggests, the victim's session is fixed, i.e. set or manipulated in advance so that the attacker can gain control over the victim's session. The core weakness is that, once the attack succeeds, the attacker can directly log in as the user and share the same session as the victim, gaining access to the victim's account without knowing any credentials.


Let us see how this works. The attacker tricks the victim into using the attacker's session ID when logging in with the victim's credentials. Once the victim logs in, the attacker shares the victim's session and can do whatever he/she wants with the victim's account.


How to find this

  1. Log in using attacker credentials

  2. Capture the request in Burp and copy the Session ID

  3. Now, using a POST method, authenticate into the application with the attacker's session ID and the victim's credentials

  4. If no new cookie is generated and you are logged in, then there is a Session Fixation vulnerability

Risk

Once the attacker has access to the victim's session, taking over the account or misusing it is not a difficult task.


Prevention

  1. Issue a new session token once the user logs in

  2. Make sure the application invalidates the existing session ID before logging a user into an application
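To make the two prevention steps concrete, here is an added Python example (not code from the original post) built on a constructed in-memory session store: `login_vulnerable` keeps whatever session ID the browser presented, while `login_hardened` discards it and issues a fresh one, and `rotates_on_login` is the regression check a developer or tester can run to confirm the ID changes (the condition behind step 4 of the finding procedure above). The function names, the store and the user table are assumptions made for this illustration.

```python
import secrets
from typing import Callable, Dict, Optional

# Constructed in-memory session store and user table (example data, not the blog's code).
SESSIONS: Dict[str, Dict[str, Optional[str]]] = {}
USERS = {"alice": "correct horse battery staple"}


def new_session() -> str:
    """Issue an unauthenticated session ID, as the app does on a first visit."""
    sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not guessable
    SESSIONS[sid] = {"user": None}
    return sid


def current_user(sid: str) -> Optional[str]:
    """Who the session is authenticated as, or None for unknown/unauthenticated IDs."""
    return SESSIONS.get(sid, {}).get("user")


def login_vulnerable(sid: str, username: str, password: str) -> Optional[str]:
    """Vulnerable: authenticates into whatever session ID the request already carries.
    If that ID was planted in the victim's browser beforehand, whoever planted it
    now holds an authenticated session too."""
    if sid not in SESSIONS or USERS.get(username) != password:
        return None
    SESSIONS[sid]["user"] = username
    return sid  # same ID before and after login


def login_hardened(sid: str, username: str, password: str) -> Optional[str]:
    """Hardened: invalidates the pre-login session and issues a fresh ID on success
    (steps 1 and 2 of the prevention list)."""
    if USERS.get(username) != password:
        return None
    SESSIONS.pop(sid, None)  # any ID chosen before authentication is now worthless
    fresh = secrets.token_urlsafe(32)
    SESSIONS[fresh] = {"user": username}
    return fresh


def rotates_on_login(login: Callable[[str, str, str], Optional[str]]) -> bool:
    """Regression check mirroring step 4 of 'How to find this': login must succeed,
    the session ID must change, and the pre-login ID must no longer be authenticated."""
    pre = new_session()
    post = login(pre, "alice", "correct horse battery staple")
    return post is not None and post != pre and current_user(pre) is None


if __name__ == "__main__":
    print("vulnerable login rotates session:", rotates_on_login(login_vulnerable))  # False
    print("hardened login rotates session:", rotates_on_login(login_hardened))      # True
```

The check is worth keeping in an application's test suite: it fails as soon as someone reintroduces a login path that reuses the pre-authentication session ID.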

Session Hijacking

Session hijacking is simply taking control of the session from the victim. This could be the next step after Session Fixation. The attack compromises the victim's session ID by stealing it or by predicting it. The session ID can also be obtained through XSS or MITM attacks.


How to find this

  1. Log into the application using the victim's credentials

  2. Go to any secure functionality, capture this request in Burp and copy the session ID

  3. Log into the application again, this time in another browser using attacker credentials

  4. Now use the victim's session ID while accessing the same functionality from the attacker's browser and see whether a 200 response is returned

  5. If yes, then you just hijacked your victim's session

Risk

Once the session is hijacked, you are the boss of an account you otherwise have no access to, and of its data. Enjoy!!!


Prevention

  1. Always use an encrypted channel for communication

  2. Set the HttpOnly attribute on cookies

  3. Use HSTS, with the cookie's Secure and Domain attributes properly set.
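As an added example (not from the original post), a small Python audit function over constructed HTTP response headers that checks the prevention items above: the session cookie must carry Secure, HttpOnly and SameSite, and the response must carry a Strict-Transport-Security header with a max-age of at least a year. HSTS is a response header rather than a cookie attribute, so it is checked separately; the Domain attribute is deliberately not required, because omitting it yields the host-only default, which is the more restrictive setting. The header values, the cookie name SESSIONID and the function name are assumptions for this illustration.

```python
import re
from typing import List

# Constructed response headers: a weak configuration beside a hardened one
# (example data, not captured from any real application).
WEAK_HEADERS = [
    "Set-Cookie: SESSIONID=abc123; Path=/",
    "Set-Cookie: theme=dark; Path=/",
]
HARDENED_HEADERS = [
    "Set-Cookie: SESSIONID=abc123; Path=/; Domain=app.example.test; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: theme=dark; Path=/",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
]

ONE_YEAR = 31536000  # seconds; the commonly recommended HSTS minimum


def audit_session_headers(headers: List[str], session_cookie: str = "SESSIONID") -> List[str]:
    """Return a list of findings for the session cookie and HSTS; an empty list means
    every check passed. Only the named session cookie is inspected: a theme cookie
    without HttpOnly is not a session-hijacking risk."""
    findings: List[str] = []
    hsts_seen = False
    for line in headers:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "strict-transport-security":
            hsts_seen = True
            m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
            if m is None or int(m.group(1)) < ONE_YEAR:
                findings.append("HSTS max-age shorter than one year")
        elif name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            if cookie_name != session_cookie:
                continue
            # Attribute names after the leading "name=value" pair, case-insensitive.
            attrs = {part.strip().split("=", 1)[0].lower() for part in value.split(";")[1:]}
            for required in ("secure", "httponly", "samesite"):
                if required not in attrs:
                    findings.append(f"session cookie missing {required}")
    if not hsts_seen:
        findings.append("no Strict-Transport-Security header")
    return findings


if __name__ == "__main__":
    print("weak:", audit_session_headers(WEAK_HEADERS))          # four findings
    print("hardened:", audit_session_headers(HARDENED_HEADERS))  # []
```

Running the same function over headers captured from a staging deployment turns the prevention list into a repeatable check rather than a one-off review.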

Session Puzzling

Session Puzzling, also known as Session Variable Overloading, allows the attacker to perform malicious actions against the victim. This vulnerability occurs mostly when the same session variable is used for more than one purpose across an application.


A successfully constructed session puzzle allows the attacker to bypass authentication enforcement mechanisms, impersonate users, escalate privileges, and even perform actions that were previously considered safe (injection, parameter manipulation). If the attacker can reach two functionalities that rely on the same session variable, this vulnerability can be exploited.


How to find this

There are different ways to find this vulnerability. It is a bit tricky to explain, so I am listing some YouTube videos for you to follow and practice.

Risk

  1. Impersonating users

  2. Privilege Escalation

  3. Bypass Authentication

  4. Information theft

Remediation

Make sure to use session variables only for a single consistent purpose.
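An added Python illustration (not the blog's code) of the remediation above, using the password-recovery scenario commonly used to explain session puzzling: in the vulnerable version both the recovery flow and the login write the same session variable `user`, and the dashboard reads `user` as proof of authentication, so merely starting a recovery for an account satisfies the dashboard's check. The hardened version gives each variable a single purpose (`reset_candidate` versus `auth_user`), so the recovery flow can no longer stand in for a login. The store, user table and function names are constructed for this example.

```python
import secrets
from typing import Callable, Dict, Optional

# Constructed in-memory session store and user table (example data, not the blog's code).
SESSIONS: Dict[str, Dict[str, str]] = {}
USERS = {"alice": "correct horse battery staple"}


def new_session() -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {}
    return sid


# --- Vulnerable: one session variable, "user", serves two unrelated purposes ---

def start_password_reset_vulnerable(sid: str, username: str) -> None:
    """Recovery step 1: remember which account is being recovered. Writing it to
    'user' is the puzzle, because the dashboard reads 'user' as 'logged in as'."""
    if username in USERS:
        SESSIONS[sid]["user"] = username


def login_vulnerable(sid: str, username: str, password: str) -> bool:
    if USERS.get(username) == password:
        SESSIONS[sid]["user"] = username
        return True
    return False


def dashboard_vulnerable(sid: str) -> Optional[str]:
    """Username whose private data is shown, or None when not authenticated."""
    return SESSIONS[sid].get("user")


# --- Hardened: every session variable has one consistent purpose ---

def start_password_reset_hardened(sid: str, username: str) -> None:
    if username in USERS:
        SESSIONS[sid]["reset_candidate"] = username  # read only by the recovery flow


def login_hardened(sid: str, username: str, password: str) -> bool:
    if USERS.get(username) == password:
        SESSIONS[sid]["auth_user"] = username  # written only after credential verification
        return True
    return False


def dashboard_hardened(sid: str) -> Optional[str]:
    return SESSIONS[sid].get("auth_user")


def reset_flow_reaches_dashboard(start_reset: Callable[[str, str], None],
                                 dashboard: Callable[[str], Optional[str]]) -> bool:
    """Regression check: does merely starting a recovery for 'alice', with no
    password supplied, make the dashboard show alice's data?"""
    sid = new_session()
    start_reset(sid, "alice")
    return dashboard(sid) == "alice"


if __name__ == "__main__":
    print("vulnerable:", reset_flow_reaches_dashboard(start_password_reset_vulnerable, dashboard_vulnerable))  # True
    print("hardened:", reset_flow_reaches_dashboard(start_password_reset_hardened, dashboard_hardened))        # False
```

The fix is not a new check in the dashboard but a naming discipline: each key in the session carries exactly one meaning, which is what the remediation sentence above asks for.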

Reference: OWASP


I hope you have learned something new today. See you all in the next post with a brand new vulnerability. Check out my Instagram to learn more about tips and tricks for finding bugs.


Till then take care and Happy Hacking!!!👋👋
