Session Management Flaws
Session Management:
Because HTTP is stateless (the earlier notes on authentication flaws touched on the same idea), the connection is dropped once a request completes, and when the client sends its next request the server cannot tell which client it is. Session management exists to solve this. One approach is server-side session management: after the user logs in successfully, the server generates a session ID, returns it to the user's browser in a cookie, and from then on every user carries a unique sessionID (search Baidu for the details).
I also found a session-management mind map online; today's notes cover only one part of it:
For the full article, see [Attacks on web session management mechanisms].
Hijack a Session (session hijacking)
Application developers who build their own session IDs often forget to give them the complexity and randomness that security requires. If a user's session ID is not complex and random, the application is vulnerable to session-based brute-force attacks.
The overall goal:
Try to access a session that belongs to someone else who is already authenticated.
That is a lot of description, but put simply: steal a session ID and access its session.
Capturing the request shows a WEAKID parameter in the cookie; this is the session identifier. To reach someone else's session without knowing their username and password, the server has to identify us by this session ID alone. Here it is:
WEAKID=17346-1585019744376
What we have to do is find the pattern in the WEAKID the server issues each time, and from it indirectly obtain another user's session token. Capture the request, delete the WEAKID, and resend it; repeating this several times gives:
WEAKID=17347-1585024090741
WEAKID=17348-1585024185916
WEAKID=17349-1585024216536
After three captures it is clear that the first half of WEAKID increases by 1 each time and the second half also increases regularly: an obviously weak ID with no encryption at all (normally the session identifier stored in the cookie is encrypted). Next we use the Sequencer module to automate the requests: submit a request, delete the WEAKID value from its cookie, and send it to the Sequencer module:
After filling in the relevant configuration, click Start live capture to automate the requests, then copy the tokens.
Copy them into the following page:
I don't know why the output is out of order (maybe because I am on the free Community edition), but by eye I found a clue: between 73982 and 73984 the number 73983 is missing, which suggests that token was already issued to someone logged in to a session. Since the second half also increases, you could brute-force the last two digits of the second half; here the difference was only about ten, so I just tried it directly in the Repeater module.
In theory this should return the "Congratulations" message, but I failed here (I don't know why; it may have been a mistake in my procedure). The general idea is as described; I will try again next time with different software.
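As an added illustration (not part of the original notes or of WebGoat), the following Python reproduces the check a reviewer would make on captured WEAKID values: it parses the counter-suffix shape, flags the sequential counter and the monotonic second half that make the token predictable, reports holes in the counter like the missing 73983, and shows the CSPRNG-based generator a server should issue instead. The four sample values are the ones captured above; the two-value gap sample and its suffixes are constructed.

```python
import re
import secrets

# Sample input: the WEAKID values captured in the lesson (copied from the page).
SAMPLE_WEAKIDS = [
    "17346-1585019744376",
    "17347-1585024090741",
    "17348-1585024185916",
    "17349-1585024216536",
]
# Constructed sample with a hole in the counter, like the Sequencer output
# where 73983 was missing between 73982 and 73984; the suffixes are made up.
GAP_SAMPLE = ["73982-1585030000000", "73984-1585030000500"]

WEAKID_RE = re.compile(r"^(\d+)-(\d+)$")

def parse_weakid(token):
    """Split a counter-suffix token into two ints; None if it has another shape."""
    m = WEAKID_RE.match(token)
    return (int(m.group(1)), int(m.group(2))) if m else None

def assess_predictability(tokens):
    """Flag the properties that make a session id guessable from a few samples."""
    parsed = [parse_weakid(t) for t in tokens]
    if len(parsed) < 2 or any(p is None for p in parsed):
        return {"structured": False}
    counters = [c for c, _ in parsed]
    suffixes = [s for _, s in parsed]
    gaps = []
    for a, b in zip(counters, counters[1:]):
        gaps.extend(range(a + 1, b))  # ids handed to other clients meanwhile
    return {
        "structured": True,
        # every step is exactly +1: the next id is known in advance
        "sequential_counter": all(b - a == 1 for a, b in zip(counters, counters[1:])),
        # second half only grows: clock-like, so bounded by the capture times
        "monotonic_suffix": all(b > a for a, b in zip(suffixes, suffixes[1:])),
        "counter_gaps": gaps,
    }

def issue_session_id():
    """What the server should do instead: 256 bits from a CSPRNG, no structure."""
    return secrets.token_urlsafe(32)
```

Run `assess_predictability` over a handful of ids issued by any application under test; a result of `structured: False` does not prove the ids are random, but `sequential_counter: True` is enough to fail the review.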
Spoof an Authentication Cookie (authentication cookie spoofing)
Many applications automatically log users in to their site when the correct authentication cookie is presented. If you can work out the cookie generation algorithm, you can sometimes guess the cookie value. Sometimes the cookie remains on the client computer and can be stolen through other system vulnerabilities. Sometimes a cookie can be intercepted using cross-site scripting.
This lesson tries to make students aware of authentication cookies and to introduce a method of bypassing cookie-based authentication.
Users should be able to bypass the authentication check. Log in with the webgoat/webgoat account and see what happens. You can also try aspect/aspect. Once you understand the authentication cookie, try to log in and change your identity to alice.
Now we spoof the authentication cookie to log in as Alice. On the first visit there is no cookie; after the login the server sends the browser an AuthCookie:
A bit of study shows that the cookie is the username reversed with each letter shifted one place forward: webgoat reversed is taogbew, and shifting each letter by one gives ubphcfx. By the same reasoning, the cookie for user alice can be derived:
AuthCookie=65432fdjmb
Capture the request, set the cookie, and try logging in:
Login successful.
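Added example, not code from the lesson: the reverse-and-shift scheme derived above, written out so it can be checked against the two cookies on the page, next to an HMAC-signed cookie that cannot be derived from the username alone. The 65432 prefix is taken from the AuthCookie shown; the wrap-around for 'z' and the server key are assumptions.

```python
import hashlib
import hmac
import secrets

PREFIX = "65432"  # fixed prefix seen in the lesson's AuthCookie

def _shift(ch, delta):
    # Wrapping within a-z is an assumption; the page only shows letters a-y.
    if "a" <= ch <= "z":
        return chr((ord(ch) - ord("a") + delta) % 26 + ord("a"))
    return ch

def weak_encode(username):
    """Scheme observed in the lesson: reverse the name, shift each letter by one."""
    return PREFIX + "".join(_shift(ch, 1) for ch in reversed(username))

def weak_decode(cookie):
    """Inverse of weak_encode: no secret is involved, so any cookie can be
    recovered to a username and any username turned into a valid cookie."""
    if not cookie.startswith(PREFIX):
        return None
    body = cookie[len(PREFIX):]
    return "".join(_shift(ch, -1) for ch in reversed(body))

# Assumed server-side key, generated at startup and never sent to the client.
SERVER_KEY = secrets.token_bytes(32)

def signed_cookie(username, key=SERVER_KEY):
    """Hardened form: the name stays readable, but the tag needs the server key."""
    tag = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}:{tag}"

def verify_signed_cookie(cookie, key=SERVER_KEY):
    """Return the username only if the tag matches; constant-time comparison."""
    username, _, tag = cookie.partition(":")
    expected = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    return username if hmac.compare_digest(tag, expected) else None
```

Signing stops forgery from a guessed username, not replay of a stolen cookie, which is why the lesson's other two routes (left on disk, taken via XSS) still need their own controls.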
Session Fixation (session fixation)
The server identifies a user by a unique session ID. Once the user is logged in and authorized, he does not need to be authorized again when he returns to the application, because the session ID identifies him. In some applications the session ID can be passed in a GET request. This is where the attack begins.
An attacker can send the victim a hyperlink that carries a session ID of the attacker's choosing, for example in a prepared message that looks like an official email from the application's administrator. If the victim clicks the link and logs in, the session ID the attacker chose becomes authorized. The attacker can then access the page with that same ID, is recognized as the victim, and is logged in without authorization.
The overall objective:
The lesson is divided into several stages. You play both the attacker and the victim. After completing this lesson you should understand how session fixation usually works, and also that passing the session ID in a GET request is a bad idea.
Stage 1
Here we simulate the attacker and the victim.
First, append the URL parameter SID=77 to the link in the message to be sent, and fill in your own website (anything will do here):
Stage 1 is reported as completed successfully;
Stages 2 and 3
Here the victim follows the attacker's link (remember, you are now the victim):
Follow the prompts to enter the username and password (this shows that the victim logs in without noticing anything):
Stage 4
Here the attacker's side is shown again; now let's see how we get into Jane's account:
Set the parameter to the value you chose earlier and you can log in successfully:
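The four stages above as an added Python simulation (not WebGoat's code): a session store that adopts the SID arriving in the URL, which is what lets SID=77 end up bound to Jane, beside a hardened version that discards the pre-login id and issues a fresh one on login. The host name and Jane's password are constructed.

```python
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed demo account; not WebGoat's own data.
USERS = {"jane": "jane-password"}

def sid_from_url(url):
    """The lesson's weak point: the session id travels as a GET parameter."""
    return parse_qs(urlparse(url).query).get("SID", [None])[0]

class SessionStore:
    def __init__(self, vulnerable):
        self.vulnerable = vulnerable
        self.sessions = {}  # sid -> {"user": name or None}

    def new_session(self):
        sid = secrets.token_urlsafe(32)  # unpredictable and server-issued
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, username, password):
        if USERS.get(username) != password:
            return None
        if self.vulnerable:
            # Adopts whatever id the client presented, even one the server never
            # issued, and keeps it after login: SID=77 now maps to jane.
            self.sessions[sid] = {"user": username}
            return sid
        # Hardened: drop the pre-login id (an attacker may have chosen it) and
        # issue a fresh one that only the victim's browser receives. Defence 4
        # in the summary, not reading SID from the URL at all, closes it fully.
        self.sessions.pop(sid, None)
        fresh = self.new_session()
        self.sessions[fresh]["user"] = username
        return fresh

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")

def fixation_scenario(store):
    """Replays the lesson's four stages; returns whom SID=77 resolves to afterwards."""
    attacker_link = "http://goat.example/login?SID=77"  # stage 1, constructed host
    victim_sid = sid_from_url(attacker_link)            # stages 2-3: victim follows it
    store.login(victim_sid, "jane", "jane-password")    # victim logs in normally
    return store.whoami("77")                           # stage 4: attacker reuses 77
```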
That is the end of this series of lessons.
To sum up:
The first section is session hijacking: brute-force guessing of the cookie (session ID), because the token is predictable.
The second section is spoofing the authentication cookie: observe how the cookie is structured and how it authenticates a user's login.
The third section is the attacker luring the victim into using a "custom" login session (the session ID is fixed).
Defenses:
1. Increase the complexity of the session identifier and encrypt it (so the attacker cannot guess the session identifier)
2. Set an appropriate session ID lifetime
3. Use a complex cookie generation algorithm
4. Do not pass the session ID in GET requests (to prevent session fixation)