Defender's Notes
Session Attacks/Bypass

Session Management

Session identifiers can be found in

  • Cookies

  • Hidden form fields (Usually as POST parameters)

  • Custom headers

  • URI parameters

Common session identifier names: JSESSIONID, PHPSESSID, ASP.NET_SessionID

Properly configured Session identifiers will have the following:

  • Unpredictability

  • Tamper Resistance

  • Expiration

  • Confidentiality

Cookies are the most common way to implement session identifiers, and using a common framework to manage the cookies makes implementing these principles easier.

The above four principles give us things to test for.
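As an added example (not code from the original notes), the check below maps the four principles onto the attributes of a Set-Cookie header: Secure and HttpOnly for confidentiality and theft resistance, SameSite for cross-site exposure, Max-Age/Expires for expiration, and a rough length screen for unpredictability. The two sample headers and the 16-character minimum are constructed for the demo; the cookie names are the ones listed above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample Set-Cookie headers (not taken from the page):
# the first is a weak configuration, the second a hardened one.
SAMPLE_HEADERS = [
    "PHPSESSID=a1b2c3d4e5f6; Path=/",
    "JSESSIONID=3F2504E04F8911D39A0C0305E82C3301AB12; Path=/; Secure; HttpOnly; "
    "SameSite=Lax; Max-Age=1800",
]

# Names the notes list as common session identifiers (compared case-insensitively)
SESSION_COOKIE_NAMES = {"JSESSIONID", "PHPSESSID", "ASP.NET_SESSIONID"}
MIN_TOKEN_LENGTH = 16  # assumed threshold: shorter values rarely carry enough entropy


@dataclass
class CookieReport:
    name: str
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str) -> CookieReport:
    """Check one Set-Cookie header against the four session-token properties."""
    name, value, attrs = parse_set_cookie(header)
    report = CookieReport(name=name)
    if name.upper() not in SESSION_COOKIE_NAMES:
        report.findings.append("unrecognised name: confirm manually whether this is the session token")
    # Confidentiality: the token must never travel over plaintext HTTP
    if "secure" not in attrs:
        report.findings.append("missing Secure: token can be sent over plaintext HTTP")
    # Theft resistance: keep the token out of reach of document.cookie (XSS)
    if "httponly" not in attrs:
        report.findings.append("missing HttpOnly: token readable by injected script")
    if attrs.get("samesite", "").lower() not in {"lax", "strict"}:
        report.findings.append("SameSite not Lax/Strict: cookie sent on cross-site requests")
    # Expiration: a persistent cookie needs a bounded lifetime; a browser-session
    # cookie relies entirely on the server-side timeout, which must then be verified
    if "max-age" not in attrs and "expires" not in attrs:
        report.findings.append("no Max-Age/Expires: verify server-side idle and absolute timeouts")
    # Unpredictability (rough screen only; real entropy analysis needs a sample of tokens)
    if len(value) < MIN_TOKEN_LENGTH:
        report.findings.append(f"short value ({len(value)} chars): likely too little entropy")
    return report


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        r = audit_set_cookie(h)
        print(r.name, "->", "OK" if not r.findings else "; ".join(r.findings))
```

Run it against the Set-Cookie headers captured in Burp for the login response; the weak sample produces five findings, the hardened one none.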

Session Attacks

Session Predictability

Gather enough session values to be able to analyze the level of entropy (randomness). Analysis may require statistical tools, intuition, or source code. If a pattern is not readily observable, a statistically representative sample of values will need to be collected.

Looking at source code, for example, may reveal that the developer concatenates the User-Agent and IP address to create the session ID.

Analysis tools to use: Burp Suite Sequencer, ZAP Token Generator, or Google.
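Added example, not part of the original notes: a minimal version of the analysis Sequencer performs. It takes a list of collected token strings, computes the Shannon entropy of each character position, counts positions that never change, and checks for a constant stride between consecutive values (a counter). The two samples are constructed inline, one sequential and one drawn from the OS CSPRNG; the 64-bit "weak" threshold is an assumed cut-off, not a figure from the notes.

```python
import math
import secrets
from collections import Counter
from typing import Dict, Iterable, List

# Constructed samples (not from the page): a counter-style id and a random one.
SEQUENTIAL_SAMPLE = [f"{0x1000 + i:08x}" for i in range(200)]
RANDOM_SAMPLE = [secrets.token_hex(16) for _ in range(200)]
MIN_BITS = 64  # assumed threshold for "enough" estimated entropy


def shannon_entropy(symbols: Iterable[str]) -> float:
    """Entropy in bits of the observed symbol distribution."""
    counts = Counter(symbols)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def per_position_entropy(tokens: List[str]) -> List[float]:
    """Entropy of each character position across the sample."""
    width = min(len(t) for t in tokens)
    return [shannon_entropy(t[i] for t in tokens) for i in range(width)]


def looks_sequential(tokens: List[str]) -> bool:
    """True when consecutive values (read as hex) differ by one constant, non-zero stride."""
    try:
        vals = [int(t, 16) for t in tokens]
    except ValueError:
        return False
    strides = {b - a for a, b in zip(vals, vals[1:])}
    return len(strides) == 1 and strides != {0}


def analyze(tokens: List[str]) -> Dict[str, object]:
    pos = per_position_entropy(tokens)
    fixed = sum(1 for e in pos if e == 0.0)
    # Summing per-position entropy ignores correlation between positions,
    # so this is an upper bound on the real entropy, never an underestimate.
    estimated_bits = sum(pos)
    sequential = looks_sequential(tokens)
    return {
        "width": len(pos),
        "fixed_positions": fixed,
        "estimated_bits": round(estimated_bits, 1),
        "sequential": sequential,
        "weak": sequential or estimated_bits < MIN_BITS,
    }


if __name__ == "__main__":
    print("sequential:", analyze(SEQUENTIAL_SAMPLE))
    print("random:    ", analyze(RANDOM_SAMPLE))
```

The per-position view is what makes a structured id visible: fixed prefixes and a counter in the low positions show up immediately, while a real CSPRNG token has near-maximal entropy at every position. With only 200 samples the random estimate will sit a little below the theoretical 128 bits, which is the sample-size bias Sequencer also warns about.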

Session Fixation

When the session ID is set prior to authentication and is not replaced after authentication, session fixation is possible. To verify, record the session ID before and after authentication and check whether it is the same.

Session Theft (Hijacking)

Session tokens can be stolen via other attacks, for example XSS. An attacker who obtains a session ID gains access to the account associated with the stolen session ID. The HttpOnly flag prevents script access to a session ID stored in a cookie.

Session Logout and Timeout (Insufficient Session Expiration)

Sessions that reach a logout state or a timeout condition should be invalidated in the server-side session state. Failing to invalidate the session ID allows it to be reused after the account logs out or times out. After invalidation, an error should be returned or the client redirected to the login page. Associated APIs may be susceptible to this vulnerability as well.
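The fixation and expiration points above come down to one rule: the server-side session table decides, not the cookie. The in-memory store below is an added example (not code from the notes) that rotates the id on login, drops the record on logout, and expires it after an idle timeout; the 900-second timeout and the injectable clock are assumptions for the demo.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 900  # seconds; assumed policy value for the demo


@dataclass
class Session:
    user: Optional[str] = None            # None until authenticated
    created: float = field(default_factory=time.monotonic)
    last_seen: float = field(default_factory=time.monotonic)


class SessionStore:
    """Server-side session table: every decision is made here, never from the cookie alone."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._sessions: Dict[str, Session] = {}
        self._clock = clock

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[sid] = Session(None, now, now)
        return sid

    def login(self, old_sid: str, user: str) -> str:
        # Fixation defence: discard the pre-auth id and issue a fresh one, so an
        # id planted before login never becomes an authenticated session.
        self._sessions.pop(old_sid, None)
        new_sid = self.create()
        self._sessions[new_sid].user = user
        return new_sid

    def logout(self, sid: str) -> None:
        # Server-side invalidation: clearing the cookie alone leaves the id reusable.
        self._sessions.pop(sid, None)

    def resolve(self, sid: str) -> Optional[str]:
        """Return the authenticated user for sid, or None if unknown, expired or anonymous."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT:
            self._sessions.pop(sid, None)   # expire the record, do not merely refuse it
            return None
        s.last_seen = now
        return s.user


def demo_fixation_and_expiry() -> Dict[str, bool]:
    """Walk the three checks a tester performs: rotation, timeout, logout."""
    clock = [0.0]
    store = SessionStore(clock=lambda: clock[0])
    pre = store.create()
    post = store.login(pre, "alice")
    results = {
        "rotated_on_login": pre != post,
        "pre_auth_id_dead": store.resolve(pre) is None,
        "post_auth_id_live": store.resolve(post) == "alice",
    }
    clock[0] += IDLE_TIMEOUT + 1
    results["expired_after_idle"] = store.resolve(post) is None
    sid = store.login(store.create(), "bob")
    store.logout(sid)
    results["dead_after_logout"] = store.resolve(sid) is None
    return results


if __name__ == "__main__":
    for check, ok in demo_fixation_and_expiry().items():
        print(f"{check}: {'pass' if ok else 'FAIL'}")
```

Each of the five results corresponds to a request you would replay in Burp Repeater: the pre-login cookie after login, the post-login cookie after the idle period, and the cookie after logout should all be refused.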

Authentication Bypass

Authentication bypass can be done by one of the following attacks:

  • Parameter Tampering

  • Direct Page Access

  • SQL Injection

Exploiting an authentication bypass can lead to anonymous access to a resource without going through the login functionality.

Parameter Tampering

Modifying parameters used to determine the authenticated state may bypass authentication. Example: changing the URI parameter LoggedIn=0 to LoggedIn=1.

Adding an X-Original-URL header can bypass access control when the front end checks the request-line path but a back-end component routes on the header. Example:

POST /admin/deleteUser HTTP/1.1

HTTP/1.1 403 Forbidden

POST / HTTP/1.1
X-Original-URL: /admin/deleteUser

HTTP/1.1 200 OK

The same may work with X-Rewrite-Url, X-Forwarded-Url, or X-Forwarded-Path.
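Why the override works, and how to close it, as an added example (not the notes' own code): the vulnerable dispatcher authorises the request-line path and then serves whatever X-Original-URL names, so the checked path and the served path differ. The hardened version resolves the effective path first, accepts override headers only from a trusted proxy hop, logs any that arrive from a client, and authorises the path the handler will actually receive. The x-role header, the /admin/ prefix and the alert list are constructed for the demo.

```python
from http import HTTPStatus
from typing import Dict, List, Tuple

ADMIN_PREFIX = "/admin/"
# Override headers the notes list; header names are compared lower-case
OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url", "x-forwarded-url", "x-forwarded-path")
ALERTS: List[str] = []  # stand-in for the detection log


def is_authorised(headers: Dict[str, str], path: str) -> bool:
    # Constructed policy: admin paths require an (assumed) x-role header of "admin".
    if path.startswith(ADMIN_PREFIX):
        return headers.get("x-role") == "admin"
    return True


def handle(path: str) -> Tuple[int, str]:
    """Stand-in for the application handler."""
    return HTTPStatus.OK, f"handled {path}"


def vulnerable_dispatch(path: str, headers: Dict[str, str]) -> Tuple[int, str]:
    # Bug: access control is evaluated on the request-line path, but the back end
    # then routes on X-Original-URL, so the checked path and the served path differ.
    if not is_authorised(headers, path):
        return HTTPStatus.FORBIDDEN, "forbidden"
    effective = headers.get("x-original-url", path)
    return handle(effective)


def hardened_dispatch(path: str, headers: Dict[str, str],
                      from_trusted_proxy: bool = False) -> Tuple[int, str]:
    # 1. Resolve the path that will actually be served. Overrides are honoured
    #    only when the hop is a trusted reverse proxy, never when sent by a client.
    present = [h for h in OVERRIDE_HEADERS if h in headers]
    if present and not from_trusted_proxy:
        ALERTS.append(f"override header(s) {present} from untrusted client for {path}")
        return HTTPStatus.BAD_REQUEST, "unexpected override header"
    effective = headers[present[0]] if present else path
    # 2. Authorise the effective path, i.e. the same path the handler receives.
    if not is_authorised(headers, effective):
        return HTTPStatus.FORBIDDEN, "forbidden"
    return handle(effective)


if __name__ == "__main__":
    probe = {"x-original-url": "/admin/deleteUser"}
    print("vulnerable:", vulnerable_dispatch("/", probe))
    print("hardened:  ", hardened_dispatch("/", probe))
    print("alerts:    ", ALERTS)
```

The detection value is in the alert list: a client-supplied X-Original-URL or X-Rewrite-Url should never reach the application, so its presence at the origin is itself a finding worth logging, whatever the response code.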

Direct Page Access

Test by accessing URLs directly without navigating through the site's links (commonly found via forced browsing).

Authorization Bypass

Role enforcement

Insecure Direct Object Reference (IDOR)

Resources

Using Burp Repeater:

https://portswigger.net/burp/documentation/desktop/tools/repeater/using

https://portswigger.net/blog/burp-sequencer-101

https://www.quora.com/Whats-the-difference-between-session-fixation-and-session-hijacking

https://www.netsparker.com/blog/web-security/session-hijacking/