Session Attacks/Bypass

Session Management

Session identifiers can be found in:

  • Cookies

  • Hidden form fields (Usually as POST parameters)

  • Custom headers

  • URI parameters

Common session identifier names: JSESSIONID, PHPSESSID, ASP.NET_SessionId

Properly configured session identifiers have the following properties:

  • Unpredictability

  • Tamper Resistance

  • Expiration

  • Confidentiality

Cookies are the most common way to implement session identifiers, and using common frameworks to manage the cookies makes implementing these principles easier.

The four principles above give us things to test for.

Session Attacks

Session Predictability

Gather enough session values to analyze their level of entropy (randomness). Analysis may require statistical analysis tools, intuition, or source code. If a pattern is not readily observable, a statistically representative sample of values will need to be collected.

Looking at source code, for example, we may find that a developer combines the User-Agent and IP address to create the session ID.

Analysis tools to use: BurpSuite Sequencer, ZAP Token Generator, or Google

Session Fixation

When a session ID is set prior to authentication and is not replaced after authentication, session fixation is possible. To verify, compare the session ID before and after authentication and check whether it is the same.

Session Theft (Hijacking)

Session tokens can be stolen via other forms of attack, for example XSS. An attacker who obtains a session ID gains access as the account associated with the stolen session ID. The HttpOnly flag prevents client-side script from reading a session ID stored in a cookie.
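The fixation and HttpOnly checks described above can be run from the defender's side over captured Set-Cookie headers. This is an added example, not part of the original notes; the header values are constructed samples, the function names are hypothetical, and the Secure flag check is an addition tied to the Confidentiality principle.

```python
from http.cookies import SimpleCookie

# Cookie names treated as session identifiers (assumption: framework defaults).
SESSION_NAMES = {"JSESSIONID", "PHPSESSID", "ASP.NET_SessionId"}

def session_cookies(set_cookie_headers):
    """Map session cookie name -> (value, flags) from Set-Cookie header values."""
    found = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if name in SESSION_NAMES:
                flags = {"HttpOnly": bool(morsel["httponly"]),
                         "Secure": bool(morsel["secure"])}
                found[name] = (morsel.value, flags)
    return found

def audit(pre_auth_headers, post_auth_headers):
    """Compare session cookies issued before and after login; return findings."""
    before = session_cookies(pre_auth_headers)
    after = session_cookies(post_auth_headers)
    findings = []
    for name in sorted(set(before) | set(after)):
        # With no new Set-Cookie at login the browser keeps the pre-auth value.
        value, flags = after.get(name) or before[name]
        if name in before and value == before[name][0]:
            findings.append(f"{name}: ID unchanged after login (fixation possible)")
        findings += [f"{name}: {flag} flag missing"
                     for flag, present in flags.items() if not present]
    return findings

# Constructed sample headers (not taken from any real application).
PRE_AUTH = ["JSESSIONID=4f2a9c; Path=/; HttpOnly"]
POST_AUTH_UNCHANGED = []  # login response issues no new session cookie
POST_AUTH_ROTATED = ["JSESSIONID=9d71be; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    for label, post in (("unchanged", POST_AUTH_UNCHANGED),
                        ("rotated", POST_AUTH_ROTATED)):
        print(label, audit(PRE_AUTH, post) or "no findings")
```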

Session Logout and Timeout (Insufficient Session Expiration)

Sessions that reach a logout state or timeout condition should have their server-side session state invalidated. Failing to invalidate the session ID allows it to be reused after the account logs out or times out. When an invalidated session ID is presented, an error should be returned or the client directed to the login page. Associated APIs may be susceptible to this vulnerability.

Authentication Bypass

Authentication bypass can be done by one of the following attacks:

  • Parameter Tampering

  • Direct Page Access

  • SQL Injection

Exploitation of authentication bypass can lead to anonymous access to a resource without any functionality.

Parameter Tampering

Modifying parameters used to determine an authenticated state may bypass authentication. Example: changing the URI parameter LoggedIn=0 to LoggedIn=1.

Adding an X-Original-URL header may bypass access control. Example:

POST /admin/deleteUser HTTP/1.1

X-Original-URL: /admin/deleteUser

200 OK

This may also work by modifying X-Rewrite-Url, X-Forwarded-Url, or X-Forwarded-Path.

Direct Page Access

Test by accessing URLs directly without navigating through the site's links (commonly found via forced browsing).

Authorization Bypass

Role enforcement

Insecure Direct Object Reference (IDOR)


Using Burp Repeater:
