In this video, learn about session hijacking.
- [Instructor] Cookies are often used for web application authentication. After a user logs into a system, the web server provides a cookie, so that the user doesn't need to continuously log into the system every time he or she requests a new webpage. Presenting the cookie with each request causes the web server to reference the earlier successful login. One major flaw with some web applications is that they don't use random cookies. Instead, they use a guessable value. Let's go ahead and take a look at an example.
Once again, we'll turn to the WebGoat application security demonstration tool and the Zap web proxy. This time, we're using a simple web application that asks for a user name and a password and has a login button. I have two accounts that I know exist on this server, and I'm going to go ahead and start the Zap application proxy, and tell it to intercept the login request. I go back to the application. The first time I'll log on with the WebGoat account, and click the login button.
Zap intercepts that request, and when I step through it, I can see the authentication cookie right here. I'm going to go ahead and make a note of that cookie value, and then go ahead and let this finish. When I return to the application, you can see that I've been logged in as webgoat. I'm now going to log out. Restart Zap. And this time I'm going to go ahead and log in with a user named aspect. Step through this login request, and then note the authentication cookie value for this user.
Let's take a look at the cookies that we've discovered so far. We have two users, and their cookie values, and what we'd like to do is be able to figure out the cookie value for Alice. The first thing we might notice when we look at these values is that they all begin with the same five-digit number. So I'm going to presume that Alice's cookie also begins with 65432. Then they end with a text value. At first glance, this text value looks somewhat random, but the first thing I might realize is that each of these text values is the same length as the username.
After thinking about this for a while, I realize that the text value at the end of the cookie is actually figured out by taking the username, reversing the letters, and then adding one value to each letter. So an A would become a B, a B would become a C, and so on. Once I've done this, I can go ahead and figure out Alice's cookie. I'm now going to return to WebGoat and see if I can use this trick to log in as Alice. I'm going to go ahead and finish out the Zap proxy, log out of WebGoat, get this set up to log in as Alice, restarting the proxy.
And this time, before I let this go through, I'm going to tamper with this request a little bit using a technique known as header manipulation. You can see up here, the cookie JSESSIONID value. I'm going to add to the end of this, a value including the session cookie that I've computed for Alice. 65432fdjmb. And now I'm going to go ahead and let this process finish. When I return to WebGoat, you'll notice that I've now logged in with Alice's username without knowing her password.
In this example, we analyzed the login cookie and guessed the correct value because it wasn't very carefully constructed. This is a somewhat sophisticated session hijacking attack. A simpler variation of this attack involves eavesdropping on a user's unencrypted connection. If you can simply view the cookie, you don't need to go through all these hoops to figure out the value yourself.
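As an added illustration (not code from the video or from WebGoat itself), the snippet below reproduces the predictable cookie scheme the instructor works out, puts it next to the audit check a developer would run against their own session cookies, and shows the properly random identifier that should be issued instead. The wrap of "z" to "a" is an assumption the lesson does not state.

```python
import secrets
import string

# Constant prefix observed on every cookie in the lesson (65432).
PREFIX = "65432"
ALPHABET = string.ascii_lowercase


def weak_cookie(username: str) -> str:
    """The vulnerable scheme from the lesson: reverse the username and shift
    each letter forward by one (assumption: 'z' wraps to 'a')."""
    shifted = []
    for ch in reversed(username.lower()):
        if ch in ALPHABET:
            shifted.append(ALPHABET[(ALPHABET.index(ch) + 1) % 26])
        else:
            shifted.append(ch)  # digits and punctuation pass through unchanged
    return PREFIX + "".join(shifted)


def strong_session_id(nbytes: int = 32) -> str:
    """Hardened alternative: a CSPRNG token with no relation to the username."""
    return secrets.token_urlsafe(nbytes)


def audit_session_cookie(cookie: str, username: str) -> list:
    """Defender-side check: return the findings a reviewer would flag for the
    session cookie a server issued to `username`. Empty list means no issue."""
    findings = []
    if cookie == weak_cookie(username):
        findings.append("cookie is fully derived from the username (reverse-and-shift)")
    if cookie.startswith(PREFIX):
        findings.append("cookie carries a constant prefix shared by all users")
    if len(cookie) < 16:
        findings.append("cookie is too short to resist guessing")
    return findings


if __name__ == "__main__":
    for user in ("webgoat", "aspect", "alice"):
        weak = weak_cookie(user)
        print(f"{user:8} weak={weak:14} findings={audit_session_cookie(weak, user)}")
    strong = strong_session_id()
    print(f"random session id: {strong} findings={audit_session_cookie(strong, 'alice')}")
```

Running it reproduces the lesson's 65432fdjmb for alice and flags all three weak cookies, while the random identifier passes the audit.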
The CompTIA Security+ exam is an excellent entry point for a career in information security. The latest version, SY0-501, expands coverage of cloud security, virtualization, and mobile security. This course prepares exam candidates for the critical Threats, Attacks, and Vulnerabilities domain of the exam. By learning about malware, networking and application security exploitations, and social engineering, you'll be prepared to answer questions from the exam—and strengthen your own organization's systems and defenses. Author Mike Chapple, an IT leader with over 15 years of experience, also covers the processes for discovering and mitigating threats and attacks, and conducting penetration testing and scanning for vulnerabilities. Visit certmike.com to join one of his free study groups.