Solution for Session Fixation added
git-svn-id: http://webgoat.googlecode.com/svn/trunk@314 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
wirth.marcel
Binary file not shown.
|
After Width: | Height: | Size: 4.9 KiB |
@ -0,0 +1,120 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>Session Fixation</title>
|
||||
<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
|
||||
</head>
|
||||
<body>
|
||||
<p><b>Lesson Plan Title:</b> Session Fixation</p>
|
||||
|
||||
<p><b>Concept / Topic To Teach:</b><br/>
|
||||
How to steal a session with a 'Session Fixation'
|
||||
</p>
|
||||
|
||||
<p><b>How the attacks works:</b><br/>
|
||||
A user is recognized by the server by an unique
|
||||
Session ID. If a user has logged in and is authorized
|
||||
he does not have to reauhorize when he revisits the
|
||||
application as the user is recognized by the Session ID.
|
||||
In some applications it is possible to deliver the Session
|
||||
ID in the Get-Request. Here is where the attack starts.
|
||||
</p>
|
||||
<p>An attacker can send a hyperlink to a
|
||||
victim with a choosen Session ID. This can be
|
||||
done for example by a phishing mail. If the victim
|
||||
clicks on the link and loggs in he is authorized by the
|
||||
Session ID the attacker has choosen. The attacker can visit
|
||||
the page with the same ID and is recognized as the victim
|
||||
and gets logged in without authorization.</p>
|
||||
|
||||
<p><b>General Goal(s):</b><br/>
|
||||
This lesson has several stages. You play the attacker but
|
||||
also the victim. After having done this lesson it should be
|
||||
understood how a Session Fixation in general works. It should
|
||||
be also understood that it is a bad idea to use the Get-Request
|
||||
for Session IDs.
|
||||
|
||||
</p>
|
||||
|
||||
<p>
|
||||
<b>Solution:</b><br/>
|
||||
This lesson has 4 stages. In stage 1 and 4 you are Hacker Joe
|
||||
in lesson 2 and 3 you are the victim Jane.
|
||||
|
||||
<p>
|
||||
<b>Stage 1:</b><br>
|
||||
You have to send a phishing mail to Jane with a link containing a Session ID.
|
||||
The mail is already prepared. You only have to alter the link so it includes
|
||||
a Session ID (SID). You can archive this by adding &SID=WHATEVER to
|
||||
the link. Of course can WHATEVER be replaced by any other string.
|
||||
The link should look similar to following:<br>
|
||||
<a href=http://localhost/WebGoat/attack?Screen=46&menu=320&SID=WHATEVER>
|
||||
</p>
|
||||
<div align="center"><font size="2">
|
||||
<img src='lesson_solutions/SessionFixation_files/sf_stage1.png'><br>
|
||||
<b>Image 1: Phishing Mail</b>
|
||||
</font>
|
||||
</div>
|
||||
|
||||
<p>
|
||||
<b>Stage 2:</b><br>
|
||||
Now you are Jane which receives the mail you wrote in stage 1.
|
||||
Point with the mouse on the link and you will notice the
|
||||
SID in the status bar of your browser. This is the easiest
|
||||
stage as you have only to click on the link 'Goat Hills Financial'.
|
||||
</p>
|
||||
<div align="center"><font size="2">
|
||||
<img src='lesson_solutions/SessionFixation_files/sf_stage2.png'><br>
|
||||
<b>Image 2: Received Phishing Mail</b>
|
||||
</font>
|
||||
</div>
|
||||
|
||||
|
||||
<p>
|
||||
<b>Stage 3:</b><br>
|
||||
You are on the login screen of Goat Financial Hills now. In
|
||||
the URL is the SID visible. All
|
||||
you have to do is to log in with your user name Jane
|
||||
and your password tarzan.
|
||||
</p>
|
||||
<div align="center"><font size="2">
|
||||
<img src='lesson_solutions/SessionFixation_files/sf_stage3.png'><br>
|
||||
<b>Image 3: Goat Hills Financial Login Screen</b>
|
||||
</font>
|
||||
</div>
|
||||
|
||||
<p>
|
||||
<b>Stage 4:</b><br>
|
||||
The application switches again to the hacker Joe.
|
||||
There is already a prepared link you have to click on
|
||||
to reach the Goat Hill Financial. In real life this
|
||||
would be different of course. You could directly put the URL
|
||||
in the address bar of your browser.<br><br>
|
||||
|
||||
|
||||
After having clicked on the provied link you reach
|
||||
Goat Hill Financial. Take a look at the URL and
|
||||
you will see that your SID is NOVALIDSESSION.
|
||||
Change this string to the SID you have chosen
|
||||
at the beginning of this lesson and hit enter.</p>
|
||||
<div align="center"><font size="2">
|
||||
<img src='lesson_solutions/SessionFixation_files/sf_stage4_1.png'><br>
|
||||
<b>Image 4: Browser Address Bar Before Changes</b>
|
||||
<br><br>
|
||||
<img src='lesson_solutions/SessionFixation_files/sf_stage4_2.png'><br>
|
||||
<b>Image 5: Browser Address Bar After Changes</b>
|
||||
</font>
|
||||
</div>
|
||||
<br><br>
|
||||
Congratulation! You are logged in as Jane
|
||||
and the lesson was successful.
|
||||
<div align="center"><font size="2">
|
||||
<img src='lesson_solutions/SessionFixation_files/sf_success.png'><br>
|
||||
<b>Image 6: Successful Completion Of The Lesson</b>
|
||||
</font>
|
||||
</div>
|
||||
|
||||
|
||||
</body>
|
||||
</html>
|
||||
Binary file not shown.
|
After Width: | Height: | Size: 66 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 32 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 24 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 9.2 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 7.4 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 42 KiB |
Reference in New Issue
Block a user