Nanne Baars 2023-08-13 12:02:14 +02:00
parent 8f6e47e6d4
commit 46f0411678
No known key found for this signature in database
GPG Key ID: A6D6C06FE4EC14E7
5 changed files with 75 additions and 0 deletions

@ -0,0 +1,30 @@
==== Introduction
Session fixation is a security vulnerability that occurs when an attacker forces a user's session identifier (usually stored in a cookie) to be set to a value chosen by the attacker.
This attack can result in the attacker being able to impersonate the victim's session and gain unauthorized access to their account.
==== How session fixation works
The following steps outline the process of a session fixation attack:
- The attacker obtains a session identifier (SID) from a valid session, either by generating one or through some other means.
- The attacker tricks the victim into clicking on a malicious link that includes the obtained SID.
This link might be sent via email, social engineering, or another method.
- When the victim clicks the malicious link, their browser uses the provided SID to identify the session.
The attacker can then use the same SID to access the victim's session after they log in.
- The attacker now has unauthorized access to the victim's account, effectively taking over their session.
==== Implications and risks
A successful session fixation attack can have serious consequences, including:
- Unauthorized access to the victim's account and sensitive information.
- Ability to perform actions on behalf of the victim.
- Compromise of confidential data.
- Damage to the victim's reputation and trust in the web application.
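Review bot: the step list never states the precondition that makes the attack work, namely that the application accepts a session identifier it did not issue (for example one supplied in a URL parameter, as the prevention fragment later warns) and keeps using it after the victim authenticates; step 3 ("their browser uses the provided SID to identify the session") reads as if browsers did this on their own. Suggest one sentence before the list, or in step 3, naming that precondition, since it is exactly what the countermeasures in the next file remove. Also, this file opens at heading level `====` while the "No longer hackable?" fragment uses `===`; check which level the lesson template expects so the fragments render consistently.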

@ -0,0 +1,15 @@
==== Preventing session fixation attacks
Most modern web frameworks do a pretty decent job fixing the problem automatically.
Please read up on your framework before.
To defend against session fixation attacks, web developers can implement the following countermeasures:
- Never trust an url parameter: Never pass session identifiers via URLs, as these can be easily manipulated.
- Session regeneration: always change the session identifier upon significant events, such as login or privilege level change.
- Session timeout: Implement a session timeout mechanism that automatically logs out inactive users after a specified period.
This will help when an attacker sends an email to a victim with a link.
This way the link containing the session-id is already timed out.
- Random session identifiers: Generate session identifiers using a strong random number generator to make them difficult to guess or predict.
- Cookie attributes: Set `secure` and `HttpOnly` attributes for cookies to prevent manipulation and unauthorized access.
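Review bot: "Please read up on your framework before." is an incomplete sentence (before what?), and "an url parameter" should read "a URL parameter". The session timeout bullet overstates what a timeout buys: the emailed link only becomes useless if the fixed identifier expires before the victim uses it, so present timeout as narrowing the window, with regeneration on login (the bullet above it) as the measure that actually defeats the attack. The cookie attributes bullet should say what each flag guarantees (`Secure`: sent only over HTTPS; `HttpOnly`: not readable from page scripts) instead of the blanket "prevent manipulation and unauthorized access", since neither flag stops the server from accepting an identifier it did not issue.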

@ -0,0 +1,17 @@
==== Let's try
Maybe WebGoat is vulnerable to a session fixation attack?
Create a new account, for example `attacker` and login to WebGoat. Email yourself with the link and click the link and login to WebGoat.
- Endpoint for logging in (POST)
- Goal is to get /users/..../profile this one checks session id cookie
- Email send to a specfic user should immediately login
- XSS should set cookie and endpoint should pick it up.
-
Screen 1 is send email
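Review bot: this fragment still contains the author's planning notes rather than lesson text: the bullet list ("Endpoint for logging in (POST)", "Goal is to get /users/..../profile ...", "XSS should set cookie ...", an empty "-") and "Screen 1 is send email" describe how the exercise is to be built, not what the learner should do, and belong in an issue or TODO before merge, or the file should be marked work in progress. The remaining instruction also uses "login" as a verb twice ("log in"), has "specfic" for "specific" and "Email send to" for "Email sent to".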

@ -0,0 +1,3 @@
=== No longer hackable?
Someone submitted a bug report and the developers made some improvements. Can you still hack them?
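Review bot: the heading uses `===` where the other fragments in this commit use `====`; align the level. "made some improvements" gives the learner nothing to work with; even if the fix is meant to be discovered, the text should say which part of the earlier exercise to repeat (for example, whether the login endpoint or the profile endpoint changed) so the assignment is self-contained.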

@ -0,0 +1,10 @@
In this lesson, you will learn about a common web application vulnerability called "Session Fixation." Session fixation is an attack that allows an attacker to set a victim's session identifier, potentially giving them unauthorized access to the victim's account.
We will explore how this attack works, its implications, and how to defend against it.
Goals:
By the end of this lesson, you will be able to:
- Explain what a session fixation attack is and how it works.
- Understand the potential risks and consequences of a successful session fixation attack.
- Implement countermeasures to defend against session fixation attacks in a web application.
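Review bot: the first paragraph repeats the definition already given in the Introduction fragment almost word for word; since this file reads as the lesson's opening page ("In this lesson, you will learn..."), keep the definition here and trim it in the Introduction (or the other way round) so the learner does not read it twice. "Goals:" is a bare label line followed by a sentence and a list; the other fragments use `====` headings, so either make it a heading or drop it, since "By the end of this lesson, you will be able to:" already introduces the list.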