Lesson Plan Title: How to Hijack a Session

Concept / Topic To Teach:

Application developers who implement their own session IDs frequently forget to incorporate the complexity and randomness necessary for security. If the user-specific session ID is not sufficiently complex and random, the application is highly susceptible to session-based brute-force attacks.

General Goal(s):

Try to access an authenticated session belonging to someone else.

In this lesson the purpose is to predict the WEAKID value. WebGoat uses the WEAKID cookie to distinguish authenticated users from anonymous ones.

Solution:

The easiest way to complete this lesson is to use WebScarab's Session ID Analysis.

Go to WebScarab and click the "SessionID Analysis" button. Select the last POST request from the "Previous requests" drop-down box.

Figure 1: WebScarab's SessionID Analysis

To make sure that WebScarab is able to fetch the WEAKID cookie, click the "Test" button at the bottom of the screen. A pop-up window like the one shown below should appear.

Figure 2: SessionID WEAKID discovered

If you do not get a pop-up window listing the extracted session IDs, you must edit the request: delete the WEAKID value from it. Without this cookie value, WebGoat returns an HTTP header "Set-Cookie: WEAKID=value", from which WebScarab learns the value.

Fetch 50 samples and examine the results: enter "50" in the "Samples" field and click the "Fetch" button. Note that no progress indicator is shown while the samples are being fetched.

Now go to the "Analysis" tab.

In the "Analysis" pane you will see nothing at first.

You must select the WEAKID session identifier from the drop-down box.

The WEAKID consists of two parts: an identifier that is incremented by 1 for every cookie issued, and a time value. The time value is computed at the moment you submit the request.

Notice that there is sometimes a gap in the first part of the WEAKID: the counter skips a value. The missing value is the one you need in order to log on. Now you only need to determine the timestamp. This can be brute-forced using Crowbar: you know the previous timestamp and the next timestamp, so you have a start and an end value.
You can download Crowbar for free: http://www.sensepost.com/research/crowbar/
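As an added illustration, not part of the original solution and not WebGoat's or WebScarab's own code, the following Python snippet models the two observations above on constructed samples. It builds WEAKID-style cookies the way the lesson describes them (a counter that grows by 1, joined to a millisecond timestamp), runs a miniature version of the analysis that WebScarab performs on a sample set (is the first part a counter? is the second part a clock? which counter is missing, and between which timestamps?), measures how small the resulting search window is in bits, and contrasts that with a token from Python's `secrets` module, which is what a developer should issue instead. The `counter-millis` cookie format, the sample values and all function names are assumptions made for this example.

```python
import math
import secrets

# ---- the weak scheme the lesson describes (constructed model, not WebGoat's code) ----

def weak_id(counter, millis):
    """Build a WEAKID-style cookie: a counter that grows by 1 for every cookie
    issued, joined to the issue time in milliseconds. Both parts are guessable."""
    return f"{counter}-{millis}"

def parse_weak_id(cookie):
    """Split 'counter-millis' into two integers."""
    counter, millis = cookie.split("-", 1)
    return int(counter), int(millis)

# ---- what a sufficient session ID looks like ----

STRONG_ID_BYTES = 32  # 256 bits from the OS CSPRNG

def strong_id():
    """A session ID with no structure to analyse: 32 random bytes, URL-safe text."""
    return secrets.token_urlsafe(STRONG_ID_BYTES)

# ---- the audit WebScarab's Session ID Analysis performs, in miniature ----

def audit_weak_ids(samples):
    """Audit WEAKID cookies observed in issue order.
    Returns a dict with:
      sequential          - the counter advances by exactly 1 between some
                            observed cookies, i.e. it is a counter, not random
      timestamp_monotonic - the second part never decreases, i.e. it is a clock
      gaps                - counters never observed, each with the timestamps of
                            the neighbouring samples that bound when it was issued
    """
    parsed = [parse_weak_id(s) for s in samples]
    pairs = list(zip(parsed, parsed[1:]))
    steps = [c1 - c0 for (c0, _), (c1, _) in pairs]
    gaps = [
        {"counter": c, "after_ms": t0, "before_ms": t1}
        for (c0, t0), (c1, t1) in pairs
        for c in range(c0 + 1, c1)
    ]
    return {
        "sequential": bool(steps) and min(steps) == 1,
        "timestamp_monotonic": all(t1 >= t0 for (_, t0), (_, t1) in pairs),
        "gaps": gaps,
    }

def effective_search_space(gap):
    """How many cookies are candidates for one skipped counter: one per
    millisecond between the bounding samples, and that count expressed in bits."""
    n = gap["before_ms"] - gap["after_ms"] + 1
    return n, math.log2(n)

# Constructed sample run: five cookies fetched about 14109 ms apart, with counter
# 16936 issued to someone else in between (the figures follow the lesson text).
SAMPLES = [
    weak_id(16933, 1163685334875),
    weak_id(16934, 1163685348984),
    weak_id(16935, 1163685363093),
    weak_id(16937, 1163685391203),
    weak_id(16938, 1163685405312),
]

if __name__ == "__main__":
    report = audit_weak_ids(SAMPLES)
    print("counter is sequential:", report["sequential"])
    print("time part is a clock:", report["timestamp_monotonic"])
    for gap in report["gaps"]:
        n, bits = effective_search_space(gap)
        print(f"missing counter {gap['counter']}: {n} candidate timestamps "
              f"(about {bits:.1f} bits of guesswork)")
    print(f"secrets.token_urlsafe({STRONG_ID_BYTES}) gives {STRONG_ID_BYTES * 8} bits, "
          f"e.g. {strong_id()}")
```

Run it as a script to see the report. The point for the defender is in the last two lines: the weak cookie's only real secret is the width of the timestamp window between two observed samples, a few tens of thousands of candidates, while the `secrets`-based token has 256 bits of entropy and neither a counter nor a clock for an analysis of this kind to anchor on.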

There is a value 16935 and a value 16937 with a numeric difference of 28110 in the time part instead of the usual 14109, so this is where the missing WEAKID cookie is located. Copy and paste the raw HTTP request into Crowbar:

Figure 3: Crowbar

Change the target to localhost and adjust the port.

Create a base response. Make sure that you see "How to hijack a session" in the middle window.

Insert ##1## in the WEAKID parameter where you want to brute-force the value, and be aware that the first part of the WEAKID is the one we are searching for (16936). The WEAKID in Crowbar looks like this: Cookie: JSESSIONID=...; WEAKID=16936-1163685##1##;
Start the first loop at 363093, the last digits of the last cookie before the authentication cookie, and end it at 363203, the first cookie after the authentication cookie. Enter these two values in the Parameter1 fields. We have to brute-force these values, but we are sure that they lie between these two boundaries.

Examine the results until you see a different fuzzy logic value (the blue line in Figure 3), then right-click it and click "Show reply".

Figure 4: Lesson 12 Completed

Solution by Erwin Geirnaert ZION SECURITY