main
project
JavaSource
WebContent
META-INF
WEB-INF
css
database
images
javascript
lesson_plans
lesson_solutions
AccessControlMatrix_files
BackDoors_files
BasicAuthentication_files
BlindSqlInjection_files
CSRF_files
ClientSideFiltering_files
ClientSideValidation_files
CommandInjection_files
ConcurrencyCart_files
DOMInjection_files
DOMXSS_files
DOS_Login_files
FailOpenAuthentication_files
ForcedBrowsing_files
ForgotPassword_files
HiddenFieldTampering_files
HtmlClues_files
HttpBasics_files
HttpOnly_files
HttpSplitting_files
InsecureLogin_files
JSONInjection_files
JavaScriptValidation_files
Lab Access Control
Lab SQL Injection
Lab XSS
LogSpoofing_files
MultiLevelLogin1_files
MultiLevelLogin2_files
PasswordStrength_files
PathBasedAccessControl_files
ReflectedXSS_files
RemoteAdminFlaw_files
SessionFixation_files
SilentTransactions_files
SoapRequest_files
SqlNumericInjection_files
SqlStringInjection_files
StoredXSS_files
ThreadSafetyProblem_files
TraceXSS_files
UncheckedEmail_files
WSDLScanning_files
WeakAuthenticationCookie_files
WeakSessionID_files
WsSAXInjection_files
WsSqlInjection_files
XMLInjection_files
XPATHInjection_files
AccessControlMatrix.html
BackDoors.html
BasicAuthentication.html
BlindSqlInjection.html
CSRF.html
ClientSideFiltering.html
ClientSideValidation.html
CommandInjection.html
ConcurrencyCart.html
DOMInjection.html
DOMXSS.html
DOS_Login.html
DangerousEval.html
Encoding.html
FailOpenAuthentication.html
ForcedBrowsing.html
ForgotPassword.html
HiddenFieldTampering.html
HtmlClues.html
HttpBasics.html
HttpOnly.html
HttpSplitting.html
InsecureLogin.html
JSONInjection.html
JavaScriptValidation.html
LogSpoofing.html
MultiLevelLogin1.html
MultiLevelLogin2.html
PasswordStrength.html
PathBasedAccessControl.html
Phishing.html
ReflectedXSS.html
RemoteAdminFlaw.html
SessionFixation.html
SilentTransactions.html
SoapRequest.html
SqlNumericInjection.html
SqlStringInjection.html
StoredXss.html
ThreadSafetyProblem.html
TraceXSS.html
UncheckedEmail.html
WSDLScanning.html
WeakAuthenticationCookie.html
WeakSessionID.html
WsSAXInjection.html
WsSqlInjection.html
XMLInjection.html
XPATHInjection.html
formate.css
lessons
users
main.jsp
sideWindow.jsp
webgoat.jsp
webgoat_challenge.jsp
config
doc
build.xml
Eclipse-Workspace.zip
HOW TO create the WebGoat workspace.txt
build.xml
eclipse.bat
readme.txt
webgoat for SQL Server.bat
webgoat.bat
webgoat.sh
webgoat_8080.bat
webscarab.bat
git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@367 4033779f-a91e-0410-96ef-6bf7bf53c507
121 lines
4.3 KiB
HTML
121 lines
4.3 KiB
HTML
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
|
<html>
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
|
<title>Session Fixation</title>
|
|
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
|
|
</head>
|
|
<body>
|
|
<p><b>Lesson Plan Title:</b> Session Fixation</p>
|
|
|
|
<p><b>Concept / Topic To Teach:</b><br/>
|
|
How to steal a session with a 'Session Fixation'
|
|
</p>
|
|
|
|
<p><b>How the attacks works:</b><br/>
|
|
A user is recognized by the server by an unique
|
|
Session ID. If a user has logged in and is authorized
|
|
he does not have to reauthorize when he revisits the
|
|
application as the user is recognized by the Session ID.
|
|
In some applications it is possible to deliver the Session
|
|
ID in the Get-Request. Here is where the attack starts.
|
|
</p>
|
|
<p>An attacker can send a hyperlink to a
|
|
victim with a chosen Session ID. This can be
|
|
done for example by a prepared mail which looks like an
|
|
official mail from the application administrator. If the victim
|
|
clicks on the link and logs in he is authorized by the
|
|
Session ID the attacker has chosen. The attacker can visit
|
|
the page with the same ID and is recognized as the victim
|
|
and gets logged in without authorization.</p>
|
|
|
|
<p><b>General Goal(s):</b><br/>
|
|
This lesson has several stages. You play the attacker but
|
|
also the victim. After having done this lesson it should be
|
|
understood how a Session Fixation in general works. It should
|
|
be also understood that it is a bad idea to use the Get-Request
|
|
for Session IDs.
|
|
|
|
</p>
|
|
|
|
<p>
|
|
<b>Solution:</b><br/>
|
|
This lesson has 4 stages. In stage 1 and 4 you are Hacker Joe
|
|
in lesson 2 and 3 you are the victim Jane.
|
|
|
|
<p>
|
|
<b>Stage 1:</b><br>
|
|
You have to send a prepared mail to Jane which looks like a mail from Goat Hills Financial with a link containing a Session ID.
|
|
The mail is already prepared. You only have to alter the link so it includes
|
|
a Session ID (SID). You can archive this by adding &SID=WHATEVER to
|
|
the link. Of course can WHATEVER be replaced by any other string.
|
|
The link should look similar to following:<br>
|
|
<a href=http://localhostattack?Screen=46&menu=320&SID=WHATEVER>
|
|
</p>
|
|
<div align="left"><font size="2">
|
|
<img src='lesson_solutions/SessionFixation_files/sf_stage1.png'><br>
|
|
<b>Figure 1: Prepared Mail</b>
|
|
</font>
|
|
</div>
|
|
|
|
<p>
|
|
<b>Stage 2:</b><br>
|
|
Now you are Jane which receives the mail you wrote in stage 1.
|
|
Point with the mouse on the link and you will notice the
|
|
SID in the status bar of your browser. This is the easiest
|
|
stage as you have only to click on the link 'Goat Hills Financial'.
|
|
</p>
|
|
<div align="left"><font size="2">
|
|
<img src='lesson_solutions/SessionFixation_files/sf_stage2.png'><br>
|
|
<b>Figure 2: Received Mail</b>
|
|
</font>
|
|
</div>
|
|
|
|
|
|
<p>
|
|
<b>Stage 3:</b><br>
|
|
You are on the login screen of Goat Financial Hills now. In
|
|
the URL is the SID visible. All
|
|
you have to do is to log in with your user name Jane
|
|
and your password tarzan.
|
|
</p>
|
|
<div align="left"><font size="2">
|
|
<img src='lesson_solutions/SessionFixation_files/sf_stage3.png'><br>
|
|
<b>Figure 3: Goat Hills Financial Login Screen</b>
|
|
</font>
|
|
</div>
|
|
|
|
<p>
|
|
<b>Stage 4:</b><br>
|
|
The application switches again to the hacker Joe.
|
|
There is already a prepared link you have to click on
|
|
to reach the Goat Hill Financial. In real life this
|
|
would be different of course. You could directly put the URL
|
|
in the address bar of your browser.<br><br>
|
|
|
|
|
|
After having clicked on the provied link you reach
|
|
Goat Hill Financial. Take a look at the URL and
|
|
you will see that your SID is NOVALIDSESSION.
|
|
Change this string to the SID you have chosen
|
|
at the beginning of this lesson and hit enter.</p>
|
|
<div align="left"><font size="2">
|
|
<img src='lesson_solutions/SessionFixation_files/sf_stage4_1.png'><br>
|
|
<b>Figure 4: Browser Address Bar Before Changes</b>
|
|
<br><br>
|
|
<img src='lesson_solutions/SessionFixation_files/sf_stage4_2.png'><br>
|
|
<b>Figure 5: Browser Address Bar After Changes</b>
|
|
</font>
|
|
</div>
|
|
<br><br>
|
|
Congratulation! You are logged in as Jane
|
|
and the lesson was successful.
|
|
<div align="left"><font size="2">
|
|
<img src='lesson_solutions/SessionFixation_files/sf_success.png'><br>
|
|
<b>Figure 6: Successful Completion Of The Lesson</b>
|
|
</font>
|
|
</div>
|
|
|
|
|
|
</body>
|
|
</html> |