06-Session Security

This document describes several session security labs where students can practice attacking session implementations by hijacking sessions, fixing sessions, performing CSRF and XSRF attacks, stealing session cookies, and guessing session IDs. It provides URLs, credentials, and brief descriptions of vulnerable web applications that can be used to practice these techniques.

Uploaded by Saw Gyi

© 2018 Caendra Inc. | Hera for WAPTv3 | Session Security 1


In these Session Security labs, the student can practice attack techniques against session
implementations, such as session hijacking, session fixation, XSRF, cross-domain data stealing,
session ID guessing and much more.

Once you are connected in VPN to the lab environment, all the web applications will be
available at the following URL: http://info.session.site/.

There are three main sections for each type of lab: Video, Lab, Challenges.

• The Video section contains the web applications used during the video lessons. If you
need any information about the scenario, the attacks and so on, please refer to the
corresponding video.
• The Labs section contains web applications where you can practice the techniques of the
specific module; these labs have solutions, which you can find later in this manual.
• Challenge labs do not have solutions; otherwise, why call them challenges? If you
study the course and think like a penetration tester, you will achieve the goal!

The best tool is, as usual, your brain. Then you may need:

• Web Browser
• Burp Suite

Once you have your virtual network ready, configure the following IP address as default
DNS: 10.100.13.37

• WINDOWS: change the properties of the TAP network device, adding the IP address of
the server as the first DNS server.
• LINUX: add an entry with the IP address of the server to the /etc/resolv.conf file.



Please use these credentials to log into the following web applications:

Web app                              Username   Password
http://sessionhijacking.site         atk        atk
All Arrogant Bank labs (attacker)    mike       ABC7d8z1
All Arrogant Bank labs (victim)      jason      8AqL168a
Tomato lovers 3                      tom        tomtom
Foo Hosting 3                        cmartin    ILoveMum



Arrogant Bank, Inc. is a bank with a modern web interface that will let you perform a
number of operations, such as displaying how much money you have in your account.

Users can access their personal account via a login.

This web application suffers from bad session management. The session identifier is stored
in a cookie and is represented by a numeric value. It is created and incremented (from the
last assigned sessionID) each time a customer logs into the system. By exploiting this
weakness, an attacker can guess a valid session identifier assigned to another logged-in
user and impersonate his session.

• Impersonate the session of a different logged-in user

• How the session mechanism works
• How to understand the importance of the sessionID generation mechanism
• How to guess a valid sessionID
• How to use Burp proxy to update the session cookie



Arrogant Bank Inc. is a bank with a modern web interface that will let you perform a
number of operations, such as ….hmmm…. knowing how much money you have in the
account.

Users can access their private area through credentials.

Arrogant Bank includes an important feature: a feedback area where users can leave
comments and suggestions about services offered by the online bank.

The web application is affected by a persistent XSS. Sessions are implemented through
cookies, and the cookies do not have the HttpOnly flag set.

To install a persistent XSS on the feedback page that will steal the Session cookie.

• How the session mechanism works
• Understanding session cookies
• How to exploit persistent XSS
• How to hijack sessions through XSS



Arrogant Bank Inc. is a bank with a modern web interface that will let you perform a
number of operations, such as ….hmmm…. knowing how much money you have in the
account.

Users can access their private area through login.

The web application suffers from a session fixation vulnerability. The sessionID is embedded
in the URL and can be “fixated” by an attacker and used to impersonate the victim.

To ride your victim’s session by fixating an arbitrary Session ID.

• How the session mechanism works
• How to impersonate sessions through session fixation



Arrogant Bank Inc. is a bank with a modern web interface.

Customers can access their private area providing valid credentials. The private area
allows them to use the e-Transfer feature to send money directly to other customers with a
checking account in the same bank.

The web application suffers from a CSRF vulnerability. An attacker can induce a logged-in
user to perform a money transfer simply by letting the victim visit a malicious page. This
page is under the attacker’s control and is hosted on a third-party domain (different from
the bank domain).

Forcing a logged customer to perform a money transfer through a CSRF.

• How the session mechanism works
• CSRF vulnerabilities
• How to exploit a CSRF vulnerability



Arrogant Bank Inc. is a bank with a modern web interface.

Customers can access their private area providing valid credentials.

Moreover, they can check their balance and through the e-Transfer feature send money
directly to other customers with a checking account in the same bank.

The web application stores information about the checking accounts in JavaScript. This
vulnerability could permit an attacker to create a malicious page that steals information
about the customer visiting it.

Stealing checking account information of a logged customer.

• How to perform cross-domain attacks
• How to steal information from JavaScript files



Arrogant Bank Inc. is a bank with a modern web interface that will let you perform a
number of operations, such as ….hmmm…. knowing how much money you have in the
account.

Users can access their private area through login.

The web application suffers from bad session management. The session identifier is stored
in a cookie, and it is generated by combining a fixed component and a random one. Simply
by analyzing in more depth how the sessionIDs are generated, an attacker can guess which
sessionID is used by the victim and impersonate his session.

Impersonate the session of a logged user

• How the session mechanism works
• How to understand the quality of the sessionID generation mechanism
• How to guess a valid sessionID
• How to use Burp proxy to update the session cookie
• How to use Burp to analyze the quality of the sessionID generation mechanism
(Burp Sequencer)
• How to use Burp Intruder



Tomato is a small website for Tomato fans. They share recipes and photos of delicious
tomatoes. There is a Blogging feature that enables members to post their own articles on
the website if they are authenticated.

• You are given the username tom and password tomtom.

You have to exploit a CSRF vulnerability present in the web application. You are required to
build an exploit so that a new blog post, authored by “Admin,” will appear on the blogs page
as soon as the Admin visits the blogs page (so just admin’s visit to a page will trigger the
exploit and make an embarrassing blog post appear).

You do not know Admin’s credentials, and you do not have to find them.

A CSRF payload can be triggered by having the victim surreptitiously issue an HTTP
request that performs some action on his behalf “riding” his authenticated session.

As soon as you have built your payload, you can simulate an authenticated visit of the
Admin to the blogs page by clicking the link that you find on the top right of the Blogs page.

• If you manage to have the Admin post a message, you will find the secret
within the blog post.



Foo Hosting is a hosting website offering the cheapest web hosting services on the web. Like
every web hosting company, Foo Hosting provides its customers with very competitive rates,
support tickets, and other related services.

The web application is vulnerable to “unrestricted file upload,” and your goal is to catch
some information about your competitor: William Lete!

We know that Mr. Lete has a problem with a server. He has just opened a ticket asking for
support. We also know that he has sent the server address and the RDP credentials!

Oh, one more thing. Mr. Lete has forgotten to logout, and so his session is still alive.

You are Martin Cameron; your credentials are cmartin/ILoveMum.

• You have to find the RDP password and the session identifier related to his
session (the content of the cookie PHPSESSID)



Please go ahead, only if you are really stuck or if you have
completed the labs.



Run Burp Suite, configure your scope and configure the Proxy to intercept requests.

Open the attacker’s browser (e.g., Mozilla) and go to the main page of the web application.
Login using the following credentials:

• Username: mike
• Password: ABC7d8z1

Through Burp proxy, you will notice that after a successful login, a cookie has been
installed on the attacker’s browser. The cookie has the following data:

• Name: SESSID
• Value: 0000001

Cookie SESSID, as the name suggests, is used by the web application to manage the session
mechanism. Through this id, the web server binds HTTP requests coming back from Mike’s
browser to his account data stored on the web server and will not ask for credentials again
(the web server retains that status through different pages).



Note that the session cookie has been installed on the browser. If you delete browser
cookies or simply change browsers, you must login again.

You probably noticed that the value of sessionID is represented by the string 0000001, so
its numerical value is 1. Keep this value in mind.

The image above shows an HTTP request sent by the browser to request the myaccount
page. The Cookie header used by the session mechanism allows the web server to
recognize the logged-in user.

The attacker’s goal is to determine any correlation between two session identifiers
provided by the web application. We can get another sessionID and compare them both.

The simplest way to obtain a new sessionID is to login again. Use the same credentials:

• Username: mike
• Password: ABC7d8z1

Through Burp proxy, you will notice that after the second login the following cookie is
installed on the browser:

• Name: SESSID
• Value: 0000002



If you remember the previous sessionID, you may already have noticed that the new
sessionID is the old one incremented by 1.

It seems that sessionIDs are just incremented each time a user performs a successful login.
This is a seriously vulnerable way to manage sessions and allows an attacker to easily guess
the sessionIDs of other logged-in users.

We can conclude that the session identifier provided by the web application is predictable
and that the web application suffers from the predictable session identifier vulnerability.

A successful attack involves a malicious user predicting an active sessionID numerically
close to the one assigned to the other user on their login.

Open a second browser (for example, Google Chrome) and login with the following
credentials:

• Username: jason
• Password: 8AqL168a



You are the victim, and you are given a new session ID.

As the attacker, now you should guess a valid session identifier used by another logged-in
user. You know that the last identifiers assigned were 0000001 and 0000002.

So, you should start checking sessionID’s from 0000003.

This will be someone who has logged-in to the web application after you.

You can use Burp proxy to intercept your attacking requests and change the value of the
sessionID before the requests are sent to the server.

When Burp alerts you about a new intercepted request, update the cookie with the value
0000003 and forward the request.



Alternatively, you can use Cookie Monster or any other means to modify the cookie in your
web browser.

When we issue this request, we are impersonating another user account. The new
sessionID you used was actually assigned by the web application to another user: Jason.



Let us analyze the security of a session ID using a tool like Burp Sequencer.

Please note that Burp uses the term “token” to refer, in a more generic manner, to all ID’s
generated by a web application that are supposed to be random or unpredictable.

Identify the login request within Burp and send it to Sequencer.

The request must be one that will, in the response, set the session cookie.

Now we will work on the HTTP response that will set our session cookie. We will do a
manual selection, highlighting the sessionID within the Set-Cookie header in the
response. The sequencer will immediately identify a pattern to extract the sessionID.



At this point, we can click on Start capture (screen above) to perform a number of logins
and to obtain a corresponding number of session ID’s to be analyzed. A minimum of 100
tokens is necessary to perform an analysis.

Click on Analyze when you are done. This will be the result:



Of course, the randomness of the session ID’s is recognized by Burp as extremely poor, and
there really is no entropy.

Please note that for more reliable statistical analysis, you will have to collect many more
than 135 tokens (around 1000 begins to be acceptable).



This type of attack requires the attacker to interact in some manner with the victim. Tasks
marked in red are run by the attacker, while tasks in green are run by the victim.

Open the browser (for example Mozilla) and go to the main page of the web application.
Login with the following credentials:

• Username: mike
• Password: ABC7d8z1

The web form in the feedback area suffers from a persistent XSS in the message parameter.
The attacker can exploit this vulnerability to steal visitors’ session cookies.



As the attacker, you want to execute JavaScript through the persistent XSS. This JavaScript
is meant to read the victim’s cookie and to give it to you in some way.

You have multiple ways to do so. For example, you can have a server listening for cookies.
In this case, we will see a very simple way to accomplish the task. The following code will
steal the session cookie of any visitor and will insert it in a hidden block of the feedback
page permanently. This way, you can come back to the page later and see sessionID’s in the
web page source code.

Note that cookie stealing is possible only because it can be accessed by JavaScript
(HttpOnly flag is not set).
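As an added, defender-side example that is not part of the lab manual, the following Python function audits a Set-Cookie header for the attributes that would have blocked this theft and the session riding of the later labs: HttpOnly (no document.cookie access), Secure, SameSite, and a non-numeric value. The two sample headers are constructed here; the weak one mirrors the SESSID cookie seen in the first lab, and the function and class names are assumptions.

```python
# Added example (not the lab's code): audit a Set-Cookie header for the attributes that
# limit session-cookie theft and session riding. Sample headers are constructed.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class CookieAudit:
    name: str
    value: str
    attributes: Dict[str, object] = field(default_factory=dict)
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Split a Set-Cookie header value into name, value and attributes.

    Attribute names are lower-cased; flag attributes (HttpOnly, Secure) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    audit = CookieAudit(name=name.strip(), value=value.strip())
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        audit.attributes[key.strip().lower()] = val.strip() if sep else True
    return audit


def audit_session_cookie(header: str, served_over_https: bool = True) -> CookieAudit:
    """Return the parsed cookie with one finding per missing or weak protection."""
    audit = parse_set_cookie(header)
    attrs = audit.attributes
    if attrs.get("httponly") is not True:
        audit.findings.append(
            "missing HttpOnly: document.cookie can read the session ID (XSS cookie theft)")
    if served_over_https and attrs.get("secure") is not True:
        audit.findings.append("missing Secure: cookie is also sent over plain HTTP")
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        audit.findings.append(
            "SameSite not Lax/Strict: cookie rides along on cross-site requests (CSRF)")
    if audit.value.isdigit():
        audit.findings.append("numeric session ID: check whether it is sequential/predictable")
    return audit


# Constructed headers: the lab's weak cookie and a hardened equivalent.
WEAK_HEADER = "SESSID=0000001; Path=/"
HARDENED_HEADER = "SESSID=ovCx25cVNDS0fSCrWyAr; Path=/; HttpOnly; Secure; SameSite=Lax"

if __name__ == "__main__":
    for header in (WEAK_HEADER, HARDENED_HEADER):
        print(header)
        for finding in audit_session_cookie(header).findings or ["no findings"]:
            print("  -", finding)
```

The audit is deliberately header-only: it runs over a captured Set-Cookie line (from Burp or a log) without needing the application, which makes it usable as a quick check in a review or a CI test against a staging deployment.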

The XSS payload is embedded within the message of the feedback. This is a proposed
payload:

<div style="display: none;">
<img src="fgfdgNotExistent" onerror="document.getElementById('form').onsubmit=function () {
var hidden='<span style=\'display:none;\'>'+document.cookie+'</span>';
document.getElementById('message').value+=hidden;}"/>
</div>



The payload will:

1. Create a hidden div below the actual message: <div style="display: none;">
This div will contain the actual payload and is used to hide the image.
2. Create an image with a non-existent path. This will trigger an error (because
the image cannot be found), caught by the onerror event, that contains the
actual payload: <img src="fgfdgNotExistent" onerror=[PAYLOAD]
3. The payload will simply create a hidden span that will contain the value of the
document.cookie object. This span will be appended to the object with ID
message. This object happens to be the textarea form element that the victim
will have to submit.
4. What happens is: the victim will submit his own message plus his own session
cookie. Evil eh?



To mimic the victim, open a second browser (for example Google Chrome), and log in with
the following credentials:

• Username: jason
• Password: 8AqL168a

Head to the Feedback page. This page contains the malicious code. Can you see it? If all
went well in Task 2, you should NOT notice anything suspicious.



Leave your feedback:

Done. You can now close the browser.



By inspecting the source code of the feedback page, you can get the stolen cookie info. It
has been posted in a hidden span by the victim user.

This kind of exploitation is a variation of what you find everywhere on the internet, a small
web server that receives the cookie sent by the JavaScript Payload.

Feel free to create your own JavaScript payload to retrieve the session cookie without
leaving traces on the web page source code.



As the attacker, open the browser (for example Mozilla) and go to the main page of the web
application. You will notice that the URL of the index page includes the following string:

• SESSID = <randomToken>

As you can see, the sessionID is embedded in the URL, and it has been assigned by the web
server even though the visitor is not authenticated.

The attacker can perform a login operation with his credentials:

• User: mike
• Password: ABC7d8z1

After login, the sessionID is not regenerated, so the web application is vulnerable to
session fixation attacks.
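The following Python session store is an added example, not the bank application's code, that reproduces the vulnerable behaviour just described next to the standard fix: a server that adopts a caller-supplied SESSID and keeps it across login can be fixated, while one that only honours IDs it issued itself and rotates the ID at login cannot. The SESSID value reused here is the one from the lab's forged URL; the class and function names are assumptions.

```python
# Added example (not the lab application's code): an in-memory session store that can be
# configured to behave like the vulnerable bank (adopt a caller-supplied session ID, keep
# it across login) or like a fixed one (ignore unknown IDs, rotate the ID at login).
import secrets
from typing import Dict, Optional


class SessionStore:
    def __init__(self, rotate_on_login: bool, accept_unknown_ids: bool) -> None:
        self.rotate_on_login = rotate_on_login
        self.accept_unknown_ids = accept_unknown_ids
        self._sessions: Dict[str, dict] = {}  # session ID -> session data

    @staticmethod
    def _new_id() -> str:
        return secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG

    def visit(self, presented_id: Optional[str]) -> str:
        """Handle the first request; return the ID the client must use from now on."""
        if presented_id in self._sessions:
            return presented_id
        if presented_id is not None and self.accept_unknown_ids:
            # Vulnerable: adopt whatever SESSID the URL carried, even one nobody issued
            self._sessions[presented_id] = {"user": None}
            return presented_id
        sid = self._new_id()  # fixed: only the server chooses session IDs
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, username: str) -> str:
        """Authenticate the session and return the ID that is valid after login."""
        if sid not in self._sessions:
            raise KeyError("unknown session")
        if not self.rotate_on_login:
            self._sessions[sid]["user"] = username  # vulnerable: pre-login ID survives
            return sid
        del self._sessions[sid]  # fixed: invalidate the pre-login ID ...
        new_sid = self._new_id()  # ... and bind the login to a fresh one
        self._sessions[new_sid] = {"user": username}
        return new_sid

    def whoami(self, sid: str) -> Optional[str]:
        return self._sessions.get(sid, {}).get("user")


def vulnerable_store() -> SessionStore:
    return SessionStore(rotate_on_login=False, accept_unknown_ids=True)


def hardened_store() -> SessionStore:
    return SessionStore(rotate_on_login=True, accept_unknown_ids=False)


def fixation_scenario(store: SessionStore) -> dict:
    """Replay the lab: the victim opens a link carrying fixed_id and logs in with it."""
    fixed_id = "ovCx25cVNDS0fSCrWyAr"  # the SESSID value from the lab's forged URL
    victim_sid = store.visit(fixed_id)
    after_login = store.login(victim_sid, "jason")
    return {
        "attacker_sees": store.whoami(fixed_id),  # who the fixed ID resolves to afterwards
        "id_rotated": after_login != fixed_id,
    }


if __name__ == "__main__":
    print("vulnerable:", fixation_scenario(vulnerable_store()))
    print("hardened:  ", fixation_scenario(hardened_store()))
```

Both halves of the fix matter: rotating at login alone would still let the attacker's pre-chosen ID exist as an anonymous session, and refusing unknown IDs alone would not help if the attacker can obtain a legitimately issued ID (for example from the URL of the public index page, as in this lab) and hand that one to the victim.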

What we need to do is to force the victim to login to the vulnerable website using a URL
that contains an arbitrary sessionID.

SESSID=ovCx25cVNDS0fSCrWyAr

We can send it by e-mail, social networks, or by any other means.



The image shows a Skype conversation where the attacker interacts with the victim, sending
the malicious link.

To mimic the victim, open a second browser (for example Google Chrome), use the link
forged at the previous step and log in with the following credentials:

• Username: jason
• Password: 8AqL168a

The victim (you in this case) has successfully logged in using a SessionID that had been
selected by the attacker!

Now, the session is owned by the victim, and its ID is known by the attacker. Please note
that the victim will NOT notice anything suspicious because log-in operation went through
just fine.



You, as the attacker, can just reload the page using the fixated session and verify that you
are now in Jason’s account.

You do not know Jason’s credentials but thanks to the Session Fixation vulnerability, you
have successfully exploited his session.



This type of attack requires the attacker to interact in some manner with the victim. Tasks
marked in red are run by the attacker, while tasks in green are run by the victim.

Open the attacker browser (for example Mozilla) and go to the Arrogant Bank home page.
Login with the following credentials:

• Username: mike
• Password: ABC7d8z1

You will notice that ArrogantBank is offering a new service: e-Transfer. With this feature, a
logged-in user will be able to send money to another customer of the same bank.

Let us examine how the service works. To do this, we will enable Burp proxy to intercept
all the HTTP requests leaving the browser. After that, we will start a test money transfer,
and we will observe which parameters are sent by the browser with the requests.



After pressing the submit button, Burp proxy will intercept the following request:

Please note that the money transfer is performed using an HTTP request and that the
following parameters are embedded in the URL:

• accountNumber – receiver’s account number
• swift – receiver’s SWIFT code
• amount – amount of money to transfer

There is no unpredictable token sent with the request, so you can conclude that the web
application is vulnerable to CSRF in the script startCreditTransfer.php.



The attacker must build a payload to force the victim into sending him money. Therefore,
the payload will include the attacker account number and the desired money:

• accountNumber : 99999999992
• swiftCode : B4F15S6S
• amount : <wanted Money>

According to the web application logic, the payload will be embedded in the following URL:

http://<webSite>/startCreditTransfer.php?amount=100&accountNumber=99999999992&swift=B4F15S6S

By simply loading that URL, an authenticated victim will send money to the attacker.

There are many ways to let a logged user load a URL. The most trivial is to send a link to the
victim in hope that he will click on it.

In this case, the victim could become suspicious, as he would see the webpage of
ArrogantBank with the result of the money transfer.

Another, better and stealthier, way to achieve the same goal is to embed the CSRF payload
URL in the SRC attribute of an Image within an HTML page. Same-origin does not apply; we
are just requesting an external resource without having to read the response.

The Image tag can be embedded in any page that the victim trusts (Facebook, Third party
Forums, Your website)

This method works best for a number of reasons:

• CSRF payload with the suspicious request won’t appear in the link that we send
to the victim
• The victim doesn’t see the output of the request
• Higher chances that the victim will visit the page with the Image than a link that
includes long and suspicious content

Therefore, the attacker can use a personal website under his control on a different domain
to host the following malicious code:



<div id="attackPoint" style="display:none;"> <img src="http://s1-183l1s6w8g.roma.coliseumlab.net/startCreditTransfer.php?amount=100&accountNumber=99999999992&swift=B4F15S6S" /> </div>

For educational purposes, we have already created a feedback message from an attacker.
This message has a link to a page that embeds the above image. When you visit the
feedback page you should see it (the screenshot highlights the link to the malicious page).

The My site input field of the form was used to include the link.



Now let us pretend to be a victim. Open a second browser (for example Google Chrome),
and log in with the following credentials:

• Username: jason
• Password: 8AqL168a

Note that you should have $2599 in your account. Whatever the amount is, please note it
down.

Now move to the feedback area. Please click on the link to the malicious page.

When you do, you will land on the attacker’s web page that embeds the malicious hidden
image. You can verify this by inspecting the web page source code:



By now, the Arrogant web server has processed the money transfer request in the
background as if it had been initiated voluntarily by the victim.

Now visit your Myaccount page again and verify your total money.

It should be $100 less than before. Where did those dollars go?

You can just log in again as Mike and see ☺

The attack has been completed!

Note that if web application had had an anti-CSRF token, the attacker could not have built
the URL payload without guessing that token. Any unpredictable token would have made
the application safe from CSRF.
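As an added example, not the Arrogant Bank code, here is the anti-CSRF token check described above modelled in Python: the endpoint expects a per-session synchronizer token that only the bank's own form carries, so the hidden-image request, which the browser sends with the session cookie but without the token, is refused while the legitimate form submission goes through. The account number, SWIFT code, amount and Jason's starting balance are the lab's values; the class and function names and the account-to-customer mapping are assumptions.

```python
# Added example (not the lab's code): a synchronizer-token check in front of the transfer
# endpoint, modelled as plain Python so the forged <img> request and the legitimate form
# submission can be compared offline. Account mapping and balances are constructed.
import hmac
import secrets
from typing import Dict, Optional

ACCOUNTS = {"99999999992": "mike"}  # receiver account number -> customer (constructed)


class Bank:
    def __init__(self, require_token: bool) -> None:
        self.require_token = require_token
        self.sessions: Dict[str, dict] = {}  # session ID -> {"user", "csrf"}
        self.balances = {"jason": 2599, "mike": 0}  # the lab's starting balance for Jason

    def login(self, username: str) -> str:
        sid = secrets.token_urlsafe(16)
        # One unguessable token per session; it is written into the bank's own form only
        self.sessions[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
        return sid

    def transfer_form(self, sid: str) -> Dict[str, str]:
        """Hidden fields the legitimate e-Transfer form carries."""
        return {"csrf": self.sessions[sid]["csrf"]}

    def start_credit_transfer(self, sid: Optional[str], params: Dict[str, str]) -> str:
        sess = self.sessions.get(sid or "")
        if sess is None:
            return "302 redirect to login"
        if self.require_token:
            # Constant-time compare; a page on another origin cannot read this value
            if not hmac.compare_digest(sess["csrf"], params.get("csrf", "")):
                return "403 missing or invalid CSRF token"
        receiver = ACCOUNTS.get(params.get("accountNumber", ""))
        amount = int(params.get("amount", "0"))
        if receiver is None or amount <= 0 or self.balances[sess["user"]] < amount:
            return "400 bad transfer"
        self.balances[sess["user"]] -= amount
        self.balances[receiver] += amount
        return "200 transfer completed"


def forged_image_request(bank: Bank, victim_sid: str) -> str:
    """What the lab's hidden <img src=...startCreditTransfer.php?...> causes: the browser
    attaches the session cookie, but the attacker's URL carries no token."""
    params = {"amount": "100", "accountNumber": "99999999992", "swift": "B4F15S6S"}
    return bank.start_credit_transfer(victim_sid, params)


def legitimate_request(bank: Bank, sid: str) -> str:
    params = {"amount": "100", "accountNumber": "99999999992", "swift": "B4F15S6S"}
    params.update(bank.transfer_form(sid))  # the real form includes the token
    return bank.start_credit_transfer(sid, params)


def scenario(require_token: bool) -> dict:
    bank = Bank(require_token)
    jason = bank.login("jason")
    forged = forged_image_request(bank, jason)
    legit = legitimate_request(bank, jason)
    return {"forged": forged, "legitimate": legit, "jason_balance": bank.balances["jason"]}


if __name__ == "__main__":
    print("no token check:", scenario(require_token=False))
    print("token check:   ", scenario(require_token=True))
```

A SameSite=Lax or Strict attribute on the session cookie would stop this particular image-based request as well, since the browser would not attach the cookie to it; the token is still the primary control because it also covers cases SameSite does not (same-site subdomains, older clients, top-level navigations under Lax).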



This type of attack requires the attacker to interact in some manner with the victim. Tasks
marked in red are run by the attacker, while tasks in green are run by the victim.

Open the attacker browser (for example Mozilla) and go to the Arrogant Bank home page.
Login with the following credentials:

• Username: mike
• Password: ABC7d8z1

Enable Burp proxy to intercept all the HTTP responses coming to the browser.

You can see that checking account information is stored in JavaScript variables, provided
by the URL balance.php. This resource acts as a JavaScript library file so that it can be
imported by any web page regardless of its domain origin.



The attacker can build an html page in a domain under his control. This page will access
the JavaScript variables owned by the unlucky bank customer.

The exploit code will have a similar structure:

Note that the JavaScript variables can be loaded only if a logged user loads the malicious
page. Unauthenticated users will get an empty file.



To be sure the page is loaded by an authenticated user, the attacker can use the Feedback
area to spread a link to his malicious web site. A customer opening that link will become a
victim.

Open a second browser (for example Google Chrome), and login with the following
credentials:

• Username: jason
• Password: 8AqL168a



Go to the feedback area and open the link provided by Mike.

The browser will load the JavaScript variables related to the logged session and will steal
checking account information:

For education purposes, the malicious page will show you all the stolen information. In a
real-world attack, this information is secretly retrieved and collected by the attacker.



Run Burp Suite, configure your scope and configure the Proxy to intercept requests.

Open the attacker browser (for example Mozilla) and go to the main page of the web
application. Login with the following credentials:

• Username: mike
• Password: ABC7d8z1

The web application assigned the following sessionID: 0116d696b65

Unlike the previous lab, this sessionID does not seem to be a numerical value.

Let us analyze the quality of the sessionIDs assigned by the web application using a tool
like Burp Sequencer. Our goal is to analyze possible correlations between sessionIDs.

Please note that Burp uses the term “token” to refer, in a more generic manner, to all those
ID’s generated by a web application that are supposed to be random or unpredictable.

Identify the login request within Burp and send it to Sequencer.



The request must be exactly the one that will, in return, set the session cookie in the
response.

Now we will work on the HTTP response that will set our session cookie. We will do a
manual selection, highlighting the sessionID within the Set-Cookie header in the
response. Sequencer will immediately identify a pattern to extract the sessionID.

At this point, we can click on Start capture (screen above) to perform a number of logins
and to obtain a corresponding number of session ID’s to be analyzed. A minimum of 100
tokens is necessary to perform an analysis.



Click on Analyze now once done. This will be the result:

Of course, the randomness of the sessionIDs is recognized to be extremely poor, and there
is really no entropy.

Please note that for more reliable statistical analysis you will have to collect many more
than 135 tokens (around 1000 begins to be acceptable).



Now let us analyze the randomness of each character composing the sessionID.

The chart shows that the characters at the second and third positions are generated in a
random manner, while all the other positions always assume the same values.

Coming back to our sessionID (the one received at the first login), we have highlighted in
green the random portion of the sessionID:

0116d696b65

We can conclude that sessionIDs include a fixed component (9 chars) and a random
component (2 chars).

However, the fixed component could depend on the currently logged-in user or on some
other field (hidden to us). Therefore, we are not sure that it is the same for all the users.

Before brute-forcing the web application, let us take a closer look at the trailing fixed
component, in our case 6d696b65.



At first sight, it seems to be the result of a well-known function. If you analyze it more
deeply, you will find out that it is the hexadecimal encoding of the string ‘mike’.

Now we can depict the structure of our sessionID:

0<XX><hex(loggedUsername)>

So, for a given username, only two characters are actually generated in a random manner.
However, if the attacker does not know the username of the logged-in victim, the previous
statement is wrong!
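The per-position analysis that Burp Sequencer's character-level chart performs, and that this lab and the first one (sequential sessionIDs) relied on, can be reproduced with a few lines of Python. The following is an added example, not Burp's or the lab's code: it computes the Shannon entropy of each character position over a token sample, lists the positions that never change, and tries to decode the trailing fixed run as hex-encoded ASCII, which recovers the username exactly as described above. Three samples are constructed inline (sequential counters like the first lab, the 0<XX><hex(username)> structure of this lab, and random hex) using a seeded random.Random so the run is reproducible; a real server must generate sessionIDs with the secrets module, and the function names are assumptions.

```python
# Added example (not from the lab or from Burp): per-position analysis of a token sample,
# the kind of check Burp Sequencer's character-level view performs, run over three
# constructed samples. random.Random with a seed keeps the samples reproducible; a real
# server must generate session IDs with the secrets module instead.
import math
import random
from collections import Counter
from typing import List, Optional


def sequential_tokens(n: int) -> List[str]:
    return [f"{i:07d}" for i in range(1, n + 1)]  # 0000001, 0000002, ... (first lab)


def lab_style_tokens(n: int, username: str = "mike", seed: int = 1) -> List[str]:
    rng = random.Random(seed)
    suffix = username.encode("ascii").hex()  # "mike" -> "6d696b65"
    return ["0" + f"{rng.randrange(256):02x}" + suffix for _ in range(n)]


def random_hex_tokens(n: int, width: int = 12, seed: int = 2) -> List[str]:
    rng = random.Random(seed)
    return ["".join(rng.choice("0123456789abcdef") for _ in range(width)) for _ in range(n)]


def position_entropy(tokens: List[str]) -> List[float]:
    """Shannon entropy in bits of the character at each position across the sample."""
    width = len(tokens[0])
    if any(len(t) != width for t in tokens):
        raise ValueError("tokens must have equal length")
    n = len(tokens)
    result = []
    for i in range(width):
        counts = Counter(t[i] for t in tokens)
        result.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return result


def fixed_positions(tokens: List[str]) -> List[int]:
    """Positions whose character is identical in every token of the sample."""
    return [i for i, h in enumerate(position_entropy(tokens)) if h == 0.0]


def decode_fixed_suffix(tokens: List[str]) -> Optional[str]:
    """If the trailing run of fixed positions is hex-encoded ASCII, return the decoded string."""
    fixed = set(fixed_positions(tokens))
    start = len(tokens[0])
    while start - 1 in fixed:
        start -= 1
    suffix = tokens[0][start:]
    if not suffix:
        return None
    try:
        return bytes.fromhex(suffix).decode("ascii")
    except ValueError:  # odd length, non-hex characters, or non-ASCII bytes
        return None


if __name__ == "__main__":
    for label, sample in (("counter", sequential_tokens(200)),
                          ("lab style", lab_style_tokens(200)),
                          ("random hex", random_hex_tokens(200))):
        ent = [round(h, 2) for h in position_entropy(sample)]
        print(f"{label:11s} fixed={fixed_positions(sample)} entropy/pos={ent} "
              f"suffix={decode_fixed_suffix(sample)!r}")
```

The same sample-size caveat the manual gives for Sequencer applies here: a position that looks fixed in a small sample may simply not have varied yet, so the fixed-position list is evidence to confirm against more captures, not a proof. A 12-character random hex token shows close to the 4-bit maximum at every position, which is what a properly generated identifier looks like under this test.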

This is a classic example where the human interaction is fundamental to the pentesting
process.

We can conclude that the guessing attack can be run easily if the attacker knows the
victim’s username, because he will have to brute-force only two components of the sessionID.

Otherwise, the attack could be very hard, because he will have to brute-force 2 + N
components of the sessionID, where N is the length of the victim’s username, which is not
known.

Open a second browser (for example Google Chrome) and login with the following
credentials:

• Username: jason
• Password: 8AqL168a

As a victim, you are now given a new session ID.



As the attacker now, you must guess a valid session identifier used by another logged user.
If you know the victim username, the attack will be fast because the sessionID has a fixed
component depending on the username. And you know it, it’s jason.

• ‘jason’ converted to hexadecimal is 6a61736f6e

Therefore, the sessionID has this format:

0XY6a61736f6e
Now we must bruteforce only the green portion of the previous wildcard.

We can use Burp Intruder to start this attack. We will use the myaccount.php page as target
because the HTTP response from this page returns the status code 200 if the request has
been authenticated (so with a right sessionID) and the status code 302 otherwise.

Burp intruder will perform HTTP requests to the myaccount.php page specifying a
different sessionID to each attempt.



Let us configure Burp Suite Intruder:

1 – Select the element you want to brute-force by enclosing it between two § characters.



2 – Select the type of attack (brute force), the character set and the length.



3 – Start the attack

Now Burp Suite is performing HTTP requests to the myaccount.php page.

When all the HTTP requests have been performed, analyze the responses. All the responses
will have a status code 302 except the authenticated request.

You can also add grep-match options for the username, since the application shows (in
myaccount.php) the username of the logged-in user, or use the Filter options.

Therefore, you will analyze only the HTTP response returning a 200 status code. You will see
that the guessed sessionID is 0236a61736f6e.
