Breaking the Sessions

Sessions are important for security. If an attacker can break the session/cookie of an active user, then he or she can access that account as the user without any password. Some attackers don't care about it, maybe because they don't know much about it or they find it boring. But how does a serious hacker take advantage? Do they just want to get the password easily, or just by a SQL injection? No, it is not. Actually, a serious hacker looks for a hint (a simple vulnerability + free simple tools) which lets him go ahead. Anyway, I will explain a little about breaking sessions, because you need to research yourself to learn something good.



When we deal with sessions:

When we register to a website, we can log in, transfer data etc. The session is active until we log out. If the site did not manage sessions for an active account, then we would need to log in every second.
Anyway, when the user logs in, the website saves the session for the next login (a cookie?). What about when we see something like "Keep me logged in always on this site"? Even if you browse the site after 3 days, you will still see that you are logged in without a username and password. So if we attempt to log in for the first time against a website, then the site will do:

1. Set a cookie = dXNlcj1leHBsb2l0O2VtYWlsPXNlY0Bkb21haW4uY29tO2lwPTEuMS4xLjE7

2. Session = dXNlcj1leHBsb2l0O2VtYWlsPXNlY0Bkb21haW4uY29tO2lwPTEuMS4xLjE7

So I think that now you know how a "session" works.


If the session is compromised by someone, then he/she can use this session to log in as the user without any password.

How a hacker can break the sessions:

There are some ways of breaking sessions. Developers often make mistakes when managing sessions. The most common vulnerabilities are:

1. Time based.
2. Meaningful.
3. Predictable.

Just for understanding, I am explaining the "meaningful session" vulnerability.

Suppose we log in to our bank "www.bank.com" and our username is "exploit" and password "SecUritYY". After logging on to the site we see in the address bar that the URL is like:

http://www.bank.com/accounts/hacker/test/index.php?phpsessionid=dXNlcj1leHBsb2l0O2VtYWlsPXNlY0Bkb21haW4uY29tO2lwPTEuMS4xLjE7
The URL address is really doubtful. It is using base64 as the session id. So if we decode the base64 value, then we get:

user=exploit;email=sec@domain.com;ip=1.1.1.1;

We see some juicy information but not the password. But still we can use this session to attack other accounts. How?

If we know any correct username, email, ip (requires some social engineering?), then we can make a new session to break the target account. For example, our victim's information (I got some information by SE):

user: dollar
email: giveme@victime.org
ip: 1.1.1.2 (Lol, this fool clicked on a link)

Now we can encode this information as base64 and edit your cookie or submit it directly in the URL bar (because it is the GET method). I really hope you logged in and then transferred some $$$ to your account? ;)
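To make the weakness concrete, here is an added example (not code from the original post) that reproduces the meaningful cookie scheme described above in Python and puts it beside two fixes a developer would use: an opaque random token looked up in a server-side store, and HMAC-signed claims for the case where data must live in the cookie. SESSION_STORE, SERVER_KEY and the function names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Cookie value quoted in the post: base64 of "user=exploit;email=sec@domain.com;ip=1.1.1.1;"
MEANINGFUL_COOKIE = "dXNlcj1leHBsb2l0O2VtYWlsPXNlY0Bkb21haW4uY29tO2lwPTEuMS4xLjE7"


def decode_meaningful_session(cookie):
    """Vulnerable scheme from the post: the cookie *is* the identity.
    Nothing binds it to the server, so any client-built string is accepted."""
    raw = base64.b64decode(cookie).decode()
    return dict(field.split("=", 1) for field in raw.split(";") if field)


# Fix 1: an opaque random token; the identity stays in a server-side store.
SESSION_STORE = {}  # constructed in-memory store standing in for a real backend


def create_opaque_session(user):
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not guessable
    SESSION_STORE[token] = {"user": user}
    return token


def lookup_opaque_session(token):
    return SESSION_STORE.get(token)  # unknown token -> None, no identity at all


# Fix 2: if data must live in the cookie, authenticate it with a server-only key.
SERVER_KEY = secrets.token_bytes(32)  # constructed; never leaves the server


def sign_claims(claims, key=SERVER_KEY):
    tag = hmac.new(key, claims.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(f"{claims}|{tag}".encode()).decode()


def verify_claims(cookie, key=SERVER_KEY):
    """Return the claims only if the HMAC checks out; edited or forged cookies -> None."""
    try:
        claims, tag = base64.urlsafe_b64decode(cookie).decode().rsplit("|", 1)
    except ValueError:  # bad base64, bad UTF-8, or no separator
        return None
    expected = hmac.new(key, claims.encode(), hashlib.sha256).hexdigest()
    return claims if hmac.compare_digest(tag.encode(), expected.encode()) else None
```

With the vulnerable decoder, a cookie built from nothing but a username is accepted as that user; with either fix, a token the server did not issue (or a cookie signed with any other key) yields no identity.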


Hope you understand something about attacking the session...



Special Note: You should research seriously, otherwise you will not learn anything from a ready-made tutorial (such as a free tutorial). You should find out the way from a very simple hint. Don't think anyone will do everything for you. Just remember, self help is the best help (just sometimes you need hints?).



If you find any mistakes/errors, then please feel free to contact me (I love to fix myself).


Good Luck guys!!!