Friday 8 May 2015

Testing Of Broken Session Management & Authorization By Burp

Hello all folks ,Nice to meet you again guyzz !

Today we will see that how we can do Testing  Of Broken Session Management & Authorization By Burp Suite Quickly against an large application which contents thousands of pages , Like financial application also like banking application.

This can be very informative for those new guyz who dont know about it and for those also who also know about it already , i am just showing you that how we can do this more quickly with some percentage of accuracy because nothing is perfect ! :)


1.Testing Session Management

While doing VAPT or Bug Bounties you often find that an authenticated page can be accessible in without getting loggedin which allow an un-authenticated user to access private or authenticated pages i.e. Suppose you have an application like http://anywebapp/admin.php which have Admin Role.After entering valid user credentials application redirect you to the authenticated page like http://anywebapp/admin/mypage.php, Now you will find many authenticated page there like adding new user , managing logged in user , which have different different URL like http://anywebapp/admin/manageusers.php or http://anywebapp/admin/addnewcontent.php which are common in these days.

Now if the application have 10-20 authenticated pages , you can simply try to access that authenticated pages in "Private Browsing" (un-authenticated session)   by this you can test that , is there any session management related issue which allow me to access that page without asking any authentication which also normal in now days. looks cool

But what you will do if the application which you are testing have 100 or more pages which normal in BSFI Application Or Any Other Banking Application and you have to test that the same vulnerability which i describe.Looks hard and tough to copy paste every page and test in "Private Browsing"

So here we go ! We can quickly test this vulnerability by using Burp Suite.

1. First of all crawl the whole application as any role which you want to test like "Admin"

For demo i am using DVWA a vulnerable web application , I have also created a demo link called "hidden.php" for as working POC .
Spider The URL ( Click To Enlarge The Image )

As choosing spider , Burp will automatically crawl the whole application. As we are crawling an page which have a login form , then burp will ask you for the Authentication prompt for login fields, So i entered my login details
             Asking For Authentication  ( Click To Enlarge The Image )

2.After some time , Burp completed his crawling

3.If you enlarge this image you will see that there is URL called "" is there , This page is only accessible when user got authenticated , Here is the preview of this page

4.Now we have to logged out from the application , but before this we will copy all crawled URL from our web application , By right click on the domain in target tab

5.Now paste all url in an text editor i am using notepad  and use find and replace function to remove all things

6. After removing all domain values , Now we have  plain URL

7. Now logged out from the application and intercept and unauthenticated request and select the url as attack point

8. And now load our text file which contents our plain URL which we have copied from after crawling the application

And yaa kindly unchecked the URL encode the payloads options in payload tab as Payload Processing  Option and

9. Now start attack

9. As you can see in this screen shot many pages comes with 302 response and some pages are comes with 200 response code , Now you can differentiate the result , All non-accessible pages are comes with 302 response code , excluding our one page called "hidden.php" is comes with 200 response code , which indicate that this page is accessible in an un-authenticated session.

By looking on all of these response which can clearly say that one of the page "hidden.php" is accessible in an un-authenticated session, Which indicate Session Management Issue , This trick will help you identify the same issue if you are testing an larger application which contents 100 or more pages ,

Note- Now you can also use this same technique for testing Missing Functional Level Access Control vulnerability where an normal user can access the page of admin which he is not authorized for , What you need to do is first crawl the all Pages Of Admin Section while testing , Then saved them in a text file like we do before. Now logged in as normal user role which have limited page to for access, Now intercept an authenticated request of normal user and try a intruder attack to know that which page and normal user access behalf of Admin user.

This is all about "Testing Of Broken Session Management & Authorization By Burp" .Thanks for reading , if you have any suggestion then please comments are below.

No comments:

Post a Comment