1
00:00:00,330 --> 00:00:02,040
Session management testing.

2
00:00:03,070 --> 00:00:08,490
As I mentioned before, HTTP is a stateless protocol.

3
00:00:09,520 --> 00:00:16,930
So what does that mean exactly? It just means that at least two consecutive requests to the same domain are

4
00:00:16,930 --> 00:00:19,360
not associated by the Web server.

5
00:00:20,790 --> 00:00:28,500
So Web servers cannot bind these requests and perform user-based tasks. To accomplish this, Web servers

6
00:00:28,510 --> 00:00:34,950
set cookies in the related HTTP responses by adding the Set-Cookie header.

7
00:00:35,810 --> 00:00:42,310
And here, cookies can store unique session information for each user to interact with the application,

8
00:00:43,070 --> 00:00:49,780
so the application can differentiate between users based on these unique session identifiers.

9
00:00:50,690 --> 00:00:55,280
So that's why session management is one of the core components of a Web application.

10
00:00:56,910 --> 00:00:58,240
And we strongly need it.

11
00:00:58,260 --> 00:01:06,510
It's essential. It helps to control, maintain and follow the state of the users or any other entity

12
00:01:06,510 --> 00:01:08,190
that interacts with the application.

13
00:01:09,390 --> 00:01:18,030
So session management broadly covers anything from how the user authentication is performed all the

14
00:01:18,030 --> 00:01:20,940
way to what happens to them until they log out.

15
00:01:22,470 --> 00:01:30,150
So in this section we are going to examine cookies in great detail and then cover some of the necessary

16
00:01:30,150 --> 00:01:31,320
session controls.

17
00:01:31,950 --> 00:01:38,190
Then we're going to continue with two very popular session management vulnerabilities, session fixation

18
00:01:38,610 --> 00:01:41,160
and cross-site request forgery.

19
00:01:41,730 --> 00:01:45,380
OK, so let's dive right in now.

20
00:01:45,930 --> 00:01:49,510
You, of course, know what cookies are and what they're used for.

21
00:01:49,540 --> 00:01:53,280
I don't want to, you know, add something else to the definition.

22
00:01:55,410 --> 00:02:01,260
So when a Web server sets a cookie with a Set-Cookie header, it can also add some other parameters

23
00:02:01,260 --> 00:02:02,010
to that header.

24
00:02:03,000 --> 00:02:08,580
And we can assume that they are part of the configuration and security parameters of the cookie,

25
00:02:08,580 --> 00:02:08,880
right?

26
00:02:10,020 --> 00:02:15,870
So with these parameters, a Web server can define the cookie policy of the application.

27
00:02:17,200 --> 00:02:21,550
So each of these cookie attributes can impact the application security.

28
00:02:22,510 --> 00:02:23,100
Makes sense.

29
00:02:24,280 --> 00:02:28,360
So in the next couple of lessons, we're going to cover cookie attributes.

30
00:02:30,640 --> 00:02:35,980
So open Kali, log in to bWAPP and enable FoxyProxy.

31
00:02:37,070 --> 00:02:44,990
Then open HttpOnly cookies from the drop-down menu. Now when you click on the Hack button, Burp will

32
00:02:44,990 --> 00:02:48,950
get the first request, and that's what we're looking at here.

33
00:02:49,860 --> 00:02:56,900
So let's forward it, and it will redirect us to the associated page, so forward it again.

34
00:02:58,750 --> 00:03:04,060
And then the browser automatically requests the redirected page. Forward it.

35
00:03:05,330 --> 00:03:07,760
OK, so this is the response that I want to capture.

36
00:03:09,430 --> 00:03:15,940
Here, the application sets another cookie, top security, with a value of no.

37
00:03:17,270 --> 00:03:21,650
And also, there are some other parameters for that cookie.

38
00:03:22,550 --> 00:03:30,790
It has expires and path parameters. So expires tells the browser the point in time when the cookie is

39
00:03:30,800 --> 00:03:31,400
not valid.

40
00:03:33,040 --> 00:03:40,180
This parameter causes the browser to store the cookie into persistent storage until the specified date

41
00:03:40,180 --> 00:03:41,440
value that was set.

42
00:03:42,440 --> 00:03:50,240
It is used to define persistent cookies, and it is reused in subsequent browser sessions until the

43
00:03:50,240 --> 00:03:51,540
expiration date is reached.

44
00:03:52,730 --> 00:04:00,140
So if this attribute is not set, the cookie is used only in the current browser session.

45
00:04:01,230 --> 00:04:05,400
And path tells the browser for which path the cookie is valid.

46
00:04:06,600 --> 00:04:10,920
So the path parameter is used for locking down the cookie to a particular path on the server.

47
00:04:12,230 --> 00:04:20,270
If the domain specified is app.com and the path is set to /mail, the cookie would only be sent to

48
00:04:20,270 --> 00:04:22,990
the pages inside app.com/mail.

49
00:04:23,060 --> 00:04:23,420
OK.

50
00:04:24,710 --> 00:04:29,870
And top security is valid for all the application's directories.

51
00:04:31,490 --> 00:04:32,570
OK, so forward it.

52
00:04:33,490 --> 00:04:36,970
Disable interception and go to the browser.

53
00:04:38,670 --> 00:04:42,990
Now, the developer has prepared a simple page to watch how cookies behave.

54
00:04:44,050 --> 00:04:47,590
So click the Cookies button to see your current cookies.

55
00:04:48,640 --> 00:04:50,980
All right, so we have three cookies with these values.

56
00:04:51,830 --> 00:04:58,170
And if you click here, the JavaScript alert code will execute and show the cookies.

57
00:04:58,880 --> 00:05:03,560
So what we're looking at here is three of the cookies are shown in the alert message.

58
00:05:04,310 --> 00:05:06,830
Now enable Burp interception.

59
00:05:08,030 --> 00:05:10,880
OK, let's change the level to medium.

60
00:05:12,900 --> 00:05:14,610
And forward the request.

61
00:05:16,410 --> 00:05:24,330
And the level's changed, so I'm going to forward until I see, you know, the cookie. OK, and there is

62
00:05:24,330 --> 00:05:25,100
a new cookie here.

63
00:05:25,740 --> 00:05:29,250
It's the same name, but with a value of maybe.

64
00:05:30,450 --> 00:05:37,620
Expires and path parameters are still present, and there is one more parameter, HttpOnly.

65
00:05:38,370 --> 00:05:45,840
So this parameter is set to mitigate the risk posed by cross-site scripting attacks, since it does

66
00:05:45,840 --> 00:05:50,310
not allow the cookie to be accessed via a client-side script such as JavaScript.

67
00:05:51,920 --> 00:05:58,700
So if this attribute is set, the cookie cannot be directly accessed via client-side JavaScript, right?

68
00:06:00,130 --> 00:06:04,210
All right, so forward the response and go to the page.

69
00:06:05,370 --> 00:06:09,570
Now click to see cookies, so we have three cookies again.

70
00:06:10,200 --> 00:06:13,860
All right, so click to view with JavaScript.

71
00:06:14,920 --> 00:06:19,390
And you see the top security cookie is not in the message now.

72
00:06:20,790 --> 00:06:24,150
Because JavaScript cannot reach HttpOnly cookies.

73
00:06:25,190 --> 00:06:30,380
So this is true if there is no exploit in the browser and the server software.

74
00:06:32,880 --> 00:06:36,690
Now, there's not a significant difference if you go to the high level.

75
00:06:38,010 --> 00:06:42,510
So I'm just going to view the code. Go to the terminal and open up this page.

76
00:06:44,590 --> 00:06:45,820
Scroll down a little bit.

77
00:06:46,800 --> 00:06:48,180
All right, so here's the code.

78
00:06:49,180 --> 00:06:55,810
The set cookie function defines the cookie with its attributes, where this parameter, the argument,

79
00:06:55,810 --> 00:07:00,940
specifies HttpOnly and is set for medium and high level.

80
00:07:01,910 --> 00:07:08,240
In case you were doubting me earlier: the high level is different only because of the expiration

81
00:07:08,240 --> 00:07:08,720
value.

82
00:07:10,000 --> 00:07:14,110
All right, so let's now look at another important parameter.

