1
00:00:01,010 --> 00:00:06,050
So some web application servers set an anonymous session ID cookie prior to login.

2
00:00:07,080 --> 00:00:14,730
And session fixation vulnerabilities typically arise when an application does not renew this anonymous

3
00:00:14,730 --> 00:00:18,060
session ID after a successful login.

4
00:00:19,080 --> 00:00:25,600
So this means the anonymous session ID is upgraded to an authenticated session, and...

5
00:00:26,990 --> 00:00:32,300
I don't know about you, but it occurs to me that this is a very bad implementation of development and

6
00:00:32,300 --> 00:00:33,560
server configuration.

7
00:00:34,800 --> 00:00:42,210
However, the worst is that some web applications and servers accept arbitrary session IDs submitted

8
00:00:42,210 --> 00:00:47,970
by users, even if these were not previously issued by the server itself.

9
00:00:49,100 --> 00:00:51,760
I don't know, is it just me, or does that seem like a problem?

10
00:00:53,250 --> 00:00:59,700
So when an unrecognized token is received, the server simply creates a new session for it and handles

11
00:00:59,700 --> 00:01:03,750
it exactly as if it were a new token generated by the server.

12
00:01:05,310 --> 00:01:13,440
So if we force the victim to use this anonymous session identifier, then we can accomplish a session

13
00:01:13,440 --> 00:01:14,730
fixation attack.

14
00:01:16,350 --> 00:01:19,350
So open up Kali, and log in to bWAPP.

15
00:01:20,360 --> 00:01:24,350
Then open "Session ID in URL" under the Session Management section.

16
00:01:25,880 --> 00:01:30,350
And as soon as you open the page, you will see your own session ID value in the URL.

17
00:01:31,980 --> 00:01:37,050
Sometimes applications can use a session ID value this way, for whatever reason.

18
00:01:38,180 --> 00:01:41,960
I don't think it's a good way, and we're going to see why.

19
00:01:43,010 --> 00:01:47,000
So the first reason is that the session ID value will be saved in log files.

20
00:01:48,010 --> 00:01:52,720
OK, so go to bee-box and view the Apache access log file.

21
00:01:54,610 --> 00:01:57,520
And scroll down to see the latest request.

22
00:01:58,660 --> 00:01:59,950
And this is what happens.

23
00:02:00,920 --> 00:02:07,640
The session ID arrives in the URL, but as I say, the worst is if you're able to force the application

24
00:02:07,640 --> 00:02:10,400
to create a session with an arbitrary value.

25
00:02:11,900 --> 00:02:17,750
OK, so go back to Kali, and in bWAPP there's no option for session fixation.

26
00:02:18,760 --> 00:02:23,020
So you can import the sample application from this URL to use it.

27
00:02:24,540 --> 00:02:30,360
Import it into the web root of bee-box and use it there.

28
00:02:32,670 --> 00:02:41,670
So now what we're going to do is, OK, so first I'm going to get a session ID prior to login, so

29
00:02:42,000 --> 00:02:45,130
go to the home .php page.

30
00:02:48,850 --> 00:02:54,370
This page needs authentication, so it will send you to the login .php page.

31
00:02:55,650 --> 00:03:01,890
And this is the login page. Now, below, you'll see the session ID defined by the server.

32
00:03:02,750 --> 00:03:05,810
So just for ease of use, I'll just print it to the page.

33
00:03:06,950 --> 00:03:14,720
And the login form has default values, and again, for ease of use, you can see it here from the source

34
00:03:14,720 --> 00:03:15,800
better, I think.

35
00:03:17,890 --> 00:03:22,330
Then I will copy this URL that contains the login page.

36
00:03:23,530 --> 00:03:26,350
Or you can actually use any page that needs authentication.

37
00:03:27,330 --> 00:03:28,620
And paste it here.

38
00:03:30,360 --> 00:03:32,550
Then copy the session ID value.

39
00:03:33,840 --> 00:03:37,320
After the question mark, paste it here as well.

40
00:03:38,950 --> 00:03:44,800
So until now, as a hacker or a pen tester, I created a new URL that contains a session ID value, right?

41
00:03:45,770 --> 00:03:49,340
And now I need to send this URL to the victim somehow.

42
00:03:50,590 --> 00:03:55,530
So this may be, I don't know, a phishing e-mail or whatever you may think of.

43
00:03:56,640 --> 00:04:04,470
But for now, I'm just going to copy and open it in another browser to show you, so go to Firefox and

44
00:04:04,470 --> 00:04:05,400
paste the URL.

45
00:04:06,680 --> 00:04:09,140
Now, before sending, enable FoxyProxy.

46
00:04:10,200 --> 00:04:12,600
And activate Burp and its interception mode.

47
00:04:14,060 --> 00:04:20,570
All right, so now I'm going to divide my screen so that you can see Burp and Firefox, and send.

48
00:04:21,770 --> 00:04:28,310
And what you're seeing here is we're defining a session ID from the URL, so forward it.

49
00:04:29,630 --> 00:04:31,520
And here's the login page.

50
00:04:32,620 --> 00:04:36,010
But with the session ID that we provided.

51
00:04:37,430 --> 00:04:38,630
All right, so forward it.

52
00:04:39,720 --> 00:04:42,870
Now the victim opens the link we sent.

53
00:04:44,360 --> 00:04:50,030
Then the user will log in, and I'm logging in as the other user, admin,

54
00:04:50,370 --> 00:04:52,940
one, two, three, four, five, and log in.

55
00:04:53,980 --> 00:04:55,450
Burp intercepts the request.

56
00:04:56,570 --> 00:05:03,670
And as you can see, it did indeed use the session ID that we provided. The login information is correct.

57
00:05:04,370 --> 00:05:07,040
So the victim is redirected to the home page.

58
00:05:08,150 --> 00:05:12,290
And then finally, the home page is open for the victim, so...

59
00:05:13,650 --> 00:05:16,170
What are you going to do as a pen tester?

60
00:05:17,370 --> 00:05:24,660
Just go to Chrome and refresh the page or go to home, because the session is authenticated now.

61
00:05:25,840 --> 00:05:27,970
You see, we share the victim's session.

62
00:05:29,740 --> 00:05:35,350
So accepting session IDs in the URL has got to be reported.

