Using a Cross-Site Scripting Attack to Achieve HTTP Session Hijacking

Source: Internet
Author: User

A Web application identifies and tracks users in two ways: a Cookie or a Session (also called a Session Cookie). A Cookie is stored on the local computer and has a long expiration time, so the attack method against cookies is generally *******************. Then, the Cookie is forged to impersonate the user. A Session is stored on the server and is often difficult to exploit, because it becomes invalid as soon as the user logs out or it expires. Therefore, Session authentication is more secure than Cookie authentication.
Of course, hard to exploit does not mean impossible to exploit. This article uses a small example to implement a simple HTTP Session hijacking.

Take ASP as an example. How does the ASP program obtain the client Session? Through packet capture, we can find that the Cookie field of the HTTP request has an ASPSESSIONIDXXXXXXXX (X is a random letter) value. The ASP program uses this value to determine the Session. If we get the postmaster's ASPSESSIONIDXXXXXXXX and its value and submit it to the server before the end of this session, then our identity will be the postmaster!

How can we get the Session? The answer is cross-site scripting, because JavaScript can read cookies, including session cookies, through document.cookie.

If you follow Web security, I believe you have seen script programs that record Cookies sent by cross-site requests. We need a similar program, but instead of recording the Cookie it forwards it immediately (because the current session may expire at any time when the administrator logs out). This program can be implemented in ASP, PHP, Perl or even C.

To write this program, you must also have a good understanding of the program to be attacked, because you need to submit various requests. Now let's take a look at the cross-site programs in this example.

I have chosen WebAdmin 1.4 as the target. Since I wrote the program myself, I know best where its vulnerabilities are. As a brief introduction, WebAdmin is a webshell for ASP.NET that uses Session authentication. Version 1.4 has a cross-site scripting vulnerability in its directory browsing feature.

So I constructed the path "E:" In SRC :". This code submits the current cookie as a parameter to the www.0x54.org/test/cc.asp file.

The content of the cc.asp file is as follows:

The purpose of this file is to obtain the Administrator session and use the WebAdmin file editing function to view the E: mywebwebadmin.aspx file on 222.210.115.125 (the attacked web server is actually my local computer) and store the content in a .txt file. The ServerXMLHTTP component is used for data submission. It has similarities to and differences from XMLHTTP. For details, see ServerXMLHTTP vs XMLHTTP.

Ready. Log on to WebAdmin first and then access the constructed cross-site URL. Then, go to http://www.***.org/test/a.txt.

You can also try to export cc.asp in one go. The generated a.txt file will be the source file of the login interface.
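
From the defender's side, the replay described above shows up in the attacked server's logs as one session ID presented by two different clients: the administrator's browser and the forwarding script. The following Python sketch is an added example, not code from the original article; the simplified log format, the sample lines and the function name find_replayed_sessions are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed log lines in a simplified format (an assumption, not a real IIS
# layout): time, client IP, quoted User-Agent, quoted Cookie header.
SAMPLE_LOG = '''\
10:00:01 192.0.2.10 "Mozilla/4.0 (compatible; MSIE 6.0)" "ASPSESSIONIDQQGGGLAB=KJHGFDSAQWERTYUIOPLKJHGF"
10:00:05 192.0.2.10 "Mozilla/4.0 (compatible; MSIE 6.0)" "theme=dark; ASPSESSIONIDQQGGGLAB=KJHGFDSAQWERTYUIOPLKJHGF"
10:00:06 203.0.113.7 "-" "ASPSESSIONIDQQGGGLAB=KJHGFDSAQWERTYUIOPLKJHGF"
10:00:09 198.51.100.4 "Mozilla/5.0 (X11; Linux)" "ASP.NET_SessionId=abc123def456"
10:00:12 198.51.100.4 "Mozilla/5.0 (X11; Linux)" "ASP.NET_SessionId=abc123def456"
'''

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" "([^"]*)"$')
# Classic ASP names the cookie ASPSESSIONID + 8 letters; ASP.NET uses
# ASP.NET_SessionId. Both are matched so the check covers either stack.
SESSION_RE = re.compile(r'(?:ASPSESSIONID[A-Z]{8}|ASP\.NET_SessionId)=([^;\s]+)')


def find_replayed_sessions(log_text):
    """Return {session_id: [(time, ip, user_agent), ...]} for every session ID
    that was presented by more than one distinct (IP, User-Agent) pair."""
    seen = defaultdict(list)  # session id -> first sighting of each client
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing
        when, ip, agent, cookie = m.groups()
        for sid in SESSION_RE.findall(cookie):
            if all((ip, agent) != (i, a) for _, i, a in seen[sid]):
                seen[sid].append((when, ip, agent))
    return {sid: hits for sid, hits in seen.items() if len(hits) > 1}


if __name__ == "__main__":
    for sid, hits in find_replayed_sessions(SAMPLE_LOG).items():
        print("session", sid, "used by", len(hits), "distinct clients:")
        for when, ip, agent in hits:
            print("  ", when, ip, agent)
```

A hit is a lead to investigate, not proof, since a legitimate user can change IP address mid-session. Marking the session cookie HttpOnly stops document.cookie from reading it in the first place.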

Haha, now we warmly celebrate the successful conclusion of this HTTP session hijacking test. In general, it is very difficult to launch such an attack. But then, in the field of technology, is there anything other than copying other people's code that can be done without effort?
