Who Moved My Strings: Session Hijacking
Let's look at the most common example, session hijacking, as shown in Figure 10-2.
Figure 10-2 Session hijacking
As shown in Figure 10-2, the victim Alice normally logs on to the website www.buybook.com, and her session ID is 1234567. The attacker Bob obtains Alice's session ID and logon information from her cookie by sniffing the network, and can then impersonate Alice's login and perform actions as her, possibly without Alice ever noticing.
The most common way to obtain a session ID is the XSS described above. The following shows how to simulate session hijacking.
➊ Log on to a website normally (Google Chrome is used here) with the username admin, and record the JSESSIONID issued after logon, as shown in Figure 10-3.
Figure 10-3 Session ID after a normal logon
➋ Open another browser, Firefox, and try to access a private link: http://localhost/puzzlemall/private/viewprofile.jsp. The browser prompts us to log on, which shows that this page can be viewed only after logon, as shown in Figure 10-4.
Figure 10-4 Attempting to access a private link
➌ Start WebScarab and enable the "Intercept requests" function in its proxy, set Firefox's proxy to WebScarab's IP address and port (8008), and access the private link again. WebScarab intercepts the request; change its JSESSIONID to the admin user's JSESSIONID recorded above, as shown in Figure 10-5, and submit the request.
Figure 10-5 Capturing and modifying a request with WebScarab
We then find that the admin user's profile page is displayed, which means we have successfully logged on as admin, as shown in Figure 10-6. Of course, this example only simulates session hijacking. In a real network the JSESSIONID is usually leaked through XSS, or sniffed because it is not sent over a secure protocol.
Figure 10-6 The private page accessed with another user's session
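The edit made by hand in WebScarab in step ➌ is just a request that carries someone else's session ID, and it can be expressed as a short script. The following Python example is added here; it is not code from the book or from PuzzleMall. It stands in for the private page with a tiny loopback server whose session table, the admin's JSESSIONID value and the /puzzlemall/login.jsp redirect target are all assumed for the example, then issues the two requests from the text: one without a cookie, which is redirected to log on, and one replaying the admin's recorded JSESSIONID, which returns the admin profile. It also builds the Set-Cookie value a hardened server should issue, since HttpOnly and Secure are the attributes that close the two leak paths named in the text, XSS and plaintext sniffing.

```python
"""Replaying a captured JSESSIONID against an in-process stand-in for the PuzzleMall private page."""
import http.client
import threading
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

PRIVATE_PATH = "/puzzlemall/private/viewprofile.jsp"

# Constructed session table. The IDs are made up for this example; the server
# knows only the ID, never which browser or person is sending it.
SESSIONS = {
    "A1B2C3D4E5F6A7B8": "admin",  # the admin's JSESSIONID recorded after logon
    "1234567": "alice",
}


def user_for_cookie_header(cookie_header):
    """Resolve a request's Cookie header to a user name, or None if not logged on."""
    jar = SimpleCookie(cookie_header or "")
    if "JSESSIONID" not in jar:
        return None
    return SESSIONS.get(jar["JSESSIONID"].value)


def session_cookie_header(session_id):
    """Set-Cookie value a hardened server should issue: HttpOnly keeps script
    (XSS) from reading the ID, Secure keeps it off plaintext HTTP."""
    jar = SimpleCookie()
    jar["JSESSIONID"] = session_id
    jar["JSESSIONID"]["httponly"] = True
    jar["JSESSIONID"]["secure"] = True
    jar["JSESSIONID"]["samesite"] = "Strict"
    return jar["JSESSIONID"].OutputString()


class PuzzleMallStandIn(BaseHTTPRequestHandler):
    """Minimal model of the private page: valid session cookie in, profile out."""

    def log_message(self, *args):  # silence per-request logging
        pass

    def do_GET(self):
        if self.path != PRIVATE_PATH:
            self.send_response(404)
            self.end_headers()
            return
        user = user_for_cookie_header(self.headers.get("Cookie"))
        if user is None:
            # No usable session: send the client to the login page, as Firefox saw
            self.send_response(302)
            self.send_header("Location", "/puzzlemall/login.jsp")  # assumed path
            self.end_headers()
            return
        body = f"Profile of {user}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_server():
    """Serve the stand-in on a free loopback port in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), PuzzleMallStandIn)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def fetch_profile(port, jsessionid=None):
    """GET the private page, optionally carrying a captured JSESSIONID.
    Sending someone else's ID here is exactly the edit made in WebScarab."""
    headers = {"Cookie": f"JSESSIONID={jsessionid}"} if jsessionid else {}
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", PRIVATE_PATH, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read().decode()
    finally:
        conn.close()


def demo():
    """Run both requests from the text: no cookie, then the admin's cookie replayed."""
    server, port = start_server()
    try:
        anonymous = fetch_profile(port)
        hijacked = fetch_profile(port, "A1B2C3D4E5F6A7B8")
        return anonymous, hijacked
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
    print(session_cookie_header("A1B2C3D4E5F6A7B8"))
```

Running the script prints a 302 for the anonymous request and "Profile of admin" for the replayed one. Note that the replay succeeds no matter how the cookie was originally issued: the HttpOnly and Secure attributes make the ID harder to steal, but once an attacker holds a valid ID the server cannot tell the two clients apart, which is why the session ID must also be unpredictable, regenerated at logon and expired promptly.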
This article is excerpted from Web Application Security Threats and Prevention: Based on OWASP Top 10 and ESAPI,
edited by Wang Wenjun and Li Jianmeng,
published by Publishing House of Electronics Industry.