A1:2021 | Hijack a Session (2) | Cycubix Docs
PreviousA1:2021 | Hijack a Session (1) | Cycubix DocsNextA1:2021 | Insecure Direct Object Reference | Cycubix Docs
Last updated
Was this helpful?
Last updated
Was this helpful?
In this lesson we are trying to predict the 'hijack_cookie' value. The 'hijack_cookie' is used to differentiate authenticated and anonymous users of WebGoat.
a) Intercepting the session
Turn on Burp interceptor and click the set on break to start intercepting the HTTP with ZAP.
Go to WebGoat Hijack a Session.
Go to Burp and find the request on HTTP History. Go to ZAP and see the request on HijackSession/Post:loggin.
Send the POST request to the Repeater (Burp) or the Manual Request Editor (ZAP).
Once open in the Repeater / Manual Request Editor, hit "Send" Multiple Times. Server will reply with a Value Set Cookie.
Copy the values of the "Set Cookie".
Close the intercepter or set on the Break.
Identify a pattern in the Hijack Cookie number, as you keep on hitting send.
Burp
8538432081538402370-1717442040234
8538432081538402372-1717442064847
8538432081538402373-1717442084267
8538432081538402374-1717442095000
8538432081538402376-1717442105856
8538432081538402377-1717442130639
Zap
4687571708252441137-1717631583295
4687571708252441139-1717631609012
We can identify a pattern where the last number of the session ID increase by one, except in some cases where they increase by two. This means that an anonymous user, which suggests that the user had logged in during that period.
Based on hints, it's guessed that the number after "hijack_cookie" is a timestamp. To get the "hijack_cookie" of an anonymous user, watch the changing digits of the first part of the "hijack_cookie" to find the user's first half. The second half is a timestamp that needs brute force within a specific range based on the user's login time difference.
b) Brute Force Attack
ZAP
The first half of the "Hijack Cookie" falls between "4687571708252441137" and "4687571708252441139", meaning "4687571708252441138". For the second half it must fall between "1717631583295 " and "1717631609012".
Send POST to Manual Request Editor and Add the hijack_cookie value=4687571708252441138-1717631583295.
Once you loaded the predicted value of the hijack_cookie, hit send.
Tips: In this exercise was not necessary, but the Intruder with ZAP is called FUZZ. You can add a payload and range of values for the predicted Hijack_Cookie, hit the fuzzer and find the predicted value of the hijack_cookie.
Burp
The first half of the "Hijack Cookie" falls between "8538432081538402370" and "8538432081538402372", meaning "8538432081538402371". For the second half it must fall between "1717442040234" and "1717442064847".
Send POST request to the intruder.
In the intruder, press the button "Clear" on the upper right side of the screen.
Add your hijack_cookie value. In this case: 8538432081538402371-1717442040234. Select the last digits of the timestamp that will be subject to the brute force attack.
Go to payloads.
Select the range of numbers according to the sequence mentioned above: 8538432081538402371-1717442040234/1717442064847.
Hit the "Attack" Button.
If you receive a "500 Internal Server Error" response in the Repeater, restart your container in Docker.
If the range of numbers selected on the payload do not provide the solution for the completion of the assignment, go back to the post request and identify a new sequence of hijack_cookies to find a new range of numbers. Don't get frustrated if you need to do this step again...it happens.
During this exercise it is possible that Proxy service stops, and connection to listener fails. In this case, close the broswer, turn interceptor off. Restart interceptor and Try login in again to Webgoat .
