A1:2021 | Hijack a Session (2) | Cycubix Docs

In this lesson we are trying to predict the 'hijack_cookie' value. The 'hijack_cookie' is used to differentiate authenticated and anonymous users of WebGoat.


Check the 'hijack_cookie' cookie value and think about its format.

The 'hijack_cookie' is divided in two parts and has the following format '"long number"-"another long number"'.

The 'hijack_cookie' is divided in two parts and has the following format '"sequential number"-"unix epoch time"'.

Try to send multiple requests to force the creation of new cookies and check if there's any pattern.

Sometimes, authorized users logs into the application.

Solution with Burp and ZAP

a) Intercepting the session

  1. Turn on Burp interceptor and click the set on break to start intercepting the HTTP with ZAP.

  2. Go to WebGoat Hijack a Session.

  3. Go to Burp and find the request on HTTP History. Go to ZAP and see the request on HijackSession/Post:loggin.

  1. Send the POST request to the Repeater (Burp) or the Manual Request Editor (ZAP).

  1. Once open in the Repeater / Manual Request Editor, hit "Send" Multiple Times. Server will reply with a Value Set Cookie.

  2. Copy the values of the "Set Cookie".

  3. Close the intercepter or set on the Break.

  1. Identify a pattern in the Hijack Cookie number, as you keep on hitting send.











We can identify a pattern where the last number of the session ID increase by one, except in some cases where they increase by two. This means that an anonymous user, which suggests that the user had logged in during that period.

Based on hints, it's guessed that the number after "hijack_cookie" is a timestamp. To get the "hijack_cookie" of an anonymous user, watch the changing digits of the first part of the "hijack_cookie" to find the user's first half. The second half is a timestamp that needs brute force within a specific range based on the user's login time difference.

b) Brute Force Attack


  • The first half of the "Hijack Cookie" falls between "4687571708252441137" and "4687571708252441139", meaning "4687571708252441138". For the second half it must fall between "1717631583295 " and "1717631609012".

  • Send POST to Manual Request Editor and Add the hijack_cookie value=4687571708252441138-1717631583295.

  • Once you loaded the predicted value of the hijack_cookie, hit send.

Tips: In this exercise was not necessary, but the Intruder with ZAP is called FUZZ. You can add a payload and range of values for the predicted Hijack_Cookie, hit the fuzzer and find the predicted value of the hijack_cookie.


  • The first half of the "Hijack Cookie" falls between "8538432081538402370" and "8538432081538402372", meaning "8538432081538402371". For the second half it must fall between "1717442040234" and "1717442064847".

  1. Send POST request to the intruder.

  1. In the intruder, press the button "Clear" on the upper right side of the screen.

  1. Add your hijack_cookie value. In this case: 8538432081538402371-1717442040234. Select the last digits of the timestamp that will be subject to the brute force attack.

  2. Go to payloads.

Select the range of numbers according to the sequence mentioned above: 8538432081538402371-1717442040234/1717442064847.

  1. Hit the "Attack" Button.


  1. During this exercise it is possible that Proxy service stops, and connection to listener fails. In this case, close the broswer, turn interceptor off. Restart interceptor and Try login in again to Webgoat http://localhost:8080/WebGoat.

  2. If you receive a "500 Internal Server Error" response in the Repeater, restart your container in Docker.

  3. If the range of numbers selected on the payload do not provide the solution for the completion of the assignment, go back to the post request and identify a new sequence of hijack_cookies to find a new range of numbers. Don't get frustrated if you need to do this step again...it happens.

Last updated