Skip to main content

Session Hijacking and Fixation


Session hijacking basically refers to hijacking a server's particular session where as Session Fixation means authenticating a user without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

The combined attack of  Session Hijacking and Session Fixation gives a malicious user full access as an authenticated use.

Web Applications requires Cookies to store temporary data. Sometimes these cookies stores session ID of a logged in user.This enables the user to be uniquely identified by the server till he logs out and the session is being destroyed.


The attack can be represented as follow




For this demonstration I am using 

  • Firefox Browser ( Attacker )
  • Comodo IceDragon Browser ( Victim )
  • Tamper data ( Firefox Addon )
  • This tutorial requires Cookie Stealing Methods. If you dont know about it check my previous post.
                                                                             CAUTION
"This tutorial should be used for educational purpose only. I won't be responsible if you misuse this techniques and get yourself in trouble.Performing such attacks without the permission of the owner can lead to serious trouble."



Let the attacker user first logs in using his own credentials

 Now this is the information displayed about the attacker after logging in



Now the attacker goes to a forum and inject the malicious script 





What exactly happen at this level is that the script injected contains a redirection to a cookie stealer script.This cookie catcher script stores the cookie information in a log file and later this log file is used to extract the information about the cookies. After injecting the code the attacker waits for the victim to log and enter the  forum.

Now the victim  logs in

 Now this is the information displayed about the victim after logging in



Once the victim enter the forum page the cookies are retrieved and the page is redirected to the cookie catcher page and the cookie information  gets logged in the log file



Now the attacker copies this session ID and manipulates his existing session ID with the hijacked  session ID.



And now if the attacker checks the information then he will find that the  information of the user will be displayed whose session has been hijacked . That means the attacker has hacked into the account of another user as a authentic user.



Thank You




Popular posts from this blog

KringleCon : Sans Holiday Hack 2018 Writeup

SANS HOLIDAY HACK 2018 Writeup , KRINGLECON The objectives  Orientation Challenge  Directory Browsing  de Bruijn Sequences  Data Repo Analysis  AD Privilege Discovery  Badge Manipulation  HR Incident Response  Network Traffic Forensics  Ransomware Recovery  Who Is Behind It All? First I go to Bushy Evergreen and try to solve the terminal challenge . Solving it is fairly easy , Escape_Key followed by  ":q" without quotes After this we move to the kiosk and solve the questions The question were based on the themes of previous Holiday Hack Challenges. Once we answer it correctly we get the flag. For this I visited Minty Candycane and I tried to solve the terminal challenge.  The application has command injection vulnerability , so injecting a system command with the server ip allows execution of the command. So first I perform an `ls` operation to list of the directory contents , followed by a cat of t

Linux Privilege Escalation : SUID Binaries

After my OSCP Lab days are over I decided to do a little research and learn more on Privilege Escalation as it is my weak area.So over some series of blog post I am going to share with you some information of what I have learnt so far. The methods mentioned over here are not my own. This is something what I have learnt by reading articles, blogs and solving CTFs SUID - Set User ID The binaries which has suid enabled, runs with elevated privileges. Suppose you are logged in as non root user, but this suid bit enabled binaries can run with root privileges. How does a SUID Bit enable binary looks like ? -r- s r-x---  1 hack-me-bak-cracked hack-me-bak         7160 Aug 11  2015 bak How to find all the SUID enabled binaries ? hack-me-bak2@challenge02:~$ find / -perm -u=s 2>/dev/null /bin/su /bin/fusermount /bin/umount /usr/lib/openssh/ssh-keysign /usr/lib/eject/dmcrypt-get-device /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/bin/gpasswd /usr/bin/newgrp /usr/bin

Bluetooth Low Energy : Build, Recon,Enumerate and Attack !

Introduction In this post I will try to share some information on bluetooth low energy protocol. Bluetooth Low Energy ( BLE ) is Bluetooth 4.0.It has been widely used in creating "smart" devices like bulbs that can be controlled by mobile apps, or electrical switches that can be controlled by mobile apps. The terms Low Energy refers to multiple distinctive features that is operating on low power and lower data transfer. Code BLE Internals and Working The next thing what we need to know is a profile. Now every bluetooth device can be categorized based on certain specification which makes it easy. Here we will take a close look into two profiles of Bluetooth which is specifically designed for BLE. Generic Access Profile (GAP) - This profiles describes how two BLE devices defines discovery and establishment of connection with each other. There are two types of data payload that can be used. The Advertising Data Payload and Scan Response Payload . The GAP uses br