Sunday, April 19, 2009

Steal the Session…

As we all know, HTTP is a stateless protocol, so how does your web application maintain the state of a user/client? You all know it: this thing is called a ‘Session’. The server initiates a session as soon as any client requests something from it (an HTTP request).

So when I log in to any web application using my registered user id and password, the server maintains a session, which is identified by a long, unique alphanumeric id. Just think like a hacker: this long unique alphanumeric id is your KEY to log in to the website. Believe me, it’s not very easy, but not very difficult either ;).

There is one technique where people collect a lot of real session ids and analyze them to get a clue about the formula used for generating them.

I will share a very simple technique which can be called session stealing, but it comes with a condition that must be fulfilled.

Normally people feel that a session gets created only when they log into a website using their user id and password, BUT as I said above, the server generates a session as soon as the client makes its first HTTP request. So when the client/browser asks for the web page in which the user has to enter his details, a session already gets created.

1- Open any page which asks for your user id and password

2- Type in the address bar of the browser:: javascript:alert(document.cookie);

This will show your session id. Secure websites change the session id as you log into the website, but some careless webmasters don’t do that. If you know any website like that:

1- Open the webpage which asks for your login details

2- Type in the address bar of the browser:: javascript:alert(document.cookie);

3- Note down this id and ask any of your friends to log into that website using his details (obviously through the same login webpage).

4- Use any other PC, open that login page and type in the address bar:: javascript:alert(document.cookie="XXX");

Replace XXX with the value which you noted earlier (in the 3rd step).

It’s done. You have successfully stolen your friend’s session. Now hit any internal URL of the website and it will not ask you to log in ;)

Fix: Not difficult, just do not forget to change (regenerate) the session id after a user logs into your website/system.
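To make the fix concrete, here is an added example (my own illustration, not code from the original post and not any real framework's API) of a tiny in-memory session store. It shows both the weak pattern, where the server keeps the pre-login id after authentication, and the fixed one, where login discards the old id and issues a fresh one. `demo()` replays the scenario from the post and returns which user the pre-login id authenticates afterwards; with rotation the answer is nobody. The session ids are generated with `secrets.token_urlsafe`, and ids the server never issued are simply unknown, so a client cannot make up its own.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store, constructed for illustration only."""

    def __init__(self):
        self._sessions = {}  # session_id -> {"user": str or None}

    def start(self):
        """The server creates an anonymous session on the very first HTTP
        request, before any login, exactly as described in the post."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        """Which user does this session id authenticate? None if nobody,
        including ids the server never issued."""
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None

    def login_without_rotation(self, sid, user):
        """The weak pattern: keep the pre-login id after authentication, so
        anyone who saw the id on the login page now holds a logged-in session."""
        if sid not in self._sessions:
            raise KeyError("unknown session")
        self._sessions[sid]["user"] = user
        return sid

    def login(self, sid, user):
        """The fix: drop the pre-login id and issue a fresh one at login, so an
        id observed before login never becomes an authenticated id."""
        if sid not in self._sessions:
            raise KeyError("unknown session")
        self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user}
        return new_sid


def demo(rotate):
    """Replay the post's scenario: an id is seen on the login page before
    anyone logs in, then a user logs in with that same session. Returns the
    user that the pre-login id authenticates afterwards (None is the goal)."""
    store = SessionStore()
    pre_login_id = store.start()  # the id visible on the login page
    if rotate:
        store.login(pre_login_id, "alice")  # hypothetical user name
    else:
        store.login_without_rotation(pre_login_id, "alice")
    return store.user_for(pre_login_id)


if __name__ == "__main__":
    print("without rotation, old id authenticates:", demo(rotate=False))  # alice
    print("with rotation, old id authenticates:   ", demo(rotate=True))   # None
```

The rotated id is returned from `login()` and would be sent back to the browser as the new cookie; the old one is gone from the store, so presenting it anywhere else yields an anonymous (or unknown) session rather than the logged-in user.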