Sunday, April 19, 2009

Steal the Session…

As we all know, HTTP is a stateless protocol, so how does your web application maintain the state of a user/client? You all know it: this thing is called a ‘Session’. The server initiates a session as soon as any client requests something from it (an HTTP request).

So when I log in to any web application using my registered user id and password, the server maintains a session, which is basically a long, unique alphanumeric id. Just think like a hacker: this long, unique alphanumeric id is your KEY to log in to the website. Believe me, it's not very easy, but not very difficult either ;).

There is one technique where people collect a lot of real session ids and analyze them to get a clue about the formula used for generating the session id.

I will share a very simple technique which can be called session stealing, but there is one condition which must be fulfilled.

Normally people feel that a session only gets created when they log into a website using their user id and password, BUT as I said above, the server generates a session as soon as the client makes its first HTTP request. So when the client/browser asks for the web page in which the user has to enter his details, a session gets created.

1- Open any page which asks for your user id and password

2- Type in the address bar of the browser:: javascript:alert(document.cookie);

This will show you your session id. Secure websites change the session id as you log into the website, but some foolish webmasters don’t do that. If you know any website like that:

1- Open the webpage which asks for your login details

2- Type in the address bar of the browser:: javascript:alert(document.cookie);

3- Note down this id and ask any of your friends to log into that website using his details. (Obviously through the same login webpage)

4- Use any other PC, open that login page and type in the address bar:: javascript:alert(document.cookie="XXX");

Replace XXX with the value which you noted earlier (in the 3rd step).

That's it. You have successfully stolen your friend’s session. Now hit any internal URL of the website and it will not ask you to log in ;)

Fix: Not difficult; just do not forget to change the session id (issue a fresh one and drop the old one) after a user logs into your website/system.
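To make the fix concrete, here is an added example (my own illustration, not code from the post) of a login handler that keeps the pre-login session id next to one that regenerates it, with a small constructed in-memory session store and a replay of the scenario above. The store, the user table and the function names are assumptions for the demo.

```python
import secrets

# Constructed in-memory session store and user table (assumptions for this example).
SESSIONS = {}
USERS = {"alice": "correct horse battery staple"}


def new_session():
    """The server creates a session on the very first request, before any login."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": None}
    return sid


def login_vulnerable(sid, username, password):
    """Keeps the pre-login id: anyone who saw it before login now shares the logged-in session."""
    if USERS.get(username) != password:
        return None
    SESSIONS[sid]["user"] = username
    return sid  # same id as before login


def login_fixed(sid, username, password):
    """Regenerates the id on successful login and discards the pre-login one."""
    if USERS.get(username) != password:
        return None
    SESSIONS.pop(sid, None)  # the noted id is no longer valid
    new_sid = secrets.token_hex(16)
    SESSIONS[new_sid] = {"user": username}
    return new_sid


def current_user(sid):
    """What an internal URL sees for a presented session id (None means 'please log in')."""
    session = SESSIONS.get(sid)
    return session["user"] if session else None


def fixation_succeeds(login):
    """Replays the post's steps: an id noted before login is presented after the friend logs in."""
    noted_sid = new_session()                                    # step 2/3: id from the login page
    login(noted_sid, "alice", "correct horse battery staple")    # step 3: friend logs in with it
    return current_user(noted_sid) == "alice"                    # step 4: other PC presents it
```

Running `fixation_succeeds(login_vulnerable)` returns True, while `fixation_succeeds(login_fixed)` returns False because the noted id was dropped at login.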


  1. The real question is how to steal the session id without the user being aware. What would you do with a site that was susceptible to persistent XSS?

  2. :) obviously that is the real one. Using any web proxy tool, you can trap HTTP requests/responses and collect different session ids for a particular application, and you need to find a pattern among them. If you can crack the pattern, that application doesn't have any chance against you. You are the hacker, my friend....

    In more than 95% of instances we can find SQL injection if a site is susceptible to persistent XSS; I would prefer to get access to DBs. In the other 5% of instances, you need to see what the importance of the data is and decide your plan, for example if you want some specific data posted to your underground server whenever a user is viewing that data etc...

    Thanks for writing Scott..

  3. how can we enter the address of the page and this script together.......

  4. it's not working for me
    the second part where you log in, it just sends me back the original code?????????????????

  5. Step 4 - javascript:alert(document.cookie="XXX"); - needs additional parameter to set the cookie properly ..

    @Pankaj - You may want to know who I am :-) .. any plans of stepping out of India, especially to Australia (I guess you had one) :) Cheers!!

  6. he he, I think I have recognized you ;) well, every plan is on hold.. just 'improving' myself :P ..Hope it's soon :)