All geek questions in one place

Simple session commit attack on localhost for testing purposes

I read a lot of q / a on SO about the risk of committing / capturing a session, and many people suggest changing php.ini directives like session.use_only_cookies - ON and other php.ini directives to make the server more secure ...

I wanted to see it with my own eyes if I could reproduce a simple attack scenario on my localhost server based on PHP5 + Apache.

My localhost session.use_only_cookies has OFF , so according to q / a above, my local host is basically insecure, and this is what I need to do.

I first read this simple article on how a session commit attack is performed:

To reproduce the scenario described in the article, I created two very simple PHP scripts (the code below), but the attack does not work, here is what I did:

  • (Pretending to be Mallory) I say to Alice: "Hi, visit http: //localhost/login.php? PHPSESSID = mysessionid "

  • Then (pretending to be Alice) I went to http: //localhost/login.php? PHPSESSID = mysessionid

  • As the administrator of my localhost server, I saw that the session is being created on the server disk (this is called a file called sess_ mysessionid ), so I thought: cool, it works !!!

  • Then (claiming to be Alice) I logged in to joe as credentials

  • Alice logs in and she is redirected to insession_ok.php , and at that moment (according to Wikipedia article above) Mallory should be able to see insession_ok.php too, because he registered the session before mysessionid , but this is not true, because when Alice registers in a new session, it is created on the server sess_vdshg238cnfb4vt7ahpnp1p522 , so I don’t understand at this stage how Mallory should record / capture the session, as explained in the article ???

login.php

 <?php session_start(); //if user credentials are ok, let put him in session if( @$_POST['usr'] === 'joe' ) $_SESSION['in_session'] = TRUE; //if user is already logged in, let redirect him to the account page "insession_ok.php" if( isset($_SESSION['in_session']) ) { $webpage = 'http://' . $_SERVER['HTTP_HOST'] . '/insession_ok.php'; header("Location: " . $webpage, TRUE, 302); } ?> <form method="POST" action="login.php"> <input name="usr" type="text"> <input type="submit" value="Submit"> </form> <script type="text/javascript"> alert(document.cookie); //to view cookies </script>

insession_ok.php

 <?php session_start(); if(@$_SESSION['in_session'] === TRUE) echo "in session ok"; else //user is not in session cause he did not login, let redirect him to login page { $webpage = 'http://' . $_SERVER['HTTP_HOST'] . '/login.php'; header("Location: " . $webpage, TRUE, 302); } ?>

Any hint / idea is always appreciated!

+6
source share
2 answers

This is how I always used to test session commit attacks. This requires knowledge of the HTTP protocol, but if you are good enough to look at a session commit, a little HTTP code should not scare you :)

The session commit version I'm looking at is the idea of ​​a public computer where you go to the library, go to a site like www.myawesomesite.com, and without logging in, you record the session ID that was assigned to you.

Then you go away and wait for someone to visit www.myawesomesite.com. Once they log in, manually change the session on your computer to the cookie that was used on the public computer. Then the server thinks that you are an authenticated user.

To test this on localhost, we can use two different browsers to view the effect, since browsers usually do not use cookies.

Here are the steps for doing this:

  • Open Chrome and go to localhost . This will be a public computer. Check the session ID and write it down. You can do this either using a program, for example, Fiddler to view the request, or using a plug-in such as Web Developer to view cookies. The cookie should look something like this: PHPSESSID=46l11p0vt81ouo2hkt0ck8ij76

  • Open Firefox and go to localhost . This will represent the attacking computer. Using the Web Developer plugin, change the PHPSESSID cookie to the value you wrote from Chrome.

  • In Chrome, log in as Alice. This will represent the record of the victim.

  • Return to Firefox, click Refresh, or go to the page for authentication only. If you are susceptible to fixing a session, you must log in as Alice in Firefox, bypassing the login.

Fixing this is simple (as I'm sure you saw). Just call session_regenerate_id() as soon as the user authenticates in your code. This invalidates any session ID that was used before logging in, and means that Oscar should now try to steal your session ID after logging in (but before logging out), which is much more difficult to do.

+6
source

Besides the fact that session.use_only_cookies is disabled, you also need to make sure that there is currently no valid session id cookie, since PHP will prefer $_COOKIE over $_GET . In fact, Alice's reason for having a different session identifier after logging in is probably because Alice already has a valid cookie with a session identifier, which is then used instead of the session identifier provided via the URL. You can also disable your cookies and enable session.use_trans_sid to avoid cookies at all.

Then your exploit should work as expected.

+1
source

Source: https://habr.com/ru/post/887741/

More articles:


All Articles