Implementing application level session hijacking

 

Exercise 1 - Viewing Cookie Information from Unencrypted Sites

You can view the cookie information from unencrypted sites using the concept of session hijacking. The concept of session hijacking is also known as cookie hijacking. Session hijacking occurs at the network and application level. At the application level session hijacking, you will intercept the session ID of a particular session with the help of cookies and use it to gain unauthorized access to sensitive or critical data.

In this exercise, you will perform the following tasks to perform application-level session hijacking:

• Enable HTTP web service on PLABSA01
• Configure Burp Suite on PLABWIN10
• Configure Firefox to use Burp Suite proxy listeners
• Capture cookies
• Hijack the session

Please refer to your course material or use your preferred search engine to research this topic in more detail.

Task 1 - Enable HTTP Web Service on PLABSA01

In this task, you will enable the HTTP web service on port 80 on PLABSA01 device.

Step 1

Ensure you have powered on the required devices and connect to PLABSA01.

Close the Server Manager window.

Click the XAMPP application icon on the taskbar.

The XAMP Control Panel v3.2.2 opens.

The Apache web service with Damn Vulnerable Web Application (DVWA) running on port 80 is enabled.

Task 2 - Configure Burp Suite on PLABWIN10

In this task, you will configure Burp Suite on PLABWIN10 to intercept traffic from Firefox.

Step 1

Connect to PLABWIN10.

From PLABWIN10 desktop, click Start > Burp Suite Free Edition.

Figure 1.2 Screenshot of the Start menu on PLABWIN10 device: Burp Suite Free Edition is selected in the Start menu.

Step 2

BURPSUITE FREE EDITION starts.

Figure 1.3 Screenshot of the desktop on PLABWIN10 device: Burp Suite Free Edition is started.

Step 3

On the License Agreement page, click I Accept.

Figure 1.4 Screenshot of the License Agreement page in Burp Suite Free Edition window: I Accept is selected.

Step 4

On the Welcome to Burp Suite Free Edition page, select the required options to create or open a project.

For this demonstration, keep the default selection of Temporary project.

Click Next.

Figure 1.5 Screenshot of Burp Suite Free Edition v1.7.27 window on PLABWIN10 device: Temporary project is selected on the Welcome page. Next is selected.

Step 5

On Select the configuration that you would like to load for this project page, keep the default selection of Use Burp defaults.

Click Start Burp.

Figure 1.6 Screenshot of Burp Suite Free Edition v1.7.27 window on PLABWIN10 device: The default selection on “Select the configuration that you would like to load for this project” page is retained and Start Burp is selected.

Step 6

Burp Suite is starting the project.

Please wait for the process to complete.

Figure 1.7 Screenshot of Burp Suite Free Edition v1.7.27 on PLABWIN10 device: Burp Suite is starting the project.

Step 7

Burp Suite Free Edition v1.7.27 - Temporary Project window displays.

Click the Proxy tab.

Under the Proxy tab, click the Options tab.

In the Proxy Listeners section, click to select the IP address 127.0.0.1:8080.

To edit the IP address, click Edit.

Figure 1.8 Screenshot of Burp Suite Free Edition v1.7.27 -Temporary Project window on PLABWIN10 device: The Proxy tab is selected. Under the Proxy tab, Options tab is selected. In the Proxy Listeners section, the IP address 127.0.0.1:8080 is selected. Edit is selected.

Step 8

Edit proxy listener dialog box appears.

In the Bind to port box, type the following port:

8888

Note: You can use any port number. However, it is recommended not to use well-known ports such as 80, 443, 8080, and 8443.

In the Bind to address section, click All interfaces.

Click OK.

Figure 1.9 Screenshot of Edit proxy listener dialog box: The port number is entered. All interfaces is selected. OK is selected.

Step 9

On the Confirm message box, click Yes.

Step 10

You are back to Proxy Listeners section on the Options tab.

Note: Burp Proxy uses listeners to receive incoming HTTP requests from your browser. You will need to configure a browser to use one of the listeners as its proxy server.

Figure 1.11 Screenshot of Burp Suite Free Edition v1.7.27 -Temporary Project window on PLABWIN10 device: The Proxy Listeners section with modified settings is displayed.

Step 11

Configure Burp Suite to intercept responses.

In the Options tab, scroll down to Intercept Server Responses section.

Click to select the check box Intercept responses based on the following rules.

Figure 1.12 Screenshot of Burp Suite Free Edition v1.7.27 - Temporary Project window on PLABWIN10 device: The “Intercept responses based on the following rules” check box is selected in the Intercept Server Responses section.

Step 12

Click the Intercept tab under the Proxy tab.

To intercept the traffic, click the Intercept is off button.

Minimize Burp Suite Free Edition v1.7.27 - Temporary Project window.

Alert: For the following steps to work, intercept must be switched on.

Figure 1.13 Screenshot of Burp Suite Free Edition v1.7.27 - Temporary Project window on device PLABWIN10: The Intercept tab under the Proxy tab is selected and displayed. The “Intercept is off” button is selected if the intercept is not turned on.

Task 3 - Configure Firefox to Use Burp Suite Proxy Listeners

In this task, you will configure Mozilla Firefox to use Burp Suite proxy listeners.

Step 1

From PLABWIN10 desktop, double-click Mozilla Firefox.

Mozilla Firefox window opens.

Figure 1.14 Screenshot of the desktop on device PLABWIN10: Mozilla Firefox shortcut icon is double-clicked on the desktop.

Step 2

Close the home page of Mozilla Firefox.

In Mozilla Firefox window, from the toolbar, click the Open menu icon, and click Options.

Figure 1.15 Screenshot of Mozilla Firefox window on device PLABWIN10: The Open menu icon is selected and Options is selected.

Step 3

Options page opens.

In the Options page, the General tab opens by default.

Scroll down to configure the network proxy.

From the right pane, click Settings.

Figure 1.16 Screenshot of the General tab in the Options page on Mozilla Firefox window: Settings is selected.

Step 4

Connection Settings dialog box opens.

To change the manual proxy address to the Burp listener address, click Manual proxy configuration.

In the Connection Settings dialog box, under Manual proxy configuration, in the HTTP Proxy box, type the following IP address:

127.0.0.1

In the Port box, type the following port number:

8888

Click to select the check box Use this proxy server for all protocols.

Click OK.

Close the Options page.

Figure 1.17 Screenshot of Connection Settings dialog box on Mozilla Firefox window on device PLABWIN10: In the HTTP Proxy box, the IP address is entered. In the Port box, the port number is entered. OK is selected.

Task 4 - Capture Cookies

In this task, you will view the cookie information in the response and request intercepted by Burp Suite. An important point that needs to be noted in this task is that for each action in Mozilla Firefox application, you must forward the associated request in Burp Suite. This will allow Burp Suite to intercept each and every request.

Step 1

Connect to PLABWIN10.

To access the DVWA application, in the Mozilla Firefox web browser window, inthenewtab, type the following URL in the address bar:

http://192.168.0.1/dvwa/login.php

Press Enter.

Important: Ensure to click Forward in Burp Suite for each and every request made in Mozilla Firefox as the intercept is ON in Burp Suite.

The login page of the DVWA application is displayed.

Figure 1.18 Screenshot of the DVWA application in Mozilla Firefox window: The login page of the DVWA application is displayed.

Step 2

In the Username box on the DVWA login page, type the following username:

admin

In the Password box, type the following password:

password

Click Login.

Figure 1.19 Screenshot of the DVWA application in Mozilla Firefox window: The username and password details are entered in the login page. Login is selected.

Step 3

Switch to Burp Suite Free Edition v1.7.27 - Temporary Project window.

Find that the login request to the DVWA application is captured in Burp Suite.

Notice the Intercept tab displays the details about the request to the following URL:

http://192.168.0.1:80

Analyze the displayed information.

Important: Ensure the Intercept tab in Burp Suite captures the request to http://192.168.0.1:80. Ensure the request does not go the home page of Firefox.

Figure 1.20 Screenshot of Burp Suite Free Edition v1.7.27 - Temporary Project window: The login request to the DVWA application is captured in Burp Suite. The Intercept tab displays the required details about the request.

Step 4

In the Burp Suite Free Edition v1.7.27 - Temporary Project window, click Forward.

Wait for Burp Suite to intercept the response.

Notice the response being captured.

In the response intercepted, observe that the browser sends a Set-Cookie parameter. This is the cookie assigned by the browser for the current user session to the DVWA application.

Figure 1.21 Screenshot of Screenshot of Burp Suite Free Edition v1.7.27 - Temporary Project window: Forward is selected. Burp Suite intercepted the response from the web server. The Set-Cookie parameter is displayed.

Step 5

If you are not able to view the Set-Cookie parameter in the intercepted response, switch to Mozilla Firefox.

Clear all history.

To perform this, press CTRL+SHIFT+DELETE.

In the Clear All History dialog box that appears, click Clear Now.

After clearing the history, repeat Step 4. Alternatively, go to the next step.

Note: Only perform this if you were unable to capture the PHPSESSID in Burp Suite.

Figure 1.22 Screenshot of Clear All History dialog box on Mozilla Firefox window: Clear Now is selected.

Step 6

In the Intercept tab of Burp Suite Free Edition v1.7.27 - Temporary Project window, click Forward.

Switch to Mozilla Firefox.

You will get logged into the DVWA application.

Figure 1.23 Screenshot of Burp Suite Free Edition v1.7.27 - Temporary Project window: In the Intercept tab, Forward is selected.

Step 7

Refresh Mozilla Firefox.

Note: Each time you refresh the application or on any request made to the DVWA web server, the browser will send the assigned cookie in the cookie parameter of the request to the web server. The cookie parameter notifies the web server that the user has successfully logged in and a session has been established.

Switch to Burp Suite Free Edition v1.7.27 - Temporary Project window.

Observe that the browser again sends the cookies that were set by the Set-Cookie parameter back to the web server, which in this case is Burp Suite.

Copy the cookie information and make a note of it. Make a note of the cookie information assigned to PHPSESSID argument of the Cookie parameter. You will be using this information in the next task to hijack the session.

Note: The cookie information is generated at random and it will be different each time. The cookie information during the time this demo was written was Cookie: security=low; PHPSESSID=def6kgbh4qq3nh2sr88j670j44. You can find this cookie information in the Cookie parameter of the capture request.

Figure 1.24 Screenshot of Burp Suite Free Edition v1.7.27 - Temporary Project window: The DVWA application in Mozilla Firefox is refreshed. The refresh request captured in Burp Suite shows the Cookie parameter value that is sent to the web server.

Task 5 - Hijack the Session

In this task, you will hijack the session of user “admin” on PLABSA01 device. You will use the value stored in the PHPSESSID (noted in the previous task) to hijack the session. Here is the stored value for the purpose of this demonstration:

Cookie: security=low; PHPSESSID=def6kgbh4qq3nh2sr88j670j44

Important: As a prerequisite to perform this task, you need to configure Burp Suite proxy on PLABSA01 device to capture the web traffic. To do this, follow the steps in task 2 and 3.

Step 1

Connect to PLABSA01.

Open Mozilla Firefox.

To access the DVWA application, type the following URL in the address bar:

http://192.168.0.1/dvwa/login.php

Press Enter.

Figure 1.25 Screenshot of the DVWA application in Mozilla Firefox window on PLABSA01 device: The login page of the DVWA application is displayed.

Step 2

Refresh Mozilla Firefox.

In the Intercept tab of Burp Suite Free Edition v1.7.27 - Temporary Project window, click Forward.

Intercept the response received from the web server in Burp Suite.

Figure 1.26 Screenshot of Burp Suite Free Edition v1.7.27 - Temporary Project window on PLABSA01 device: DVWA application web page is refreshed and the response is captured in Burp Suite.

Step 3

To inject the hijacked cookie from PLABWIN10 device in the web browser on PLABSA01 device, in the Burp Suite Free Edition v1.7.27 - Temporary Project window, click Forward.

Click the Proxy tab.

The Intercept tab under the Proxy tab opens by default.

To turn off the intercept, click Intercept is off.

To open the DVWA application in Mozilla Firefox window, in the address bar, type the following URL:

http://192.168.0.1/dvwa/index.php

Press Enter.

Figure 1.28 Screenshot of Mozilla Firefox window on PLABSA01 device: DVWA application is displayed.

Step 4

Next, you will tamper the Burp Suite request to inject the Set-Cookie parameter into the web browser on PLABSA01 device.

To inject the cookie value (captured in the earlier task) in the Set-Cookie parameter, in the request section of the Burp Suite Free Edition v1.7.27 - Temporary Project window, delete any existing Set-Cookie parameters that the web server has sent.

Type the following cookie header parameters:

Set-Cookie: PHPSESSID=def6kgbh4qq3nh2sr88j670j44;
Set-Cookie: security=low;

Alert: Ensure you use the PHPSESSID from your PLABWIN10 for this task. The ID above is an example.

Figure 1.27 Screenshot of Burp Suite Free Edition v1.7.27 - Temporary Project window on PLABSA01 device: The hijacked Set-Cookie parameters are injected in the response section.

Step 5

The application should successfully log in automatically without specifying any user credentials if it is vulnerable to session hijacking vulnerability.

Figure 1.29 Screenshot of Mozilla Firefox window on PLABSA01 device: DVWA application is logged in.

Step 6

Scroll down to view the username.

The session of the user “admin” is successfully hijacked.

Close all open windows.

Figure 1.30 Screenshot of Mozilla Firefox window on PLABSA01 device: The session of the user “admin” is successfully hijacked and the application is logged in.

Shutdown all virtual machines used in this lab, by using the power functions located in the Tools bar before proceeding to the next module. Alternatively, you can log out of the lab platform.