[OWASP-WEBSCARAB] Re: [OWASP-WEBGOAT]WebGoat 3.7: bug in StoredXss (on Windows at least), bug in build.xml, can't solve Predictable Session Identifier, missing lesson plans
lists at dawes.za.net
Sun Dec 4 03:03:39 EST 2005
Vincent Partington wrote:
> 2. I couldn't solve the Predictable Session Identifier lesson. I used
> WebScarab (nice tool too!) to plot the session identified and although a
> weakness seems to be there, I wasn't able to exploit it. Is this lesson
> a lot harder than the other ones?
Well, it may be a bit harder than some of the others, but it is a fairly
The idea is that you should look at the pattern that the generated
WEAKID's follows. The key thing to notice is that there is a sequential
component, and a time-based component.
The sequential component simply increments by one for each WEAKID
generated. Periodically, you will see that the WEAKID skips an increment
(i.e. increases by 2). The idea is that "someone else" has requested a
session at the same time, and so you can see exactly what the sequence
number for that WEAKID is (since you have the WEAKID's on either side!)
The objective of the lesson is to brute force the time-based component
of the WEAKID, and gain access to the actual session that the other
"user" received. You can identify a successful compromise by the fact
that you will not be prompted to logon.
To assist you in brute forcing the time-based component, there is a
pre-written script distributed with WebScarab in the scripts directory,
which does the necessary prompting.
Take a loot at the script, try it out, and see if you get any results.
Once you have identified the actual WEAKID, you can add it to the
"Shared Cookies" in WebScarab, and (under the Proxy -> Miscellaneous
tab) enable "Inject known cookies in requests", which will enable you to
view the session in your browser (if you reload the page). This is a
generic technique for hijacking sessions, if you would like to access
them using the browser, rather than hacking them manually ;-)
> Well, I hope these remarks are helpful. If you have any more questions,
> please let me know.
> Thanks for a great tool!
> Regards, Vincent Partington.
I hope my explanation was helpful. Glad you like the Web* tools
More information about the Owasp-webscarab