[OWASP-WEBSCARAB] Re: [OWASP-WEBGOAT] WebGoat 3.7: bug in StoredXss (on Windows at least), bug in build.xml, can't solve Predictable Session Identifier, missing lesson plans
Rogan Dawes
lists at dawes.za.net
Sun Dec 4 03:03:39 EST 2005
Vincent Partington wrote:
> Hi,
>
[snip]
> 2. I couldn't solve the Predictable Session Identifier lesson. I used
> WebScarab (nice tool too!) to plot the session identified and although a
> weakness seems to be there, I wasn't able to exploit it. Is this lesson
> a lot harder than the other ones?
>
Well, it may be a bit harder than some of the others, but it is a fairly
advanced topic.
The idea is that you should look at the pattern that the generated
WEAKIDs follow. The key thing to notice is that there is a sequential
component, and a time-based component.
The sequential component simply increments by one for each WEAKID
generated. Periodically, you will see that the WEAKID skips an increment
(i.e. increases by 2). The idea is that "someone else" has requested a
session at the same time, and so you can see exactly what the sequence
number for that WEAKID is (since you have the WEAKIDs on either side!)
The objective of the lesson is to brute force the time-based component
of the WEAKID, and gain access to the actual session that the other
"user" received. You can identify a successful compromise by the fact
that you will not be prompted to logon.
To assist you in brute forcing the time-based component, there is a
pre-written script distributed with WebScarab in the scripts directory,
which does the necessary prompting.
Take a look at the script, try it out, and see if you get any results.
Once you have identified the actual WEAKID, you can add it to the
"Shared Cookies" in WebScarab, and (under the Proxy -> Miscellaneous
tab) enable "Inject known cookies in requests", which will enable you to
view the session in your browser (if you reload the page). This is a
generic technique for hijacking sessions, if you would like to access
them using the browser, rather than hacking them manually ;-)
>
> Well, I hope these remarks are helpful. If you have any more questions,
> please let me know.
>
> Thanks for a great tool!
>
> Regards, Vincent Partington.
I hope my explanation was helpful. Glad you like the Web* tools.
Rogan
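The following is an added illustration, not code from this message, from WebGoat or from the WebScarab scripts directory. It models the two-component structure Rogan describes (a counter that goes up by one per session plus a time-based part) and shows the assessment a defender would run over a sample of issued IDs: does the counter parse and increase monotonically, and does a skipped counter value reveal a narrow time window in which some other user's session was created? The `seq-ms` layout, the `WeakSessionIds` class and the helper names are assumptions; the real WEAKID format is not shown on the page. The `strong_session_id` function is the remediation: an ID drawn from the OS CSPRNG has no component to extrapolate.

```python
import re
import secrets
import time
from typing import List, Optional, Tuple


class WeakSessionIds:
    """Constructed imitation of a predictable session-ID generator: a counter
    that increments by one per session, joined to a millisecond timestamp.
    The layout 'counter-timestamp' is an assumption for this example."""

    def __init__(self, start: int = 1000) -> None:
        self._counter = start

    def issue(self, now_ms: Optional[int] = None) -> str:
        if now_ms is None:
            now_ms = int(time.time() * 1000)
        self._counter += 1
        return f"{self._counter}-{now_ms}"


WEAK_ID_RE = re.compile(r"^(\d+)-(\d+)$")


def parse_weak_id(sid: str) -> Optional[Tuple[int, int]]:
    """Split an ID into (sequence, timestamp); None if it does not fit the pattern."""
    m = WEAK_ID_RE.match(sid)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_predictable(observed: List[str]) -> bool:
    """Flag a generator whose IDs parse into a strictly increasing counter.
    Such an ID is guessable no matter what the second component contains."""
    parsed = [parse_weak_id(s) for s in observed]
    if len(parsed) < 2 or any(p is None for p in parsed):
        return False
    seqs = [p[0] for p in parsed]
    return all(b > a for a, b in zip(seqs, seqs[1:]))


def find_sequence_gaps(observed: List[str]) -> List[dict]:
    """Report counter values the observer never received.

    A jump of more than one between consecutive observed IDs means another
    session was issued in between; its timestamp lies between the timestamps
    on either side. 'candidates' is the size of that window in milliseconds,
    which is the quantity an assessment should report as the risk indicator."""
    parsed = [parse_weak_id(s) for s in observed]
    if any(p is None for p in parsed):
        return []
    gaps = []
    for (seq_a, ts_a), (seq_b, ts_b) in zip(parsed, parsed[1:]):
        for missing in range(seq_a + 1, seq_b):
            gaps.append({"seq": missing, "ts_low": ts_a, "ts_high": ts_b,
                         "candidates": ts_b - ts_a + 1})
    return gaps


def strong_session_id() -> str:
    """Remediation: 256 bits from the OS CSPRNG, no counter and no clock."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    gen = WeakSessionIds()
    # Constructed scenario: the observer requests two sessions, someone else
    # requests one in between, then the observer requests a third.
    mine = [gen.issue(1_000), gen.issue(1_050)]
    gen.issue(1_070)  # the other user's session, never seen by the observer
    mine.append(gen.issue(1_100))
    print("predictable:", is_predictable(mine))
    for gap in find_sequence_gaps(mine):
        print("missing counter", gap["seq"], "issued within", gap["candidates"], "ms")
    sid = strong_session_id()
    print("strong ID fits the weak pattern?", parse_weak_id(sid) is not None)
```

The point of the `candidates` figure is that a generator is only as strong as its least predictable part: once the counter is known, the remaining uncertainty is a window of a few tens of milliseconds, which is why the lesson is solvable and why session IDs should come from a CSPRNG rather than from any combination of counters and clocks.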