[OWASP-Security101] SESSION HIJACKING ISSUE

Anand Deshmukh anandkumardeshmukh at gmail.com
Thu Mar 1 04:19:29 UTC 2018


Hi,

Basically, I am a consultant and work on a project basis.

Application security is a new domain for me and I am trying my best to
deliver services to my clients in the AppSec domain. Currently I am working on
one of the assignments for my client and I found that there is a confirmed
vulnerability of session hijacking. I found this with the help of Burp
Suite.

To brief about the scenario, following are the details. The application is
developed in Java and is a web-based application. *FoxyProxy is configured
in both browsers and all the traffic is monitored using "Burp Suite" or
passing through "Burp Suite"*.

Scenario - 1

1) I have logged in to Firefox or any browser with User "A" as a privileged
user, and obviously "A" would have more information/options compared
to any normal user.
2) Now I have logged in with user "B" in a different browser. User "B" is a
normal user and has fewer privileges compared to User "A".

3) Now with the help of Burp Suite, I have identified the authentication
session which has User "A" credentials and the Session ID. By using
"Show Response in Browser", which is available in Burp Suite, I tried to
copy the complete session details and tried to run it in the browser where User
"B" is logged in.

4) The browser has allowed me to log in and it shows that User "A" is logged in.
This means the same credentials and session ID have been used to log in as
User "A" in a different browser, and the browser has allowed this without
asking for any credentials.

Here my suggestions to my client are as follows.

1) The same session ID can't be used to initiate the same session in a
different browser.
2) In such cases the browser should prompt for authentication of the user.


Scenario - 2

1) The application is the same, but instead of using two different browsers, here I
have used two different systems.
2) Here user "A" is logged on to system "X" with any browser.
3) User "B" is logged on to system "Y" with any browser.
4) I can replace the session ID with that of User "A" on system "Y" where User
"B" is already logged in, and I can see the browser shows that User "A" is
successfully logged in on system "Y".

My observations for Scenario 2:

1) Here I am able to log in as User "A" by replacing the Session ID without any
authentication, and the browser should not allow this.


I request you to share how I can fix this issue, or suggest how to fix this
issue. I would be grateful for the support.


-- 
Anand Deshmukh
*MCSA,MCTS,CISA,COBIT 5 (F),CPISI*
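One server-side mitigation for the behaviour described in both scenarios, as an added example that is not part of the original post or the poster's application: a servlet filter that binds a session to the client that first used it and invalidates the session when the same ID is presented from a different browser or host. It assumes a Servlet 4.0+ container (default `init`/`destroy`), a login page at `/login`, and that no reverse proxy rewrites the client address; the filter name and attribute name are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: binds each HTTP session to a fingerprint of the client
// that first used it, and invalidates the session if the same JSESSIONID later
// arrives from a client with a different fingerprint (Scenario 1 and 2 above).
public class SessionBindingFilter implements Filter {
    private static final String FP_ATTR = "client.fingerprint";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false); // never create one here
        if (session != null) {
            String current = fingerprint(request);
            String bound = (String) session.getAttribute(FP_ATTR);
            if (bound == null) {
                // First request on this session: remember which client owns it.
                session.setAttribute(FP_ATTR, current);
            } else if (!bound.equals(current)) {
                // Same session ID from another browser/host: log it for detection,
                // destroy the session and force re-authentication.
                request.getServletContext().log("session reuse, invalidated: " + session.getId());
                session.invalidate();
                response.sendRedirect(request.getContextPath() + "/login");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    // SHA-256 over attributes that should stay constant for one client. Assumption:
    // no reverse proxy in front; behind one, take the client address from a header
    // that only the trusted proxy sets, or leave the address out of the fingerprint.
    static String fingerprint(HttpServletRequest request) {
        String material = request.getRemoteAddr() + "|" + request.getHeader("User-Agent");
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(material.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory in every JRE
        }
    }
}
```

Binding is one layer only: the session ID should also be regenerated on successful login (`HttpServletRequest.changeSessionId()`, Servlet 3.1+) and the cookie issued over TLS with the Secure and HttpOnly flags, so that a valid ID is harder to capture in the first place.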

