CEH Lab Manual Session Hijacking Module 11


CEH Lab Manual

Session Hijacking

Module 11


Module 11 - Session Hijacking

Hijacking Sessions

Session hijacking refers to the exploitation of a valid computer session, wherein an attacker takes over a session between two computers.

Lab Scenario

Source: http://krebsonsecurity.com/2012/11/yahoo-email-stealing-exploit-fetches-700

According to KrebsOnSecurity news and investigation, a zero-day vulnerability in yahoo.com that lets attackers hijack Yahoo! email accounts and redirect users to malicious websites offers a fascinating glimpse into the underground market for large-scale exploits.

The exploit, being sold for $700 by an Egyptian hacker on an exclusive cybercrime forum, targets a "cross-site scripting" (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo! webmail users. Such a flaw would let attackers send or read email from the victim's account. In a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed, and can access cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

KrebsOnSecurity.com alerted Yahoo! to the vulnerability, and the company says it is responding to the issue. Ramses Martinez, director of security at Yahoo!, said the challenge now is working out the exact yahoo.com URL that triggers the exploit, which is difficult to discern from watching the video.

These types of vulnerabilities are a good reminder to be especially cautious about clicking links in emails from strangers or in messages that you were not expecting.

Being an administrator, you should implement security measures at the application level and the network level to protect your network from session hijacking. Network-level hijacking is prevented by packet encryption, which can be obtained by using protocols such as IPsec, SSL, SSH, etc. IPsec allows encryption of packets using a shared key between the two systems involved in the communication.

Application-level security is obtained by using strong session IDs. SSL and SSH also provide strong encryption, using SSL certificates, to prevent session hijacking.

Lab Objectives

The objective of this lab is to help students learn session hijacking and take the necessary actions to defend against it.

In this lab, you will:

■ Intercept and modify web traffic


Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

CEH Lab Manual Page 716


■ Simulate a Trojan, which modifies a workstation's proxy server settings

Lab Environment

To carry out this lab, you need:

■ A computer running Windows Server 2012 as host machine

■ This lab will run on a Windows 8 virtual machine

■ Web browser with Internet access

■ Administrative privileges to configure settings and run tools

Lab Duration

Time: 20 Minutes

Overview of Session Hijacking

Session hijacking refers to the exploitation of a valid computer session where an attacker takes over a session between two computers. The attacker steals a valid session ID, which is used to get into the system and sniff the data.

In TCP session hijacking, an attacker takes over a TCP session between two machines. Since most authentication occurs only at the start of a TCP session, this allows the attacker to gain access to a machine.

Lab Tasks

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.

Recommended labs to assist you in session hijacking:

■ Session hijacking using ZAP

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 11 Session Hijacking

TASK 1: Overview


Lab

Session Hijacking Using Zed Attack Proxy (ZAP)

The OWASP Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications.

Lab Scenario

Attackers are continuously watching for websites to hack, and developers must be prepared to counter malicious hackers by writing strong, secure code. A common form of attack is session hijacking, i.e., accessing a website using someone else's session ID. A session ID might contain credit card details, passwords, and other sensitive information that can be misused by a hacker.

Session hijacking attacks are performed either by session ID guessing or by stolen session ID cookies. Session ID guessing involves gathering a sample of session IDs and "guessing" a valid session ID assigned to someone else. It is always recommended not to replace ASP.NET session IDs with IDs of your own, as this will prevent session ID guessing. Session hijacking through stolen session ID cookies can be prevented by using SSL; however, using cross-site scripting attacks and other methods, attackers can still steal the session ID cookies. If an attacker gets hold of a valid session ID, then ASP.NET connects to the corresponding session with no further authentication.

There are many tools easily available now that attackers use to hack into websites or user details. One of the tools is Firesheep, which is an add-on for Firefox. While you are connected to an unsecure wireless network, this Firefox add-on can sniff the network traffic, capture all your information, and provide it to the hacker on the same network. The attacker can now use this information and log in as you.

As an ethical hacker, penetration tester, or security administrator, you should be familiar with network and web authentication mechanisms. In your role of web security administrator, you need to test web server traffic for weak session IDs, insecure handling, identity theft, and information loss. Always ensure that you have an encrypted connection using https, which will make the sniffing of network packets difficult for an attacker. Alternatively, VPN connections too can be used to stay safe, and advise users to log off once they are done with their work. In this lab you will learn to use the ZAP proxy for intercepting traffic, scanning, etc.
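The advice above to test server traffic for weak session IDs and insecure cookie handling can be scripted. The following Python example is added here and is not part of the lab manual: it parses a constructed HTTP response (modelled on the bing.com response captured later in this lab, with made-up cookie names and values), flags session cookies that lack the Secure, HttpOnly or SameSite attributes, and estimates whether the ID value has enough entropy to resist the guessing attack the scenario describes. The cookie-name hints and the 64-bit entropy floor are assumptions of this example.

```python
"""Audit session cookies in a captured HTTP response for hijacking exposure.

Added example, not part of the CEH lab manual. The response below is
constructed; its cookie names and values are made up for illustration.
"""
import math
import re
from collections import Counter

# Constructed sample: one weak custom session cookie, one hardened one.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: private, max-age=0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: sid=10042; Path=/\r\n"
    "Set-Cookie: ASP.NET_SessionId=a3f9c1e7b2d8046f5a9e1c7d3b6f8e20; "
    "Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html><title>cars - Bing</title></html>"
)

# Assumption: cookies whose names contain these fragments carry a session.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token")
MIN_ENTROPY_BITS = 64  # assumed floor for a guessing-resistant ID


def parse_set_cookies(raw_response):
    """Return [{name, value, attrs}] for every Set-Cookie header."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    cookies = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        hdr, _, rest = line.partition(":")
        if hdr.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in rest.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {}
        for part in parts[1:]:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() or True  # flag attrs -> True
        cookies.append({"name": name.strip(), "value": value.strip(), "attrs": attrs})
    return cookies


def entropy_bits(value):
    """Empirical Shannon entropy of the whole string, in bits.

    This is an upper bound on how hard one ID is to guess: a low figure is
    definitely bad; a high figure still needs a larger sample to confirm.
    """
    n = len(value)
    if n == 0:
        return 0.0
    counts = Counter(value).values()
    return -sum((c / n) * math.log2(c / n) for c in counts) * n


def audit_cookie(cookie):
    """Findings for one cookie; an empty list means nothing to report."""
    name, value, attrs = cookie["name"], cookie["value"], cookie["attrs"]
    if not any(h in name.lower() for h in SESSION_NAME_HINTS):
        return []  # not a session/auth cookie; attributes are less critical
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plain HTTP, sniffable on shared networks")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by script, so XSS can steal it")
    if "samesite" not in attrs:
        findings.append("missing SameSite: sent on cross-site requests (CSRF exposure)")
    if re.fullmatch(r"\d+", value):
        findings.append("numeric value: looks sequential, trivially guessable")
    bits = entropy_bits(value)
    if bits < MIN_ENTROPY_BITS:
        findings.append(f"low entropy (~{bits:.0f} bits): guessable session ID")
    return findings


def audit_response(raw_response):
    """Map cookie name -> findings for every cookie set by the response."""
    return {c["name"]: audit_cookie(c) for c in parse_set_cookies(raw_response)}


if __name__ == "__main__":
    for cookie_name, findings in audit_response(SAMPLE_RESPONSE).items():
        status = "OK" if not findings else "\n    ".join([""] + findings)
        print(f"{cookie_name}: {status}")
```

Point the script at responses saved from the ZAP History tab to check every session cookie a target application sets.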

Lab Objectives

The objective of this lab is to help students learn session hijacking and how to take the necessary actions to defend against session hijacking.

In this lab, you will:

■ Intercept and modify web traffic

■ Simulate a Trojan, which modifies a workstation's proxy server settings

Lab Environment

To carry out the lab, you need:

■ Paros Proxy located at D:\CEH-Tools\CEHv8 Module 11 Session Hijacking\Session Hijacking Tools\Zaproxy

■ You can also download the latest version of ZAP from the link http://code.google.com/p/zaproxy/downloads/list

■ If you decide to download the latest version, then screenshots shown in the lab might differ

■ A system running Windows Server 2012 as host machine

■ Run this tool in a Windows 8 virtual machine

■ A web browser with Internet access

■ Administrative privileges to configure settings and run tools

■ Ensure that Java Runtime Environment (JRE) 7 (or above) is installed. If not, go to http://java.sun.com/j2se to download and install it.

Lab Duration

Time: 20 Minutes

Overview of Zed Attack Proxy (ZAP)

Zed Attack Proxy (ZAP) is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pentester's toolbox. Its features include an intercepting proxy, automated scanner, passive scanner, and spider.

Lab Tasks

1. Log in to your Windows 8 Virtual Machine.


TASK 1: Setting up ZAP


At its heart ZAP is an intercepting proxy. You need to configure your browser to connect to the web application you wish to test through ZAP. If required, you can also configure ZAP to connect through another proxy; this is often necessary in a corporate environment.

2. In the Windows 8 Virtual Machine, follow the wizard-driven installation steps to install ZAP.

3. To launch ZAP after installation, move your mouse cursor to the lower-left corner of your desktop and click Start.

FIGURE 2.1: Paros proxy main window

4. Click ZAP 1.4.1 in the Start menu apps.

You can also download ZAP from http://code.google.com/p/zaproxy/downloads/list

FIGURE 2.2: Paros proxy main window

5. The main interface of ZAP appears, as shown in the following screenshot.

6. It will prompt you with an SSL Root CA certificate. Click Generate to continue.

If you know how to set up proxies in your web browser, then go ahead and give it a go! If you are unsure, then have a look at the Configuring proxies section.


Once you have configured ZAP as your browser's proxy, try to connect to the web application you will be testing. If you cannot connect to it, check your proxy settings again. You will need to check your browser's proxy settings, and also ZAP's proxy settings.

FIGURE 2.3: Paros proxy main window

7. In the Options window, select Dynamic SSL certificates, then click Generate to generate a certificate. Then click Save.

Active scanning attempts to find potential vulnerabilities by using known attacks against the selected targets.

Active scanning is an attack on those targets. You should NOT use it on web applications that you do not own.

It should be noted that active scanning can only find certain types of vulnerabilities. Logical vulnerabilities, such as broken access control, will not be found by any active or automated vulnerability scanning. Manual penetration testing should always be performed in addition to active scanning to find all types of vulnerabilities.

8. Save the certificate in the default location of ZAP. If the certificate already exists, replace it with the new one.

FIGURE 2.4: Paros proxy main window


An alert is a potential vulnerability and is associated with a specific request. A request can have more than one alert.

9. Click OK in the Options window.

Anti-CSRF tokens are (pseudo) random parameters used to protect against Cross Site Request Forgery (CSRF) attacks.

However, they also make a penetration tester's job harder, especially if the tokens are regenerated every time a form is requested.

10. Your Paros proxy server is now ready to intercept requests.

FIGURE 2.5: Paros proxy main window


FIGURE 2.7: Paros proxy main window

11. Launch any web browser; in this lab we are using the Chrome browser.

12. Your VM workstation should have Chrome version 22.0 or later installed.

13. Change the Proxy Server settings in Chrome by clicking the Customize and control Google Chrome button, and then click Settings.

ZAP detects anti-CSRF tokens purely by attribute names; the list of attribute names considered to be anti-CSRF tokens is configured using the Options Anti CSRF screen. When ZAP detects these tokens it records the token value and which URL generated the token.

FIGURE 2.8: IE Internet Options window

14. On the Google Chrome Settings page, click the Show advanced settings... link at the bottom of the page, and then click the Change proxy settings... button.

ZAP provides an Application Programming Interface (API) which allows you to interact with ZAP programmatically.

The API is available in JSON, HTML and XML formats. The API documentation is available via the URL http://zap/ when you are proxying via ZAP.


FIGURE 2.9: Paros proxy main window

15. In the Internet Properties wizard, click Connections and click LAN Settings.

FIGURE 2.10: IE Internet Options window with Connections tab

16. Check Use a proxy server for your LAN, type 127.0.0.1 in the Address field, enter 8080 in the Port field, and click OK.

Click OK several times until all configuration dialog boxes are closed.


It should be noted that there is minimal security built in to the API, which is why it is disabled by default. If enabled, the API is available to all machines that are able to use ZAP as a proxy. By default ZAP listens only on 'localhost' and so can only be used from the host machine.

The API provides access to the core ZAP features such as the active scanner and spider. Future versions of ZAP will increase the functionality available via the API.

FIGURE 2.11: IE Internet Options window with Proxy Settings window

17. Click Set break on all requests and Set break on all responses to trap all the requests and responses from the browser.

FIGURE 2.12: Paros proxy main window

18. Now navigate to the Chrome browser, and open www.bing.com.

19. Start a search for "Cars."

20. Open ZAP, which shows the first trapped incoming web traffic.

21. Observe the first few lines of the trapped traffic in the trap window, and keep clicking Submit and step to next request or response until you see Cars in the GET request in the Break tab, as shown in the following screenshot.

TASK 2: Hijacking Victim's Session

ZAP allows you to try to brute force directories and files. A set of files is provided which contain a large number of file and directory names.

A break point allows you to intercept a request from your browser and to change it before it is submitted to the web application you are testing. You can also change the responses received from the application. The request or response will be displayed in the Break tab, which allows you to change disabled or hidden fields, and will allow you to bypass client-side validation (often enforced using JavaScript). It is an essential penetration testing technique.


FIGURE 2.6: Paros Proxy with Trap option content (the trapped GET http://www.bing.com/search?q=... request, Host: www.bing.com, in the Break tab)

22. Now change the query text from Cars to Cakes in the GET request.

Screenshot: the modified GET request, with the query changed to Cakes, in the ZAP Break tab.

23. Click Submit and step to next request or response.

24. Search for the title in the Response pane and replace Cakes with Cars as shown in the following figure.

Filters add extra features that can be applied to every request and response. By default no filters are initially enabled. Enabling all of the filters may slow down the proxy. Future versions of the ZAP User Guide will document the default filters in detail.

Fuzzing is configured using the Options Fuzzing screen. Additional fuzzing files can be added via this screen or can be put manually into the "fuzzers" directory where ZAP was installed; they will then become available after restarting ZAP.



FIGURE 2.7: Paros Proxy search string content (two screenshots of the HTTP/1.1 200 OK response from bing.com in the Break tab: the page title reads "cakes - Bing", then "cars - Bing" after the edit)

25. In the same Response pane, replace Cakes with Cars as shown in the following figure at the value shown.


This functionality is based on code from the OWASP JBroFuzz project and includes files from the fuzzdb project. Note that some fuzzdb files have been left out as they cause common anti-virus scanners to flag them as containing viruses. You can replace them (and upgrade fuzzdb) by downloading the latest version of fuzzdb and expanding it in the 'fuzzers' library.

Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

CEH Lab Manual Page 727


[Figure: OWASP ZAP Response tab after editing, showing the same intercepted Bing response (HTTP/1.1 200 OK, Content-Type: text/html; charset=utf-8, Expires: Mon, 15 Oct 2012 12:30:19 GMT) with the search box value in the page HTML changed from Cakes to Cars]

This tool keeps track of the existing Http Sessions on a particular Site and allows the Zaproxy user to force all requests to be on a particular session.

Basically, it allows the user to easily switch between user sessions on a Site and to create a new Session without "destroying" the existing ones.

FIGURE 2.8: Paros with modified trap option content

Note: Here we are changing the text Cakes to Cars; the Bing search shows Cars, whereas the results displayed are for Cakes.

26. Observe the Bing search web page displayed in the browser with search query as "Cakes."

[Figure: Bing results page at www.bing.com/search?q=cars&go=&qs=n&form=QBLH&filt=all&pq=cars&sc=0 (tabs: WEB, IMAGES, VIDEOS, NEWS, MORE) showing results for cakes, including "Images of cakes" and "Cake - Wikipedia, the free encyclopedia" (en.wikipedia.org/wiki/Cake: Varieties, Special-purpose cakes, Shapes, Cake flour, Cake decorating), even though the query shown is "cars"]

FIGURE 2.6: Search results window after modifying the content

27. That's it. You just forced an unsuspecting web browser to go to any page of your choosing.

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

It is based on the concept of Session Tokens, which are HTTP message parameters (for now only Cookies) which allow an HTTP server to connect a request message with any previous requests or data stored. In the case of Zaproxy, conceptually, session tokens have been classified into 2 categories: default session tokens and site session tokens. The default session tokens are the ones that the user can set in the Options Screen and are tokens that are, by default, automatically considered session tokens for any site (e.g. phpsessid, jsessionid, etc.). The site session tokens are a set of tokens for a particular site and are usually set up using the pop-up menus available in the Params Tab.
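As an added example (not code from the manual or from the ZAP project), the script below parses the headers of an intercepted HTTP response, sorts its Set-Cookie values into the two ZAP categories just described (default tokens such as phpsessid/jsessionid versus site tokens you name yourself), and reports which session cookies lack the Secure and HttpOnly attributes that limit cookie theft over a proxied connection or via script. The response text and the SITESID cookie are constructed for the example.

```python
# Added example: classify session tokens in a captured HTTP response the way
# the ZAP note describes, and audit their Secure/HttpOnly attributes.

# Default session tokens named on the page: session tokens for any site.
DEFAULT_SESSION_TOKENS = {"phpsessid", "jsessionid"}


def parse_headers(raw):
    """Return (status line, [(lower-cased name, value), ...]) for a raw response."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def classify_cookies(raw, site_session_tokens=()):
    """One dict per Set-Cookie header: cookie name, ZAP category, missing flags."""
    _, headers = parse_headers(raw)
    site_tokens = {t.lower() for t in site_session_tokens}
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        lower = cookie_name.lower()
        if lower in DEFAULT_SESSION_TOKENS:
            category = "default session token"
        elif lower in site_tokens:
            category = "site session token"
        else:
            category = "not a session token"
        # Only session tokens are worth hijacking, so only they are audited.
        missing = sorted({"secure", "httponly"} - attrs) if category != "not a session token" else []
        findings.append({"name": cookie_name, "category": category, "missing": missing})
    return findings


# Constructed sample modelled on the intercepted Bing response in the lab;
# the Set-Cookie lines (including SITESID) are invented for illustration.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: private, max-age=0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Expires: Mon, 15 Oct 2012 12:30:19 GMT\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    "Set-Cookie: SITESID=v2-deadbeef; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: theme=light; Path=/\r\n"
    "\r\n<html><title>Cakes - Bing</title></html>"
)

if __name__ == "__main__":
    for finding in classify_cookies(SAMPLE_RESPONSE, site_session_tokens=["SITESID"]):
        print(finding)
```

Running it flags JSESSIONID (a default token) as missing both Secure and HttpOnly, while the site token SITESID passes and the theme cookie is ignored.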

Tool/Utility: Zed Attack Proxy

Information Collected/Objectives Achieved:

■ SSL certificate to hack into a website

■ Redirecting the request made in Bing


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Evaluate each of the following Paros proxy options:

a. Trap Request

b. Trap Response

c. Continue Button

d. Drop Button

Internet Connection Required

☑ Yes  ☐ No

Platform Supported

☑ Classroom  ☐ iLabs
