Burp Suite Session Hijacking

  1. Burp Suite For Windows 10
  2. Burp Suite Free Download
  3. Burp Suite 2020.5
  4. Burp Suite Session Hijacking
  • OWASP DVWA BURP SUITE Session Hijacking Tutorial. This test is to check whether the cookie can be reused in another computer during the login phase.
  • Burp Suite Demo (7:40). Protection Against Session Hijacking (2:45) IP Security Architecture (1:53) Penetration Testing in Session Hijacking (4:10).
  • Once cookie is stolen attackers retrieve the session ID and write it on a cookie can recreate the session. Many websites are vulnerable for cookie hijacking. Attackers can steal cookies using proxy application like burp suite and then pass the cookie to be replayed in attackers browser.

Thurs 25th Jan 18

Using Burp to Attack Session Management The session management mechanism is a fundamental security component in the majority of web applications. HTTP itself is a stateless protocol, and session management enables the application to uniquely identify a given user across a number of different requests and to handle the data that it accumulates about the state of that user's interaction with the. In my last post I covered setup for Burp Suite, as well as the Proxy and Target tabs. This blog post will cover the Spider, Intruder and Repeater tools, which start to show the usefulness and power of Burp Suite. Since everything is more fun with examples, I’ll be using practice hacking sites to demo some of these features.: ) If you don’t have Burp Suite set up yet, check out this blog.

I've been using Burp Suite for years but somehow avoided macros up till a couple of weeks ago when I got stuck with a form I needed to brute force using Intruder. The page had a per-request CSRF token which was written into the form by a JavaScript function, for the brute force to work, I needed to pull the token from the JavaScript and ensure it was POSTed with each of my requests. I read the documentation and thought I understood how to do it but wanted to make sure before I targeted a live site so I created a small test app to simulate the client page and hit it till I got it all set up right. As I'd put the effort in to work it all out I figured I'd document the process and publish the app for others to practice on.

The Setup


This is the app we will be targeting, you can download a copy from GitHubGist or use my online version:

On a GET, a session is started and token is generated and stored. A form is then written with an empty token input field and finally JavaScript is used to write the token into the input. This means that if the form is submitted without the JavaScript running, a blank token is submitted.

On a POST, the token submitted is compared to the one in the session, if they match then you get a 'Success' message, otherwise you get a message telling you what you did wrong. A new token is then generated and a the process can be repeated.

As Burp does not run JavaScript, hitting the page through Repeater or Intruder should result in a 'Tokens don't match' message as the token submitted will either be blank or a previously used one, this is where macros and session handling come in.

The Attack

First thing, set up Burp so that you can browse to the app and make sure that all requests are going through the Proxy. I'm going to assume that you can do this, if not, go learn some more about Burp basics then come back. Once you've done this, browse to the page and submit the form a few times so there are some hits in the proxy history.

Now we have the basics setup, we need to create a macro, to do this, go to the 'Project options' tab and then the 'Sessions' sub tab and hit the 'Add' button in the Macros section.

Doing this will bring up the 'Macro Editor' dialog and, on top of that, the 'Macro Recorder' dialog.

As you can see, I've got 3 POSTs and a GET. Select one of the POSTs and hit OK, this will close the dialog and return you to the 'Macro Editor'.

Give the macro a name, I've called mine 'Macro Demo', and then click 'Configure Item'.

In here, it would be tempting to think that Burp has worked out what is going on as it has recognised th token parameter and is showing an example, but this wrong. The parameter being shown is the value it took from the POST request which has already been used and so is a 'dead' token. To pull the ever changing value from the JavaScript, click the Add button in the 'Custom parameter locations in response' section. دانلود adobe flash professional cc 2020. This brings up the 'Define Custom Parameter' dialog.

In this dialog, give the parameter a name, in our example the parameter is called 'token' and then in the request, highlight the token. This tells Burp where to find the parameter.

You have now created a macro that will pull the token value out of each request and make it available to the session handler. Click OK to close all the dialogs back to the main Burp window.

A slight aside, the 'Macro Editor' dialog has a 'Test macro' button which I would have expected to make a request and show the token that it has captured but it doesn't so unfortunately this isn't much use for debugging in this scenario.

In the 'Session Handling Rules' section of the Sessions tab, click the Add button to get the 'Session handling rule editor' dialog. Give the rule and name and then click the Add button to add a Rule Action. This will give a drop down showing the different types of rules that can be performed. Select 'Run a macro'.

This shows the 'Session Handling Action Editor' dialog, in here you can select the macro to run and then specify which parameters and which cookies get updated by the rule. I selected the 'Macro Demo' macro we created earlier and left the other parameters as the defaults.

OK that dialog to go back to the 'Session handling rule editor' dialog for one final setting. Change to the Scope tab:

In here I've selected to use a custom scope and entered the URL of the test page. In my real application, all pages had the token regardless of whether they had a form on them so I'd have gone with the suite scope option.

One final OK and it should all be set up. To test everything is working, send one of your previous POST requests to the Repeater and hit Go. If everything went well, the response will contain the 'Success' message and you should see the token parameter magically update with every request you send.

And that is all there is to it. I followed the same steps in my test and all went well, both Repeater and Intruder worked seamlessly and I was able to forget about the CSRF protection.

Useful Links

Here are a couple of links to the official Burp Suite documentation which may help with better understanding and in more complex environments.

Recent Archive

Support The Site

I don't get paid for any of the projects on this site so if you'd like to support my work you can do so by using the affiliate links below where I either get account credits or cash back. Usually only pennies, but they all add up.

Let’s start with the explanation of the session management role. This mechanism is a fundamental security component in the majority of web apps. It enables the application to uniquely identify a given user across a number of different requests. It also enables handling the data that it accumulates about the state of the user’s interaction with the application. The session management mechanism persists the insurance of any given user’s identity beyond the request in which he supplies his credentials. They are the crucial target of the malicious attacks because they have such an important role in securing the user and the system. Before we go further, I would recommend you to take a look at the cyber security tips for better understanding the text that will follow.

Burp Suite For Windows 10

The Need for State

We know that the HTTP protocol is stateless. Based on a simple request-response model. Nowadays, the things changed. Most of the web sites are actually the web applications, allowing you to register and log in. They let you do almost everything over the internet-sell and buy things, promotion, and anything you use for your purposes. But do you really know how to use the internet in a proper and safe way? Before I go further, read about the internet security tips.

Some web applications use other techniques to stay safe, not only sessions employ. We will talk about the alternatives now. Let’s start from the HTTP authentication. With this authentication, the client component interacts with the authentication mechanism directly over the browser. It uses HTTP headers. There is another alternative method called sessionless state mechanisms. Some apps transmit the data which is required to manage that state via the client. It happens usually in a cookie or a hidden form field.

Weakness in Token Generation

Tokens are mostly generated in an unsafe way and that is why session management mechanisms are often vulnerable to attacks. The hacker can easily identify the value of the token that has been issued to the other users. Most of the times those tokens contain meaningful data which often exhibit a structure. In that extracted case, the attacker can easily identify the parts of the tokens and get into the account username, email address or the client IP address and much more.

Burp Suite Free Download

But, there are some session tokens which don’t contain any meaningful data which can be associated with a particular user. Those tokens are called predictable tokens. And why is that so? Because they can be guessed easily. They also contain the sequences and patterns that allow an attacker to extrapolate from a sample of tokens in the order to find the other valid token which is recently issued by the app.

Weakness in Session Token Handling

It really doesn’t matter how effective the application is at ensuring that the session tokens it generates don’t have any information which is meaningful and are not suspectable to any analysis or prediction. Still, its session mechanisms will be wide opened for the attacks. It happens in the case the tokens are not handled carefully after generation.

So, what is the best thing to do? We will now talk about the disclosure of tokens on the network. This threat arises when the session token transmits across the network in the unencrypted form. In that way, it enables a suitably positioned eavesdropper to obtain that token and the attacker can mask himself as the legitimate user.

What is the simplest weakness? It happens when the multiple valid tokens allow being concurrently assigned to the same user account. There is another related and similar weakness, and it happens within the applications which use the static tokens. They mainly and initially appears to look like session tokens, but in the reality, they’re nothing like them. Here, each user is assigned token and in that case, that same token is reissued to the user every time he logs in.

Client Exposure to Token Hijacking

In the attempt to capture or misuse the victim’s session token in various ways, the attacker can target the other users of the application. It can happen through a payload for cross-site scripting attacks. The hijacker sometimes waits for the user to log in, and once that happens, he hijacks the user’s session.

Securing Session Management

What are the defensive measures that web application must take to prevent the attacks on their session management mechanisms? Well, the application must generate its tokens in a robust way and must protect these tokens throughout their life cycle from creating to disposal.

Let’s talk about generating the strong tokens. The tokens which are used to reidentify a user between successive requests should be generated in such a manner that does not provide any scope for the attacker who may obtain a large sample of tokens from the app in the usual way to predict or extrapolate the tokens issued to the other users. So, what are the most effective token generation mechanisms? First of all, to use an extremely large set of possible values. And the second thing would be containing a strong source of pseudorandomness, which ensures an even and unpredictable spread of the tokens across the range of possible values. The strong tokens should be extremely unlikely that a determined attacker with large amounts of bandwidth and processing resources should be successful in guessing a single valid token within the life span of the token’s validity. They also shouldn’t consist anything more than an identifier used by the server for locating the relevant session object which is going to be used for processing the user’s request. It should contain also no meaning of structure (overtly or wrapped in layers of encoding or obfuscating).

Log, Monitor, and Alert

It is highly recommended that the app’s session management functionality should be closely integrated with its mechanisms for logging, and alerting. That provides suitable records of anomalous activity and enables the administrators to take the proper defensive actions when and where it is necessary.

Burp Suite 2020.5

The app needs to monitor the requests which contain invalid tokens. Sometimes, it is the truth that brute-force attacks cannot be prevented. Although, not all is lost. Keeping detailed logs and alerting administrators enables the investigation of the attack and taking the appropriate actions where needed and possible.

The user should be always alerted, whenever it is possible, to anomalous events relating to their sessions. For an example, concurrent logins or apparent hijacking. It can be detected by using per-page tokens.


Burp Suite Session Hijacking

So, let’s make a summary and take a look what have we learned today! I hope you’ve gained so many important information about session management mechanisms. They provide a rich source of potential vulnerabilities. They are literally the key to the kingdom. That is why we talked so much about the tokens in this article, and what are the best and proper ways to use them. It is normal to expect the wide range of defects in real-world session management functionality. The possible weaknesses and avenues of attack may appear to be endless when bespoke mechanisms are employed.