Attack 1: Enumerating Identifiers

Suppose that you are targeting an application that supports self-registration

for anonymous users. You create an account and log in, and gain access to a

minimum of functionality. At this stage, one area of obvious interest is the

application’s session tokens. Logging in several times in close succession gen-

erates the following sequence:

000000-fb2200-16cb12-172ba72551 

000000-bc7192-16cb12-172ba7279e 

000000-73091f-16cb12-172ba729e8 

000000-918cb1-16cb12-172ba72a2a 

000000-aa820f-16cb12-172ba72b58 

000000-bc8710-16cb12-172ba72e2b 

You follow the steps described in Chapter 7 to analyze these tokens. It is evi-

dent that approximately half of the token is not changing, but you also dis-

cover that the second portion of the token is not actually processed by the

application either. Modifying this portion entirely does not invalidate your

tokens. Furthermore, although it is not trivially sequential, the final portion

clearly appears to be incrementing in some fashion. This looks like a very

promising opportunity for a session hijacking attack.

To leverage automation to deliver this attack, you need to find a single

request/response pair that can be used to detect valid tokens. Typically, any

request for an authenticated page of the application will serve this purpose.

You decide to target the main home page presented to each user following

login:

Host: wahh-app.com

Cookie: SessionID=000000-fb2200-16cb12-172ba72551