The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws
Figure 13-3: Configuring numeric payloads

Chapter 13: Automating Bespoke Attacks (page 496)

In attacks to enumerate valid session tokens, identifying hits is typically straightforward, and in the present case you have determined that the application returns an HTTP 200 response when a valid token is supplied, and an HTTP 302 redirect back to the login page when an invalid token is supplied. Hence, you don’t need to configure any custom response analysis for this attack.

Launching the attack causes Intruder to quickly iterate through the requests. The attack results are displayed in the form of a table. You can click on each column heading to sort the results according to the contents of that column. Sorting by status code enables you to easily identify the valid tokens that you have discovered, as shown in Figure 13-4.

Figure 13-4: Sorting attack results to quickly identify hits

The attack is successful. You can take any of the payloads that caused HTTP 200 responses, replace the last three digits of your session token with this, and thereby hijack the sessions of other application users. However, take a closer look at the table of results. Most of the HTTP 200 responses have roughly the same response length, because the home page presented to different users is more or less the same. However, two of the responses are much longer, indicating that a different home page was returned.

You can double-click on a result item in Intruder to display the server’s response in full, either as raw HTTP or rendered as HTML. Doing this reveals that the longer home pages contain a much larger set of menu options than your home page does. It appears that these two hijacked sessions belong to more-privileged users.
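The same 200-versus-302 signature that makes hits easy to spot in Intruder is equally visible in the application's own access logs, which is how a defender detects this enumeration. The following Python is an added example, not code from the book or from Burp: it assumes a constructed log format in which the session cookie value is logged, flags any client that presents many distinct tokens while being mostly redirected to the login page, and lists the tokens that client got accepted so those sessions can be invalidated.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the book). Assumed field order:
# client_ip method path "cookie" status bytes. Client 10.0.0.5 cycles through
# session cookie values: most get a 302 to the login page, two are accepted.
SAMPLE_LOG = """\
10.0.0.5 GET /home "sess=8f3b2c1a000" 302 0
10.0.0.5 GET /home "sess=8f3b2c1a001" 302 0
10.0.0.5 GET /home "sess=8f3b2c1a003" 200 2411
10.0.0.5 GET /home "sess=8f3b2c1a004" 302 0
10.0.0.5 GET /home "sess=8f3b2c1a005" 302 0
10.0.0.5 GET /home "sess=8f3b2c1a006" 200 7932
10.0.0.9 GET /home "sess=7c1d9e44aa1" 200 2398
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ "sess=(?P<token>[0-9a-f]+)" '
                     r'(?P<status>\d{3}) (?P<size>\d+)$')


def parse_line(line):
    """Return one log line's fields as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ip": m["ip"], "token": m["token"],
            "status": int(m["status"]), "size": int(m["size"])}


def analyze(log_text, min_distinct=5, redirect_ratio=0.5):
    """Flag clients presenting many distinct tokens that are mostly bounced to the
    login page; for them, list the accepted (HTTP 200) tokens to invalidate."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_client[rec["ip"]].append(rec)
    report = {}
    for ip, recs in per_client.items():
        tokens = {r["token"] for r in recs}
        redirects = sum(r["status"] == 302 for r in recs)
        flagged = (len(tokens) >= min_distinct
                   and redirects / len(recs) >= redirect_ratio)
        report[ip] = {"requests": len(recs), "distinct_tokens": len(tokens),
                      "redirects": redirects, "flagged": flagged,
                      "accepted_tokens": sorted(r["token"] for r in recs
                                                if r["status"] == 200) if flagged else []}
    return report
```

The thresholds are assumptions to tune per application; a legitimate client normally presents one session token, so even a low distinct-token threshold separates the two cases cleanly.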
