Session Hijacking – Case Study

LIFARS frequently conducts penetration tests to ensure the effectiveness of our clients' security implementations and to evaluate whether their systems can hold up to real-world incident scenarios and stay resilient. Our cyber resiliency experts deliver calculated attacks against systems the same way black hat hackers do.

Session Hijacking Attacks Case Study
In April, our client asked the LIFARS Pen Testing Team to perform an external black box penetration test as part of a due diligence exercise. The client understands the risks they face daily as well as the importance of meeting compliance standards. Therefore, this client asked for an external black box penetration test on their website.
The intent of this engagement was to identify weaknesses in the company’s website and to detail how these vulnerabilities could impact the organization.
Therefore, the team used Session Hijacking as a main target for mounting other attacks. This security testing effort was conducted with emphasis on the actual state of the systems examined and no documentation to the client was provided.

Session hijacking.

Session hijacking is a technique used to take control of another user’s session and gain unauthorized access to data or resources.
Because HTTP communication uses many different TCP connections, the web server needs a method to recognize every user's connections. The most useful method depends on a token that the web server sends to the client browser after a successful client authentication. A session token is normally composed of a string of variable width, and it can be carried in different ways: in the URL, in the header of the HTTP request as a cookie, in other parts of the header of the HTTP request, or in the body of the HTTP request.
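To make the four token locations concrete, the following added example (not part of the original case study) reports where a session token travels in a captured HTTP request, which is useful when inventorying how your own application carries session state. The token names in `TOKEN_NAMES` and the sample request are assumptions constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlsplit

# Assumed names that commonly carry a session token (not taken from the case study).
TOKEN_NAMES = {"sessionid", "sid", "phpsessid", "jsessionid", "token"}

# Constructed sample request carrying a token in every location the text lists.
SAMPLE_REQUEST = (
    "POST /account;jsessionid=AAA111?sid=BBB222&page=2 HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Cookie: PHPSESSID=CCC333; theme=dark\r\n"
    "X-Session-Id: DDD444\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "token=EEE555&comment=hello"
)

def locate_session_tokens(raw_request, names=TOKEN_NAMES):
    """Return a sorted list of (location, name) pairs where a session token travels."""
    head, _, body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    target = lines[0].split(" ", 2)[1]          # request-target from the request line
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    found = set()
    url = urlsplit(target)
    # 1. URL: query parameters and ";name=value" path parameters
    url_keys = [k for k, _ in parse_qsl(url.query, keep_blank_values=True)]
    url_keys += [seg.partition("=")[0] for seg in url.path.split(";")[1:]]
    found.update(("url", k) for k in url_keys if k.lower() in names)
    # 2. Cookie header
    cookie = SimpleCookie()
    cookie.load(headers.get("cookie", ""))
    found.update(("cookie", k) for k in cookie if k.lower() in names)
    # 3. Other headers, e.g. a custom X-Session-Id header
    for key in headers:
        if key != "cookie" and key.removeprefix("x-").replace("-", "") in names:
            found.add(("header", key))
    # 4. Body: form-encoded parameters
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        body_keys = [k for k, _ in parse_qsl(body, keep_blank_values=True)]
        found.update(("body", k) for k in body_keys if k.lower() in names)
    return sorted(found)

if __name__ == "__main__":
    for location, name in locate_session_tokens(SAMPLE_REQUEST):
        print(f"{location:7} {name}")
```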

Discover.
Our first step was detailed enumeration and analysis of the client's website. We spidered directories and files using Burp Suite, dirbuster and dirb. After this phase, we scraped files (mostly JavaScript) to uncover additional URLs. Focusing mainly on possible post-authentication URLs, we found some of them.

Note: All information in this case study has been modified to maintain confidentiality of our client.
