I am pen-testing an ASP.NET application that is exhibiting Session Fixation behavior. The application is using cookie-based sessions. Basically:
- When you land on the page no Session cookie is created
- After login an ASP.NET_SessionId cookie is created
- On logout and repeated login the cookie value remains the same (there is no cookie value regeneration)
I have been able to perform a Session Fixation attack manually:
- I have landed on the page
- I manually created an ASP.NET_SessionId cookie with some value (for the attacker)
- I opened a new browser session and set the exact same cookie (for the victim)
- I logged in as victim in this new browser session
- In the attacker’s browser session I was now able to browse the web site as the victim
I am now having problems exploiting this Session Fixation vulnerability in real conditions. I need to create or modify the ASP.NET_SessionId cookie in some manner. From what I am able to tell, there is no XSS vulnerability on the web site which I could use.
I have been playing with the two most notable attack variations but with no luck (a case where a victim would click on a link which would set a cookie on the web page):
- JavaScript
http://ift.tt/1LHnxdY'ASP.NET_SessionId=THISISAFIXATEDCOOKIE; expires=Thu, 18 Dec 2015 12:00:00 UTC; path=/; domain=example.com; path=/'</script>
- HTML Injection
http://ift.tt/1AuxY2S http-equiv=Set-Cookie content="ASP.NET_SessionId=THISISAFIXATEDCOOKIE; expires=Thu, 18 Dec 2015 12:00:00 UTC; path=/; domain=example.com; path=/">
Whatever I tried I’ve either hit a default error page or the landing page with no created/modified cookie.
Am I missing something with these two attack vectors?
Is there any other method I could try in creating or modifying the victim’s ASP.NET_SessionId cookie besides using man-in-the-middle or man-in-the-browser (malware based) attacks?
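The three observations and the manual check described in the post, written as a regression test. This is an added example, not part of the original post: `SessionApp`, its methods and the `rotate_on_login` flag are a hypothetical in-memory model, not ASP.NET APIs, and the cookie values are constructed.

```python
import secrets

COOKIE = "ASP.NET_SessionId"  # cookie name from the post


class SessionApp:
    """Toy in-memory model of a cookie-session login flow (constructed, not ASP.NET code)."""

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session id -> authenticated user name

    def login(self, cookies, user):
        """Authenticate `user`; return the cookies the browser holds afterwards."""
        presented = cookies.get(COOKIE)
        if self.rotate_on_login or presented is None:
            # Hardened path: never keep an ID that existed before authentication.
            self.sessions.pop(presented, None)
            sid = secrets.token_urlsafe(24)
        else:
            # Behaviour reported in the post: the presented value is kept as-is.
            sid = presented
        self.sessions[sid] = user
        return {COOKIE: sid}

    def logout(self, cookies):
        """End the session; only the hardened variant also expires the cookie."""
        self.sessions.pop(cookies.get(COOKIE), None)
        return {} if self.rotate_on_login else dict(cookies)

    def whoami(self, cookies):
        return self.sessions.get(cookies.get(COOKIE))


def fixation_possible(app):
    """Manual check from the post: a pre-login value must not identify the user after login."""
    chosen = {COOKIE: "PRESET-VALUE-FOR-TEST"}  # constructed test value
    app.login(dict(chosen), "victim")           # second browser logs in with that cookie
    return app.whoami(chosen) == "victim"       # first browser still holds the old value


def id_reused_across_logins(app):
    """Third observation: same cookie value after logout and a repeated login."""
    first = app.login({}, "alice")
    second = app.login(app.logout(first), "alice")
    return first[COOKIE] == second[COOKIE]
```

Both checks return True for `SessionApp(rotate_on_login=False)` and False once a fresh ID is issued at login and the cookie is expired at logout.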