Objective
Learn how to exploit Broken Authentication and Session Management vulnerabilities, such as weak session handling and improper logout functionality, and understand secure session management practices.
Scenario
You are testing a web application that fails to invalidate sessions after logout and uses predictable session IDs. This misconfiguration allows attackers to hijack user sessions by reusing or guessing session IDs.
Lab Setup
Prerequisites:
- Basic knowledge of PHP and web session handling.
- XAMPP/LAMP/WAMP stack installed (or any web server with PHP support).
- A code editor (e.g., VSCode, Sublime Text).
Step 1: Create the Vulnerable Web Application
PHP Script for Login Functionality
Create a file login.php:
<?php
session_start();
// Hard-coded plaintext credentials (intentionally weak for this lab)
$users = ["alice" => "alice123", "bob" => "bob123"];
if (isset($_POST['login'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    if (isset($users[$username]) && $users[$username] === $password) {
        // No session_regenerate_id() here: the pre-login session ID is kept
        $_SESSION['user'] = $username;
        $_SESSION['session_id'] = rand(1000, 9999); // Predictable session ID
        echo "<h2>Welcome, $username!</h2>";
        echo "<p>Session ID: " . $_SESSION['session_id'] . "</p>";
    } else {
        echo "<h2>Invalid Credentials!</h2>";
    }
}
?>
<form method="POST" action="">
    Username: <input type="text" name="username" required><br>
    Password: <input type="password" name="password" required><br>
    <button type="submit" name="login">Login</button>
</form>
PHP Script for Logout
Create a file logout.php:
<?php
session_start();
session_destroy();
echo "<h2>You have been logged out.</h2>";
?>
PHP Script for Dashboard
Create a file dashboard.php:
<?php
session_start();
if (isset($_SESSION['user'])) {
    echo "<h2>Welcome to your dashboard, " . $_SESSION['user'] . "</h2>";
    echo "<p>Session ID: " . $_SESSION['session_id'] . "</p>";
} else {
    echo "<h2>Access Denied!</h2>";
}
?>
Running the Application
- Start the Apache server.
- Place the files in the web server's root directory (htdocs for XAMPP).
- Open http://localhost/login.php in your browser.
Exploitation Steps
Step 1: Session Fixation
- Log in with alice and note the session ID.
- Visit http://localhost/dashboard.php?PHPSESSID=1234 (a guessed session ID).
Expected Result:
- The attacker can access Alice’s dashboard by guessing the session ID.
Step 2: Session Reuse After Logout
- Log in as Alice and note the session ID.
- Log out using logout.php.
- Reuse the old session ID in dashboard.php.
Expected Result:
- The attacker can access the dashboard even after logout.
Solution and Prevention
Problem Analysis
- Session IDs are predictable and not regenerated upon login.
- Sessions are not properly invalidated after logout.
Fixing the Vulnerability
Use Secure Session IDs
Regenerate the session ID on successful login instead of issuing a predictable one, so the ID the user held before authenticating is discarded:
session_regenerate_id(true);
$_SESSION['user'] = $username;
Invalidate Sessions on Logout
Improve the logout script:
session_start();
session_unset();
session_destroy();
setcookie(session_name(), '', time() - 3600, '/');
Set Secure Session Cookie Attributes
Configure session cookies securely:
ini_set('session.cookie_httponly', 1);
ini_set('session.cookie_secure', 1);
ini_set('session.use_only_cookies', 1);
Implement Session Timeout
Add session expiration logic:
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800)) {
    session_unset();
    session_destroy();
}
$_SESSION['LAST_ACTIVITY'] = time();
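The four fixes above, combined into a single include file that every page requires before sending any output. This is an added example, not code from the original lab; the file name session_guard.php, the function names, the use of password_hash()-style credentials instead of the lab's plaintext map, and PHP 7.3 or later (for the array form of session_set_cookie_params) are assumptions.

```php
<?php
// session_guard.php (added example, not part of the original lab).
// require_once this file at the top of login.php, dashboard.php and logout.php.

const IDLE_LIMIT = 1800; // seconds of inactivity before the session is dropped

function secure_session_start(): void {
    // Cookie attributes must be configured before session_start().
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, not persistent
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Strict',
    ]);
    ini_set('session.use_only_cookies', '1'); // ignore PHPSESSID in the URL
    ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued
    session_start();

    // Idle timeout: discard the session if the last request was too long ago.
    if (isset($_SESSION['LAST_ACTIVITY']) && time() - $_SESSION['LAST_ACTIVITY'] > IDLE_LIMIT) {
        destroy_session();
        session_start(); // strict mode issues a fresh ID rather than reusing the old cookie
    }
    $_SESSION['LAST_ACTIVITY'] = time();
}

// $users maps username => password_hash() output (assumed; the lab stores plaintext).
function login_user(string $username, string $password, array $users): bool {
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    session_regenerate_id(true); // new ID on privilege change; old one deleted server-side
    $_SESSION['user'] = $username;
    return true;
}

function current_user(): ?string {
    return $_SESSION['user'] ?? null;
}

function destroy_session(): void {
    $_SESSION = [];              // clear in-memory data
    if (ini_get('session.use_cookies')) {
        // Expire the client-side cookie as well, not just the server-side record
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

A logout page then only needs secure_session_start() followed by destroy_session(), and dashboard.php checks current_user() for null.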
Testing After Fix
- Log in and check if the session ID changes upon login.
- Attempt to access the dashboard after logout.
Expected Result:
- Session fixation is prevented, and old sessions cannot be reused.
Conclusion
In this lab, you exploited Broken Authentication and Session Management by predicting session IDs and reusing sessions after logout. You also learned how to secure session management by regenerating session IDs, properly invalidating sessions, and enforcing secure session handling practices.