Objective
Learn how to exploit Weak Session Cookies to hijack user sessions and gain unauthorized access. Understand how to secure cookies using best practices like setting the HttpOnly, Secure, and SameSite attributes and enforcing proper session expiration.
Scenario
You are evaluating a web application that issues session cookies without the HttpOnly, Secure, or SameSite attributes, never rotates the session ID, and never expires it. Because the session ID is a bearer token, an attacker who obtains it (for example by reading document.cookie through a cross-site scripting flaw, which HttpOnly would prevent, or by observing it on a plain-HTTP request, which Secure would prevent) can replay it and impersonate the victim.
Lab Setup
Prerequisites:
- Basic knowledge of PHP, cookies, and session management.
- XAMPP/LAMP/WAMP stack installed (or any web server with PHP support).
- A code editor (e.g., VSCode, Sublime Text).
- Browser developer tools or an intercepting proxy (e.g., Burp Suite).
Step 1: Create the Vulnerable Web Application
PHP Script for Login and Session Handling
Create a file login.php:
<?php
session_start(); // cookie issued with PHP's defaults: no HttpOnly, Secure or SameSite attribute

// Demo credentials, kept in plaintext for the lab only.
$users = ["alice" => "alice123", "bob" => "bob123"];

if (isset($_POST['login'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    if (isset($users[$username]) && $users[$username] === $password) {
        // The session ID is not regenerated here, so whatever ID the browser
        // held before login remains valid for the authenticated session.
        $_SESSION['user'] = $username;
        echo "<h2>Welcome, $username!</h2>";
        echo "<a href='dashboard.php'>Go to Dashboard</a>";
    } else {
        echo "<h2>Invalid Credentials!</h2>";
    }
}
?>
<form method="POST" action="">
    Username: <input type="text" name="username" required><br>
    Password: <input type="password" name="password" required><br>
    <button type="submit" name="login">Login</button>
</form>
PHP Script for Dashboard Access
Create a file dashboard.php:
<?php
session_start(); // any request that presents a valid PHPSESSID resumes that session

if (isset($_SESSION['user'])) {
    // Nothing checks how old the session is or how long it has been idle.
    echo "<h2>Welcome to your dashboard, " . $_SESSION['user'] . "</h2>";
} else {
    echo "<h2>Access Denied. Please log in.</h2>";
}
?>
Running the Application
- Start the Apache server.
- Place login.php and dashboard.php in the web server's root directory (htdocs for XAMPP).
- Open http://localhost/login.php in your browser.
Exploitation Steps
Step 1: Stealing the Session Cookie
- Log in as Alice using:
  - Username: alice
  - Password: alice123
- Open the browser's developer tools (F12) → Application → Cookies (Storage → Cookies in Firefox).
- Locate the session cookie (PHPSESSID) and copy its value.
Expected Result:
- The session cookie is visible and can be copied. Note that the developer tools show a cookie whether or not HttpOnly is set; this step stands in for the theft vectors the missing attributes enable: a script reading document.cookie (for example through an XSS flaw) when HttpOnly is absent, or a network observer reading the cookie off a plain-HTTP request when Secure is absent.
Step 2: Hijacking the Session
- Open another browser or an incognito window, so that it has no session of its own.
- Using the developer tools, create a PHPSESSID cookie for localhost with the stolen value.
- Visit http://localhost/dashboard.php.
Expected Result:
- The attacker gains access to Alice’s dashboard without logging in.
Solution and Prevention
Problem Analysis
- The session ID is a bearer token: whoever presents it is treated as Alice. Without HttpOnly it is readable by any script running in the page (for example through an XSS flaw); without Secure the browser also sends it over plain HTTP, where it can be intercepted; without SameSite the browser attaches it to requests initiated by other sites, which enables CSRF.
- Nothing rotates the ID at login and nothing bounds its lifetime, so a stolen or attacker-planted ID stays valid indefinitely.
Fixing the Vulnerability
Set HttpOnly and Secure Cookie Attributes
Update the session configuration before session_start() is called; a setting changed after the cookie has been sent has no effect on that cookie:
ini_set('session.cookie_httponly', 1);
ini_set('session.cookie_secure', 1);
session_start();
With Secure set, the browser only sends the cookie over HTTPS, so the lab must be served over HTTPS from this point on. Browsers differ in whether they make an exception for http://localhost, so do not rely on one.
Implement SameSite Attribute
Stop the browser from attaching the cookie to cross-site requests. This mitigates CSRF; it does not stop a cookie that has already been copied from being replayed:
ini_set('session.cookie_samesite', 'Strict');
The session.cookie_samesite setting requires PHP 7.3 or later and must also precede session_start(). Strict withholds the cookie even on top-level navigations from other sites, so a user following an external link to the dashboard appears logged out; Lax is the usual choice when that matters.
Regenerate Session IDs on Login
Issue a fresh ID as soon as the credential check succeeds, so an ID the attacker planted or observed before login is not carried into the authenticated session (session fixation):
session_regenerate_id(true);
$_SESSION['user'] = $username;
Setting session.use_strict_mode to 1 complements this: PHP then refuses session IDs it did not itself generate.
Enforce HTTPS
Serve the application only over HTTPS and redirect plain-HTTP requests to it; the Secure attribute only protects the cookie if an HTTPS endpoint exists for the browser to use.
Implement Session Timeout
Destroy sessions that have been idle too long, so a stolen ID stops working once the victim walks away. Place the check right after session_start() on every page, and send the user back to the login page instead of continuing with a destroyed session:
session_start();
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800)) {
    session_unset();
    session_destroy();
    header('Location: login.php');
    exit;
}
$_SESSION['LAST_ACTIVITY'] = time();
PHP's own garbage collection (session.gc_maxlifetime) only removes stale session data eventually and is not a substitute for this explicit check.
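Putting the fixes together: the following hardened login.php is an added example, not the lab's original code or a file from the original page. It uses the array form of session_set_cookie_params() in place of the individual ini_set() calls, turns on strict mode, stores password hashes instead of plaintext, redirects after login instead of echoing the username, and adds a logout handler. The helper names (secure_session_start, login_user, logout_user) and the SESSION_IDLE_LIMIT constant are names chosen for this example.

```php
<?php
// Hardened login.php (added example, not the original lab code). The session
// settings and cookie attribute names are PHP's own; the helper names and
// SESSION_IDLE_LIMIT are assumptions made for this example.
declare(strict_types=1);

const SESSION_IDLE_LIMIT = 1800; // seconds of inactivity before the session is dropped

function secure_session_start(): void
{
    // Reject session IDs the server did not itself issue (defeats session fixation).
    ini_set('session.use_strict_mode', '1');
    // Never accept or emit the session ID in a URL.
    ini_set('session.use_only_cookies', '1');

    // Cookie attributes must be set before session_start(). The array form of
    // session_set_cookie_params() and the samesite option need PHP 7.3+.
    session_set_cookie_params([
        'lifetime' => 0,       // browser-session cookie
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,    // only transmitted over HTTPS
        'httponly' => true,    // hidden from document.cookie
        'samesite' => 'Lax',   // not attached to cross-site POSTs; Strict would also drop it on top-level links
    ]);
    session_start();

    // Idle timeout: discard a stale session and continue with a fresh anonymous one.
    if (isset($_SESSION['LAST_ACTIVITY'])
        && time() - (int) $_SESSION['LAST_ACTIVITY'] > SESSION_IDLE_LIMIT) {
        $_SESSION = [];
        session_destroy();
        session_start();
        session_regenerate_id(true);
    }
    $_SESSION['LAST_ACTIVITY'] = time();
}

function login_user(string $username): void
{
    // New ID at the privilege boundary: whatever ID the browser held before
    // authentication (possibly attacker-supplied) is invalidated.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
}

function logout_user(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the cookie client-side with the same attributes it was issued with.
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

secure_session_start();

// Store password hashes, never plaintext. They are computed at request time here
// only so the example runs without a database; in practice they come from storage.
$users = [
    'alice' => password_hash('alice123', PASSWORD_DEFAULT),
    'bob'   => password_hash('bob123', PASSWORD_DEFAULT),
];

if (isset($_POST['logout'])) {
    logout_user();
    header('Location: login.php');
    exit;
}

if (isset($_POST['login'])) {
    $username = (string) ($_POST['username'] ?? '');
    $password = (string) ($_POST['password'] ?? '');
    $hash = $users[$username] ?? null;
    if ($hash !== null && password_verify($password, $hash)) {
        login_user($username);
        header('Location: dashboard.php');   // redirect after POST; nothing user-controlled is echoed
        exit;
    }
    echo '<h2>Invalid credentials.</h2>';
}
?>
<form method="POST" action="">
    Username: <input type="text" name="username" required><br>
    Password: <input type="password" name="password" required><br>
    <button type="submit" name="login">Login</button>
</form>
```

dashboard.php needs the same treatment: move the helper functions into a shared include, call secure_session_start() before testing $_SESSION['user'], and give the page a form that POSTs logout=1 to login.php. Serve both files over HTTPS; with 'secure' => true the browser will not send the cookie over plain HTTP, so the session would otherwise appear not to persist.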
Testing After Fix
- Log in over HTTPS and inspect the cookie in the browser.
- Expected Result:
  - The PHPSESSID cookie now carries the HttpOnly, Secure, and SameSite=Strict attributes, and typing document.cookie in the browser console no longer reveals it.
- Copy the session ID as in the exploitation steps and reuse it from another browser.
- Expected Result:
  - The copied ID still opens the dashboard: the attributes close the theft vectors (script access, plain-HTTP interception, cross-site requests); they do not make an ID that has already leaked unusable. What does invalidate it is the lifetime control: once the ID has gone unused for 30 minutes, the session is destroyed and the dashboard denies access to the copied ID.
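To make the first check above repeatable, here is a small audit script, added as an example and not part of the original lab, that parses Set-Cookie headers and lists the missing attributes. Given a URL argument it fetches the headers from a live target with get_headers(); without one it runs over two constructed sample headers, one mimicking what the vulnerable lab emits and one the fixed version. The file name check_cookie.php and the function names are assumptions.

```php
<?php
// check_cookie.php: added example, not part of the original lab. Reports which
// hardening attributes a Set-Cookie header lacks. File and function names are
// assumptions made for this example; the sample headers below are constructed.
declare(strict_types=1);

/**
 * Inspect one Set-Cookie header value (everything after "Set-Cookie:") and
 * return a list of findings; an empty list means HttpOnly, Secure and a
 * usable SameSite value are all present.
 */
function audit_set_cookie(string $header): array
{
    $parts = array_map('trim', explode(';', $header));
    [$name] = explode('=', array_shift($parts), 2);

    // Attribute names are case-insensitive; flag attributes carry no value.
    $attrs = [];
    foreach ($parts as $part) {
        if ($part === '') {
            continue;
        }
        [$k, $v] = array_pad(explode('=', $part, 2), 2, null);
        $attrs[strtolower($k)] = $v ?? true;
    }

    $findings = [];
    if (!isset($attrs['httponly'])) {
        $findings[] = "$name: missing HttpOnly (readable via document.cookie)";
    }
    if (!isset($attrs['secure'])) {
        $findings[] = "$name: missing Secure (also sent over plain HTTP)";
    }
    if (!isset($attrs['samesite'])) {
        $findings[] = "$name: missing SameSite (attached to cross-site requests)";
    } elseif (strtolower((string) $attrs['samesite']) === 'none' && !isset($attrs['secure'])) {
        $findings[] = "$name: SameSite=None without Secure is rejected by browsers";
    }
    return $findings;
}

/** Collect the Set-Cookie header values a URL returns (plain GET via the HTTP wrapper). */
function fetch_set_cookie_headers(string $url): array
{
    $values = [];
    foreach (@get_headers($url) ?: [] as $line) {
        if (stripos($line, 'Set-Cookie:') === 0) {
            $values[] = trim(substr($line, strlen('Set-Cookie:')));
        }
    }
    return $values;
}

$headers = isset($argv[1])
    ? fetch_set_cookie_headers($argv[1])
    : [
        // Constructed: what the vulnerable lab emits with PHP's default settings.
        'PHPSESSID=3f1c9d2e7a8b; path=/',
        // Constructed: what the fixed version emits.
        'PHPSESSID=9c4b0e1d5a6f; path=/; secure; HttpOnly; SameSite=Strict',
    ];

foreach ($headers as $header) {
    $findings = audit_set_cookie($header);
    echo $header, PHP_EOL;
    if ($findings === []) {
        echo "  OK: HttpOnly, Secure and SameSite present", PHP_EOL;
    }
    foreach ($findings as $finding) {
        echo "  WARN: $finding", PHP_EOL;
    }
}
```

Run it as `php check_cookie.php https://localhost/login.php` against the lab (the cookie is only issued on a request that does not already carry a valid PHPSESSID, which a fresh CLI request never does), or paste a header captured in Burp into the sample array. The SameSite=None check is there because browsers discard such a cookie unless Secure is also set, which silently logs users out rather than protecting them.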
Conclusion
In this lab, you exploited Weak Session Cookies to hijack a user session and gain unauthorized access. You also hardened the session cookie with the HttpOnly, Secure, and SameSite attributes, rotated the session ID at login, and bounded the session's lifetime with an idle timeout.