Penetration Testing mailing list archives
RE: Exploiting Session Fixation on ASP
From: "Rui Pereira (WCG)" <wavefront1 () shaw ca>
Date: Tue, 10 Feb 2009 14:38:34 -0800
What about d) using XSS to get a user's session id?

Rui Pereira
Principal Consultant
WaveFront Consulting Group

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of arvind doraiswamy
Sent: February 6, 2009 7:03 AM
To: pen-test () securityfocus com
Subject: Re: Exploiting Session Fixation on ASP

It isn't exactly as straightforward as that. Session Fixation involves 2 steps:

a) Capture the session ID of a user
b) Send a request of your own to the app server with that session ID

Capturing can be done in 2 or 3 ways:

a) Sniffing HTTP traffic on a LAN if it's an internal app
b) DNS Cache poisoning and redirecting people to your site (Much more difficult)
c) Good old physical access to another user's machine

I'm assuming the scope is for a test you are conducting. You should have 2 or 3 valid user IDs if you're doing a grey box/white box test. So you login with the first user, grab his session ID (write that down or store it somewhere). Keep that session active. Login with a diff browser / diff machine and intercept traffic. Replace the session ID the app gives you with the stored session ID all the time. You should then gain control over the first user's session.

With regards to the ?ASP = blahblah. That will also work if 2 things are true:

a) If the application is accepting just that single parameter and nothing else as an input. Else you will have to send all the parameters the app wants. For e.g. http://abc.com/a.asp?aspsessionid=dgdgdghg&user=blah&xx=2 ....
b) If the application is accepting GET requests, which it shouldn't for all forms.

Hope that helps.

Cheers
Arvind

On Thu, Feb 5, 2009 at 4:28 PM, pentest pentest <pentest108 () gmail com> wrote:
Hi guys,

Just a quick question. I've found a few places (e.g. http://www.owasp.org/index.php/Session_Fixation_Protection) where it's mentioned that ASP applications are vulnerable by default to Session Fixation.

However, how do you exploit this vulnerability in real life? On PHP you just use something like http://site.com/?PHPSESSID=something

But on ASP, you cannot do something like http://site.com/?ASPSESSIONID=something because it will not work.

So, how do you exploit Session Fixation in real life?

Thanks in advance and have a nice day,
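The session fixation risk this thread discusses, as an added example that is not part of any poster's message: a toy in-memory session table comparing a server that keeps the pre-login session ID across login with one that issues a fresh ID at login. The class, its method names and the user "alice" are constructed for illustration, and this is not how ASP itself stores sessions.

```python
import secrets


class SessionStore:
    """Toy server-side session table (hypothetical model, not ASP's implementation)."""

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session ID -> authenticated user, or None if anonymous

    def visit(self, presented_id=None):
        """Handle an anonymous request; return the session ID the client ends up with."""
        if presented_id in self.sessions:
            return presented_id
        new_id = secrets.token_hex(16)  # unknown or missing IDs are never adopted
        self.sessions[new_id] = None
        return new_id

    def login(self, presented_id, user):
        """Authenticate `user`; return the session ID that is valid after login."""
        sid = self.visit(presented_id)
        if self.rotate_on_login:
            del self.sessions[sid]  # retire the pre-login ID
            sid = secrets.token_hex(16)  # issue a fresh ID bound to the login
        self.sessions[sid] = user
        return sid

    def whoami(self, presented_id):
        """Return the user bound to a session ID, or None."""
        return self.sessions.get(presented_id)


def fixation_outcome(rotate_on_login):
    """Return (user seen via the pre-login ID, user seen via the post-login ID)."""
    store = SessionStore(rotate_on_login)
    known_id = store.visit()  # ID known to a second party before login
    victim_id = store.login(known_id, "alice")  # constructed user logs in holding it
    return store.whoami(known_id), store.whoami(victim_id)


if __name__ == "__main__":
    print("ID kept across login :", fixation_outcome(rotate_on_login=False))
    print("ID rotated at login  :", fixation_outcome(rotate_on_login=True))
```

When the ID is kept across login, the pre-login ID resolves to the authenticated user; when it is rotated, the old ID resolves to nothing and only the fresh ID carries the login.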
Current thread:
- Exploiting Session Fixation on ASP pentest pentest (Feb 05)
- Re: Exploiting Session Fixation on ASP Rogan Dawes (Feb 10)
- Re: Exploiting Session Fixation on ASP pentest pentest (Feb 10)
- Re: Exploiting Session Fixation on ASP Rogan Dawes (Feb 10)
- Re: Exploiting Session Fixation on ASP pentest pentest (Feb 10)
- Re: Exploiting Session Fixation on ASP arvind doraiswamy (Feb 10)
- RE: Exploiting Session Fixation on ASP Rui Pereira (WCG) (Feb 11)
- Re: Exploiting Session Fixation on ASP Rogan Dawes (Feb 10)