Penetration Testing mailing list archives

RE: Exploiting Session Fixation on ASP


From: "Rui Pereira (WCG)" <wavefront1 () shaw ca>
Date: Tue, 10 Feb 2009 14:38:34 -0800



What about d) using XSS to get a user's session id?



Rui Pereira
Principal Consultant
WaveFront Consulting Group
 


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of arvind doraiswamy
Sent: February 6, 2009 7:03 AM
To: pen-test () securityfocus com
Subject: Re: Exploiting Session Fixation on ASP

It isn't exactly as straightforward as that. Session Fixation involves 2
steps:

a) Capture the session ID of a user
b) Send a request of your own to the app server with that session ID

Capturing can be done in 2 or 3 ways:
a) Sniffing HTTP traffic on a LAN if it's an internal app
b) DNS Cache poisoning and redirecting people to your site (Much more
difficult)
c) Good old physical access to another user's machine

I'm assuming the scope is for a test you are conducting. You should
have 2 or 3 valid user IDs if you're doing a grey box/white box test.
So you login with the first user, grab his session ID (write that down
or store it somewhere). Keep that session active.

Login with a diff browser / diff machine and intercept traffic.
Replace the session ID the app gives you with the stored session ID
all the time. You should then gain control over the first user's
session.

With regard to the ?ASP = blahblah. That will also work if 2 things are
true:
a) If the application is accepting just that single parameter and
nothing else as an input. Else you will have to send all the
parameters the app wants. For eg.
http://abc.com/a.asp?aspsessionid=dgdgdghg&user=blah&xx=2 ....
b) If the application is accepting GET requests, which it shouldn't
for all forms.

Hope that helps.

Cheers
Arvind

On Thu, Feb 5, 2009 at 4:28 PM, pentest pentest <pentest108 () gmail com>
wrote:
Hi guys,

Just a quick question. I've found a few places (e.g.
http://www.owasp.org/index.php/Session_Fixation_Protection) where it's
mentioned that ASP applications are vulnerable by default to Session
Fixation. However, how do you exploit this vulnerability in real life?

On PHP you just use something like http://site.com/?PHPSESSID=something

But on ASP, you cannot do something like
http://site.com/?ASPSESSIONID=something because it will not work.
So, how do you exploit Session Fixation in real life?

Thanks in advance and have a nice day,
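
A defender-side check tying together the points raised in this thread (a session ID that stays valid across login, sniffing, XSS), added here as an example and not part of any poster's message: it inspects the Set-Cookie headers seen before and after login. The header values are constructed samples, and the ASPSESSIONID cookie-name prefix and the finding labels are assumptions of this example.

```python
from http.cookies import SimpleCookie

# Assumption: the session cookie name starts with this prefix.
SESSION_PREFIX = "ASPSESSIONID"


def session_cookies(set_cookie_headers):
    """Parse Set-Cookie header values; return {name: Morsel} for session cookies."""
    found = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if name.upper().startswith(SESSION_PREFIX):
                found[name] = morsel
    return found


def audit_login(pre_login_headers, post_login_headers):
    """Return a list of findings for one login, empty if nothing was flagged."""
    before = session_cookies(pre_login_headers)
    after = session_cookies(post_login_headers)
    if not before:
        return ["no-pre-login-session-cookie"]
    findings = []
    old_ids = {m.value for m in before.values()}
    new_ids = {m.value for m in after.values()}
    # No new cookie, or the same value again: the pre-login ID is still the
    # authenticated one, which is the precondition for session fixation.
    if not new_ids or new_ids & old_ids:
        findings.append("session-id-not-rotated-on-login")
    current = after or before
    # HttpOnly keeps the ID away from script (the XSS route);
    # Secure keeps it off plain HTTP (the sniffing route).
    if any(not m["httponly"] for m in current.values()):
        findings.append("missing-HttpOnly")
    if any(not m["secure"] for m in current.values()):
        findings.append("missing-Secure")
    return findings


# Constructed sample headers (not captured from a real application).
WEAK_PRE = ["ASPSESSIONIDQQTESTAA=AAAABBBBCCCCDDDD; path=/"]
WEAK_POST = []  # the server sent no new session cookie after login
HARD_PRE = ["ASPSESSIONIDQQTESTAA=AAAABBBBCCCCDDDD; path=/; HttpOnly; Secure"]
HARD_POST = ["ASPSESSIONIDQQTESTAA=EEEEFFFFGGGGHHHH; path=/; HttpOnly; Secure"]

if __name__ == "__main__":
    print("weak:", audit_login(WEAK_PRE, WEAK_POST))
    print("hardened:", audit_login(HARD_PRE, HARD_POST))
```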








