web hacking series part 2

~ Aditya Kamat BMS College of Engineering WEB HACKING SERIES PART-2

Upload: aditya-kamat

Post on 16-Jan-2017


Page 1: Web Hacking series part 2

~ Aditya Kamat

BMS College of Engineering

WEB HACKING SERIES PART-2

Page 2: Web Hacking series part 2

TOPICS LEARNT TILL NOW :--

• Basics of web and a little about networks.

• HTML injection.

• SQL injection to bypass authentication.

• Buffer overflow attack.

Page 3: Web Hacking series part 2

TO BE COVERED TODAY :

• Bypass Authentication Via Authentication Token Manipulation.

• Session hijacking.

• Brute forcing login pages using burp.

• HTTP parameter pollution.

Page 4: Web Hacking series part 2

BYPASS AUTHENTICATION VIA AUTHENTICATION TOKEN MANIPULATION

• The basic idea is to log in as another user (preferably the admin) by changing a few values in the cookies stored for the site.

• Use Cookiemanager+ plugin to manipulate cookies.

• Usually the admin will be in the first row of the users table.

Page 5: Web Hacking series part 2

SOLUTION:

• Use session variables to authenticate users instead of cookies.

• Use a hashing method to hash the IDs used for authentication instead of keeping them in plaintext.

• Use large numbers as IDs to prevent such attacks.

• Choose a random large number instead of incrementing the ID by one every time.
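The following Python snippet is an added example, not code from the slides. It places the weak scheme the slide attacks (the user ID travels in a cookie and is trusted as-is) next to the two fixes the slide recommends: a hashed ID (here a keyed hash, HMAC with a server-side secret, which is an assumption of this example) and server-side session variables addressed by a random token. `USERS`, `SERVER_SECRET` and `SESSIONS` are constructed stand-ins for a database and a session store.

```python
import hashlib
import hmac
import secrets

# Constructed sample users table. IDs are small and sequential, as in the
# slides' scenario where the admin sits in the first row.
USERS = {1: "admin", 2: "alice", 3: "bob"}


# --- Weak scheme: the cookie carries the user id in plaintext -------------
def weak_issue_cookie(user_id):
    return {"uid": str(user_id)}


def weak_current_user(cookie):
    # Whatever id the client sends back is trusted as the logged-in user,
    # so editing uid=2 to uid=1 in a cookie editor logs the client in as admin.
    try:
        return USERS.get(int(cookie.get("uid", "")))
    except ValueError:
        return None


# --- Fix 1: keyed hash over the id (assumption: HMAC with a server secret) --
SERVER_SECRET = secrets.token_bytes(32)  # held only on the server, never sent


def _tag(uid_text):
    return hmac.new(SERVER_SECRET, uid_text.encode(), hashlib.sha256).hexdigest()


def signed_issue_cookie(user_id):
    return {"uid": str(user_id), "sig": _tag(str(user_id))}


def signed_current_user(cookie):
    uid_text = cookie.get("uid", "")
    # Constant-time comparison; a changed uid no longer matches its tag,
    # and the client cannot recompute the tag without SERVER_SECRET.
    if not hmac.compare_digest(_tag(uid_text), cookie.get("sig", "")):
        return None
    try:
        return USERS.get(int(uid_text))
    except ValueError:
        return None


# --- Fix 2: server-side session variables keyed by a random token --------
SESSIONS = {}  # token -> user id; the client never sees the id at all


def session_issue_cookie(user_id):
    token = secrets.token_urlsafe(32)  # random and large, not "previous id + 1"
    SESSIONS[token] = user_id
    return {"session": token}


def session_current_user(cookie):
    return USERS.get(SESSIONS.get(cookie.get("session")))


if __name__ == "__main__":
    c = weak_issue_cookie(2)
    c["uid"] = "1"  # the cookie edit the slide describes
    print("weak scheme after edit:", weak_current_user(c))       # admin
    s = signed_issue_cookie(2)
    s["uid"] = "1"
    print("signed scheme after edit:", signed_current_user(s))   # None
    t = session_issue_cookie(2)
    print("session scheme:", session_current_user(t))            # alice
```

With the session variant the cookie carries no information about the account at all, so there is nothing to increment; the signed variant still exposes the ID but rejects any edit to it.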

Page 6: Web Hacking series part 2

SESSION HIJACKING

• This occurs when the client’s session cookie is used to identify the session on the server.

• We just need to obtain the user’s session cookie to log in to his/her account.

• We have access to the account as long as the user does not log out.

• Cookies can be obtained by MITM or by getting access to the victim’s machine.

Page 7: Web Hacking series part 2

PREVENTION:

• USE SSL FOR THE ENTIRE SITE. This is the only way to prevent MITM easily.

• Log the user out after a certain duration of inactivity. (More load on the server, because it will have to maintain a timer for each user.)

• Ask users to log out every time before closing their browsers.
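As an added example (not code from the slides), the session store below implements the inactivity logout from this slide and the cookie attributes that go with serving the whole site over SSL. Rather than a timer per user, each session records its last activity time and the check runs on the next lookup, which is an assumption of this example; `IDLE_TIMEOUT` is a constructed value and the `clock` parameter exists only so the behaviour can be exercised without waiting.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # constructed value: seconds of inactivity before a session dies


class SessionStore:
    """Server-side session table with an inactivity timeout.

    Instead of a timer per user, each entry records its last activity and the
    expiry check happens on the next lookup (assumption: lazy expiry is fine).
    """

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock  # injectable for testing
        self._sessions = {}  # token -> {"user": str, "last_seen": float}

    def create(self, user):
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[token] = {"user": user, "last_seen": self.clock()}
        return token

    def lookup(self, token):
        """Return the user for a live session, or None if missing or idle too long."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        now = self.clock()
        if now - entry["last_seen"] > self.idle_timeout:
            del self._sessions[token]  # a copied cookie is useless after the timeout
            return None
        entry["last_seen"] = now  # activity refreshes the idle clock
        return entry["user"]

    def logout(self, token):
        """Explicit logout invalidates the token server-side immediately."""
        return self._sessions.pop(token, None) is not None

    def sweep(self):
        """Drop every idle session in one pass (e.g. from a periodic job)."""
        now = self.clock()
        stale = [t for t, e in self._sessions.items()
                 if now - e["last_seen"] > self.idle_timeout]
        for t in stale:
            del self._sessions[t]
        return len(stale)


def session_cookie_header(token):
    # Secure: sent only over HTTPS (the slide's "SSL for the entire site");
    # HttpOnly: hidden from page scripts; SameSite: not attached to cross-site requests.
    return f"Set-Cookie: session={token}; Secure; HttpOnly; SameSite=Strict; Path=/"


if __name__ == "__main__":
    store = SessionStore(idle_timeout=60)
    tok = store.create("alice")
    print(session_cookie_header(tok))
    print("lookup:", store.lookup(tok))  # alice
    store.logout(tok)
    print("after logout:", store.lookup(tok))  # None
```

The `Secure` attribute is what makes "SSL for the entire site" effective against a passive MITM: without it, a browser will still send the cookie over a plain-HTTP request to the same host.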

Page 8: Web Hacking series part 2

BRUTE FORCING LOGIN PAGES USING BURP

• Brute forcing is a method of trying out all possible usernames and passwords from a given space.

• This attack is used to get the credentials of a legitimate user of a website.

• It is much faster when we already have the user’s username.

• We use the Intruder tool in Burp to brute force login forms.

Page 9: Web Hacking series part 2

PREVENTION:

• Rate limiting has proven to be the best solution and has been implemented on many well-known websites.

• It checks this based on the username and the IP of the user attempting the brute force.

• Force users to use strong passwords and tell them not to reuse the same password across multiple platforms.

• Use Captchas.
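The rate limiting described on this slide, keyed by both username and source IP, as an added example (not code from the slides). Failures are counted in a sliding window per username and per IP, and an attempt is allowed only while both counters are under the threshold, so guessing one account from many addresses and many accounts from one address both get throttled. The credential store, its PBKDF2 hashing and the `clock` parameter are constructed for the example.

```python
import hashlib
import hmac
import os
import time
from collections import deque

# Constructed credential store: one user, password hashed with PBKDF2.
_SALT = os.urandom(16)


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


CREDENTIALS = {"alice": _hash("correct horse battery staple")}


def password_ok(username, password):
    stored = CREDENTIALS.get(username)
    return stored is not None and hmac.compare_digest(stored, _hash(password))


class LoginRateLimiter:
    """Failed-login counters per username and per source IP in a sliding window."""

    def __init__(self, max_failures=5, window=300, clock=time.time):
        self.max_failures = max_failures
        self.window = window  # seconds
        self.clock = clock  # injectable for testing
        self._failures = {}  # ("user", name) or ("ip", addr) -> deque of timestamps

    def _recent(self, key):
        # Drop timestamps that fell out of the window, return the live deque.
        now = self.clock()
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def allowed(self, username, ip):
        return (len(self._recent(("user", username))) < self.max_failures
                and len(self._recent(("ip", ip))) < self.max_failures)

    def record_failure(self, username, ip):
        now = self.clock()
        self._recent(("user", username)).append(now)
        self._recent(("ip", ip)).append(now)

    def record_success(self, username):
        # A real login clears the account counter; the IP counter is kept so a
        # source that is also guessing other accounts stays throttled.
        self._failures.pop(("user", username), None)


def login(limiter, username, password, ip):
    """Gate the password check behind the limiter; returns a short status string."""
    if not limiter.allowed(username, ip):
        return "rate_limited"  # no credential check at all while throttled
    if password_ok(username, password):
        limiter.record_success(username)
        return "ok"
    limiter.record_failure(username, ip)
    return "bad_credentials"


if __name__ == "__main__":
    lim = LoginRateLimiter(max_failures=3, window=60)
    for guess in ("password", "123456", "letmein", "qwerty"):
        print(guess, "->", login(lim, "alice", guess, "10.0.0.1"))
    # Prints three bad_credentials, then rate_limited for the fourth guess.
```

Returning `rate_limited` before the credential check also keeps the throttled path cheap, which matters because password hashing is deliberately slow.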

Page 10: Web Hacking series part 2

HTTP PARAMETER POLLUTION

• HTTP Parameter Pollution can occur when multiple parameters with the same name but different values are submitted to the application.

• Depending on the application server type, the parameter used may be the first, the second, or a combination of the two.

• Demo: A1 Injection (Other) -> HTTP Parameter Pollution -> Poll Question.

Page 11: Web Hacking series part 2

PREVENTION:

• Treat each variable as an array and accept only the first element of the array as valid input. The others have to be discarded.

• Validate user input to check that it is one of the expected values.
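An added Python example, not from the slides, covering both HPP slides: it parses a constructed query string in which `choice` appears twice, shows the three resolutions the previous slide lists (first, second/last, and a combination), and then applies this slide's prevention by taking only the first element, flagging the duplicate, and validating the value against an expected set. `SAMPLE_QUERY` and `ALLOWED_CHOICES` are constructed; the comma-joining in `resolve_joined` stands in for whichever combination a given server performs.

```python
from urllib.parse import parse_qs

# Constructed query string: the "choice" parameter is supplied twice.
SAMPLE_QUERY = "choice=nmap&choice=wireshark&initials=ak"
ALLOWED_CHOICES = {"nmap", "wireshark", "tcpdump"}  # constructed expected set


def parse_query(query):
    """Keep every value as a list so the resolution policy is an explicit choice
    in our code rather than whatever the framework happens to do."""
    return parse_qs(query, keep_blank_values=True)


# The three behaviours the slide lists for different servers.
def resolve_first(params, name):
    values = params.get(name, [])
    return values[0] if values else None


def resolve_last(params, name):
    values = params.get(name, [])
    return values[-1] if values else None


def resolve_joined(params, name, sep=","):
    # Assumption: a comma join stands in for a server's "combination" behaviour.
    values = params.get(name, [])
    return sep.join(values) if values else None


# Detection: which parameters were supplied more than once?
def detect_pollution(params):
    return sorted(name for name, values in params.items() if len(values) > 1)


# Prevention from the slide: first element only, then validate.
def single_valid_value(params, name, allowed):
    """Return the first value of `name` if it is in `allowed`; raise otherwise."""
    values = params.get(name, [])
    value = values[0] if values else None  # later duplicates are discarded
    if value not in allowed:
        raise ValueError(f"unexpected value for {name!r}: {value!r}")
    return value


if __name__ == "__main__":
    params = parse_query(SAMPLE_QUERY)
    print("first:   ", resolve_first(params, "choice"))   # nmap
    print("last:    ", resolve_last(params, "choice"))    # wireshark
    print("joined:  ", resolve_joined(params, "choice"))  # nmap,wireshark
    print("polluted:", detect_pollution(params))          # ['choice']
    print("accepted:", single_valid_value(params, "choice", ALLOWED_CHOICES))
```

`detect_pollution` is worth logging on its own: a legitimate form never sends the poll parameter twice, so a duplicate is a useful signal even when the first-value policy already neutralises it.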

Page 12: Web Hacking series part 2

THANK YOU!!!