In our last series where I have discussed about session id and its analysis. I would take the tutorial one step ahead by including a demanding exercise this time.
As I showed the basics of using a HTTP proxy(burp) to assess a web application. I encourage you all to play around with it during the usage of web application.you would be surprised to see the information flow that is being passed between the client and server. This flow of communication can sometimes include private information so it’s good to understand how that particular web application is handling your information.
Let us one more time focus on session ID analysis. If you are not familiar with session ID’s ,please refer the last tutorial (Here).
However I’ll do a quick explanation. HTTP is a stateless protocol, so it’s equivalent to VHF set which works in simplex mode,like You’ll send a request and wait for a reply, thereby line is closed when not in use.
So in order to keep the track of state of communication between client and server the HTTP protocol uses session ID’s.
Roughly process while making a login to a web application is mentioned below
- You login to your application
- Your application set a session cookie tied to your login state.
- Each time you browse on different section on application ,the application checks session cookie flows between your browser and server .if the session deemed found OK and valid ,it opens up different section
so it like binding your login credentials to a randomly generated value or session ID / cookie.
Now I hope you are getting the picture that if our privacy is bind to random number then that random number should have enough entropy that a attacker couldn't guess that easily
Now as a pentestor the authentication mechasim of application is something that should be checked throughly,so that we can protect our potential users from being hacked.
Now during my work the thing i have noticed,apart from other thing like knowledge of coding, right tools.The thing that comes handy in such work is Your "OBSERVATION SKILLS"
I insist that if you have good observation skills ,most of the time you can easily figure out the area that you need to check while making testing.
The excercise below which i am going to put here is same that it ask for your "OBSERVATION SKILLS"
Excercise link:-http://pentesteracademylab.appspot.com/lab/webapp/sid/3
(i urge you all to give your try on it before seeing the video and hint is " YOUR OBSERVATION SKILL"
solution VIDEO:
0 comments:
Post a Comment