Who touched my session -- session hijacking

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Figure 10-2 shows the most common form of session hijacking. The victim, Alice, logs in normally to www.buybook.com and is issued Session ID 1234567. Bob obtains Alice's Session ID and Cookie by sniffing the network, so by presenting the same Session ID 1234567 he can log in and operate exactly as Alice would, and Alice may be completely unaware of it. The most common way to obtain a Session ID is the XSS attack explained earlier. The following steps simulate session hijacking in detail.

Figure 10-2 Session hijacking

➊ Log in to a website normally (Google Chrome is used here) with the user name admin, and record the JSESSIONID issued after login, as shown in Figure 10-3.

Figure 10-3 Session ID after a normal login

➋ Open another browser, Firefox, and try to access a private link, http://localhost/puzzlemall/private/viewprofile.jsp. The browser prompts for a login, which means the link can only be viewed after logging in, as shown in Figure 10-4.

Figure 10-4 Attempting to access a private link

➌ Open WebScarab, turn on the "Intercept requests" function under Proxy, set the Firefox proxy to WebScarab's IP and port (8008), and visit the private link again. WebScarab intercepts the request; modify its JSESSIONID to the admin user's JSESSIONID recorded above, as shown in Figure 10-5.

Figure 10-5 Intercepting and modifying the request with WebScarab

➍ After the modified request is forwarded, we land on the admin user's profile page, which shows that we have successfully logged in as the admin user, as shown in Figure 10-6. Of course, this example is only a simulation of session hijacking; in real networks the JSESSIONID is usually leaked through XSS (or sniffed when no secure protocol is used).

Figure 10-6 Successfully visiting a private page using someone else's session
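The scenario above works because the server accepts any request that carries a valid JSESSIONID, regardless of where it comes from. The following added example (not from the book or the PuzzleMall application) shows two server-side countermeasures in a hypothetical in-memory session store: binding each session ID to a fingerprint of the client (User-Agent and source IP, an assumed choice) so that Bob's replay from a different browser is refused and the session is invalidated, and issuing the cookie with the HttpOnly, Secure and SameSite attributes that make the XSS and sniffing leak paths described in the text much harder.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie


class SessionStore:
    """In-memory session table; with bind_client=True each ID is tied to its creating client."""

    def __init__(self, bind_client=True):
        self.bind_client = bind_client  # False reproduces the behaviour exploited above
        self._sessions = {}             # sid -> {"user": str, "fp": str}

    @staticmethod
    def _fingerprint(user_agent, client_ip):
        # Hypothetical binding: hash of User-Agent and source IP. IP binding can break
        # behind NAT or on mobile networks; choose attributes your user base tolerates.
        return hashlib.sha256(f"{user_agent}|{client_ip}".encode()).hexdigest()

    def login(self, user, user_agent, client_ip):
        sid = secrets.token_urlsafe(32)  # fresh, unguessable ID issued on every login
        self._sessions[sid] = {"user": user, "fp": self._fingerprint(user_agent, client_ip)}
        return sid

    def resolve(self, sid, user_agent, client_ip):
        """Return (user, reason); user is None when the request must be treated as anonymous."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None, "unknown session"
        if self.bind_client and not hmac.compare_digest(
                rec["fp"], self._fingerprint(user_agent, client_ip)):
            # A valid ID presented by a different client: the Bob scenario. Invalidate it so
            # neither party can keep using it; the real owner only has to log in again.
            del self._sessions[sid]
            return None, "client mismatch: possible session hijack"
        return rec["user"], "ok"


def session_cookie(sid):
    """Set-Cookie value carrying the ID with the attributes that blunt XSS theft and sniffing."""
    c = SimpleCookie()
    c["JSESSIONID"] = sid
    c["JSESSIONID"]["httponly"] = True   # not readable via document.cookie
    c["JSESSIONID"]["secure"] = True     # never sent over plain HTTP
    c["JSESSIONID"]["samesite"] = "Strict"
    c["JSESSIONID"]["path"] = "/"
    return c.output(header="").strip()
```

A mismatch is also worth logging with the session owner, the presented fingerprint and the source address, since a burst of such events is a useful detection signal for stolen cookies.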
This article is excerpted from "Web Application Security threats and Prevention-- based on OWASP Top 10 and ESAPI"

Published by Wang Wenjun Li Jianmeng Electronic Industry Publishing House

© 2024 shulou.com SLNews company. All rights reserved.