Session Hijacking

Occurs when a hacker intercepts or otherwise obtains a session cookie from another user.

Hijack a session on this site yourself...

A cookie is a small piece of data sent by a website and stored on your computer by your browser - yes, any website is allowed to store data on your computer if you have cookies enabled!
Whenever you make a request to the website, your browser sends the cookies back so the website can "remember" who you are.

  • You can see the cookies stored by various websites. For example, in Firefox: Tools... Web Developer... Storage Inspector.
  • For more info, see: HTTP Cookies on Wikipedia.

A session is a technique used by a website to maintain state information about a specific user.
Sites need sessions because HTTP is stateless. Session information is usually stored on the server and identified by a unique "key" sent in a cookie. So, when you log in to this site, for example, it starts a "session" with a unique key stored in a "session cookie" that identifies you every time you subsequently request a page.
For more info, see About Sessions on Wikipedia.

You can manipulate the cookies on your computer using a variety of simple tools.
A very easy approach is to use the Firefox Addon Cookies Manager.
This addon allows you to view and edit your cookies. Why? Well, to take over someone else's account, of course!

To create a simple demonstration of session hijacking, this site exposes a vulnerability that allows a hacker to "masquerade" as any user!

Here's how it works:

  1. This site has an option (for demonstration purposes) to use a conceptually tempting, simple approach to maintaining a session:
    • the DB id of the logged-in user is stored in their cookie.
    • when the user makes a request, their "userid" cookie is used to maintain their login session.
  2. Click here to activate this simple session handling approach, using the "userid" cookie.
  3. Log in to U-Hack-It and then look for a cookie from this site called "userid" - this cookie contains the DB key for your user record in the site's DB!
    This uniquely identifies YOU when this cookie is sent back to the site on subsequent requests.
  4. But once a hacker "guesses" this is how the site works, they can "hijack" any user's account by simply changing the contents of this cookie to be the id of any other user!
  5. To learn more, look at the session handling code in class-user.php.

Exercise

You can masquerade as any user on the site by enabling its "userid" session handling logic.
Try it - can you guess some of the other user IDs, edit your userid cookie, and become an imposter?

Better session handling uses a complex, random "key" to identify your session - one that would be very hard to guess. Nonetheless, if a hacker gets hold of your session "key", they can masquerade as you just as you did above!
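The two designs contrasted above, the "userid" cookie and a random server-side session key, as an added example written for this page in Python (it is not the site's class-user.php, and the user table, the 15-minute idle timeout and the cookie name "sid" are constructed assumptions; login() assumes the password has already been checked):

```python
import secrets
import time
from typing import Dict, Optional

# Constructed sample user table standing in for the site's user records.
USERS = {1: "alice", 2: "bob", 3: "carol"}

# --- Insecure design: the "userid" cookie is trusted as-is --------------------
def current_user_insecure(cookies: Dict[str, str]) -> Optional[str]:
    """Whoever the cookie claims to be, the server believes."""
    uid = cookies.get("userid")
    if uid is None or not uid.isdigit():
        return None
    return USERS.get(int(uid))   # any guessed id resolves to that account

# --- Hardened design: unguessable key, identity kept on the server ------------
SESSION_TTL = 15 * 60                       # assumed idle timeout, seconds
_sessions: Dict[str, dict] = {}             # key -> {"uid": int, "seen": float}

def login(uid: int) -> str:
    """Issue a fresh key on every login; never adopt a key the client supplies."""
    key = secrets.token_urlsafe(32)         # 256 bits from the OS CSPRNG
    _sessions[key] = {"uid": uid, "seen": time.time()}
    return key

def logout(key: str) -> None:
    """Retire the key server-side so a copied cookie stops working."""
    _sessions.pop(key, None)

def current_user_secure(cookies: Dict[str, str], now: Optional[float] = None) -> Optional[str]:
    """Identity comes only from the server-side record the key points to."""
    now = time.time() if now is None else now
    key = cookies.get("sid", "")
    rec = _sessions.get(key)
    if rec is None or now - rec["seen"] > SESSION_TTL:
        _sessions.pop(key, None)            # expire stale keys
        return None
    rec["seen"] = now                       # sliding idle timeout
    return USERS[rec["uid"]]

def set_cookie_header(key: str) -> str:
    """Cookie flags that limit how a key can be read or replayed."""
    return f"sid={key}; HttpOnly; Secure; SameSite=Lax; Path=/"
```

The "userid" cookie still appears in the hardened request in the test but is simply ignored; only a key issued by login() and still present in the server's table resolves to a user.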

Here's how it works:

  1. First, you need to get hold of some other user's session key.
    Hackers have devised a number of methods for acquiring session keys.
  2. A simple way to obtain someone's session key is to simply access their computer - if you can sneak a peek at their session cookie, that's all you need.
    We examine a more sophisticated method for obtaining session keys in the XSS exploit.
  3. Have a friend log into the same instance of U-Hack-It, or just use a different browser on your computer to create a different user account.
  4. Look for the U-Hack-It PHPSESSID cookie - it contains the secret session key you need to take over that other user's session.
  5. Make note of the PHPSESSID cookie contents, edit your own PHPSESSID cookie to match, reload the page and voila - you have hijacked the session!
    Ensure the userid session handling is off first.

Try it Yourself!

Can you hijack a session using the method above?
First - you will need to disable the simplistic userid session handling so the site goes back to using standard, "secure" session handling.
Try it - acquire a session key, edit your PHPSESSID cookie, and hijack a session!