Hunting Session Overloading


To hunt session-based flaws in a website, one must know sessions and cookies inside out. So let's take a deep dive and understand how a web application manages sessions.

What is a Session? 

Web applications use cookies to make the stateless HTTP protocol stateful. A cookie is a small piece of data that the server sends to the browser; the browser may store it and send it back to the server in the next request. Cookies may be used for any of the following purposes:

Session Management  

Session management involves handling the series of HTTP requests and responses between a user and a server that are associated with that user.
Whenever a user visits a particular website, they may get a session, and everything they do from then on happens in the context of that session. Some common examples where session management comes in handy include logins or adding products to shopping carts.

Personalisation

Personalisation simply means that the server is able to remember user preferences, themes or settings applied by the user.

Tracking 

Now I am not even going to jump into the topic of tracking, as we live in a post-Snowden world where we have had scandals like Cambridge Analytica, where a psychological warfare weapon was developed based on user data that was collected. You just need to know that web applications are capable of collecting user data which can be linked and made sense of to derive business decisions and what not, and this is quite often done with the help of cookies.

So if you want to know more about tracking, there is an amazing documentary that you could watch on Netflix.

Fun Fact: Modern-day web applications can track your cursor and can also determine whether the user is left-handed or right-handed; based on this, they may serve you ads on the left side or on the right side of the screen.

What is a session id? Where is it stored? And how is it sent?

A session is a global variable stored on the server. Whenever a session is created, it is assigned a unique id or value which is used to retrieve the stored data. Each time a session is created, a cookie containing the session id is sent to the user. So where does the session id get stored? It depends on the implementation, but generally it is stored in the cookie jar, local storage or memory. It is usually added to a request header or a cookie and sent to the server.


What is Session Puzzling or Session Overloading?

Session Overloading or Session Puzzling is a vulnerability that occurs when a web application uses session variables for more than one purpose. Session Overloading can allow attackers to bypass authentication and impersonate a user or escalate the privileges of an account.

Let's take the example of password reset functionality. Suppose that, on visiting a website, a session is given and the post-login session gets validated in a similar way as it would have been validated while requesting a new password, or that the same session and session ids are used both for requesting a new password and for logging in. Clearly, if a web application uses a session variable for more than one purpose, then it could result in a catastrophe. In order to understand session puzzling you need to watch the video given below, which has two examples: Test Case 1, which showcases session puzzling being tested on an application called Puzzlemall, and Test Case 2, which involves testing on OWASP SKF. Both applications are vulnerable by design.


In Test Case 1, the attacker is able to access the post-login module at the URI /puzzlemall/private/viewprofile.jsp without using credentials, just by requesting a new password (generating a forgot-password request), because the existing session is validated in a similar way as it would have been if the attacker had used correct credentials.

In Test Case 2, you would have noticed that when the user visits the website there is no session id or any cookie. It depends upon the implementation whether the user gets a session post-login or just by visiting the website, perhaps with the session being validated later. A session is a semi-permanent information interchange, which simply means it is stateful but not always, and depends on the use case. The attacker in Test Case 2 was able to get a session id while requesting a new password, and because of that the attacker was able to get into the post-login module "/dashboard".
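The flaw behind both test cases, reduced to a small added example (not code from Puzzlemall, OWASP SKF or the original article): the overloaded handlers share one session variable between the reset flow and the login flow, while the fixed handlers use one variable per purpose and issue a fresh session id on login. The in-memory store, the handler names, the variable names "user", "reset_user" and "auth_user", and the sample account are all assumptions made for illustration.

```python
import secrets

# Constructed demo data: in-memory session store and one sample account.
SESSIONS = {}                       # session id -> dict of session variables
USERS = {"alice": "correct horse"}  # plaintext only to keep the demo short

def new_session():
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {}
    return sid

# --- Overloaded: the variable "user" serves two purposes ---
def forgot_password_vulnerable(sid, username):
    if username in USERS:
        SESSIONS[sid]["user"] = username      # meant only to track the reset flow

def login_vulnerable(sid, username, password):
    if username in USERS and USERS[username] == password:
        SESSIONS[sid]["user"] = username      # meant to mark an authenticated user
    return sid

def view_profile_vulnerable(sid):
    # Cannot tell which flow set "user", so a reset request passes as a login.
    return "user" in SESSIONS.get(sid, {})

# --- Fixed: one variable per purpose, fresh session id on login ---
def forgot_password_fixed(sid, username):
    if username in USERS:
        SESSIONS[sid]["reset_user"] = username  # never read by access checks

def login_fixed(sid, username, password):
    if username not in USERS or USERS[username] != password:
        return sid
    SESSIONS.pop(sid, None)                   # discard all pre-login state
    sid = new_session()                       # rotate the session id
    SESSIONS[sid]["auth_user"] = username     # set only after verified login
    return sid

def view_profile_fixed(sid):
    return "auth_user" in SESSIONS.get(sid, {})
```

When reviewing a real application, the equivalent check is to list every place a session variable is written and confirm that the variables read by access-control checks are written only by the login handler.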

Article Link: https://blog.lucideus.com/2020/04/hunting-session-overloading.html