1 00:00:00,270 --> 00:00:07,140 So the session ID has to be renewed by the application when the user logs in. If the session ID is not
2 00:00:07,140 --> 00:00:10,980 renewed, we can perform the session fixation attack.
3 00:00:11,660 --> 00:00:13,490 The attack scenario is as follows.
4 00:00:14,550 --> 00:00:21,840 The attacker visits the application, which has inadequate session management, and gets a valid session token.
5 00:00:22,140 --> 00:00:29,430 Then he prepares a link to the application which contains the session token and sends the link to the
6 00:00:29,430 --> 00:00:29,880 victim,
7 00:00:30,060 --> 00:00:36,660 for instance in a phishing email. Since the link is to a trusted website, the victim does not suspect
8 00:00:36,660 --> 00:00:41,310 the link, clicks it and logs into the application using his own credentials.
9 00:00:42,500 --> 00:00:47,150 The application identifies the victim but doesn't give him a new session ID.
10 00:00:47,750 --> 00:00:55,660 So after this, when the attacker visits the application with the same session ID, he is now the
11 00:00:55,750 --> 00:00:57,950 victim on the application.
12 00:01:00,400 --> 00:01:03,700 Let's see the session fixation attack in action.
13 00:01:04,450 --> 00:01:07,990 We're going to use OWASP Broken Web Applications and Kali for this demo.
14 00:01:08,290 --> 00:01:13,360 First, go to the OWASP Broken Web Applications page using its IP address or the domain name,
15 00:01:13,360 --> 00:01:20,620 if you defined it in the hosts file. I use the owaspbwa.com domain name, which is mapped to the IP
16 00:01:20,620 --> 00:01:21,880 address of the host machine.
17 00:01:22,940 --> 00:01:31,730 On the main page of the OWASP BWA app, click the OWASP WebGoat link. Authenticate using the guest/guest credentials.
18 00:01:33,140 --> 00:01:35,660 Click the Start WebGoat button at the bottom of the page.
19 00:01:39,200 --> 00:01:45,020 Now in the tree on the left-hand side of the page, expand the Session Management Flaws node and select
20 00:01:45,170 --> 00:01:46,580 the Session Fixation link.
21 00:01:48,590 --> 00:01:55,910 In this scenario, victim Jane has an account in Goat Hills Financial, and the web application of the
22 00:01:55,910 --> 00:02:01,700 finance service is vulnerable to session fixation. In the first stage, you are hacker Joe.
23 00:02:02,300 --> 00:02:07,820 You'll prepare a phishing email as if it's sent by Goat Hills Financial, and it will contain a link
24 00:02:08,090 --> 00:02:12,080 where the session is fixed. From the explanation of stage one
25 00:02:12,080 --> 00:02:16,430 on the web page, we know that the name of the session ID variable is SID.
26 00:02:17,890 --> 00:02:22,660 Find the link inside the prepared email and change it to a valid link first.
27 00:02:30,740 --> 00:02:39,170 Then put an ampersand at the end of the URL to add a new parameter and type SID equals session for
28 00:02:39,170 --> 00:02:39,560 Jane.
29 00:02:40,930 --> 00:02:44,410 Now, session for Jane is an arbitrary session ID given by me.
30 00:02:44,800 --> 00:02:46,150 You can give it anything you want.
31 00:02:46,300 --> 00:02:50,920 Just don't forget it. To send the email to the victim, Jane, click the Send Mail button.
32 00:02:51,960 --> 00:02:53,640 Now we're in stage two.
33 00:02:54,450 --> 00:02:58,680 We are the victim, Jane, in this stage, who has got an email from Goat Hills Financial.
34 00:02:59,570 --> 00:03:00,770 The email contains a link.
35 00:03:01,380 --> 00:03:05,750 When we bring the mouse pointer over the link, we see the URL address that the link points to.
36 00:03:06,530 --> 00:03:12,940 It is a legitimate Goat Hills Financial link, so the victim clicks the link with no doubt, but the
37 00:03:12,950 --> 00:03:15,140 SID is set by the hacker at this point.
38 00:03:16,600 --> 00:03:18,490 In stage three, you are still the victim, Jane.
39 00:03:18,880 --> 00:03:25,180 When Jane clicks the link, the login page of Goat Hills Financial opens. As it's seen in the explanation
40 00:03:25,180 --> 00:03:26,020 of stage three,
41 00:03:26,230 --> 00:03:29,950 you can log in to the app using the jane/tarzan credentials.
42 00:03:31,170 --> 00:03:37,380 Did you see the session ID parameter inside the URL? Enter the username and the password and click
43 00:03:37,380 --> 00:03:37,890 Log In.
44 00:03:41,940 --> 00:03:43,770 Now we are in the final stage.
45 00:03:44,460 --> 00:03:45,780 We are now hacker Joe.
46 00:03:46,410 --> 00:03:49,050 It's time to steal the session of Jane.
47 00:03:50,060 --> 00:03:55,850 Try to go to the web page of Goat Hills Financial. As hacker Joe does not have a valid session,
48 00:03:56,150 --> 00:03:58,550 the app redirects him to the login page.
49 00:03:59,330 --> 00:04:00,800 Look at the URL.
50 00:04:01,190 --> 00:04:03,980 The session ID is NOVALIDSESSION.
51 00:04:05,070 --> 00:04:11,460 Change it to the session ID you sent to victim Jane. In my demo, it was session for
52 00:04:11,460 --> 00:04:12,690 Jane. Hit
53 00:04:12,690 --> 00:04:21,450 Enter. Now, as hacker Joe, you're inside the Goat Hills Financial website as Jane.