
Brute forcing a session - why does it work?


#1 zeroradius

Posted 10 June 2008 - 12:39 PM

I have a friend whose login script for his site is very insecure. I was always telling him a few extra steps that would not take long to implement and that would help protect his site, such as using a complex session name rather than just something like "User", and using a few if statements to check and make sure that the username is set to only the people who should be able to get in there, or setting an extra field in the user table for "rank/category" so that only someone with the correct title and user name can view pages such as his admin panel.

Needless to say he did not listen to me. I did not brute force the session name as I am too lazy for that, but when I found it out I decided to show him why he should listen to me. I set $session['user']=Admin; on a page I made up on my site just for getting into his. I then went into his admin panel and gave myself Admin privileges.

After I did this I was reading PHP for Dummies (I know all the code in there but not why all the code works, which I find very important) and I was reading about sessions. It says that a session is written to a small file on your site's server.

Here's the question:

I don't know much about servers, but with me and my friend using different servers I don't think this should have worked. Can anyone explain to me why it did?

#2 John

Posted 10 June 2008 - 01:09 PM

So you're saying you registered a session and session variable on server `A` and you were able to use that session and session variable on a different server?

#3 zeroradius

Posted 10 June 2008 - 01:12 PM

Yes, and if I understand what I read correctly that should not have worked; then again I may be completely wrong and it working is normal.

#4 Guest_Jordan_*

Posted 10 June 2008 - 01:22 PM

It is true what you read as far as I know. Session files are stored in a directory (usually /tmp) and anyone has access to them on a shared host. If he was putting his session ID in the URL and you obtained that ID you can hijack his session just by going to his server and appending that ID to your URL.

This can be avoided by storing session IDs as a session cookie or storing session files in a database.
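The two fixes Jordan mentions (accept the session ID only from a cookie, and keep session data out of the shared /tmp directory) plus the original poster's own suggestions (a non-default session name and a role column in the user table) can be combined in a few lines of PHP. The following is an added example, not code from the thread or from either site discussed; it assumes a private directory for session files (hypothetical path /var/www/example/private/sessions, not readable by other accounts on the host) and a PDO connection `$db` to a hypothetical `users` table with columns `id`, `username` and `role`.

```php
<?php
// Added example (not from the thread). Assumed: a private session directory and a
// PDO handle $db to a hypothetical `users` table (id, username, role).

// --- Weak setup the thread describes ------------------------------------------
// session.use_trans_sid = 1  -> session ID appended to URLs, easy to copy or leak
// session.save_path = /tmp   -> shared with every other account on the host
// if ($_SESSION['user'] == 'Admin') { ... } -> trusts a string, not a server-side role

// --- Hardened setup ------------------------------------------------------------
function start_secure_session(string $savePath): void
{
    // Accept the session ID only from the cookie, never from the query string.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Keep the cookie away from scripts and off plain HTTP (requires TLS).
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_samesite', 'Lax');
    // Reject IDs the server never issued (blocks session fixation).
    ini_set('session.use_strict_mode', '1');
    // Store session files where other accounts on a shared host cannot read them.
    session_save_path($savePath);
    // A non-default session name, as the original poster suggested.
    session_name('app_sid');
    session_start();
}

// Call this only after the password has been verified.
function login_user(PDO $db, string $username): void
{
    // Fresh ID on privilege change so a pre-login ID cannot be reused.
    session_regenerate_id(true);
    $stmt = $db->prepare('SELECT id FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $id = $stmt->fetchColumn();
    if ($id === false) {
        throw new RuntimeException('unknown user');
    }
    $_SESSION['user_id']  = (int) $id;
    $_SESSION['login_at'] = time();
}

// Gate for admin pages: authorisation comes from the database row, not from
// whatever string happens to sit in the session.
function require_role(PDO $db, string $role): void
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(403);
        exit('login required');
    }
    $stmt = $db->prepare('SELECT role FROM users WHERE id = :id');
    $stmt->execute([':id' => $_SESSION['user_id']]);
    if ($stmt->fetchColumn() !== $role) {
        http_response_code(403);
        exit('forbidden');
    }
}

// Usage at the top of a hypothetical admin.php:
// start_secure_session('/var/www/example/private/sessions');
// require_role($db, 'admin');
```

Because `require_role()` re-reads the role from the database on every request, changing a user's rank in the table takes effect immediately, and nothing a visitor can place in a URL or in their own session store is consulted for the decision.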