
1 Vulnerability: Broken Authentication and Session Management

Description

Application functions related to authentication and session management are
often not implemented correctly, allowing attackers to compromise passwords,
keys, session tokens, or exploit other implementation flaws to assume other
users’ identities.

Risk Rating

Severe

Complexity of Attack

Average

Impact

Such flaws may allow some or even all accounts to be attacked. Once successful,
the attacker can do anything the victim could do. Privileged accounts are
frequently targeted.

1.1 How the test was performed

Case I: Session Fixation

1. Open the following URL on machine-1, “https://www.boozt.com/login”, and
enter the valid credentials. The customer page opens, as shown below:

2. Now open Inspect Element (press F12) on the CUSTOMER page and, in the
cookies, copy down the value of the session id, as shown below:

3. Now go to machine-2 and open the following URL:
“http://www.boozt.com/eu/en”. A session id must be generated in the
cookies, as shown below:

4. Now select that session id and click on edit. In the content section, replace the
session id with the one we copied on machine-1 and click on save, as shown
below:

5. The session id has been fixed on machine-2. Now, without any login, just hit the
internal URL “https://www.boozt.com/eu/en/customer” and we get
access to the authenticated page, as shown below:

Result: Hence, without providing any login credentials or authentication, we are
able to see the authenticated page just by hitting the URL, which leads
to a Session Fixation vulnerability.
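
A server-side control for the behaviour shown in Case I, as an added example that is not part of the original report or the tested application's code: the session id is rotated at login, and an id replayed from a different client is revoked. The `SessionStore` class, the user-agent/IP fingerprint and the sample values in it are assumptions constructed for illustration.

```python
import hashlib
import secrets


class SessionStore:
    """In-memory session store (hypothetical, constructed for illustration)."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user": ..., "client": ...}

    @staticmethod
    def _fingerprint(user_agent, ip):
        # Coarse client binding. Assumption: user agent + IP is stable enough
        # for this application; roaming clients may need a looser binding.
        return hashlib.sha256(f"{user_agent}|{ip}".encode()).hexdigest()

    def new_anonymous(self, user_agent, ip):
        # Pre-login session, like the one created on machine-2 in step 3.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None,
                               "client": self._fingerprint(user_agent, ip)}
        return sid

    def login(self, old_sid, user, user_agent, ip):
        # Rotate the identifier at the privilege change: the pre-login id is
        # discarded, so a value known before login never becomes authenticated.
        self._sessions.pop(old_sid, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user,
                               "client": self._fingerprint(user_agent, ip)}
        return sid

    def authenticated_user(self, sid, user_agent, ip):
        # Returns the user name, or None when the request must be anonymous.
        session = self._sessions.get(sid)
        if session is None or session["user"] is None:
            return None
        presented = self._fingerprint(user_agent, ip)
        if not secrets.compare_digest(session["client"], presented):
            # Same id presented by a different client (the machine-2 replay
            # in steps 4 and 5): revoke the session and force a new login.
            del self._sessions[sid]
            return None
        return session["user"]
```

Revoking on mismatch also logs out the legitimate user, which is the intended outcome once an id is known to have left the original client.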
