Recipe 8-1: Detecting Invalid Cookies
This recipe shows you how to determine when attackers attempt to submit invalid cookie data.
Ingredients
  • OWASP ModSecurity Core Rule Set (CRS)
    • modsecurity_crs_40_appsensor_detection_point_2.3_session_exception.conf
  • ModSecurity
    • RESPONSE_HEADERS:Set-Cookie variable
    • REQUEST_HEADERS:Cookie variable
    • setsid action
    • setvar action
Session-Guessing Attacks
Although web application authentication is the front-line defense against unauthorized access, developers tend to overlook a weakness that sits underneath it: an attacker does not have to authenticate to the application at all to gain access. He only has to present a SessionID that the application considers valid when making his requests. For that reason attackers often focus on analyzing the strength of SessionIDs: their length, the character set they are drawn from, and how much entropy actually goes into them. If SessionIDs are short, drawn from a small character set, or generated predictably, an attacker can guess or brute-force a value currently in use and thereby take over another user's active session without ever knowing that user's credentials.
Attackers may use many tools to analyze the strength of application SessionIDs; here we show some examples using Burp Suite. In Burp Suite's Proxy module, you can right-click a previously captured transaction and send it to another module, in this case Sequencer, which samples the token many times and reports on its randomness. Figure 8-1 shows a captured session loaded into the Sequencer module.

Figure 8-1: Burp Suite’s Sequencer module

As you can see, the Sequencer module has identified the amSessionId Set-Cookie response header ...
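The detection the recipe's ingredients assemble can be sketched as a small ModSecurity 2.x rule set: learn every session ID the application issues from its Set-Cookie response header, then flag any request whose Cookie header carries a value the application never issued, which is exactly what a session-guessing attacker produces. The rules below are an added illustration written for this page, not the contents of the CRS file listed above nor the book's own rules. They assume the application's session cookie is named amSessionId (the cookie Figure 8-1 points at), that rule IDs 900401 through 900403 are unused in your configuration, and that SecDataDir is configured so SESSION collections persist between requests.

```apache
# Added illustration of the invalid-cookie detection pattern; not the CRS rules.
# Assumptions: session cookie is named amSessionId, rule IDs 900401-900403 are
# free, and SecDataDir points at a directory ModSecurity can write to.
SecDataDir /var/cache/modsecurity

# Phase 3 (response headers): whenever the application issues a session ID,
# open the SESSION collection for that value and mark it as legitimately issued.
# Set-Cookie2 is matched as well because some frameworks still emit it.
SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(?i:amSessionId=([^\s;]+))" \
    "phase:3,id:900401,t:none,pass,nolog,capture,\
     setsid:%{TX.1},\
     setvar:session.valid=1,\
     setvar:session.issued_to=%{REMOTE_ADDR}"

# Phase 1 (request headers): bind the inbound cookie value to its SESSION
# collection. A guessed or fabricated value simply opens an empty collection
# that carries no 'valid' marker.
SecRule REQUEST_COOKIES:amSessionId ".+" \
    "phase:1,id:900402,t:none,pass,nolog,capture,setsid:%{TX.0}"

# If the bound collection has no 'valid' variable, this server never issued the
# cookie: treat the request as a session exception. The setvar actions sit on
# the last rule of the chain so they only fire when the whole chain matches.
SecRule REQUEST_COOKIES:amSessionId ".+" \
    "phase:1,id:900403,t:none,pass,log,chain,\
     msg:'Invalid session cookie submitted: value was never issued by the application',\
     tag:'OWASP_AppSensor/SE2',severity:'2'"
    SecRule &SESSION:valid "@eq 0" \
        "setvar:tx.anomaly_score=+5,setvar:tx.session_exception=1"
```

Two caveats a practitioner will hit in production. First, SESSION collections expire on their own timer (one hour by default), so a legitimate user whose application session outlives the collection will be flagged on the next request; set session.timeout in rule 900401 to match the application's real session lifetime. Second, the first requests after the SecDataDir store is cleared or the server is rebuilt will all look invalid, so either warm the store or run in detection-only mode for a while before letting tx.anomaly_score drive blocking.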
