Web Application Defender's Cookbook

by Ryan C. Barnett, Jeremiah Grossman
December 2012
Intermediate to advanced
552 pages
13h 16m
English
Wiley
Content preview from Web Application Defender's Cookbook
Recipe 8-1: Detecting Invalid Cookies
This recipe shows you how to determine when attackers attempt to submit invalid cookie data.
Ingredients
  • OWASP ModSecurity Core Rule Set (CRS)
    • modsecurity_crs_40_appsensor_detection_point_2.3_session_exception.conf
  • ModSecurity
    • RESPONSE_HEADERS:Set-Cookie variable
    • REQUEST_HEADERS:Cookie variable
    • setsid action
    • setvar action
Session-Guessing Attacks
Although web application authentication serves as the front-line defense against unauthorized access, developers tend to overlook an underlying weakness. An attacker does not have to successfully authenticate to the application to gain access. He must simply submit a valid SessionID when making his requests! This means that attackers often focus on analyzing the strength (length, character set, and entropy) of SessionIDs. If the SessionID data is weak and predictable, an attacker may be able to guess a valid value and thus assume another user’s active session.
Attackers may use many tools to analyze the strength of application SessionIDs, but we will show some examples using Burp Suite. In the proxy module of Burp Suite, you can right-click and send a previously captured transaction to another module. Figure 8-1 shows a session in the Sequencer module.

Figure 8-1: Burp Suite’s Sequencer module
As you can see, the Sequencer module has identified the amSessionId Set-Cookie response header ...
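As an added illustration of the detection this recipe's ingredients point at (example code written for this page, not the book's ModSecurity rules): a monitor that records every SessionID the application issues in a Set-Cookie header and flags requests whose Cookie header carries a value that was never issued, plus a crude strength estimate along the length, character-set and entropy axes the text names. The cookie name amSessionId is taken from the figure; all traffic below is constructed.

```python
import math
from http.cookies import SimpleCookie

SESSION_COOKIE = "amSessionId"  # cookie name seen in the Sequencer screenshot


class SessionCookieMonitor:
    """Defender-side check in the spirit of Recipe 8-1: remember each
    SessionID the application hands out via Set-Cookie, then flag any
    request whose Cookie header presents a SessionID that was never issued."""

    def __init__(self, cookie_name=SESSION_COOKIE):
        self.cookie_name = cookie_name
        self.issued = set()

    def observe_response(self, set_cookie_headers):
        """Record SessionIDs from one response's Set-Cookie header(s)."""
        for header in set_cookie_headers:
            jar = SimpleCookie()
            jar.load(header)  # parses "name=value; Path=/; HttpOnly" style lines
            if self.cookie_name in jar:
                self.issued.add(jar[self.cookie_name].value)

    def check_request(self, cookie_header):
        """Return 'none' (no session cookie sent), 'valid' or 'invalid'."""
        jar = SimpleCookie()
        jar.load(cookie_header)
        if self.cookie_name not in jar:
            return "none"
        return "valid" if jar[self.cookie_name].value in self.issued else "invalid"


def sessionid_strength(values):
    """Rough upper bound on SessionID strength: shortest observed length,
    size of the character set actually used, and length * log2(charset) bits.
    A real audit would use a tool such as Burp's Sequencer on a large sample."""
    charset = set("".join(values))
    length = min(len(v) for v in values)
    bits = length * math.log2(len(charset)) if len(charset) > 1 else 0.0
    return {"length": length, "charset": len(charset), "max_bits": round(bits, 1)}


# Constructed sample traffic: two SessionIDs issued, then three requests,
# one of which guesses a SessionID (1002) the application never handed out.
ISSUED = ["amSessionId=1000; Path=/; HttpOnly", "amSessionId=1001; Path=/; HttpOnly"]
REQUESTS = ["amSessionId=1001; lang=en", "amSessionId=1002; lang=en", "lang=en"]


def run_demo():
    monitor = SessionCookieMonitor()
    monitor.observe_response(ISSUED)
    return [monitor.check_request(r) for r in REQUESTS]  # ['valid', 'invalid', 'none']
```

The deliberately weak sample IDs (four decimal digits) also show why the strength estimate matters: sessionid_strength reports at most 4 bits, which is trivially guessable.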
ISBN: 9781118417058