Session Hacking Plugins

Author: David Endler
Email: dendler@idefense.com
Site: http://www.idefense.com

See the main WebSleuth help file for more detailed help and descriptions of each plugin component.

The following three plugins allow for brute-forcing active authentication tokens stored either in a URL, a cookie, or an HTTP header in the form of Basic Authentication.

* Grabbing Sequential Cookies Plugin

The Grab Sequential Cookies plugin is meant as a web application auditing tool to determine the relative "randomness" of potential session IDs that may be generated in sequence. When strong cryptographic algorithms are used for this purpose, it is almost impossible to predict the next ID in a sequence generated by the same application. However, many applications generate session IDs in a linear or predictable manner, allowing an attacker to guess or brute-force them using automated programs such as WebSleuth. If a session ID can be forged or guessed, it saves the attacker from having to brute-force a user's legitimate logon credentials in order to access the account or hijack the active session.

* Basic Authentication Brute-Forcer Plugin

Many pages on the web are protected with a mechanism called Basic Authentication (RFC 2617). A web server responds to a request for a page protected in this manner with a 401 Unauthorized status code and includes a WWW-Authenticate header field in the response. The client then repeats the request, this time including an Authorization header field that contains the client's base64-encoded credentials applicable to the server's authentication challenge.

A main drawback of the Basic Authentication scheme is that it is relatively straightforward to set up a brute-force scenario, since all that is needed is to base64-encode combinations of "username:password" strings from any given wordlist (some decent wordlists can be downloaded with the latest version of whisker by rain forest puppy at http://www.wiretrip.net/rfp in the research/tools section). This plugin is a web application authentication strength checking tool that grinds through a list of usernames and passwords to brute-force a legitimate Basic Authentication protected URL.

* URL/Cookie Brute-Forcer

This plugin is a tool to brute-force session IDs stored in a URL or a cookie in order to access a protected page or hijack an active session. Read the help file for specific instructions on how to configure the range notation for specific characters in each string of session IDs.

Basically, session IDs are usually long random alphanumeric strings transmitted between client and server either within cookies or directly in URLs. Once a user has logged into an application (e.g., Hotmail, Amazon, eBay, etc.), these session IDs can serve as stored authentication mechanisms so that the user does not have to retype a password after each click within the website. Ideally, during logon, a session ID is generated on the web server in such a manner that a potential attacker could not guess or calculate its value while the user's session is still active. When strong cryptographic algorithms are used for this purpose, it is almost impossible to predict the next ID in a sequence generated by the same application. However, many applications generate session IDs in a linear or predictable manner, allowing an attacker to guess or brute-force them using automated programs. If a session ID can be forged or guessed, it saves the attacker from having to brute-force a user's legitimate logon credentials in order to access the account or hijack the active session.

This tool enables the web application tester to enumerate quickly through a range of characters and try to discover any active sessions that fall within the range of session IDs being tested.

Feedback welcome at dendler@idefense.com

TO DO

* Adding session timeouts
* Making the brute-force URL/Cookie range notation more user friendly (i.e. graphical)
* Enabling brute-force expansion of characters; right now the brute-force only works on fixed-length COOKIES/URLS
* Do some mathematical magic to examine the strength of sequential cookies
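The kind of check the Grab Sequential Cookies plugin is meant to support, and that the last TO DO item asks for, can be sketched as follows. This is an added example written for this page, not WebSleuth's own code; the Set-Cookie headers, the cookie name SESSIONID, and the two analysis heuristics (constant stride between consecutive IDs, and per-position character entropy) are constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed Set-Cookie headers (not captured from any real site): the first
# batch is a counter-style ID, the second a mixed-alphanumeric one.
SEQUENTIAL = ["Set-Cookie: SESSIONID=000103e8; Path=/",
              "Set-Cookie: SESSIONID=000103e9; Path=/",
              "Set-Cookie: SESSIONID=000103ea; Path=/",
              "Set-Cookie: SESSIONID=000103eb; Path=/"]
RANDOMISH = ["Set-Cookie: SESSIONID=q7Hd2xPz; Path=/",
             "Set-Cookie: SESSIONID=A91kLm3c; Path=/",
             "Set-Cookie: SESSIONID=zT0vBn8Q; Path=/",
             "Set-Cookie: SESSIONID=Ue4rWy6J; Path=/"]

def extract_ids(headers, name):
    """Return the named cookie's value from each Set-Cookie header."""
    pat = re.compile(r"Set-Cookie:\s*%s=([^;\s]+)" % re.escape(name))
    return [m.group(1) for m in map(pat.search, headers) if m]

def constant_stride(ids):
    """Step between consecutive IDs if they parse as decimal or hex integers
    and the step is constant; None otherwise."""
    for base in (10, 16):
        try:
            nums = [int(v, base) for v in ids]
        except ValueError:
            continue
        steps = {b - a for a, b in zip(nums, nums[1:])}
        return steps.pop() if len(steps) == 1 else None
    return None

def bits_per_position(ids):
    """Mean Shannon entropy (bits) of the character at each position.
    Bounded above by log2(number of samples), so collect many IDs."""
    width, n = min(len(v) for v in ids), len(ids)
    total = 0.0
    for i in range(width):
        for c in Counter(v[i] for v in ids).values():
            total -= (c / n) * math.log2(c / n)
    return total / width

def assess(headers, name="SESSIONID"):
    """Summarise how predictable the captured IDs look."""
    ids = extract_ids(headers, name)
    stride, entropy = constant_stride(ids), bits_per_position(ids)
    if stride is not None:
        verdict = "predictable: IDs increase by a constant %d" % stride
    elif entropy < 1.0:
        verdict = "weak: most character positions never change"
    else:
        verdict = "no simple pattern in this sample"
    return {"stride": stride, "bits_per_position": round(entropy, 2),
            "verdict": verdict}
```

With only a handful of samples the entropy figure is a coarse indicator; a constant stride is the stronger signal that an ID is a counter rather than a random token.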