Attacks Against Weak Token Generation

In our last post we discussed the basics of session management attacks, also known as session hacking. In this post we will look at how weak token generation methods can be attacked to compromise session management. The most common ways weak tokens come about are:
  • Using meaningful tokens
  • Predictable token generation
  • Adding time-dependent variations to tokens
Some important things before we discuss the actual steps. In applications that use the standard cookie mechanism for transmitting session tokens, it is easy to identify which item of data contains the token. In other cases it takes real brain work to identify it. Many web developers add extra tokens to cookies to confuse attackers; for example, an application might place 14 tokens in your browser's cookie store, of which only six are responsible for session management. No matter what values the other eight have, only those six control the session. An application may also combine several different items of data to implement a token, including cookies, URL parameters, hidden form fields and even stored IP addresses. So it is important for an attacker to keep an eye on each of them while working through the steps below.
The tools required for session hacking are the Mozilla Firefox web browser and the Add N Edit add-on for it.
  • First of all, log in to your account several times a day and copy the cookie parameters into a text file. For each login also note down the time, any changes in the URL, and the hidden form values.
  • The next step is finding out which tokens are really used for session handling and which are decoys. Log in once again, copy the original cookie values, and try altering the value of each token in turn. If you are unable to stay logged in, or you end up logged in as another user after altering a token, then that token is the one that matters. Repeat this for every token.
  • The last step is identifying what the weakness in the tokens is. Sorry, that can't be done with a tool; it requires some brain work on your part.
After identifying which type of weakness a token has, we can craft our attack against it. Suppose you logged in with
User-name= Xtraweb
Password = M*tAdJw6Wd+
and the tokens generated include values like the following:
u_u=36e672d41e98209fa80b34375d4316bd
pd_=c521b8e207540b324f6beeb34157b47b
Then it is not difficult to recognise that the above tokens are nothing but MD5 hashes. An attacker will have no problem identifying them, whether they are salted or not.
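As an added example (not code from the original post), the following Python contrasts a token generator of the "meaningful token" kind described above with a hardened one, and includes two audit checks a tester can run over tokens collected in the earlier steps: one that detects tokens that are plain digests of known user attributes, and one that detects counter-like sequences across successive logins (the predictable-token weakness). The user attributes and sample tokens are constructed for the demonstration.

```python
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

# Weak generator of the kind the post describes: the "session token" is just an
# unsalted MD5 of data the user already knows. Deliberately weak, for the audit.
def weak_token(value: str) -> str:
    return hashlib.md5(value.encode()).hexdigest()

# Hardened generator: 128 bits from the OS CSPRNG, unrelated to any user data.
def strong_token() -> str:
    return secrets.token_hex(16)

# Check 1: is the token a plain digest of an attribute we know about the user?
# Returns (attribute name, hash algorithm) if so, otherwise None.
def find_meaningful_token(token: str, known: Dict[str, str]) -> Optional[Tuple[str, str]]:
    token = token.strip().lower()
    for attr, value in known.items():
        for algo in ("md5", "sha1", "sha256"):
            if hashlib.new(algo, value.encode()).hexdigest() == token:
                return (attr, algo)
    return None

# Check 2: do hex tokens captured from successive logins increase by small,
# bounded steps (a counter or similar)? Returns the largest step seen if every
# step is within max_step, otherwise None. Non-hex tokens yield None.
def find_sequential_tokens(tokens: List[str], max_step: int = 1000) -> Optional[int]:
    try:
        values = [int(t, 16) for t in tokens]
    except ValueError:
        return None
    if len(values) < 3:
        return None  # too few samples to call it a sequence
    diffs = [b - a for a, b in zip(values, values[1:])]
    if all(0 < d <= max_step for d in diffs):
        return max(diffs)
    return None

if __name__ == "__main__":
    # Constructed sample: a user whose app hashes the username into the cookie.
    known = {"username": "demo_user", "email": "demo@example.invalid"}
    print(find_meaningful_token(weak_token("demo_user"), known))   # ('username', 'md5')
    print(find_meaningful_token(strong_token(), known))            # None
    # Constructed sample of counter-like tokens from four successive logins.
    print(find_sequential_tokens(["0a0f", "0a10", "0a11", "0a13"]))  # 2
```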
Other weaknesses, like predictable tokens and time-dependent variations in tokens, are harder to find. Hardly any developer uses easily predictable or time-dependent variations in tokens, so if you do manage to detect them manually, it tells you something about the qualifications and experience of the developer who implemented those tokens. To detect them, Burp Intruder, a tool from Burp Suite, is used. Burp Suite is an application that can be used to audit and attack web applications. It is developed by PortSwigger Web Security and is available for download in both free and paid versions. Without any doubt Burp Suite is the best web application scanner, and it can scan for and detect more weaknesses and vulnerabilities than I have so far discussed on this blog regarding session management. Download Burp from the following link.
The interface of Burp Suite is self-explanatory, so you will hardly face any problem using it. In future posts we will surely discuss Burp Suite and its various web application scanning tools in more detail.
That completes attacks against weak token generation. In the next post we will cover attacks against mishandling of tokens. Till then, thanks for reading, have a nice time and keep visiting.
