We used Burp Suite to demonstrate an experiment on enumerating session IDs created by a PHP application. The source code used a vulnerable mechanism to create the session ID: it assigned a numerical value from a pre-determined range and linked it to the user’s profile. When the session ID isn’t randomly generated, the web application becomes vulnerable to session hijacking attacks. We used the OverTheWire war games Natas Level 18 – 19 challenge for demonstration purposes.
Accessing Level 18
We begin by heading over to the Natas 18 login page, entering the password from Level 17 to gain access.
Upon loading, we’re greeted with a login form.
Since this challenge allows white-box testing, we have access to the application’s source code. Let’s inspect it by clicking “View sourcecode.”
Understanding the Vulnerability
While analyzing the source code, one line stands out:
$maxid = 640;
This line defines the maximum session ID value, limiting it to 640. A function further down in the code shows that user session IDs are randomly generated between 1 and 640. Here’s the key problem:
The application uses numeric session IDs within a small, predictable range.
This makes the application vulnerable to session prediction attacks. If an attacker can guess or brute-force a valid session ID tied to an admin account, they can bypass authentication and hijack the session, no password required.
This is a textbook example of insecure session management.
Exploiting the Vulnerability
There are two main ways we can brute-force the session ID:
- Using Python – Create a script to try every ID from 1 to 640, checking for an admin response.
- Using Burp Suite – A powerful web application testing tool, which we’ll use in this video.
Setting Up Burp Suite
- Launch Burp Suite and configure your browser to work with it.
- Submit a dummy login (e.g., admin:admin) to capture the request.
- Intercept the response and examine the Set-Cookie header.
We see a session cookie like:
Set-Cookie: PHPSESSID=498
Now that we know how the session ID is structured, let’s brute-force it.
Brute-Forcing with Intruder
- Send the request to Intruder.
- Clear all payload positions.
- Highlight the session ID value in the cookie and click “Add” to mark it as the target.
- Go to the Payloads tab:
  - Payload type: Numbers
  - Start at: 1
  - End at: 1000 (to be safe, since the upper bound is 640)
  - Step: 1
- Click Start attack.
Analyzing the Responses
During the attack, keep an eye on the length of the server’s responses.
Most responses will have similar lengths (608, 607, etc.), indicating failed login attempts. Look for a response that deviates significantly from the average; that likely signals a successful admin session.
After scanning the results, we identify a different response with a session ID of:
ID = 119
Let’s use this session ID to log in.
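To put the weak $maxid = 640 generator from the source-code section beside its hardened form, and to show what the Intruder sweep above looks like from the server side, here is an added Python example (my code, not part of the original write-up or of Natas). The log line format, the IP addresses and the session IDs in SAMPLE_LOG are constructed for the example.

```python
import math
import random
import re
import secrets
from collections import defaultdict

MAXID = 640  # the page's $maxid: Natas 18 draws PHPSESSID from 1..640

def weak_session_id(rng=random) -> str:
    """Mirror of the Natas 18 scheme: a small integer, so at most 640 guesses."""
    return str(rng.randint(1, MAXID))

def strong_session_id() -> str:
    """Hardened form: 128 bits from the OS CSPRNG (PHP's random_bytes() or the
    default session_create_id() give equivalent IDs). Sweeping this is infeasible."""
    return secrets.token_hex(16)

def entropy_bits(space_size: int) -> float:
    """Guessing entropy of a uniformly drawn ID with `space_size` possible values."""
    return math.log2(space_size)

def hit_probability(space_size: int, attempts: int) -> float:
    """Chance that `attempts` distinct sequential guesses cover one fixed valid ID."""
    return min(1.0, attempts / space_size)

# Constructed application-log format (an assumption, not any real server's format):
# "<client-ip> PHPSESSID=<id> <status> <response-bytes>"
LOG_RE = re.compile(r"^(\S+) PHPSESSID=(\S+) (\d{3}) (\d+)$")

def detect_enumeration(lines, min_distinct: int = 50) -> dict:
    """Flag clients that presented many distinct session IDs: the footprint of an
    Intruder-style sweep. Returns {ip: number_of_distinct_ids} for flagged IPs."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ip, sid, _status, _size = m.groups()
            seen[ip].add(sid)
    return {ip: len(ids) for ip, ids in seen.items() if len(ids) >= min_distinct}

# Constructed sample: one normal visitor and one client walking IDs 1..120.
SAMPLE_LOG = ["203.0.113.7 PHPSESSID=498 200 608"] + [
    f"198.51.100.9 PHPSESSID={i} 200 {607 if i % 2 else 608}" for i in range(1, 121)
]

if __name__ == "__main__":
    print(f"weak id space: {entropy_bits(MAXID):.1f} bits, strong: {entropy_bits(2**128):.0f} bits")
    print("p(hit) after 640 guesses against a 640-value space:", hit_probability(MAXID, 640))
    print("flagged clients:", detect_enumeration(SAMPLE_LOG))
```

The 640-value space is under 10 bits of entropy, so a full sweep is guaranteed to hit every live session; the detection rule fires on the many-distinct-cookies-per-client pattern rather than on any single request.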
Natas Level 19 Password
8LMJEhKFbMKIL2mxQKjv0aEDdk7zpT0s