How to hijack a session?

  • Despite the blatant title of the question, this is actually for a genuine purpose.

    My site uses PHP code like this:

        $select="select id from tableA where user_id='".$_SESSION['sess_user_id']."'";

    I'm really trying to think like a hacker and figure out how I can alter this value. I've read articles talking "about" session hijacking, but being vague about how that can be done...

    What you're asking about is not "hijacking", it's poisoning, manipulation, injection... it does have a lot of names, but hijacking is something else: that is when you steal someone *else's* session.

    Wait, my previous comment may have been jumping the gun... What is it you're trying to do? Get access to someone else's record, or go for the bigger SQL Injection vulnerability there?

    What's your website address? That SQL query looks like a lot of fun.

    Wow, talk about a bad design. I can use SQL injection to obtain the session ID and then just log in as that user. I don't even need to crack a password.

    I don't think this question provides enough details to answer the question. Sample ambiguities: What kind of control does the attacker have over the value of `$_SESSION['sess_user_id']`? Is this part of the session state derived from an attacker controlled value, such as the username entered on a login form? How is the value `$select` used subsequently in the code?

  • Chris Dale

    Correct answer

    10 years ago

    Basically, when you hijack someone's session you take their session ID and pretend it's your own. Usually the session ID is transferred in the cookie, meaning that if you can access the other party's cookie you can just put it in your own cookie and you've stolen their session.

    This can be done in several ways, for example by sniffing the wireless network and looking at the HTTP packets being transferred, or by an XSS attack where you can tell the victim's browser to reveal their cookie information to you.

    I would like to mention that the example you describe in your question may also be vulnerable to SQL injection. If I change my cookie's session ID to

        asdf' OR 1=1--

    I would most likely be authenticated as a valid user. To prevent this you have to make sure you have proper sanitizing on dirty data coming from your clients before you use the data for anything.

    Very interesting to learn about manipulating _my own_ cookies... In the above / the code that I have, how are you assuming that the value is being retrieved from a cookie? (Is that an assumption you made, or something about `$_SESSION`?)

    @Steve, *usually* the session ID is distributed via cookie. You can also transfer the session in GET or POST, but the end result is the same. The client can always modify this value and you need to sanitize it.

    NEVER ever trust anything coming from a client. Not sure if that's rule #1, but it's in the top 10.

    -1 No, I'm sorry, but it's probably not vulnerable to SQL injection. If any other query in the application was vulnerable then the results would be disastrous, because the attacker could log in without needing to crack a password hash. Also, your injected query would error out.

    @Rock, please stop insulting people. If you have a point, it is likely that it will be taken much more seriously, if you use proper arguments to support it, instead of insults.

    `$_SESSION['sess_user_id']` is probably not the session ID but the user ID.

    I fixed your clearly incorrect SQL injection payload. (Which would never be an attack pattern anyway...)

    Thanks. Forgot to comment out the rest of the query. This query would also work: `asdf' OR '1'='1`

    @ChrisAndrèDale: The cookie stores the session_id, which is retrieved by the server, which accesses the member of the `$_SESSION` array, so changing the cookie to `asdf' OR 1=1--` or something like that probably should not work, because it would not be a valid session ID.

    In this very example, putting my sample SQL injection into your cookie would hijack someone else's session.
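The two defences the answer and its comments point at (don't trust the session ID the client presents, and don't concatenate `$_SESSION` values into SQL) as an added PHP example; this is not code from the question or the answer. It assumes PHP 7.3+ (for the array form of `session_set_cookie_params`), a PDO connection, and the `tableA` / `id` / `user_id` names from the question; the SQLite setup at the bottom is constructed so it runs offline.

```php
<?php
declare(strict_types=1);

// Added example, not the poster's code. Harden how the session ID travels:
// cookie only, not readable by script (limits XSS cookie theft), HTTPS only
// (limits sniffing), and IDs the server never issued are rejected.
function start_hardened_session(): void
{
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

// After a successful login, swap to a fresh ID so a session ID that was
// set or observed before authentication cannot be reused afterwards.
function on_login_success(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['sess_user_id'] = $userId;
}

// Parameterised version of the question's query. The value is bound, never
// concatenated, so a payload such as  asdf' OR '1'='1  is compared as a
// literal string and never reaches the SQL grammar.
function fetch_record_ids(PDO $pdo, string $sessUserId): array
{
    $stmt = $pdo->prepare('SELECT id FROM tableA WHERE user_id = :uid');
    $stmt->bindValue(':uid', $sessUserId, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed in-memory fixture so the example runs without a real database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tableA (id INTEGER PRIMARY KEY, user_id TEXT)');
$pdo->exec("INSERT INTO tableA (user_id) VALUES ('42'), ('43')");

var_dump(fetch_record_ids($pdo, '42'));               // the legitimate user's rows
var_dump(fetch_record_ids($pdo, "asdf' OR '1'='1"));  // payload treated as plain text
```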

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM