Session Hijacking

For this tutorial, you will play with cookies, sessions and session hijacking.

  1. Bring up a browser
  2. Point your browser at the sample application
  3. Play with the application a bit.
  4. Toggle developer tools and bring up the developer toolbar.
  5. In the developer toolbar, type 'help cookie'.
  6. Type 'cookie list' to see all of the cookies that your browser is sending back to the server on each request. Notice how much you are being tracked. Note that I did not set those cookies on your browser, other than PHPSESSID!
  7. Clear the PHPSESSID cookie we have from the server. To do this, type 'cookie remove "PHPSESSID"' into the developer toolbar and switch to the Network tab.
  8. Reload the secrets page. This now simulates a first visit to the webpage.
  9. Take a look at the request and response (look at 'GET secrets.php' in the Network console).
  10. Note the Set-Cookie directive sent from the server as part of the response headers.
  11. Add a few secrets. Note in the request headers that the cookie is sent from the browser to the server on each request.
  12. Play with the application a bit. Note that your experience with the application is different from your neighbours'. Everyone has their own secrets.
  13. In your browser, find the cookie set for this website and give it to your neighbour.
  14. Using the developer toolbar, you can replace your secrets cookie with theirs. Do this and visit the secrets website. To do this, remove your PHPSESSID and add theirs ('help cookie' in the developer toolbar).
  15. Look at the requests and responses in the Network console.
  16. Discuss what could be done to prevent session hijacking, and the benefits/drawbacks of each measure. Note: This is using https.
  17. Play with curl:
      curl -v --insecure -d "submitSecret=xx" -d "newSecret=something" https://cs.utm.utoronto.ca/~rosenbl6/347/session_hijack/secrets.php --header "Cookie:PHPSESSID=s3l5hfuh3f8q6inh97p7g6m8d3"
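
For the discussion in step 16, the sketch below (an added example, not the code of the sample application) models a server-side session table to show why a copied PHPSESSID is accepted and how ID rotation, an idle timeout and client binding change that, each with its drawback. The class, method names and User-Agent strings are hypothetical, and timestamps are passed in explicitly so the run is deterministic.

```python
import secrets

class SessionStore:
    """Toy server-side session table keyed by an opaque ID (stand-in for PHPSESSID)."""

    def __init__(self, idle_timeout=900):
        self.idle_timeout = idle_timeout  # seconds of inactivity allowed
        self.sessions = {}  # sid -> {"data": [...], "ua": str, "last_seen": number}

    def create(self, user_agent, now):
        sid = secrets.token_urlsafe(32)  # unguessable random identifier
        self.sessions[sid] = {"data": [], "ua": user_agent, "last_seen": now}
        return sid

    def lookup_naive(self, sid):
        # Bearer semantics: whoever presents the ID gets the session.
        rec = self.sessions.get(sid)
        return rec["data"] if rec else None

    def lookup_hardened(self, sid, user_agent, now):
        rec = self.sessions.get(sid)
        if rec is None:
            return None
        expired = now - rec["last_seen"] > self.idle_timeout
        # Drawback: User-Agent is client-supplied, so this only raises the bar.
        if expired or rec["ua"] != user_agent:
            del self.sessions[sid]  # drawback: the real owner is logged out too
            return None
        rec["last_seen"] = now
        return rec["data"]

    def rotate(self, sid):
        # Issue a fresh ID (e.g. after login); a copy of the old one stops working.
        rec = self.sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = rec
        return new_sid

def demo():
    store = SessionStore()
    sid = store.create("browser-A (constructed)", now=0)
    store.lookup_naive(sid).append("my secret")
    copied = store.lookup_naive(sid)   # neighbour presents the same ID
    new_sid = store.rotate(sid)
    stale = store.lookup_naive(sid)    # the copied ID after rotation
    owner = store.lookup_hardened(new_sid, "browser-A (constructed)", now=10)
    other = store.lookup_hardened(new_sid, "browser-B (constructed)", now=20)
    return copied, stale, owner, other
```

`demo()` returns what the neighbour sees with a copied ID, what that copy yields after rotation, and what the owner and a different client get from the hardened lookup.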
