Web Hacking: Cookie Tampering, Directory Traversal, Session Hijacking, Authentication Bypass, Brute Force Attack

Web hacking is a common technique used by attackers to exploit vulnerabilities in web applications. In this article, we will explore some common types of web attacks, including cookie tampering, directory traversal, session hijacking, authentication bypass, and brute force attacks.

Cookie Tampering

Definition

Cookie tampering refers to the malicious act of modifying cookie values used in web applications.

Purpose

Cookies are stored on the client-side and are used to maintain the state between the client and server (such as authentication, session management, user identification, etc.).

Prevention

• Authentication and encryption for cookies
• Filtering and validation for input values
• Filtering for output values
• Appropriate cookie settings based on the purpose and duration of use

Example

Using Burp Suite:

Let's confirm a successful login. The response status code is 302.

A status code in the 300s indicates redirection. This means that the user has been redirected to another webpage.

Let's check the cookies. We can see that the username is stored in the cookie, rather than using a session to differentiate users.

By changing the value of loginUser to "admin," we can steal authorization through cookie tampering.

Directory Traversal

Another name

• File Path Traversal

Definition

Directory traversal is an attack that involves guessing the paths of files or directories within a website in order to directly access those files or directories.

Prevention

To prevent these vulnerabilities, it is important to:

• Limit access to files or directories
• Filter and validate input values
• Filter output values

Example

Using Burp Suite:

If the homepage is split into step1 and step2, you can try to access step3 directly without logging in.

Session Hijacking

Another name

• Session Fixation

Definition

Session hijacking involves an attacker acquiring a valid session and then using that session to impersonate the user or access other accounts.

Prevention

Proper session management is essential:

• Generate session IDs using random and unpredictable values
• Set a reasonable session expiration time
• Use encrypted protocols such as SSL or TLS to transmit session IDs

Example

1. The attacker monitors network traffic to capture the user's session ID.
2. The attacker uses the stolen session ID to log in to the website as an authenticated user.
3. The attacker can now perform malicious actions with the user's privileges.

Authentication Bypass

Another name

• Login Bypass

Definition

Authentication bypass occurs when login is possible without verifying the ID and password or when login can be done through other means.

Prevention

• Authenticate and verify login credentials

Example

1. The attacker discovers a vulnerable authentication mechanism (e.g., weak password policy, missing input validation).
2. The attacker finds a way to bypass the authentication mechanism (e.g., SQL injection, using default passwords, tampering with authentication tokens).
3. The attacker bypasses the authentication process and gains unauthorized access to the system.
4. The attacker can now steal information or manipulate the system without being authenticated.

Brute Force Attack

Definition

A brute force attack is an attack that guesses passwords by trying all possible combinations.

Prevention

• Encourage users to use safe passwords
• Use blacklisting to lock accounts after a certain number of failed logins
• Add security features such as CAPTCHA

Example

Using Burp Suite:

Although the Intruder function in Burp Suite can be used, it is much faster to use Python:

import httplib2

# Suppose that the GET request is made to example.php?otpNum=0000.
# URL of target website (in this case, example.php)
url = "<http://example.php>"

# httplib2 instance creation
http_obj = httplib2.Http()

# Range of otp_num (0000 to 9999)
for otp_num in range(10000):
    # Format otp_num into a 4-digit number (e.g., 0035)
    otp_num_formatted = f"{otp_num:04d}"

    # Add otp_num parameter to GET request
    request_url = f"{url}?otpNum={otp_num_formatted}"
    response, content = http_obj.request(request_url, method="GET")

    # Depending on how the results are found, the processing can be modified.
    # For example, if the server returns a specific message, it can be checked.
    # Use print(content) to check and set success conditions.
    if not b"Login Fail" in content:
        print(f"Success! OTP number is: {otp_num_formatted}")
        break
    else:
        print(f"Failed for OTP number: {otp_num_formatted}")