Broken Authentication and Session Management – part Ⅱ

HTTP is a stateless protocol, hence web server does not maintain any track of user activity. To track user activity we generally use Sessions. There are various ways of session management where the server generates a session identifier (ID) initially and ensure that the same ID will be sent back by the browser along with each subsequent request. This helps us to maintain a record of user. Improper handling of these session variables could be a serious threat and allows attackers to gain access to the system. This article illustrates session fixation considering ASP.NET web application. For better understanding I have created a simple ASP.NET application. You can download the project from here. This project has two folders ‘SecureLoginFunc’ & ‘InsecureLogin‘ which contains login & logout mechanism of the application. You need to import the downloaded project to Visual Studio or create a virtual directory in IIS and add this project to it.

As you know a Session is used to track the user activity using a Cookie. In ASP.NET, server creates a cookie named as ‘ASP.NET_SessionId‘ on the client. This ‘ASP.NET_SessionId’ cookie value will be checked for every request to ensure the authenticity & Identity. ASP.NET has two ways of transmitting session IDs back and forth to the browser, either embedded in the URL or through a session cookie. You can easily spot the session ID when it’s embedded in the URL, for example ‘’. Anyway this is not recommended solution.

Continue reading


Broken Authentication and Session Management – part Ⅰ

According to OWASP, Broken Authentication and Session Management was defined as  ‘Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.’ In other words, an attacker can get unauthorized access of the user due to the flaw in the implementation. Before exploiting this vulnerability you need to know few concepts

  1. What is a Session and why do we need a Session
  2. What is a Cookie
  3. What is an Authentication

Continue reading

SQL Injections – Part 2

As you already familiar with the subject SQL injections from the previous article part 1, we will quickly dive into exploitation with SQLi. Login to your bWAPP and select vulnerability SQL Injection (Login Form/Hero). As stated in previous post, we need to do some manual analysis to know the functionality and it’s implementation. Try to login with your some random text (test, test). Now let’s do some dynamic analysis by reviewing source code of the functionality.

Continue reading

SQL Injections – Part 1

Though there are many vulnerabilities, SQL injection (SQLi) has it’s own significance. This is the most prevalent and most dangerous of web application vulnerabilities. Having this SQLi vulnerability in the application, an attacker may cause severe damage such as bypassing logins, retrieving sensitive information, modifying, deleting data. Sometimes this costs life when it comes to Healthcare, Banking domains. Okay introduction apart, the objective of this article is to exploit and read some sensitive data from the database. If you don’t know what exactly is this SQLi then read my other article which may throw some light. I am splitting the subject into two parts, having everything in one might throw you out of interest.

Continue reading

Server side include (SSI) Injection

What is Server side include

Before knowing what exactly it is, I would ask you a simple question. Let’s assume that you need to develop an application of 100 pages with dynamic content. And each page must have a Header, Footer, Logo. What would be your answer? How much time does it take to add header and footer in all the pages?

Continue reading

HTML Injection – Stored

Compared with other types of HTML injections, this would be quite interesting. We can easily trick others with this injection. You can create duplicate login screen, you may inject the code to trick users to click on it. Basically, this HTML stored injection will be stored in the database and retrieved later as per the need.
Continue reading

HTML Injection Reflected – POST

From the previous article we came to know how to find and exploit HTML injection with HTTP verb ‘GET‘. Now we will inject with method ‘POST‘. Pass some values in first name and last name and click on ‘Go’. There’s no much difference in the exploits but notice the URL here, there are no parameters being passed in URL. Whereas in GET method we could see parameters with values in the URL. You can try the examples shown in article HTML Injection with GET.
Continue reading

HTML Injection – Reflected (GET)

Now you know what exactly is HTML injection from my previous article. It’s time to break some code. Once you login to bWAPP, you should see a dropdown ‘Choose your bug‘. Then select HTML injection- Reflected GET and click on Hack button.
Continue reading

HTML Injection Introduction

What is HTML injection?

As you know, HTML is used to design web pages. Yes, you’re right. But what happens if developer forget to sanitize the user input. What happens if developers doesn’t predict when a hacker use the application. Do you know what all could be done if this vulnerability exist? To inject you don’t even need a toolkit. You may deface the site, you may redirect the legit user to malicious site. You may change the content or images by injecting your own HTML code. But yeah, to injection something you need to know HTML basics. HTML injection is bit similar to XSS but the difference here is that you just use plain HTML for injection whereas in XSS you may use script tag with chunk of JavaScript code.
Continue reading