1
00:00:00,300 --> 00:00:02,010
Session management testing.

2
00:00:03,050 --> 00:00:08,470
As I mentioned before, HTTP is a stateless protocol.

3
00:00:09,500 --> 00:00:16,910
So what does that mean exactly? It just means that at least two consecutive requests to the same domain are

4
00:00:16,910 --> 00:00:19,340
not associated by the Web server.

5
00:00:20,770 --> 00:00:28,480
So Web servers cannot bind these requests and perform user based tasks. To accomplish this, Web servers

6
00:00:28,490 --> 00:00:34,930
set cookies in the related HTTP responses by adding the Set-Cookie header.

7
00:00:35,790 --> 00:00:42,290
And here, cookies can store unique session information for each user to interact with the application,

8
00:00:43,050 --> 00:00:49,740
so the application can differentiate between users based on these unique session identifiers.

9
00:00:50,650 --> 00:00:55,270
So that's why session management is one of the core components of a Web application.

10
00:00:56,890 --> 00:01:03,970
And we strongly need it; it's essential. It helps to control, maintain and follow the state of the

11
00:01:03,970 --> 00:01:08,170
users or any other entity that interacts with the application.

12
00:01:09,370 --> 00:01:18,010
So session management broadly covers anything from how the user authentication is performed all the

13
00:01:18,010 --> 00:01:20,920
way to what happens to them until they log out.

14
00:01:22,450 --> 00:01:30,130
So in this section, we're going to examine cookies in great detail and then cover some of the necessary

15
00:01:30,130 --> 00:01:31,290
session controls.

16
00:01:31,930 --> 00:01:38,170
Then we're going to continue with two very popular session management vulnerabilities, session fixation

17
00:01:38,590 --> 00:01:41,140
and cross site request forgery.

18
00:01:41,740 --> 00:01:44,460
OK, so let's dive right in.

19
00:01:45,160 --> 00:01:49,500
Now, you, of course, know what cookies are and what they're used for.
20
00:01:49,510 --> 00:01:53,260
I don't want to, you know, add something else to the definition.

21
00:01:55,390 --> 00:02:01,240
So when a Web server sets a cookie with a Set-Cookie header, it can also add some other parameters

22
00:02:01,240 --> 00:02:01,990
to that header.

23
00:02:02,980 --> 00:02:08,860
And we can assume that they are part of the configuration and security parameters of the cookie, right?

24
00:02:09,980 --> 00:02:15,860
So with these parameters, a Web server can define the cookie policy of the application.

25
00:02:17,190 --> 00:02:21,510
So each of these cookie attributes can impact the application security.

26
00:02:22,490 --> 00:02:23,080
Makes sense.

27
00:02:24,260 --> 00:02:33,080
So in the next couple of lessons, we're going to cover cookie attributes, so open Kali and log in to

28
00:02:33,080 --> 00:02:33,560
bWAPP.

29
00:02:34,380 --> 00:02:35,970
And enable FoxyProxy.

30
00:02:37,040 --> 00:02:44,990
Then open HttpOnly cookies from the drop down menu, and when you click on the Hack button, Burp will

31
00:02:44,990 --> 00:02:46,040
get the first request.

32
00:02:46,910 --> 00:02:48,920
And that's what we're looking at here.

33
00:02:49,840 --> 00:02:56,880
So let's forward it and it will redirect us to the associated page, so forward it again.

34
00:02:58,720 --> 00:03:04,030
And then the browser automatically requests the redirected page; forward it.

35
00:03:05,310 --> 00:03:07,740
OK, so this is the response that I want to capture.

36
00:03:09,420 --> 00:03:15,900
Here the application sets another cookie, top_security, with the value no.

37
00:03:17,230 --> 00:03:21,480
And also, there are some other parameters for that cookie.

38
00:03:22,530 --> 00:03:30,770
It has expires and path parameters. So expires tells the browser the point in time when the cookie is

39
00:03:30,780 --> 00:03:31,380
not valid.
40
00:03:33,020 --> 00:03:40,130
This parameter causes the browser to store the cookie into persistent storage until the specified date

41
00:03:40,130 --> 00:03:41,390
value that was set.

42
00:03:42,420 --> 00:03:50,220
It is used to define the persistent cookies and it is reused in subsequent browser sessions until the

43
00:03:50,220 --> 00:03:51,520
expiration date is reached.

44
00:03:52,710 --> 00:04:00,120
So if this attribute is not set, the cookie is used only in the current browser session.

45
00:04:01,210 --> 00:04:05,380
And path tells the browser for which path the cookie is valid.

46
00:04:06,580 --> 00:04:10,900
So the path parameter is used for locking down the cookie to a particular path on the server.

47
00:04:12,200 --> 00:04:20,240
If the domain specified is some domain and the path is set to mail, the cookie would only be sent to

48
00:04:20,240 --> 00:04:23,010
the pages inside that domain's mail path.

49
00:04:23,050 --> 00:04:23,390
OK.

50
00:04:24,690 --> 00:04:29,850
And top_security is valid for all the application's directories.

51
00:04:31,470 --> 00:04:32,550
OK, so forward it.

52
00:04:33,490 --> 00:04:36,940
Disable interception and go to the browser.

53
00:04:38,620 --> 00:04:42,970
Now the developer has prepared a simple page to watch how cookies behave.

54
00:04:44,040 --> 00:04:47,580
So click the Cookies button to see your current cookies.

55
00:04:48,620 --> 00:04:50,930
All right, so we have three cookies with these values.

56
00:04:51,810 --> 00:04:58,170
And if you click here, the JavaScript alert code will execute and show the cookies.

57
00:04:58,890 --> 00:05:03,540
So what we're looking at here is three of the cookies are shown in the alert message.

58
00:05:04,290 --> 00:05:06,810
Now enable Burp interception.

59
00:05:08,010 --> 00:05:10,860
OK, let's change the level to medium.

60
00:05:12,880 --> 00:05:14,590
And forward the request.
61
00:05:16,390 --> 00:05:22,820
And the level's changed, so I'm going to forward until I see, you know, the cookie, OK?

62
00:05:22,930 --> 00:05:25,080
And there is a new cookie here.

63
00:05:25,720 --> 00:05:29,230
It's the same name, but with the value maybe.

64
00:05:30,460 --> 00:05:37,600
Expires and path parameters are still present and there is one more parameter, HttpOnly.

65
00:05:38,350 --> 00:05:45,820
So this parameter is set to mitigate the risk posed by cross site scripting attacks, since it does

66
00:05:45,820 --> 00:05:50,290
not allow the cookie to be accessed via a client side script such as JavaScript.

67
00:05:51,900 --> 00:05:58,700
So if this attribute is set, the cookie cannot be directly accessed via client-side JavaScript, right?

68
00:06:00,120 --> 00:06:04,170
All right, so forward the response and go to the page.

69
00:06:05,320 --> 00:06:09,550
Now click to see cookies, so we have three cookies again.

70
00:06:10,180 --> 00:06:13,810
All right, so let's view them with JavaScript.

71
00:06:14,900 --> 00:06:19,340
And you see the top_security cookie is not in the message now.

72
00:06:20,770 --> 00:06:24,100
Because JavaScript cannot reach HttpOnly cookies.

73
00:06:25,170 --> 00:06:30,360
So this is true as long as there is no exploit in the browser or the server software.

74
00:06:32,860 --> 00:06:36,670
Now, there's not a significant difference if you go to high level.

75
00:06:37,990 --> 00:06:42,460
So I'm just going to view the code, go to the terminal, open up this page.

76
00:06:44,600 --> 00:06:45,800
Scroll down a little bit.

77
00:06:46,780 --> 00:06:48,160
All right, so here's the code.

78
00:06:49,160 --> 00:06:55,790
The setcookie function defines the cookie with its attributes as parameters, and the argument

79
00:06:55,790 --> 00:07:00,920
specifying HttpOnly is set for medium and high level.
80
00:07:01,910 --> 00:07:08,240
In case you were doubting me earlier, the high level is different only because of the expiration

81
00:07:08,240 --> 00:07:08,690
value.

82
00:07:09,980 --> 00:07:14,090
All right, so let's now look at another important parameter.