OWASP A2 Broken Authentication and Session Management

OWASP A2 Broken Authentication and Session Management

bypass authentication via cookies

Tools: Burp Suite
web app: mutillidae 

To achieve this hack I do the following

• setup our proxy
• register 2 brand new usernames HelenC & SamF
•  login as HelenC then logout
• login as SamF then logout
• next  (in burp) under proxy > http history > pick out the 2 requests that authenticated both users (they have a response code of 302 AND the method is POST 
  

•  right click on the first post message and select send to comparer (request) 
• right click on the second post message and select send to comparer (request) 

we want to compare the server responses when logging in as both users to see if there is any pattern we can detect, if there is a well defined pattern in the servers responses we might be able to exploit this to gain unauthenticated access to another users data

• next click on the comparer tab and select words

as you can see burp automatically compares the 2 server responses and highlights any changes. From this we can clearly see that  server first responded to the user HelenC with (amongst other things) the following header;
Set-Cookie: uid=24
for Sam this value has increment in value by 1, therefore SamF recieved the following header
Set-Cookie: uid=25

This tells me that server (potentially) increments the value of the set-cookie: uid by 1 each time a user registers. Now I will attempt to exploit this behavior by modifying the value of
Set-Cookie: uid=24
to
Set-Cookie: uid=1

lets see what happens

and it worked we have sucessfully logged in as the admin simply by changing the value of 

Set-cookie: uid= 

in the response from the server

for this hack to work you must log in with a known good  username & password (simply register one yourself)

**pls note there are other paramemters that could be tampered with to achieve the same result but this post is simply about tampering with the 

Set-cookie: uid=