So far we know how to connect to the application, gather some useful information and understand how the application works. Along the way we have already found some basic findings for our report, like server information in the response headers or sensitive information that is exposed.
Now let's try to find the real ones, like SQL injection, XSS etc. To find these vulnerabilities we need to understand the application, which we did before. Let's start with cookie-related issues.
- PART 1
- PART 2
- OWASP Testing Guide v4
- Juice Shop
- Free Web security
- OWASP Session Management
- Missing Security Headers
- OWASP Important Security Headers
Check out the OWASP session management page (linked above) to find all the cookie-related issues. Before we start, let me tell you about report writing for cookie-related issues. If you find 3 or 5 cookie-related issues, don't add them to your report as 3 or 5 different vulnerabilities; it doesn't look good or professional.
Instead, add only one vulnerability named Session Management and list all the cookie issues as sub-findings under it, following the structure of the OWASP session management page.
Session ID Name Fingerprinting
We have already covered this one, but that was for our information gathering part. Now we will add it to our report, because the default cookie name tells anyone what technology the application runs on. The default cookie name should be changed to a neutral name like SSID or Session, not PHPSESSID or anything else that identifies the platform.
We should check whether the application's cookies have the HttpOnly and Secure flags set; if not, we add it to our report. We can check this from our browser or from the response headers in Burp Suite.
Here the Secure flag is not set, so we have to add it to our report as a missing Secure flag finding.
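The two checks above (default session cookie name and missing HttpOnly/Secure flags) are easy to script once you have the Set-Cookie headers from Burp. The following is an added example, not code from the original post: it parses Set-Cookie header values and returns the sub-findings to list under a single Session Management entry, as the reporting advice above suggests. The sample headers and the table of default cookie names are constructed for the example.

```python
# Default session cookie names that reveal the server-side technology.
DEFAULT_SESSION_NAMES = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET",
    "CFID": "ColdFusion",
    "CFTOKEN": "ColdFusion",
}


def parse_set_cookie(raw):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flags without a value (Secure, HttpOnly)
    map to True.
    """
    parts = [p.strip() for p in raw.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def session_management_findings(set_cookie_headers):
    """Return (cookie_name, issue) pairs to list under one Session Management finding."""
    findings = []
    for raw in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(raw)
        if name in DEFAULT_SESSION_NAMES:
            findings.append((name, "default session cookie name reveals " + DEFAULT_SESSION_NAMES[name]))
        if "httponly" not in attrs:
            findings.append((name, "HttpOnly flag not set"))
        if "secure" not in attrs:
            findings.append((name, "Secure flag not set"))
    return findings


# Constructed sample Set-Cookie headers, as they might appear in a Burp response tab.
SAMPLE_SET_COOKIE = [
    "PHPSESSID=0f3b9c2d1a4e; Path=/",
    "csrftoken=Q2x1ZUJsdWU; Path=/; Secure; HttpOnly",
    "prefs=dark; Path=/; Secure; SameSite=Lax",
]

if __name__ == "__main__":
    print("Session Management")
    for cookie, issue in session_management_findings(SAMPLE_SET_COOKIE):
        print(f"  - {cookie}: {issue}")
```

Running it prints one heading and four sub-items: three for PHPSESSID (fingerprintable name, no HttpOnly, no Secure) and one for the prefs cookie (no HttpOnly), which is the shape the report section should take.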
Cookie manipulation means we can change the cookie value to something else. As you know, the cookie is set by the application. But what if you change the value of the cookie to anything you like and the application accepts it?
Now every request is using your made-up cookie. You can replace the cookie value with a random value of the same size, or take a cookie from some third-party website and paste it here, then refresh the page. If your cookie is still there, that's cookie manipulation.
Cookie manipulation allows us to perform a session fixation attack.
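What makes cookie manipulation turn into session fixation is a server that keeps whatever session ID the client presents and then upgrades that same ID to a logged-in session. The following is an added example, not code from the original post, showing the server-side behaviour that closes the issue: only server-issued IDs are looked up, anything else is discarded and replaced, and the ID is rotated at login. The `SessionStore` class and `handle_request` function are hypothetical names for this illustration.

```python
import secrets


class SessionStore:
    """In-memory session store that only honours session IDs it issued itself."""

    def __init__(self):
        self._sessions = {}  # session id -> session data

    def create(self):
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
        self._sessions[sid] = {"user": None}
        return sid

    def lookup(self, sid):
        """Return the session for a known ID, or None for anything the server never issued."""
        return self._sessions.get(sid)

    def login(self, old_sid, username):
        """Rotate the session ID at authentication so a pre-set ID never becomes a logged-in one."""
        self._sessions.pop(old_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": username}
        return new_sid


def handle_request(store, cookie_value):
    """Simulate the server receiving a request that carries a session cookie.

    Returns (session_id_to_send_back, session_data). A tampered or foreign
    cookie value is discarded and replaced with a fresh server-issued ID.
    """
    data = store.lookup(cookie_value) if cookie_value else None
    if data is None:
        sid = store.create()
        return sid, store.lookup(sid)
    return cookie_value, data


if __name__ == "__main__":
    store = SessionStore()
    # Client arrives with a cookie value it made up itself (constructed).
    sid, _ = handle_request(store, "deadbeefdeadbeefdeadbeef")
    print("server replaced the made-up cookie:", sid != "deadbeefdeadbeefdeadbeef")
    authed = store.login(sid, "alice")
    print("old id rejected after login:", store.lookup(sid) is None)
    print("new id maps to:", store.lookup(authed)["user"])
```

During a test, the tell-tale sign of the weak behaviour is the opposite of this: you paste an arbitrary value into the cookie, refresh, and the application keeps it rather than sending a new Set-Cookie.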
There are other cookie-related vulnerabilities, but I am talking about the common ones that can be found during a test. You can check the OWASP page linked above for other cookie issues.
Missing Response Headers
Headers are part of the HTTP request and response, and some headers exist for security purposes. Headers like X-Frame-Options or X-XSS-Protection are important to protect the application from certain attacks, so it's important to check whether they are present or not.
We can check manually by analysing the response headers, but for that we need to know which headers should be there. To find out, we will use the security headers website; it will show you all the missing headers.
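If you want the same check without an external site (for internal applications that site cannot reach), the following added example, not code from the original post, compares a response's headers against a list of security headers and also picks out the headers that disclose the server stack, which ties back to the server information finding mentioned at the top. The header list, the sample response and the `fetch_headers` helper are constructed for the example; `fetch_headers` does a live HEAD request and is not exercised here.

```python
import urllib.request

# Headers a response should carry and what each one protects against.
REQUIRED_SECURITY_HEADERS = {
    "strict-transport-security": "browser keeps using HTTPS for the site",
    "content-security-policy": "restricts script/resource sources, limits XSS impact",
    "x-frame-options": "stops the page being framed (clickjacking)",
    "x-content-type-options": "stops MIME sniffing of responses",
    "referrer-policy": "controls what URL data leaks in the Referer header",
}
# X-XSS-Protection is legacy; modern browsers ignore it, so it is not in the required list.

# Headers that leak information about the stack (the server information finding).
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def missing_security_headers(headers):
    """Return the required security headers that are absent from a response."""
    present = {k.lower() for k in headers}
    return [h for h in REQUIRED_SECURITY_HEADERS if h not in present]


def disclosure_headers(headers):
    """Return (header, value) pairs that reveal server technology."""
    return [(k, v) for k, v in headers.items() if k.lower() in DISCLOSURE_HEADERS]


def fetch_headers(url):
    """Live check: fetch a URL with HEAD and return its response headers as a dict."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "header-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed sample response headers, as seen in Burp.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for h in missing_security_headers(SAMPLE_HEADERS):
        print("missing:", h, "-", REQUIRED_SECURITY_HEADERS[h])
    for k, v in disclosure_headers(SAMPLE_HEADERS):
        print("discloses:", k, "=", v)
```

Header names are compared case-insensitively because servers and proxies vary in capitalisation. Some servers answer HEAD differently from GET, so if a live check looks wrong, repeat it with the GET response you already have in Burp.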
CSRF is a common vulnerability you can find during pentesting. Check the resource section above to learn about CSRF. Basically, a CSRF vulnerability allows us to make the application receive an HTTP request by tricking the user into sending it, so it requires some social engineering to exploit.
For example, you are on the password change page and you are my victim. Two fields are required to change the password:
- New password
- Confirm the new password
and you are already logged in. So as an attacker I go to the same page to change my password; I am logged in with my own username/password and I enter my new/confirm password.
Now I capture my password change request and create an HTML file with a hidden form where the new password and confirm new password fields are hidden and their values are set by me.
I also add a visible submit button and save it as index.html. If the victim opens my HTML file and clicks submit, then in the background it sends a password change request to the application from the victim's browser.
But for that we either need to send this HTML file to the victim, who opens it in the same browser where he is logged in, or we need to host this file on our server and send the victim the link.
CSRF on a logout page is possible but is not considered a real finding, so check pages where you can actually do something, like a purchase page, password change or send message page etc.
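The password change example works only because the server trusts the session cookie alone; the browser attaches it to the hidden form's request automatically. The following is an added example, not code from the original post, that puts the vulnerable handler next to a hardened one using a per-session synchronizer token (plus an Origin check). The session store, request dictionaries, handler names and the site origin `https://app.example` are all constructed for the illustration.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data.
SESSIONS = {}
SITE_ORIGIN = "https://app.example"  # assumed origin of the real application


def seed_session(session_id, user, password):
    """Create a logged-in session (stands in for the victim's real login)."""
    SESSIONS[session_id] = {"user": user, "password": password}


def vulnerable_change_password(request):
    """Trusts the session cookie alone, so a form submitted from any site succeeds."""
    sess = SESSIONS.get(request["cookies"].get("session"))
    if sess is None:
        return 401, "not logged in"
    form = request["form"]
    if form.get("new") != form.get("confirm"):
        return 400, "passwords do not match"
    sess["password"] = form["new"]
    return 200, "password changed"


def render_change_form(session_id):
    """The real page embeds a per-session token in a hidden field; returns that token."""
    sess = SESSIONS[session_id]
    sess.setdefault("csrf_token", secrets.token_urlsafe(32))
    return sess["csrf_token"]


def hardened_change_password(request):
    """Same handler with a synchronizer token check and an Origin check."""
    sess = SESSIONS.get(request["cookies"].get("session"))
    if sess is None:
        return 401, "not logged in"
    form = request["form"]
    expected = sess.get("csrf_token")
    submitted = form.get("csrf_token", "")
    # compare_digest avoids leaking the token through timing differences.
    if not expected or not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403, "csrf token missing or invalid"
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request refused"
    if form.get("new") != form.get("confirm"):
        return 400, "passwords do not match"
    sess["password"] = form["new"]
    return 200, "password changed"


def cross_site_request(session_id):
    """What the browser sends when the victim submits a form hosted elsewhere:
    the session cookie is attached automatically, but no token is present."""
    return {
        "cookies": {"session": session_id},
        "headers": {"Origin": "https://attacker.example"},
        "form": {"new": "attacker-chosen", "confirm": "attacker-chosen"},
    }


if __name__ == "__main__":
    seed_session("victim-sid", "victim", "original")
    print(vulnerable_change_password(cross_site_request("victim-sid")))
    seed_session("victim-sid", "victim", "original")
    print(hardened_change_password(cross_site_request("victim-sid")))
```

The token is what a tester looks for when deciding whether a state-changing page is worth a CSRF finding: if the captured request carries no unpredictable, session-bound value and the server still accepts it, the page is vulnerable. A `SameSite` attribute on the session cookie is a second, independent layer, which is why the cookie flags earlier in this post and CSRF end up in the same report.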