Tuts 4 You

Session Hijacking


mcanpuneet

You can find many tools for changing the session ID in cookies, form-based sessions and many more. You can do this using any proxy, HTTP debugger and many more. But you will not find any tool to decode the session ID in a cookie. In cookies, session IDs are normally in a form like 1600401588313630099709319853232030099705, which is an encoded representation.

Can anyone help me decode this value to get the original session ID?

Thanks in advance

Newbie in Security Domain


You're unlikely to be able to decode a session ID, hence why hijacking is more common. A cookie stealer then replacing the session ID will work; even that assumes that the session ID isn't locked to a particular IP etc.

There are plenty of specialist sites and papers for this stuff....


  • 2 months later...

Hi

Would you mind introducing some of these sites and papers? I'm looking for a full tutorial on stealing the cookie and changing the session ID.

Thanks.

Edited by Arash.A

Decoding is pointless from all aspects. Apache and IIS don't bind it to IP or host string; the domain owner does it through custom session handling, if they even do. PHP and Perl session globals also don't. This is why hijacking is so easy. Even more so on ASP.

One of the easiest ways to deface sites is actually through poorly managed sessions on shared hosts; this is the most popular method among Turkish and Persian defacement groups, who do 20+ sites in a sitting. No popular forum or CMS software does truly custom handling; it's all CGI globals supplemented by DB. It doesn't take a smart person to develop software and convince companies or organizations to buy it with all these new streamline frameworks. Everyone is an expert in their marketing ^^

I developed an easy-to-use CMS that manually handled sessions and even was efficient on metered hosts, and basically nobody ever used it even though it was free. It's fun to go on security sites and see the domain caches and bug trackers of what IS being used sometimes... even more so when the domain just got audited by some notable firm xD

Edited by chickenbutt
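
Added example (not part of the thread and not any poster's code): a Python illustration of the kind of custom session handling mentioned above, where the session ID is an opaque random token with nothing to decode and the server-side record is locked to the client's IP and User-Agent. `SessionStore`, `SESSION_TTL` and the choice of bound attributes are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 1800  # seconds; assumed idle timeout

class SessionStore:
    """In-memory store; session IDs are opaque random tokens, not encoded data."""

    def __init__(self):
        self._sessions = {}

    @staticmethod
    def _fingerprint(ip, user_agent):
        # Hash of the client attributes the session is locked to.
        return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()

    def create(self, user, ip, user_agent, now=None):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = {
            "user": user,
            "fp": self._fingerprint(ip, user_agent),
            "seen": now if now is not None else time.time(),
        }
        return sid

    def validate(self, sid, ip, user_agent, now=None):
        """Return the user, or None if unknown, expired or sent by another client."""
        now = now if now is not None else time.time()
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        expired = now - rec["seen"] > SESSION_TTL
        same_client = hmac.compare_digest(rec["fp"], self._fingerprint(ip, user_agent))
        if expired or not same_client:
            # Destroy on mismatch so a copied cookie cannot be retried.
            del self._sessions[sid]
            return None
        rec["seen"] = now
        return rec["user"]

    def rotate(self, sid, ip, user_agent, now=None):
        """Issue a fresh ID (e.g. after login) and invalidate the old one."""
        user = self.validate(sid, ip, user_agent, now)
        if user is None:
            return None
        del self._sessions[sid]
        return self.create(user, ip, user_agent, now)
```

Strict IP binding also logs out legitimate users whose address changes (mobile networks, some proxies), so it is a trade-off rather than a default.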