
LABORATORY 3

ITT 557
SESSION HIJACKING PART 1

NAME: SITI FARHANA BINTI MOHAMMAD TAJUDDIN


STUDENT ID: 2020878252
LAB OBJECTIVES
At the end of this laboratory session, students should be able to:
i. Understand the session hijack attack
ii. Provide solutions to stop the session hijack attack on both the server side and on
the coding side.

REQUIREMENTS
For this laboratory session, students are required to have the following:
i. A running web server installation (WAMP or XAMPP)
ii. Code Editor (Notepad++, Sublime Text or Visual Studio)
iii. 2 different types of browser (any 2 of Chrome, Firefox or Edge)
iv. Postman

FOR THIS LAB, THERE ARE 2 PARTS.


PART I – SESSION FIXATION ATTACK.
PART II – SESSION HIJACKING ATTACK.

INSTRUCTIONS (PART I)

PART 1A: UNDERSTANDING SESSION FIXATION ATTACK

1. Download your preferred Apache and PHP package installation (MAMP or XAMPP)
and install.
2. Once the installation is completed and you have verified that the webserver is up
and running, create a phpinfo() page to see the PHP configuration.
a. Create a file called akurindukucingku.php
b. Insert the following code inside the file, and save.

<?php
phpinfo();
?>

c. Access the file you created using a web browser; you should get a page like the
following:
2 | Mohd Ali Mohd Isa © 2022

Figure 1: phpinfo( ) page

d. Scroll down through the page until you reach the section for Session. Look
for the following settings session.use_only_cookies and
session.use_strict_mode.
e. For this lab, the setting for both parameters needs to be:

session.use_only_cookies = 0
session.use_strict_mode = 0



f. If your settings are already correct, then skip to step 3, else continue with
the next steps.
g. To edit the configuration settings, you need to edit the php.ini file. You can
find the location of your php.ini file by looking at the phpinfo( ) page, and
look for the setting Loaded Configuration File.
h. Open php.ini and search for the above 2 configurations, edit so that both are
set to 0. Save the file and restart your webserver.
i. Reload your phpinfo page and verify that both settings have been changed.

3. Download the sessionfixation.php file from Google Classroom and save it inside your
web home folder. This is normally a folder called htdocs or www in some cases.

4. Open up a browser (Let us call it Browser 1) and access the file via URL:

http://localhost/sessionfixation.php

5. You should get the following page.

6. Now we need to find the complete session ID. By using your knowledge learnt in
Laboratory session 1, find the complete Session ID in the Request Headers.
7. Once you have the session ID, copy the session ID.
PHPSESSID=lhco3v2ld8ucjqghaje6f35v41

8. Open a new browser (Browser 2) other than the one you are using now. (For
example, if now you are using Chrome, open Edge or Firefox)
9. Type in the following URL:

http://localhost/sessionfixation.php?PHPSESSID=<session id>

10. Make sure to replace <session id> with the complete session id that you have found.
11. You should get the following:



12. Notice that Browser 2 also has the same Session ID as Browser 1.
In this lab, we only copied the crafted URL and opened it in a new browser. In a real life
scenario, an attacker could send this crafted URL to another user via instant
messaging, SMS, or email, forcing the user to use the same Session ID as the attacker
when the user clicks on the link provided.
This attack is called a Session Fixation attack. In this attack, the attacker forces an
unsuspecting user into using the same Session ID as the attacker.
13. Now we are going to authenticate the user in Browser 2. Change the URL so that it
becomes:

http://localhost/sessionfixation.php?PHPSESSID=<session id>&password=allahisgreat

and press Enter.
14. The page should refresh and the user in Browser 2 should be logged in and receive a
welcome message.
15. This is what it should look like: Browser 2 (at the bottom) is logged in while
Browser 1 (at the top, the attacker) is still not logged in.

16. Now, since both the user and the attacker are sharing the same session ID, when the user logs
in the attacker should get logged in too. Go back to Browser 1 and hit refresh.

You should see that Browser 1 also changes to logged in without the need for the
attacker to enter the password. And this, my friend, is what we call a Session
Fixation attack.

17. Clap 5 times so that I know you have completed the first part of the lab! :D



PART 1B: DEFENSE AGAINST SESSION FIXATION ATTACK
In this part, we are going to look at ways to defend against the session fixation attack.
There are 2 ways:
1. Via coding
2. Via server configuration

Sometimes as a programmer, we do not have access to change the server configuration,
so we need to implement the defense in our code.

1. Open the file sessionfixation.php using your chosen text editor.


2. Go to line 7 and add the following:

session_regenerate_id();

3. The function generates a new session ID for the user when they log in.
4. The code should look like the following:

5. Save the file, and try to carry out the attack again. You will notice that this time the
attack fails.
6. This is how to defend against the attack via code.
7. Comment out the line session_regenerate_id(), and verify that the attack can be
carried out again.
8. Now we are going to see how to defend against the attack via server configuration.
9. Open php.ini using editor.
10. Search for the following variable:

session.use_only_cookies



11. Change the settings from 0 to 1, like so:

session.use_only_cookies = 1

12. Restart the webserver and try to carry out the Session Fixation attack again. You
should see that the user's Session ID is now always different from the attacker's Session
ID.
13. Well Done! Clap 7 times so that I know you have completed part 1B.
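Both defenses from Part 1B in one login script, added here as an example and not the lab's sessionfixation.php: it applies the two php.ini settings from code, for the case where the programmer cannot edit php.ini, and regenerates the ID on login. The password value is the lab's; checking it against a constant and the welcome text are assumptions.

```php
<?php
// Added example, not the lab's sessionfixation.php. The page layout and the
// way the password is checked (a single constant) are assumptions.

// Code-level equivalent of the php.ini change in Part 1B steps 9-12, for the
// case where php.ini cannot be edited. Both must run before session_start();
// both directives can be set at runtime in PHP.
ini_set('session.use_only_cookies', '1'); // ignore ?PHPSESSID=... in the URL
ini_set('session.use_strict_mode', '1');  // reject an ID the server never issued
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

// The lab's demo password, passed as a URL parameter in Part 1A step 13.
// A real application would read it from a POST form, not the query string.
const DEMO_PASSWORD = 'allahisgreat';

if (isset($_GET['password']) && hash_equals(DEMO_PASSWORD, (string) $_GET['password'])) {
    // The fix from Part 1B step 2. Whatever ID this browser arrived with
    // (possibly one planted by the attacker) is replaced by a fresh one, and
    // the old session file is deleted (argument true), so an attacker holding
    // the old ID no longer shares any state with the logged-in user.
    session_regenerate_id(true);
    $_SESSION['logged_in'] = true;
}

$status = empty($_SESSION['logged_in']) ? 'Not logged in.' : 'Welcome, you are logged in.';
echo $status . ' Session ID: ' . htmlspecialchars(session_id(), ENT_QUOTES, 'UTF-8');
```

With use_strict_mode on, the planted PHPSESSID from Part 1A is discarded at session_start() even before login, so Browser 2 never shares the attacker's ID at all.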
PART 2: ADVANCED SESSION ATTACK

In part 1 we have seen that the attack can be stopped if we set the variable session.use_only_cookies
= 1 in our configuration file, since this stops the attacker from forcing the client to use the
same session ID as the attacker.
But what if the attacker manages to get the user's session ID? Can the attacker hijack the user's
session?
1. Open the phpinfo() page and verify that the setting for the variable
session.use_only_cookies is set to 1.

2. Download the zip file session-hijack.zip from Google Classroom. Unzip the file and place it
inside your webserver root folder. This is normally a folder called htdocs.

3. Open the index page, which can be accessed via the following URL:

http://localhost/session-hijacking/

4. You should get the following page:



5. The page shows the current session ID at the top and a form for the user to log in at the
bottom. Try and refresh the page a few times. Does the session ID change every time
the page is refreshed?

Answer: No

6. Let us try to access the admin page directly to see if the session has been implemented
correctly. Access the following URL:

http://localhost/session-hijacking/admin.php

7. We should get a message saying that we are not authorized to view the admin page.

8. Now go back to the login page, and log in using admin/admin as the username and
password combination.
9. You should get access to the admin page. Once you have logged in, does the session ID
change to a new one?
Answer: No
10. We are now going to mimic another request by the attacker using a piece of software called
Postman. Postman is a tool normally used by web developers to test their
websites' requests/responses and APIs.
11. Head over to https://www.postman.com/downloads/ and download the version
compatible with your computer.
12. Once the files have been downloaded, run Postman.
13. You will need to have an account before you can start using Postman, so sign up for
an account.



14. Sign in to your account and you should get the following interface.

15. Click on Send a request


16. In the enter request URL field, type in http://localhost/session-hijack/
17. Notice that here, the session ID of the attacker is different from the admin user's.

18. Try to also access the admin page via Postman to verify that we are unable to access
the admin page.

19. Click on the Cookies tab, it will show the current session ID of the attacker.

20. Let’s assume that the attacker has managed to steal the admin session ID via other
attacks, such as Cross Site Scripting (which we will cover later). Can the attacker log in
as admin, only by knowing the Session ID? Let us try.
21. Copy the Session ID obtained from the admin page.
22. Replace the Session ID value inside Postman with the admin Session ID. How?
23. Click on the Cookies button.
24. On the resulting Cookies panel, click on PHPSESSID and then modify the value so that
the Session ID is the same as the admin Session ID.


25. Click on Save and close the Cookies panel.


26. Access the admin page again and now you should be logged in as admin.
27. This is an example of why it is dangerous if an attacker can gain access to a user's
Session ID. Even if the server has been configured to only use cookies, it is still
susceptible to a session hijacking attack.
28. Based on the above scenario, modify the source code for admin.php and logout.php
so that the attacker will not be able to carry out the session hijack attack. Write down
the answer, indicating the line number where changes should be made and what
code should be added, along with an explanation of why you think this should
work.
29. Well done for completing the lab, and I hope you enjoyed learning about how sessions can
be compromised.
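One way to address step 28, added here as an example and not code from the lab's session-hijack.zip: a shared guard that admin.php would require at the top, plus a logout routine that fully destroys the session. The file name guard.php, the $_SESSION keys, and the 15-minute idle timeout are assumptions.

```php
<?php
// Added example (assumed file name: guard.php), not code from session-hijack.zip.
// admin.php would start with:  require 'guard.php'; require_admin();
// logout.php would start with: require 'guard.php'; logout();
// The $_SESSION keys and the 15-minute idle timeout are assumptions.

ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params(['httponly' => true, 'samesite' => 'Strict']);
session_start();

// Ties the session to the client that logged in. In Part 2 the replayed
// PHPSESSID arrives from Postman, whose User-Agent differs from the browser's,
// so the comparison fails. This raises the bar but does not stop an attacker
// who also copies the User-Agent; HttpOnly/Secure cookies, HTTPS and short
// session lifetimes remain essential.
function client_fingerprint(): string {
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Call once the username/password check in the login handler succeeds.
function login(string $user): void {
    session_regenerate_id(true);            // new ID on login (cf. step 9)
    $_SESSION['user'] = $user;
    $_SESSION['fingerprint'] = client_fingerprint();
    $_SESSION['last_seen'] = time();
}

// Gatekeeper for admin.php. Any mismatch invalidates the session outright,
// so a replayed ID is not just refused but made useless for everyone.
function require_admin(): void {
    $valid = isset($_SESSION['user'], $_SESSION['fingerprint'], $_SESSION['last_seen'])
        && $_SESSION['user'] === 'admin'
        && hash_equals($_SESSION['fingerprint'], client_fingerprint())
        && (time() - $_SESSION['last_seen']) < 900;
    if (!$valid) {
        logout();
        http_response_code(403);
        exit('You are not authorized to view the admin page.');
    }
    $_SESSION['last_seen'] = time();
}

// logout.php: clear the data, expire the cookie in the browser, and delete the
// server-side session so a stolen ID replayed afterwards finds nothing.
function logout(): void {
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```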



Answer:
