Ready to Start Your Career?

Preventing Authentication Bypass with SessionID

sranjanbehera 's profile image

By: sranjanbehera

March 3, 2017

What is SessionID?SessionID is a unique ID for checking the authentication of a logged on user. Based on the SessionID the Server responds to a browser. And the Session Hijacking involves, accessing the random sessionID based on user input. This sessionID is being used for both the Web and Mobile applications. Authentication Bypass places a major stack in application vulnerability.

Possible hybrid strings from user input.username+stringpassword+stringusername+passwordusername+date+string

Here, '+' is used to concatenate two different strings.

The following code could be helpful in order to crosscheck the severity based on the SessionID.

class SessionProgram{static string randomString(int length){const string validChars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789”  //This is the value for defining the string                                stringBuilder res = new StringBuilder();           // Creating Null ObjectRandom rnd = new Random();while (0 < length --){res.Append(validChars[rnd.Next(validChars.Length)]);}}             //End of randomString()                static void Main(string[] args){int length = Console.Read();string usedCase = Console.ReadLine();      // Get string from userstring hybridPass = randomString(length);Console.WriteLine(hybridPass +usedCase);}}

This is a program based on C#. In order to try this code, import the following modules and define this whole SessionProgram class under a Namespace.using System;

using System.Collections.Generic;using System.Linq;using System.Text;using System.Threading.Tasks;

This payload can be used to get sample permutations of various username/password and random strings. The same can be modified for a set of used cases only. Edit the constant string ‘validChars’ with a frequently used parameter value.

**This is for educational purposes only.**

Schedule Demo