January 21, 2020

Preventing Authentication Bypass with SessionID

sranjanbehera
Share

What is SessionID?SessionID is a unique ID for checking the authentication of a logged on user. Based on the SessionID the Server responds to a browser. And the Session Hijacking involves, accessing the random sessionID based on user input. This sessionID is being used for both the Web and Mobile applications. Authentication Bypass places a major stack in application vulnerability.

Possible hybrid strings from user input.username+stringpassword+stringusername+passwordusername+date+string

Here, '+' is used to concatenate two different strings.

The following code could be helpful in order to crosscheck the severity based on the SessionID.

class SessionProgram{static string randomString(int length){const string validChars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789”  //This is the value for defining the string                                stringBuilder res = new StringBuilder();           // Creating Null ObjectRandom rnd = new Random();while (0 < length --){res.Append(validChars[rnd.Next(validChars.Length)]);}}             //End of randomString()                static void Main(string[] args){int length = Console.Read();string usedCase = Console.ReadLine();      // Get string from userstring hybridPass = randomString(length);Console.WriteLine(hybridPass +usedCase);}}

This is a program based on C#. In order to try this code, import the following modules and define this whole SessionProgram class under a Namespace.using System;

using System.Collections.Generic;using System.Linq;using System.Text;using System.Threading.Tasks;

This payload can be used to get sample permutations of various username/password and random strings. The same can be modified for a set of used cases only. Edit the constant string ‘validChars’ with a frequently used parameter value.

This is for educational purposes only.

Start learning with Cybrary

Create a free account

Related Posts

All Blogs
Building a Security Team
June 27, 2023

Digital Forensics and Incident Response: What It Is, When You Need It, and How to Implement It

A quick guide to digital forensics and incident response (DFIR): what it is, when it’s needed, how to implement a cutting-edge program, and how to develop DFIR skills on your team.

Read More
Building a Security Team
June 28, 2023

How to Build a Red Team

An overview of what a red team is (and isn’t), and practical tips on how to build a Red Team and develop offensive security skills in your team.

Read More
Tools & Applications
June 7, 2023

How to Make the Most of Blending Learning with Cybrary Live

Learn how to get the most from your cybersecurity training platform by blending on-demand learning with virtual, live courses led by industry experts.

Read More
News & Events
June 7, 2023

Introducing the New Cybrary Learner Experience

Cybrary is launching a key update to the Cybrary Learner experience to elevate hands-on learning and measurement as guiding tenets of Cybrary’s mission.

Read More