Personal Website Github LinkedIn

Personal Website Github LinkedIn

Home
Blue Team Labs Online
bWAPP
Command Challenge
CryptoHack
- General
  Encoding
  ASCII
  Hex
  Base64
  Bytes and Big Integers
  XOR
  XOR Starter
  XOR Properties
  Favourite byte
  Mathematics
  Greatest Common Divisor
  Extended GCD
CSAW 2023
CTFLearn
CyberDefenders
DVWA
Ethernaut
- 00 - Hello Ethernaut
Exploit Education
- Protostar
  Stack Zero
  Stack One
  Stack Two
  Stack Three
  Stack Four
  Format Zero
Google CTF - Beginner's Quest
- 0000
- 1837
- 1943
- 1965
- 1987
- 1988
- 1989
- 1990
- 1994
Hacker101
- Postbook
LetsDefend
- DFIR
  Phishing
  Email Analysis
  Phishing Email
Microcorruption
NetGarage IO
- level 1
- level 2
OverTheWire
- Bandit
PicoCTF
PortSwigger labs
- Client-side topics
  Cross-site scripting (XSS)
  Reflected XSS into HTML context with nothing encoded
  Stored XSS into HTML context with nothing encoded
  DOM XSS in document.write sink using source location.search
  DOM XSS in innerHTML sink using source location.search
  DOM XSS in jQuery anchor href attribute sink using location.search source
  DOM XSS in jQuery selector sink using a hashchange event
  Reflected XSS into attribute with angle brackets HTML-encoded
  Stored XSS into anchor href attribute with double quotes HTML-encoded
- Server-side topics
  SQL injection
  SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
  SQL injection vulnerability allowing login bypass
  SQL injection attack, querying the database type and version on Oracle
  SQL injection attack, querying the database type and version on MySQL and Microsoft
  SQL injection attack, listing the database contents on non-Oracle databases
  SQL injection attack, listing the database contents on Oracle
  SQL injection UNION attack, determining the number of columns returned by the query
  SQL injection UNION attack, finding a column containing text
  SQL injection UNION attack, retrieving data from other tables
  SQL injection UNION attack, retrieving multiple values in a single column
  Authentication
  Username enumeration via subtly different responses
  Password reset broken logic
  Username enumeration via different responses
  2FA simple bypass
  Path traversal
  File path traversal, traversal sequences stripped non-recursively
  File path traversal, traversal sequences blocked with absolute path bypass
  File path traversal, simple case
  File path traversal, traversal sequences stripped with superfluous URL-decode
  File path traversal, validation of start of path
  File path traversal, validation of file extension with null byte bypass
  Command injection
  Blind OS command injection with output redirection
  OS command injection, simple case
  Blind OS command injection with time delays
  Business logic vulnerabilities
  Flawed enforcement of business rules
  Excessive trust in client-side controls
  Inconsistent security controls
  High-level logic vulnerability
  Information disclosure
  Authentication bypass via information disclosure
  Source code disclosure via backup files
  Information disclosure on debug page
  Information disclosure in error messages
  Access control
  Referer-based access control
  Multi-step process with no access control on one step
  Insecure direct object references
  URL-based access control can be circumvented
  Method-based access control can be circumvented
  User ID controlled by request parameter with password disclosure
  User ID controlled by request parameter with data leakage in redirect
  User ID controlled by request parameter, with unpredictable user IDs
  User ID controlled by request parameter
  User role can be modified in user profile
  Unprotected admin functionality with unpredictable URL
  Unprotected admin functionality
  User role controlled by request parameter
  Server-side request forgery (SSRF)
  Basic SSRF against another back-end system
  Basic SSRF against the local server
  SSRF with blacklist-based input filter
  XXE injection
  Exploiting XXE to perform SSRF attacks
  Exploiting XXE using external entities to retrieve files
Pwn College
pwanable.kr
- fd
- random
Root Me
ROP Emporium
- ret2win
- split
TryHackMe
- Easy
  Agent Sudo
  Anthem
  Archangel
  Bounty Hacker
  Brooklyn Nine Nine
  Brute It
  c4ptur3-th3-fl4g
  Chill Hack
  Crack the Hash
  CTF collection Vol.1
  Cyborg
  Fowsniff CTF
  GamingServer
  h4cked
  LazyAdmin
  Lian_Yu
  OhSINT
  Overpass
  Pickle Rick
  RootMe
  Searchlight - IMINT
  Simple CTF
  Startup
  Sudo Security Bypass
  tomghost
  Wgel CTF
  Year of the Rabbit
- Medium
  Anonymous
  ConvertMyVideo
  UltraTech
Under The Wire
- Century
- Cyborg
W3Challs
- Web
  Change your browser
Websec.fr

Powered by GitBook

On this page

Security Level: Low
Security Level: Medium

Was this helpful?

Weak Session IDs

Last updated 1 year ago

Objective
This module uses four different ways to set the dvwaSession cookie value, the objective of each level is to work out how the ID is generated and then infer the IDs of other system users.

Security Level: Low

The cookie value should be very obviously predictable.

Let's inspect the page and check for the cookies.

As we can see, the dvwaSession cookie is set to 1. Let's click on the Generate button and check what happens.

The dvwaSession cookie is now set to 1. Now we know that the application increments the cookie every time the user clicks on the Generate button.
We could also check the provided source code to be sure.

Security Level: Medium

The value looks a little more random than on low but if you collect a few you should start to see a pattern.

In this level the value of the dvwaSession cookie increments by 1 the first we click the button and then by 2.
This process is repeated as many times as the user clicks the button.