Weak Session IDs
Objective
This module uses four different ways to set the dvwaSession cookie value; the objective of each level is to work out how the ID is generated and then infer the IDs of other system users.
Security Level: Low
The cookie value should be very obviously predictable.

Let's inspect the page and check for the cookies.

As we can see, the dvwaSession cookie is set to 1. Let's click on the Generate button and check what happens.

The dvwaSession cookie is now set to 1. Now we know that the application increments the cookie every time the user clicks on the Generate button. We could also check the provided source code to be sure.

Security Level: Medium
The value looks a little more random than on low but if you collect a few you should start to see a pattern.
In this level the value of the dvwaSession cookie increments by 1 the first time we click the button and then by 2. This process is repeated as many times as the user clicks the button.