Learn Ethical Hacking | Learn Hacking Online | Learn How To Hack|Hack Counter Hack| Ethical Hacking Tutorials

Home   ||   See All Tutorials  ||   Products  ||   About This Blog   ||  Subscribe To RSS Feed

Join facebook group THE HACKER DEVIL

Hacked Session XSRF Attack

Hacked Session XSRF Attack

In our last post we discussed countermeasures against session hacking. Here we gonna discus one more attack that can be done if session is not protected. Hacked session XSRF attack is combination of session hacking and cross site request forgery(XSRF). Hacked session XSRF vulnerabilities arise where HTTP cookies are used to transmit session tokens. That means once HTTP cookie is set in browser it'll automatically submit that cookie back to application for every request.
This purely states that if application does not take precautions against misuse of tokens it will be not be only vulnerable to session management attack but also to XSRF attack and when both will be combined a more stronger attack can be performed. Exploiting this vulnerability is easy, have a look on following steps.

  • Find vulnerable website.
  • Find application which performs action without user's knowledge.
  • Now create a HTML page that will perform desired action by application without interacting with user to set cookie. Use PHP or Java script to perform desired action.
  • When user is logged on, anyhow make him/her load your HTML page. You can select email or link on social network to vector your page.

The very first step countermeasure to this attack is same as countermeasures against session management attacks. If you are reading this post for very first time you are requested to read our previous posts on session hacking and XSRF to understand attack thoroughly. In next post to this we will have our look on preventive measures against XSRF attacks. Till then thanks for reading, have a nice time and keep visiting.

Free Ethical Hacking Training | Learn Ethical Hacking Online Free | Learn How To Hack | Hack Counter Hack | Ethical Hacking Tutorials | Devil's Blog On Security