@hackerspider1 @KiaInd @Apple @Tesla Totally agree.
For me, @KiaInd stands out as the best option in this price segment in India. Premium features, strong quality, and real value for money.
My 2022 Kia Carens has already done 42,000 km and I still don't regret choosing it for a second.
RCE in mail
On the login/register page:
1. Insert a normal mail and intercept it in Burp
2. Replace the mail with an OS command payload
3. Don't use spaces in the payload
4. Replace spaces with ${IFS}
5. Try blind OS injection using a Burp Collab URL
Join my telegram https://t.co/J6uPf8H57o
DAY 1:
Found R XSS via iconURL parameter
https://Redacted/o/marketplace-app-manager-web/icon.jsp?iconURL=https:///%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E
Portal: Marketplace manager
Bug: Reflected XSS
#XSS #BugBounty #WebSecurity #Hacking #InfoSec
1/6
Back with 5 hard-earned #bugbounty lessons after vanishing for a while:
Pivot, don't quit.
Bored of the main web app? Switch to API → Docs → Mobile app of the same target. Depth beats breadth.
#infosec #bugbountyhunting #cybersecurity
6/6
Summary:
Recon is multi-layered (JS → JSON → API → Roles).
Stay in one program longer.
Test every path, every role.
Forgotten dev files & legacy endpoints still pay big.
Consistency beats talent. Day 1 is today.
#bugbounty #infosec #cybersecurity #bugbountytips #hackers
After vanishing from the scene, I'm officially back on the bug bounty grind.
Day 1 starts NOW.
10 AM - 7 PM:
10-2 PM: Deep Learning
2-3 PM: Break
3-7 PM: Active Hunting
Consistency is the key. The journey begins again.
#BugBounty #CyberSecurity #HackTheBox #infosec #Day1
Let's learn Auth Bypass via Session Stuffing! Easy P1s to find if the target is susceptible.
Ok, so what's "Session Stuffing"?
In the wonderful land of server-side code, developers can use session variables to store information. These variables can be things like your username, your user id, your preferred pickup location for groceries, really anything. These variables are stored server side only, so in general, some action triggers creating or changing them.
Imagine we have a variable scope called "session" (that stores the session variables). So we may have a "session.userId" and "session.userName" and "session.isLoggedIn".
Login Dialogue
When you enter the correct username and password on a login screen, the server could decide it wants to store your user name, and the fact that you are logged in. So server code may say "if session.isLoggedIn = true, do some lookup using session.userName". You with me?
Forgot Password
Nobody that is already logged in would need to hit a forgot password screen right? So devs don't necessarily think of this use case. But imagine you open the forgot password screen intended for unauthenticated visitors, after already having logged in.
Let's say the forgot password box asks for your username, so it can send you a password reset link or ask you a password reset question. It needs to know if you have an account first. It temporarily sets session.userName to whatever you type in.
Let's stuff this puppy
So what happens if we log in to Bob's account?
Server sets:
session.isLoggedIn = true
session.userName = bob
Now while still logged in, we pivot to the 'forgot password' tab. We key in username "tina".
Server temporarily sets session.userName = "tina" to pull back password reset questions.
Back on Bob's account page, I now hit refresh, and I'm now logged in and see all of Tina's information, and actually have become Tina.
What happened here?
The doofus devs used the same session variable for forgot password and login dialogues and did not force logout when utilizing password reset. So one page stuffs/replaces a variable in an already authenticated session, resulting in a total auth bypass for anyone else's account via username only.
Result?
I've done this on some Fortune 10 websites, some banking software used by 1000s of banks, and on some electric utilities (all with permission). In the case of the online banking software, it was absolutely terrifying that something this dumb could have led to many, many millions in theft.
Make sure to test for dumb stuff like this! And people say hacking is hard...
#CyberSecurity #infosec #bugbounty #Hacking
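The flaw described in this thread, as an added example that is not from the original poster: a minimal in-memory Python model of the shared session key, beside a hardened variant that forces logout on password-reset use and keeps the reset flow's state under a separate key. The user store, passwords and key names are constructed for illustration.

```python
# Added example (not from the original thread): an in-memory model of the
# "session stuffing" bug described above, beside a hardened variant.
# All account data, user names and session key names are constructed here.

# Constructed user store: username -> data the account page would show.
USERS = {
    "bob": {"password": "hunter2", "reset_question": "First pet?", "balance": 120},
    "tina": {"password": "s3cret", "reset_question": "Birth city?", "balance": 9800},
}


def login(session, username, password):
    """Authenticate and record the identity in the server-side session."""
    if USERS.get(username, {}).get("password") != password:
        return False
    session["isLoggedIn"] = True
    session["userName"] = username
    return True


def forgot_password_vulnerable(session, username):
    """Flawed pattern: the unauthenticated reset flow reuses the very key
    that the login flow uses for the authenticated identity."""
    if username not in USERS:
        return None
    session["userName"] = username          # overwrites the logged-in identity
    return USERS[username]["reset_question"]


def forgot_password_fixed(session, username):
    """Hardened pattern: authenticated state is dropped before the reset
    flow runs, and the reset flow never writes to the identity key."""
    if session.get("isLoggedIn"):
        session.clear()                     # force logout on password-reset use
    if username not in USERS:
        return None
    session["pwResetUser"] = username       # separate, non-identity key
    return USERS[username]["reset_question"]


def account_page(session):
    """What the account page renders: whoever the session says is logged in."""
    if not session.get("isLoggedIn"):
        return None
    return session["userName"], USERS[session["userName"]]["balance"]


def demo(forgot_password):
    """Log in as bob, use the forgot-password flow for tina, then refresh."""
    session = {}
    login(session, "bob", "hunter2")
    forgot_password(session, "tina")
    return account_page(session)
```

With the vulnerable handler the refreshed account page belongs to tina; with the fixed handler the session is no longer authenticated and the page renders nothing.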