Using (and Abusing) Session IDs
Once my victim had fallen prey to the XSS attack, I had all the information I needed to access the site. Now I just needed to put this information to good use to see how far it would take me.
There are several tools available that make web application testing much easier. One of these is Burp, available from http://portswigger.net. Burp is a Java-based intercepting proxy that lets you inspect and modify your browser's web traffic. It includes a scanner, repeater, proxy, and even a fuzzer that can quickly find flaws and expose bugs in an application. I used it to intercept a web request and overwrite the session ID value with the captured one, which gave me access to the site.
To do this, I viewed the captured value (810fcb55ded4c14f75a8a1b8807266b3), then loaded Firefox and changed the connection settings under Tools > Options > General. In this screen, I added an HTTP proxy of 127.0.0.1 on port 8080, the default for Burp. Next I started Burp, waited for it to load, and directed the browser to http://targetsite.com/index.php. Figure 2 illustrates what happens in Burp and how easy it is to overwrite a session ID value. Once the value was overwritten, I disabled the intercept feature and hit the Forward button. At this point, I was given access to the client portion of the application, as Figure 3 shows.
Figure 2: Burp in action
Figure 3: Inside the client application
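The defensive counterpart to the replay described above, added here and not part of the original write-up: a small detector that reads web-server access logs and flags a session ID presented by a client whose IP address or User-Agent differs from the client that first established it, which is exactly how a hijacked session surfaces on the server side. The log lines are constructed samples, and the format (combined log format with the session cookie logged as a trailing field) is an assumption.

```python
import re

# Constructed sample access log (not from the original write-up). Each line is
# combined log format plus the session cookie value as a trailing "sid=..." field.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:01 +0000] "POST /login.php HTTP/1.1" 302 0 "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0" "sid=810fcb55ded4c14f75a8a1b8807266b3"
203.0.113.10 - - [10/Oct/2023:13:55:04 +0000] "GET /account.php HTTP/1.1" 200 2048 "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0" "sid=810fcb55ded4c14f75a8a1b8807266b3"
198.51.100.7 - - [10/Oct/2023:13:58:30 +0000] "GET /index.php HTTP/1.1" 200 2048 "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0" "sid=810fcb55ded4c14f75a8a1b8807266b3"
203.0.113.10 - - [10/Oct/2023:13:58:41 +0000] "GET /account.php HTTP/1.1" 200 2048 "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0" "sid=810fcb55ded4c14f75a8a1b8807266b3"
198.51.100.7 - - [10/Oct/2023:13:59:02 +0000] "GET /client/index.php HTTP/1.1" 200 4096 "Mozilla/5.0 (X11; Linux x86_64) Firefox/117.0" "sid=810fcb55ded4c14f75a8a1b8807266b3"
192.0.2.44 - - [10/Oct/2023:14:01:10 +0000] "GET /index.php HTTP/1.1" 200 512 "Mozilla/5.0 (Macintosh) Safari/605.1" "sid=-"
192.0.2.44 - - [10/Oct/2023:14:01:15 +0000] "GET /index.php HTTP/1.1" 200 512 "Mozilla/5.0 (Macintosh) Safari/605.1" "sid=4c1f0f3d2a9b8e7d6c5b4a3928170605"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ua>[^"]*)" "sid=(?P<sid>[^"]*)"$'
)


def detect_session_reuse(log_text):
    """Flag every request in which a session ID is presented by a client whose
    (IP, User-Agent) pair differs from the client that first used that ID.
    Returns one alert dict per offending request, in log order."""
    first_client = {}  # sid -> (ip, ua) of the client that established the session
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m or m["sid"] in ("", "-"):
            continue  # unparseable line, or no session cookie was sent
        sid, client = m["sid"], (m["ip"], m["ua"])
        origin = first_client.setdefault(sid, client)
        if client == origin:
            continue  # same client that established the session: normal traffic
        changed = [name for name, a, b in (("ip", origin[0], client[0]),
                                           ("ua", origin[1], client[1])) if a != b]
        alerts.append({"line": lineno, "sid": sid, "ts": m["ts"], "request": m["req"],
                       "origin": origin, "client": client, "changed": changed})
    return alerts


if __name__ == "__main__":
    for a in detect_session_reuse(SAMPLE_LOG):
        print(f"line {a['line']}: session {a['sid'][:8]}... presented by {a['client'][0]} "
              f"(changed: {', '.join(a['changed'])}) for {a['request']}")
```

On the sample data the first login session is flagged twice, once when the same session ID arrives from a second IP address and again when it arrives with a different browser as well; the session that was merely re-established from the same client produces no alert.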