Students are introduced to the concepts underpinning website logins: specifcally, sessions and the cookies that underlie them. Using an insecure session cookie encoded in base64, students are asked to switch to a different account to perform actions as that user. Note: This exercise uses the names “Swiss National Bank” and “Donald Trump” due to student interest; the details of this exercise are in no way related to the actual Swiss National Bank or the “real” Donald Trump.
- A Kali Linux instance:
- No extra programs beyond those provided by a clean install are needed to complete this exercise.
- A Linux-based target VM running atop Kali Linux:
- With static IP, reachable from Kali on a VirtualBox Host-Only network (if previous exercise was used, change the IP to make students search for it again).
- Without the SSH server daemon running.
- With a secure password for all UNIX users that can login to the system (students should be discouraged from trying to hack into the VM itself, as the point of this exercise is to exploit a hole in the web application).
- With this Django application or a similar one running on port 80 of the VM and accessible from Kali. This is a standard Django application using a SQLite database that expects to be run under Nginx within the VM. Nginx should be configured to start automatically each time the VM boots.
Background Info to Provide Students
Inform students that the VM serves up a Swiss National Bank login page on port 80. Using what they’ve learned in previous exercises, have them find the IP of the VM and open the bank’s site in their browser.
Then, inform them that there are two important accounts accessible from the bank’s website:
- They have access to the ‘tumaini’ account, with password ‘senior’.
- There is also an account named ‘trump’, but the password is unknown and cannot easily be cracked.
Their goal is to login as ‘tumaini’, then switch to the ‘trump’ account by way of a vulnerability in the website. Show them how to use Firefox’s Inspector panel and browse to different areas of interest. Tell them that anything to do with cookies, users, or passwords should be looked at closely.
If they get stuck, refer them to page 240 of The Web Application Hacker’s Handbook by Dafydd Stuttard and Marcus Pinto, keeping a close eye out for references to “cookies.”
- Shows the
vboxnet0interface as having an IP address range of i.e. 192.168.56.??? (depending on specific configuration in VirtualBox and assuming subnet of 255.255.255.0).
- Shows the
$ nmap 192.168.56.0-254
- To find all hosts on the network with open ports; this will turn up one IP with port 80 open.
- In Firefox, browse to the IP address discovered above.
- Log in to the Swiss National Bank website as ‘tumaini’ with password ‘senior’.
- In the Cookies view of Firefox’s Inspector tool, observe that there is a
USERNAMEcookie set to
$ base64 --decode
dHVtYWluaQ==followed immediately by
- Output is
tumaini; can we change this to
trumpfollowed immediately by
- Ouput is
- Return to the Inspector tool and change the value of the
- Refresh the page to see that we are now logged in as Trump.
- Click the “Transfer Money” button in Trump’s account.
- Enter the Client ID for the ‘tumaini’ account (
549302994) and amount to transfer (
- Click “Begin Transfer” to get password confirmation prompt.
- But without knowing the password, there’s no way to continue.
At this point, students should be blocked from making further progress and seek assistance. Point out the lack of a green security lock on the bank’s page, and explain that without it, information can be intercepted from any session by eavesdropping. In this scenario, Trump’s session has been eavesdropped on, resulting in this pcap file. Provide the students with the capture file and have them open it with Wireshark. They should browse through the packets looking for Trump’s password.
- Once found, students should attempt the transfer again, this time providing the password found in the capture file (
- Log out of the site as ‘trump’ and log back in as ‘tumaini’.
- Verify that the balance for the ‘tumaini’ account is now non-zero, and that all funds were transferred successfully.
Overall students did well with this exercise. They did struggle with identifying what specific aspect of cookies could be useful in switching accounts. Eventually they were pointed to the
USERNAME cookie and walked through how to decode it from base64. From an example of how to encode into base64, they were able to figure out how to get the necessary cookie value for switching accounts.
The need for password confirmation provided some suspense. After providing them with the Wireshark capture file, they found Trump’s password entirely on their own and successfully transferred the funds.