Nytro Posted October 1, 2013

WordPress Session Hijack (Seshn Proof of Concept)

So, I recently got a beta invite to the new(ish) website Seshn. I’ve been giving them plenty of feedback via twitter. In one of my latest tweets to them, I made a bold claim: their website is at risk of session hijacks (in theory). Why do I say this? Well, as it turned out, Seshn is powered by WordPress and, if my research serves me correctly, many installations of WordPress are vulnerable to this type of attack without some backend changes.

For those of you who don’t know, a session hijack is when I, the bad guy, somehow get a hold of your cookies and then impersonate you (and by impersonate I mean I can be logged in as you without knowing your password).

So, how would this work? My setup for the test was two Chrome windows, one in incognito mode. Both have the extension Edit This Cookie installed.

On window 1 (the one I am logged in as), if I open Edit This Cookie I can see the cookies currently on my computer from that website. As you can see, one of those cookies is called “wordpress_logged_in_138ec16e1cd2a6203cb11a99a9cd21b0”. It is marked as a session cookie and it is marked as HTTP only (which is GOOD; that helps protect against XSS attacks). HOWEVER, it is not Secure (AKA: it is transferred freely with no encryption, in plain text).

So, if I, the attacker from window 2 (incognito mode), somehow got a hold of window 1’s cookies (through something like wire tapping), what could I do with them? Let’s find out.

So here we are, not logged in. Let’s open up Edit This Cookie, click “Add New Cookie” and add that “wordpress_logged_in_138ec16e1cd2a6203cb11a99a9cd21b0” cookie with the value that we stole from window 1. Save changes… and voilà! Window 2 is now logged in as window 1!

I suppose I could have gone into more detail and shown more screenshots, but it is a “proof of concept” after all.
Troy Hunt on Session Hijacking:
Troy Hunt: ASP.NET session hijacking with Google and ELMAH
Troy Hunt: Is Stack Overflow “secure”? Kind of…
Troy Hunt: C is for cookie, H is for hacker – understanding HTTP only and Secure cookies

Source: WordPress Session Hijack (Seshn Proof of Concept) | Andrew McGivery
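The defensive side of the post is the missing Secure flag: a login cookie without it is sent on any plain-HTTP request to the site, so a passive observer on the path can read it. The following is an added example (not code from the original article or from WordPress) that audits the Set-Cookie headers of a response for the Secure, HttpOnly and SameSite attributes and lists the session cookies that a plaintext connection would expose. The response headers are constructed here to mirror the post's observation, cookie values are placeholders, and the prefix list used to decide which cookies carry a login session is an assumption.

```python
"""Audit Set-Cookie headers for the Secure / HttpOnly / SameSite attributes.

Added example for this post, not code from the original article or from
WordPress. The response headers below are constructed to mirror what the
post describes: a wordpress_logged_in_* cookie that is HttpOnly but not
Secure, so the browser would also send it over a plain-HTTP request.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: cookie-name prefixes we treat as carrying a login session.
SENSITIVE_PREFIXES = ("wordpress_logged_in_", "wordpress_sec_", "PHPSESSID")


@dataclass
class CookieAudit:
    name: str
    secure: bool = False
    httponly: bool = False
    samesite: Optional[str] = None
    sensitive: bool = False
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie header value into its name and the flags we care about."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    audit = CookieAudit(name=name, sensitive=name.startswith(SENSITIVE_PREFIXES))
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            audit.secure = True
        elif key == "httponly":
            audit.httponly = True
        elif key == "samesite":
            audit.samesite = val.strip() or None
    return audit


def assess(audit: CookieAudit) -> CookieAudit:
    """Record which protective attributes are missing on the cookie."""
    if not audit.secure:
        audit.findings.append("no-secure")      # browser will also send it over http://
    if not audit.httponly:
        audit.findings.append("no-httponly")    # readable by page script (XSS exposure)
    if audit.samesite is None:
        audit.findings.append("no-samesite")    # attached to cross-site requests
    return audit


def audit_headers(set_cookie_values):
    """Map cookie name -> CookieAudit for every Set-Cookie header in a response."""
    return {a.name: a for a in (assess(parse_set_cookie(v)) for v in set_cookie_values)}


def session_cookies_at_risk(set_cookie_values):
    """Names of login/session cookies that lack the Secure flag: the ones a
    passive observer of a plaintext connection could capture."""
    return [name for name, a in audit_headers(set_cookie_values).items()
            if a.sensitive and not a.secure]


# Constructed sample response headers (values are placeholders, not real tokens).
SAMPLE_SET_COOKIE = [
    "wordpress_logged_in_138ec16e1cd2a6203cb11a99a9cd21b0=CONSTRUCTED_VALUE; path=/; HttpOnly",
    "wordpress_test_cookie=WP+Cookie+check; path=/",
    "PHPSESSID=CONSTRUCTED_VALUE; path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for name, a in audit_headers(SAMPLE_SET_COOKIE).items():
        status = "OK" if not a.findings else ", ".join(a.findings)
        print(f"{'[session] ' if a.sensitive else '          '}{name}: {status}")
    print("at risk over plaintext:", session_cookies_at_risk(SAMPLE_SET_COOKIE))
```

On the WordPress side the fix is to serve the whole site over HTTPS and set `define('FORCE_SSL_ADMIN', true);` in wp-config.php; with the site URL on https, WordPress then marks both the auth and the logged_in cookies Secure (the latter is governed by the `secure_logged_in_cookie` filter), so the browser never sends them on a plaintext request.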