HTTP is a stateless protocol so how a web application maintains the state of a user/client. This is where ‘Session’ comes in the picture. Server initiates a session as soon as any client request comes for something (HTTP Request).
So when I log in to any web application using my registered user id and password, server maintains a session which is basically a long unique alphanumeric id. Just think like a hacker, this long unique alphanumeric id is your KEY to log in to website.
There is one technique under which people use lot of real data and analyze that to get the clue of the formula used for generating the session id.
I will share a very simple technique which can be called as session stealing but here comes a condition which should be fulfilled.
Normally people feel that when they log into a website using their user id and password only then a session gets created BUT as I said above, server generates a session as soon as client does its first HTTP Request. So when client/browser asks for the web page in which user had to enter his details, a session get created.
1 – Open any page which asks for your user id and password
This will give your session id. Secure websites change the session id as you logs into the website but some foolish webmasters don’t do that. If you know any website like that:
1- Open the webpage which asks for your login details
3- Note down this id and ask any of your friend to log into that website using his details. (Obviously through the same Login webpage)
Replace XXX with the value which you noted earlier. (In the 3rd step)
Its done. You have successfully stolen your friend’s session. Now hit any internal URL of the website and it will not ask you for login 😉
Fix: Not difficult, just do not forget to change the session id after a user logs into your website/system.