HTTP is a stateless protocol so how a web application maintains the state of a user/client. This is where ‘Session’ comes in the picture. Server initiates a session as soon as any client request comes for something (HTTP Request).

So when I log in to any web application using my registered user id and password, server maintains a session which is basically a long unique alphanumeric id. Just think like a hacker, this long unique alphanumeric id is your KEY to log in to website.

There is one technique under which people use lot of real data and analyze that to get the clue of the formula used for generating the session id.

I will share a very simple technique which can be called as session stealing but here comes a condition which should be fulfilled.

Normally people feel that when they log into a website using their user id and password only then a session gets created BUT as I said above, server generates a session as soon as client does its first HTTP Request. So when client/browser asks for the web page in which user had to enter his details, a session get created.

1 – Open any page which asks for your user id and password

2- Type in the address bar of the browser:: javascript:alert(document.cookie);

This will give your session id. Secure websites change the session id as you logs into the website but some foolish webmasters don’t do that. If you know any website like that:

1- Open the webpage which asks for your login details

2- Type in the address bar of the browser:: javascript:alert(document.cookie);

3- Note down this id and ask any of your friend to log into that website using his details. (Obviously through the same Login webpage)

4- Use any other PC and open that Login page and type in the address bar::   javascript:alert(document.cookie=”XXX”);

Replace XXX with the value which you noted earlier. (In the 3rd step)

Its done. You have successfully stolen your friend’s session. Now hit any internal URL of the website and it will not ask you for login 😉

Fix: Not difficult, just do not forget to change the session id after a user logs into your website/system.


  1. The real question is how to steal the session id with out the user being aware. What would you do with a site that was suceptible to persistent XSS?

  2. Step 4 – javascript:alert(document.cookie="XXX"); – needs additional parameter to set the cookie properly .. @Pankaj – You may want to know who am I 🙂 .. any plans of stepping out of India especially Australia (i guess you had one) 🙂 Cheers!!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s