hhucn / webvulnscan

automated web application vulnerability scanner
MIT License

#30 Attacker which scans for Session ID in URL #72

Open JessicaBachmann opened 10 years ago

JessicaBachmann commented 10 years ago

Testcase and Attacker that scan for the strings phpsid, sid and sessionid in the URL, which identify a session id.

Still a syntax/escaping error in the testcase.

rliebig commented 10 years ago

def check_id(page):
    # Plain substring checks against the whole URL, path included;
    # note that "phpsessid" already contains "sid", so the first
    # test covers the third one as well.
    if "sid" in page.url:
        return True
    if "sessionid" in page.url:
        return True
    if "phpsessid" in page.url:
        return True

    return False

I don't really like this approach... Scanning for several keywords in the URL could generate results, but it wouldn't uncover every possible vulnerability. How about we scan for a URL parameter in "token format" which is present in every/several URLs?

phihag commented 10 years ago

But tokens would be fine, wouldn't they? This attack targets a specific vulnerability. Tokens can be in the URL, for example as a CSRF defense, but that's totally fine and not a security problem at all.

rliebig commented 10 years ago

Tokens are too general. But my point was, however, that I don't like this solution. What if the session id is transported under the parameter "id_session"? I think we need a less specific approach.
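One way to implement the combined check sketched in rliebig's two comments above (matching session-style names against each query parameter name rather than the whole URL, so "id_session" and "JSESSIONID" are caught while a path like /consider-this is not, plus flagging a token-looking value that recurs across several crawled paths), written here as an added example; it is not webvulnscan's own code. The URLs in SAMPLE_URLS are constructed, and the thresholds (16 characters, 3.0 bits of Shannon entropy, 2 distinct paths) are assumptions chosen for illustration.

```python
"""Heuristic detection of session identifiers carried in URLs.

Added example, not webvulnscan's own code. The crawler is assumed to hand
us plain URL strings (the thread's page.url); everything else is local.
"""
import math
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# Matched against the parameter *name*, case-insensitively: any name
# containing "sess" (PHPSESSID, sessionid, id_session, JSESSIONID) or a
# stand-alone "sid" token (sid, user_sid), but not "sidebar" or "consider".
SESSION_NAME_RE = re.compile(r"sess|(^|[_-])sid($|[_-])", re.I)

# Assumed thresholds for "looks like a random token".
MIN_TOKEN_LEN = 16
MIN_TOKEN_ENTROPY = 3.0  # bits per character
MIN_PATHS = 2            # same (name, value) seen on this many distinct paths


def shannon_entropy(s):
    """Bits per character of the string's own symbol distribution."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_token(value):
    return len(value) >= MIN_TOKEN_LEN and shannon_entropy(value) >= MIN_TOKEN_ENTROPY


def find_session_ids_in_urls(urls):
    """Return findings as dicts with url/param/reason/confidence.

    High confidence: parameter name denotes a session id.
    Low confidence: a token-like value travels unchanged across several
    paths, which is how a session id behaves (but also how a per-session
    CSRF token in the URL behaves, so this needs manual review).
    """
    findings = []
    token_sightings = defaultdict(set)   # (name, value) -> set of paths
    first_url = {}                       # (name, value) -> first URL seen

    for url in urls:
        parts = urlsplit(url)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if SESSION_NAME_RE.search(name):
                findings.append({"url": url, "param": name,
                                 "reason": "session-style parameter name",
                                 "confidence": "high"})
            elif looks_like_token(value):
                key = (name, value)
                token_sightings[key].add(parts.path)
                first_url.setdefault(key, url)

    for (name, value), paths in token_sightings.items():
        if len(paths) >= MIN_PATHS:
            findings.append({"url": first_url[(name, value)], "param": name,
                             "reason": "token-like value reused across %d paths" % len(paths),
                             "confidence": "low"})
    return findings


# Constructed crawl output for demonstration.
SAMPLE_URLS = [
    "http://example.test/index.php?PHPSESSID=8f3a9c2d1e4b7f6a0d5c8e2b",
    "http://example.test/account?id_session=8f3a9c2d1e4b7f6a0d5c8e2b",
    "http://example.test/consider-this?page=2",           # "sid" only in the path
    "http://example.test/cart?s=q1w2e3r4t5y6u7i8o9p0a1s2",  # unnamed token, 3 paths
    "http://example.test/checkout?s=q1w2e3r4t5y6u7i8o9p0a1s2",
    "http://example.test/profile?s=q1w2e3r4t5y6u7i8o9p0a1s2",
    "http://example.test/delete?csrf=c0ffee1234deadbeef5678ab",  # token, one path
    "http://example.test/search?q=sidebar+widgets",
]

if __name__ == "__main__":
    for f in find_session_ids_in_urls(SAMPLE_URLS):
        print(f["confidence"], f["param"], f["reason"], f["url"])
```

Run on the constructed list this reports PHPSESSID and id_session at high confidence and the recurring `s` value at low confidence, and stays silent on /consider-this, the single-page csrf token and the search query. The low-confidence branch is exactly the case phihag raises: a CSRF token that is per-session rather than per-form would be reported too, so it is a candidate for review, not a finding on its own.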

phihag commented 10 years ago

Ok, so what's your idea for this approach? How should it work?