https://wiki.owasp.org/index.php?action=history&feed=atom&title=OWASP_ModSecurity_Securing_WebGoat_Section4_Sublesson_16.1OWASP ModSecurity Securing WebGoat Section4 Sublesson 16.1 - Revision history2026-06-02T11:49:29ZRevision history for this page on the wikiMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=OWASP_ModSecurity_Securing_WebGoat_Section4_Sublesson_16.1&diff=45315&oldid=prevStephen Evans at 05:02, 1 November 20082008-11-01T05:02:12Z<p></p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;' lang='en'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 05:02, 1 November 2008</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l1" >Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>16. Session Management Flaws -> 16.1 Hijack a Session</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>16. Session Management Flaws -> 16.1 Hijack a Session</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">(This sublesson was not formally solved by the project)</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>=== Lesson overview ===</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>=== Lesson overview ===</div></td></tr>
</table>Stephen Evanshttps://wiki.owasp.org/index.php?title=OWASP_ModSecurity_Securing_WebGoat_Section4_Sublesson_16.1&diff=44689&oldid=prevStephen Evans: add content2008-10-27T10:57:54Z<p>add content</p>
<p><b>New page</b></p><div>16. Session Management Flaws -> 16.1 Hijack a Session<br />
<br />
=== Lesson overview ===<br />
<br />
The WebGoat lesson overview is included with the WebGoat lesson solution.<br />
<br />
=== Lesson solution === <br />
<br />
Refer to the zip file with the WebGoat lesson solutions. See Appendix A for more information. <br />
<br />
=== Strategy ===<br />
<br />
This WebGoat lesson teaches how to hijack another user's session using brute force attacks. The vulnerability is that the session ID is not complex and random enough; the exploit is complex and is done by using WebScarab and another tool called Crowbar.<br />
<br />
Session Management Flaws are one of the few areas where a WAF will not be of much help. <br />
<br />
The only action that can be taken is a reactive one instead of a preventative action: issue an alarm in the event of irregularities (e.g. a changing IP) or terminate a session with changing IP. Besides that, a ModSecurity solution is not possible for this lesson.<br />
<br />
=== Implementation === <br />
<br />
None<br />
<br />
=== Reviewer comments ===<br />
<br />
You had listed this as a Lesson where Mod (WAF) can’t really help however two practical solutions are possible:<br />
<br />
1. Anti-automation rules – in order to gather a large enough collection of SessionIDs to analyze their entropy, most attackers will use automation such as with the Session Collector plugin of WebScarab. When these tools run, they will send a large number of requests that will go over a ModSecurity set threshold of request/time and then you can block them. This is not a direct mitigation for the weak SessionIDs but may tactically help to identify people conducting this type of analysis.<br />
<br />
2. The critical point in identifying Session Hijacking attacks is to bind the client IP (and possibly other browser data) to the SessionID when the webapp hands it out in the Set-Cookie response header. If this is done, you can then identify when someone guesses a SessionID and adds it to their browser as the REMOTE_ADDR variable data will not match what ModSecurity saved in the setsid Session collection when the app handed it out.</div>Stephen Evans