OWASP defined Broken Authentication and Session Management as follows: ‘Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.’ In other words, an attacker can gain unauthorized access to a user's account because of a flaw in the implementation. Before exploiting this vulnerability, you need to know a few concepts:
- What is a Session and why do we need a Session
- What is a Cookie
- What is Authentication
As you are already familiar with SQL injection from the previous article (part 1), we will quickly dive into exploitation with SQLi. Log in to your bWAPP and select the vulnerability SQL Injection (Login Form/Hero). As stated in the previous post, we need to do some manual analysis to understand the functionality and its implementation. Try to log in with some random text (test, test). Now let’s do some dynamic analysis by reviewing the source code of the functionality.
To excel at penetration testing, you need your own lab for practice and research. I would suggest using virtual machines, which are available for free. I would go with VMware Workstation rather than VirtualBox; that's just my personal preference. You can choose either one.
1. VMware Workstation
Click here to download VMware Workstation
2. Kali Linux ISO
Click here to download Kali Linux ISO
Click here to download bee-box