Selasa, 07 Juni 2011

TESTING FOR SESSION FIXATION (OWASP-SM_003)

black box testing using webscreb i was found like this below

GET http://www.akakom.ac.id:80/? HTTP/1.1
Host: www.akakom.ac.id
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: akakom_tpl=akakom; 69cb2eb0a19889c0e172765110b05475=ujpkrlda8l3rpm3qh3127t7i07
DNT: 1

GET http://www.akakom.ac.id:80/components/com_jcomments/js/jcomments-v2.1.js?v=2 HTTP/1.1
Host: www.akakom.ac.id
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.akakom.ac.id/
Cookie: akakom_tpl=akakom; 69cb2eb0a19889c0e172765110b05475=ujpkrlda8l3rpm3qh3127t7i07
DNT: 1
If-Modified-Since: Thu, 21 Apr 2011 08:39:28 GMT
If-None-Match: "58e206-6a2b-ade5d000"

GET http://www.akakom.ac.id:80/plugins/system/jcemediabox/js/mediaobject.js?v=101 HTTP/1.1
Host: www.akakom.ac.id
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.akakom.ac.id/
Cookie: akakom_tpl=akakom; 69cb2eb0a19889c0e172765110b05475=ujpkrlda8l3rpm3qh3127t7i07
DNT: 1
If-Modified-Since: Thu, 21 Apr 2011 08:33:04 GMT
If-None-Match: "55602a-fdb-97027000"

GET http://www.akakom.ac.id:80/plugins/system/jcemediabox/css/jcemediabox.css?v=101 HTTP/1.1
Host: www.akakom.ac.id
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.akakom.ac.id/
Cookie: akakom_tpl=akakom; 69cb2eb0a19889c0e172765110b05475=ujpkrlda8l3rpm3qh3127t7i07
DNT: 1
If-Modified-Since: Thu, 21 Apr 2011 08:33:06 GMT
If-None-Match: "556087-d49-9720f480"

GET http://www.akakom.ac.id:80/components/com_jcomments/tpl/default/style.css?v=10 HTTP/1.1
Host: www.akakom.ac.id
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.akakom.ac.id/
Cookie: akakom_tpl=akakom; 69cb2eb0a19889c0e172765110b05475=ujpkrlda8l3rpm3qh3127t7i07
DNT: 1
If-Modified-Since: Thu, 21 Apr 2011 08:39:32 GMT
If-None-Match: "58e281-368d-ae22d900"

GET http://www.akakom.ac.id:80/index.php/component/option,com_jbolo/format,raw/view,js/ HTTP/1.1
Host: www.akakom.ac.id
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.akakom.ac.id/
Cookie: akakom_tpl=akakom; 69cb2eb0a19889c0e172765110b05475=ujpkrlda8l3rpm3qh3127t7i07
DNT: 1

GET http://www.akakom.ac.id:80/plugins/system/jcemediabox/themes/standard/css/style.css?version=101 HTTP/1.1
Host: www.akakom.ac.id
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.akakom.ac.id/
Cookie: akakom_tpl=akakom; 69cb2eb0a19889c0e172765110b05475=ujpkrlda8l3rpm3qh3127t7i07

now go to the webscreb lite and you would fount an interface like this
DNT: 1

after that i tried to view login script on akakom.ac.id like this
you can try with the other same to see script or conversation like are below :



Tidak ada komentar:

Posting Komentar