Close Menu
    What's Hot

    Ultimate Guide to Attack Surface Scanning

    April 10, 2025

    Recent Trends in Zero Trust Architecture

    March 3, 2025

    Modern Defensive Cybersecurity Services

    December 29, 2024
    Facebook X (Twitter) Instagram LinkedIn WhatsApp
    HITH Blog – HackerinthehouseHITH Blog – Hackerinthehouse
    • Bug Bounty

      A Beginner’s guide to Active Directory Penetration Testing

      June 21, 2023

      Building an XSS Scanner with Python

      February 27, 2023

      Journey to Website Security: Uncovering Hyperlink Injection Dangers

      February 24, 2023

      File Upload XSS | Find XSS in a different way while doing Bug bounty and Pentesting

      January 13, 2023

      How To Find DOM-based XSS Vulnerability

      December 27, 2022
    • Pen Testing

      Privileged Escalation: How Hackers Exploit Permissions to Compromise Your Systems

      March 5, 2024

      The Ultimate Guide to Vulnerability Scanning

      December 13, 2023

      Top 10 Tools for Real World Red Teaming

      November 18, 2023

      Locking Down OAuth 2.0: Critical Steps to Protect User Accounts and Data

      November 10, 2023

      Detailed guide on Password Transmutations

      April 29, 2023
    • Cyber Security

      Ultimate Guide to Attack Surface Scanning

      April 10, 2025

      Recent Trends in Zero Trust Architecture

      March 3, 2025

      Modern Defensive Cybersecurity Services

      December 29, 2024

      A Comprehensive Guide on Cyber Security Services VS Cyber Security Products

      June 14, 2024

      A Comprehensive Guide to Security Compliance

      May 6, 2024
    • Services
    • Product
      • Certifications
    • More
      1. Ethical Hacking
      2. Kali Linux
      3. Write Ups
      4. CTF
      5. Blockchain
      6. Machine Learning
      7. Computer Science
      8. View All

      Journey to Website Security: Uncovering Hyperlink Injection Dangers

      February 24, 2023

      Pentest/VAPT RoE and Best Practices

      February 3, 2023

      Emoji Deploy Attack Chain

      January 24, 2023

      Introduction to Information Security

      January 11, 2023

      Cyber Security Roadmap (Part-2)

      October 25, 2022

      How to install waybacksurls in kali linux (2022)

      September 23, 2022

      How To Find Hidden Parameters

      November 12, 2022

      Top 10 Subdomain Takeover Reports

      November 6, 2022

      Pause DeSync Attack :

      November 3, 2022

      Bypassing OTP Verification Methods

      October 31, 2022

      Tryhackme Vulnversity walkthrough

      September 26, 2022

      Ultimate Guide to Attack Surface Scanning

      April 10, 2025

      Recent Trends in Zero Trust Architecture

      March 3, 2025

      Modern Defensive Cybersecurity Services

      December 29, 2024

      Robotic Process Automation: The Key to Effortless Efficiency

      September 18, 2024

      A Peek into Facial Recognition Technology

      August 21, 2023

      How Data Scientists and Machine Learning Engineers Differs

      November 8, 2022

      Artificial Neural Networks with ML

      November 4, 2022

      INTRODUCTION TO MACHINE LEARNING

      October 20, 2022

      Robotic Process Automation: The Key to Effortless Efficiency

      September 18, 2024

      BCI: Merging Minds With Machines

      August 18, 2023

      Is Quantum Computing the future of Computing?

      August 16, 2023

      Ultimate Guide to Attack Surface Scanning

      April 10, 2025

      Recent Trends in Zero Trust Architecture

      March 3, 2025

      Modern Defensive Cybersecurity Services

      December 29, 2024

      Robotic Process Automation: The Key to Effortless Efficiency

      September 18, 2024
    HITH Blog – HackerinthehouseHITH Blog – Hackerinthehouse
    Home»Bug Bounty»Session Fixation, Session Hijacking and Captcha Bypass
    Bug Bounty

    Session Fixation, Session Hijacking and Captcha Bypass

    Lohitaksh NandanBy Lohitaksh NandanNovember 15, 2022Updated:November 15, 2022No Comments8 Mins Read
    Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Sessions

    A session is the total time devoted to an activity. In computer systems, a user session begins when a user logs in to or accesses a particular computer, network, or software service. It ends when the user logs out of the service, or shuts down the computer. A session can temporarily store information related to the activities of the user while connected. A session cookie is used in web pages for storing information in case the user leaves the web page or closes down their Internet browser. For example, this is one way a website can remember what is in your shopping cart if you leave and come back.

    Cookie

    A cookie is a small file with the maximum size of 4KB that the web server stores on the client computer. Once a cookie has been set, all page requests that follow return the cookie name and value. A cookie can only be read from the domain that it has been issued from. Most of the websites on the internet display elements from other domains such as advertising. The domains serving these elements can also set their own cookies. These are known as third party cookies. A cookie created by a user can only be visible to them. Other users cannot see its value. Most web browsers have options for disabling cookies, third party cookies or both.

    Session Fixation

    The Session Fixation attack consists of the exploitation of the web session control mechanism, which is normally managed for a session token. Because HTTP communication uses many different TCP connections, the web server needs a method to recognize every user’s connections. The most useful method depends on a token that the Web Server sends to the client browser after a successful client authentication. A session token is normally composed of a string of variable with and it could be used in different ways, like in the URL, in the  header of the http requisition as a cookie, in other parts of the header of the http request, or yet in the body of the http requisition.

    Session Hijacking

    Session Hijacking is simply the act of stealing an existing, valid session cookie. Most commonly through sniffing network traffic (a MITM attack), Cross site scripting or cross site tracing attack but also through any other ways that a session ID may be leaked. Session fixation is similar but inverted — a pre-defined session cookie is planted into the victim’s browser. So after the victim logs into a website, they will use the same session cookie that the attacker already knows, and thus the attacker-owned cookie is now authenticated and can be exploited. Of course that requires an attacker to have temporary access to the victim’s browser itself, but the principle is very simple — there’s no need to steal the data if it is under your control in the first place.

    How to Test Session Fixation

    Session-ID same pre and post login.[Session Fixation] [Require physical access to the victim’s browser to set previously known valid session ID and exploit it later to visit or modify victims web content]

    Step 1

    Visit login page. Go to cookie editor extension which is already
    installed in web browser and edit cookies. Copy Session-ID.

    Step 2

    Login into application. Again, visit cookie editor. Copy the cookie.

    Step 3

    If both cookies are same then report the issue.

    To better understand it, I would add one example which is exploited in real-world pen-testing experience.

    Note: Browser Chrome Used By- Attacker & Browser Firefox Used By- Victim.

    ● As an attacker, browse the application from chrome and make a note of the session-id without logging in from the admin by just requesting any page within the application and intercepting that request. The intercepted request will have the session-ID ―PHPSESSID.
    ● Now the task is to fix the session-ID (PHPSESSID) noted in the previous step into the victim’s browser. This can be done by exploiting XSS vulnerability or by making the victim click on the URL having session-ID in GET parameter. Here we have fixed the session into the victim’s browser that is firefox by setting the session-ID noted previously in his browser.
    ● Now, let the victim login into the application having the attackers session-ID. Note that application doesn’t set a new session-ID when user logs in into the application and session-ID (Attacker’s) remains same even after login.
    ● Now, from the attacker’s browser, hit refresh. It is observed that admin panel will be accessed without entering credentials.
    ● Boom!! Attacker can access the functionalities.

    Impact

    After the attack is successful, the account of the user can be completely compromised and the attacker will be able to perform all the operations that the user can perform.

    Countermeasures

    ● The standard method is to change the session ID right after the user logs in. This eliminates most session fixation vulnerabilities.
    ● An additional countermeasure is to change the session ID with the slightest suspicion of potential wrongdoing. For example, the web application may test whether the IP address or the user-agent of the client changed and if it did – provide a new session ID.

    ● You should also invalidate session IDs after a timeout. For example, 10 minutes of no activity should cause an automatic logout. This gives the attacker a small window of opportunity to use the fixed session ID.
    ● Some sources recommend changing the session IDs with every user action. However, this is a drastic, unnecessary, and potentially harmful – it may impact user experience and performance (for example, it might be impossible when using applets). To minimize the impact, you may change the session ID before every important user action on the website.
    ● Remember to use session cookies for session management and do not accept session IDs from HTTP requests and HTTP headers.
    ● HTTPS (HSTS), anti-CSRF tokens, and suitable cookie flags (Secure, SameSite) can be helpful in avoiding session fixation, too.

    Captcha Bypass

    Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) is a type of challenge-response test that is used to distinguish humans from automated programs i.e., bots. Many websites use CAPTCHAs on their login pages to protect against automated attacks such as user identifier enumeration, brute-force password guessing, credential stuffing and password spraying attacks. Typically, CAPTCHAs are image based that require users to recognize a distorted sequence of alpha-numeric letters or solve a simple mathematical puzzle. The hypothesis is that humans are good at recognizing letters and solving puzzles presented within a distorted (noisy) image whereas automated programs are not. However, advancements in computer vision have rendered seemingly complex CAPTCHAs’ ineffective. Researchers have developed efficient and accurate machine learning and deep learning algorithms to recognize characters present in the CAPTCHA images.

    Methods to bypass Captcha.

    ● Changing request methods.

    It is an easy method to check for bypass captcha just by changing the ―request method of your request‖ and removing the captcha parameter

    ex- POST — — -> GET (POST request to GET) #more preferable
    POST — — → PUT (POST request to put)

    ● Removing the parameter or using the previously used captcha.

    This might not work usually but doing things just right could hit the spot and give the results.

    ● Using extra headers for rate limiting.

    There are some headers that you can use to bypass captcha/ratelimiting.

    headers: X-Originating-IP: 127.0.0.1
    X-Forwarded-For: 127.0.0.1
    X-Remote-IP: 127.0.0.1
    X-Remote-Addr: 127.0.0.1

    if this does not work try to use ―x-forwarded-for: 127.0.0.1 twice.

    ● Missing Server Side Validation of the Captcha Field.

    Some applications send Captcha Parameters on the client side but they do not validate this on the server side.

    Simply, Remove the “Captcha” parameters and see if the request is processed successfully.

    If yes, you can now use this request to perform your brute-force or rate limiting attempts.

    ● Missing Captcha Field Integrity Checks.

    There are multiple scenarios around this one, this happens when the application validate whether the captcha parameters are present but not the “value”.

    Simply, send an empty captcha parameter and see if the request works successfully.

    Change some specific characters of the captcha parameter and see if it possible to bypass the restriction. This usually happens when only string length is validated at the server-side.

    ● Reusuable Captcha

    Just repeat the request using the same Captcha key multiple times and see if that works.

    One of my weird finding was, Capture the Request in Burp Proxy and send it to Intruder. Hold the request in Proxy Tool don’t let it go.

    Run the Intruder and observed that same captcha can be reused any no. of time until you drop off the original request from proxy.

    Reference

    ● https://owasp.org/wwwcommunity/attacks/Session_hijacking_attack
    ● https://www.geeksforgeeks.org/session-hijacking/
    ● https://us.norton.com/blog/id-theft/session-hijacking
    ● https://www.geeksforgeeks.org/session-fixation-attack/
    ● https://www.acunetix.com/blog/web-security-zone/what-issession-fixation/
    ● https://www.venafi.com/blog/what-session-hijacking
    ● https://secureteam.co.uk/articles/web-application-securityarticles/understanding-session-fixation-attacks

    Author

    • Lohitaksh Nandan
      Lohitaksh Nandan

      View all posts

    captcha bypass Cyber-Security cyberattacks Ethical-Hacking hacking session fixation session hijacking
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous ArticleHow To Find Hidden Parameters
    Next Article Adversary in the Middle Attack Explained
    Lohitaksh Nandan
    • X (Twitter)
    • Instagram
    • LinkedIn

    Related Posts

    Cyber Security

    Ultimate Guide to Attack Surface Scanning

    April 10, 2025
    Cyber Security

    Recent Trends in Zero Trust Architecture

    March 3, 2025
    Cyber Security

    Modern Defensive Cybersecurity Services

    December 29, 2024
    Add A Comment
    Leave A Reply Cancel Reply

    Advertisement
    Top Posts

    How to install waybacksurls in kali linux (2022)

    September 23, 20222,488 Views

    File Upload XSS | Find XSS in a different way while doing Bug bounty and Pentesting

    January 13, 2023829 Views

    OSCP Cheat Sheet

    October 16, 2022690 Views
    Stay In Touch
    • Facebook
    • YouTube
    • TikTok
    • WhatsApp
    • Twitter
    • Instagram
    Latest Reviews

    Subscribe to Updates

    Get the latest tech news from FooBar about tech, design and biz.

    Advertisement
    X (Twitter) Instagram LinkedIn WhatsApp Telegram
    • About us
    • Contact Us
    • Privacy Policy
    • Terms
    © 2025 HITH Blog. Powered by Hackerinthehouse.

    Type above and press Enter to search. Press Esc to cancel.

    Ad Blocker Enabled!
    Ad Blocker Enabled!
    Our website is made possible by displaying online advertisements to our visitors. Please support us by disabling your Ad Blocker.