
I'm doing some pen testing for my place of employment. I was able to grab the session id from the browser cookies, but I still cannot get past the htaccess login. I initially thought that by setting the cookie with the stolen session id, the htaccess login would go away, but it still asks for a login. Any ideas?

Anders

2 Answers


I'm not sure what you refer to with the phrase "Htaccess Login" but my guess is that you refer to enabling "Basic" HTTP Authentication within .htaccess, i.e. something like this:

AuthType Basic
AuthName "My Protected Area"
AuthUserFile /path/to/.htpasswd
Require valid-user

This kind of authentication does not use any cookies. Instead it sends the username and password within each request inside a request header:

Authorization: Basic <base64-encoded-username:password>

Since no cookies are involved in checking this kind of authentication, no knowledge of cookies can be used to bypass this authentication. But someone successfully sniffing the traffic might just extract the Authorization header instead of the Cookie header and use this value not to bypass, but to successfully pass, the required authentication.

Steffen Ullrich

I won't answer the question you ask, but I will explain how you should work.

Before you attempt to do penetration testing, you need an excellent understanding of the protocols involved. HTTP is fairly easy; it's plain text, and it's human readable. A basic request would be

GET /index.html HTTP/1.1
Host: www.example.com

The server will reply with some headers, followed by content. In this case, if you actually send that request to example.com on port 80, you'll get the following headers in return:

HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: text/html; charset=UTF-8
Date: Sat, 06 Apr 2019 12:00:18 GMT
Etag: "1541025663+ident"
Expires: Sat, 13 Apr 2019 12:00:18 GMT
Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT
Server: ECS (phd/FD58)
Vary: Accept-Encoding
X-Cache: HIT
Content-Length: 1270

Nothing really interesting there; they don't set any cookies, or similar.

Understanding the protocol, and reading the headers will immediately show you what kind of authentication you're up against. When you mention .htaccess, I assume that it's Basic authentication. But the fact that you ask for .htaccess, and not Basic authentication reveals that you don't understand how the protocol works.

HTTP Basic Authentication is fairly well covered on Wikipedia. Basically (pun intended) it's an HTTP header. It has nothing to do with cookies. The server simply sends a header signalling that it expects a password, and the client replies with the password and username. This header from the client is included in every subsequent request.

If you can gain access to a client's cookies, you can probably gain access to whatever username and password it sends as well.

But the bottom line is that you need to sit down, and learn HTTP before you can do any meaningful penetration testing. Unless you actually know how the protocol works, you can't see corner cases that the developers may have overlooked.

vidarlo
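As an added illustration of the mechanism both answers describe (this is example code, not part of the question or either answer), here is a small Python model of the check that the .htaccess block above configures: the server looks only at the Authorization header, so a request carrying a session cookie still gets a 401 with WWW-Authenticate, and the base64 token decodes back to the plaintext credentials, which is why the header must only travel over TLS. The credential store, realm and cookie value are constructed for the example.

```python
import base64
import hmac
from http import HTTPStatus

# Constructed stand-in for the .htpasswd file named in AuthUserFile. Real
# entries hold password hashes; plaintext keeps the example short.
HTPASSWD = {"alice": "correct horse battery staple"}
REALM = "My Protected Area"  # the AuthName from the .htaccess block


def make_basic_header(username, password):
    """Build the Authorization value a browser sends after the login prompt."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic_header(value):
    """Reverse the encoding: base64 is not encryption, so anyone who can read
    the header on a non-TLS connection recovers username and password."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    username, _, password = decoded.partition(":")
    return username, password


def check_request(headers):
    """Emulate 'Require valid-user': only Authorization is consulted.
    A Cookie header, stolen or not, never enters the decision."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    auth = headers.get("Authorization")
    if auth is None:
        return HTTPStatus.UNAUTHORIZED, challenge
    creds = decode_basic_header(auth)
    if creds is None:
        return HTTPStatus.BAD_REQUEST, {}
    username, password = creds
    expected = HTPASSWD.get(username)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return HTTPStatus.UNAUTHORIZED, challenge
    return HTTPStatus.OK, {}


if __name__ == "__main__":
    # Only the application's session cookie (constructed value): still a 401.
    print(check_request({"Cookie": "PHPSESSID=constructed-session-id"}))
    # After the browser has answered the prompt: 200.
    print(check_request({"Authorization": make_basic_header("alice", "correct horse battery staple")}))
```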