Web application security - the fast guide 1.1 | Page 101

Chapter 5 - Attack Execution: the client

This attack relies on a simple idea: the attacker keeps using an authority that no longer exists, because the session that carries that authority is not invalidated when the user's rights are revoked.

Attack requirement:
- The application lets the user extend or preserve a session for a long time (a "keep me logged in" or "remember me" option), in an environment where authorizations change frequently.

Attack process:
1- Log in normally before the permission is revoked, and extend the session timeout using the option the application provides.
2- After the permission is revoked, the user is still able to execute most of the activities that were denied.

Example: One example of this type of attack is a successful fraud committed by a person who was authorized to operate a shared bank account and was later removed from it. Before his name was removed from the list of authorized users, this person opened the e-banking site, authenticated, and activated the "keep the session open" option. After his name was removed from the shared account he was still able to initiate transfer orders and move money to another account, because the session he had opened earlier was never invalidated.

As noticed, this type of attack is easy, but it can only succeed when the attacker already had authentication and authorization to the same resources. It can still cause great damage: imagine what a disgruntled, high-ranking ex-employee could do to a company with such a simple attack. The fix is on the server side: re-check authorization against the current state on every request, and invalidate every open session of a user whenever that user's rights change, no matter how long the session was allowed to live.

5.14 JSON Hijacking

A malicious user is able to hijack JavaScript to attack JavaScript Object Notation (JSON) strings. JSON hijacking is a relatively new risk in Web 2.0: a third-party page loads the JSON URL with a <script> tag, the victim's browser attaches the victim's cookies to that request, and the response is executed as JavaScript inside the attacker's page instead of being parsed as data.

Attack requirement: a JSON service can be used to read private data when it
- returns sensitive data.
- returns a JSON array (a bare array literal is a valid JavaScript program, so it executes when included as a script; an object literal at statement position is a syntax error).
- responds to GET requests (a <script src> include can only issue a GET and cannot add custom request headers).
- the browser making the request has JavaScript enabled (very likely the case).
- the browser making the request supports the __defineSetter__ method, and constructs the array in a way that invokes such setters or an overridden Array constructor. Current browsers no longer do this for array and object literals, so the attack as described requires an old browser; the server-side fixes (never return a bare array, reject GET or require a custom header, prefix the response with a token that breaks parsing) remain good practice.
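The session attack described in the first part of this page, replayed as an added example (not the book's code): a "keep me logged in" session that carries an authorization snapshot taken at login, the careless revocation that leaves it valid, and the two server-side fixes. The users, account number, timings and helper names (login, transferVulnerable, transferHardened, removeAuthorization) are constructed for the example and are not from the book.

```javascript
// Added example, not the book's code: why an authorization snapshot taken at
// login lets a revoked user keep acting through a long-lived session, and
// two server-side fixes. Users, accounts and timings are constructed.

// Current truth: which users may operate which shared account.
const accountAuthorizations = {};

// Server-side session store: sessionId -> session record.
const sessions = new Map();
let nextSessionId = 1;

const ONE_HOUR = 60 * 60 * 1000;
const THIRTY_DAYS = 30 * 24 * ONE_HOUR;

function resetState() {
  accountAuthorizations["ACC-1001"] = new Set(["alice", "bob"]);
  sessions.clear();
}
resetState();

// Login. `keepOpen` is the book's "maintain the session opened" option: it
// stretches the timeout from one hour to thirty days. The vulnerable design
// copies the user's authorizations into the session at this point.
function login(user, keepOpen, now) {
  const id = `S${nextSessionId++}`;
  const grantedAccounts = Object.keys(accountAuthorizations).filter((acc) =>
    accountAuthorizations[acc].has(user)
  );
  sessions.set(id, {
    user,
    expiresAt: now + (keepOpen ? THIRTY_DAYS : ONE_HOUR),
    grantedAccounts, // snapshot taken at login: this is the bug
  });
  return id;
}

function liveSession(sessionId, now) {
  const s = sessions.get(sessionId);
  return s && s.expiresAt > now ? s : null;
}

// VULNERABLE: trusts the authorization snapshot stored in the session.
function transferVulnerable(sessionId, account, now) {
  const s = liveSession(sessionId, now);
  if (!s) return "denied: no session";
  return s.grantedAccounts.includes(account) ? "ok" : "denied: not authorized";
}

// FIX 1: re-check the current authorization on every request.
function transferHardened(sessionId, account, now) {
  const s = liveSession(sessionId, now);
  if (!s) return "denied: no session";
  const allowed = accountAuthorizations[account];
  return allowed && allowed.has(s.user) ? "ok" : "denied: not authorized";
}

// FIX 2: revoking a right also destroys every session of the affected user,
// so even code that still trusts the session cannot be abused.
function removeAuthorization(account, user) {
  accountAuthorizations[account].delete(user);
  for (const [id, s] of sessions) {
    if (s.user === user) sessions.delete(id);
  }
}

// Replays the book's scenario: Bob logs in with "keep me logged in" while
// still authorized, the account owner removes him a day later, and Bob
// tries to transfer money afterwards.
function demo() {
  resetState();
  const t0 = Date.now();
  const bobSession = login("bob", true, t0);
  const t1 = t0 + 24 * ONE_HOUR;

  // Revocation done the careless way: only the authorization table changes.
  accountAuthorizations["ACC-1001"].delete("bob");
  const vulnerable = transferVulnerable(bobSession, "ACC-1001", t1); // "ok": the fraud succeeds
  const hardened = transferHardened(bobSession, "ACC-1001", t1);     // "denied: not authorized"

  // Revocation done properly: Bob's sessions are gone as well.
  removeAuthorization("ACC-1001", "bob");
  const afterRevocation = transferVulnerable(bobSession, "ACC-1001", t1); // "denied: no session"

  return { vulnerable, hardened, afterRevocation };
}

console.log(demo());
```

The first fix is the one that matters most in practice: a session should prove who the caller is, not what the caller was allowed to do at some point in the past. The second fix closes the window for code paths that still read the snapshot, and it is also the right response to a password change or a compromised account.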
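The JSON hijacking requirements in 5.14, as an added example (not the book's code): it checks which response bodies a <script src> include could execute, tries the classic Object.prototype setter capture (which current engines no longer honour for literals, so it returns nothing here, which is exactly the old-browser requirement in the list), and shows a hardened endpoint that refuses plain GET, wraps the data in an object and prefixes the body. The endpoint shape, header check, prefix and account data are assumptions made for the example, not any framework's API.

```javascript
// Added example, not the book's code: why a bare JSON array is hijackable
// as a <script> include, and how the usual server-side fixes change that.
// Account data, request objects and the endpoint shape are constructed.

// Constructed sensitive payload, as a vulnerable endpoint would emit it.
const ACCOUNTS = [{ acct: "ACC-1001", balance: 4200 }, { acct: "ACC-1002", balance: 310 }];
const BARE_ARRAY_BODY = JSON.stringify(ACCOUNTS);

// A <script src="https://bank.example/api/accounts"> include runs the response
// as a program, with the victim's cookies attached to the request. new Function
// compiles the body without executing it, so this tells us whether the body
// is a valid program at all (the precondition for being script-includable).
function compilesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// The classic capture: an inherited setter that fires for every "acct"
// property the response assigns. Current engines create literal properties
// with define semantics (no inherited setter runs), so on Node this returns
// []; that is the "browser must support the old behaviour" requirement.
function attemptSetterHijack(body) {
  const captured = [];
  Object.prototype.__defineSetter__("acct", function (v) { captured.push(v); });
  try {
    new Function(body)(); // execute as the attacker's included script would
  } finally {
    delete Object.prototype.acct; // remove the setter again
  }
  return captured;
}

// Hardened endpoint (assumed shape): a GET is refused unless it carries a
// custom header, which a <script> tag cannot send but same-origin XHR/fetch
// code can; the body is an object, never a bare array; and a prefix makes
// the body unparseable as a program even if it were included.
const ANTI_HIJACK_PREFIX = ")]}',\n";

function handleAccountsRequest(req) {
  if (req.method === "GET" && req.headers["x-requested-with"] !== "XMLHttpRequest") {
    return { status: 403, body: "" };
  }
  return { status: 200, body: ANTI_HIJACK_PREFIX + JSON.stringify({ accounts: ACCOUNTS }) };
}

// The legitimate client strips the prefix before parsing.
function parseProtectedResponse(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) throw new Error("unexpected response framing");
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Which bodies could a <script> include execute?
function hijackability() {
  const objectBody = JSON.stringify({ accounts: ACCOUNTS });
  return {
    bareArray: compilesAsScript(BARE_ARRAY_BODY),                     // true: a valid program
    objectWrapper: compilesAsScript(objectBody),                      // false: {"accounts":...} is a syntax error
    prefixed: compilesAsScript(ANTI_HIJACK_PREFIX + BARE_ARRAY_BODY), // false: the prefix breaks parsing
  };
}

console.log(hijackability(), attemptSetterHijack(BARE_ARRAY_BODY));
```

The object wrapper and the prefix defend by making the response fail to parse as a program; the custom-header check defends earlier, by never sending the data to a request that a cross-site <script> tag could have generated. Use the header (or a POST-only endpoint) as the primary control and the body framing as defence in depth.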