DVWA 1.9+: Weak Session Cookie analysis with Burp Suite

Miguel Sampaio da Veiga, published in Hacker Toolbelt, Aug 28, 2019 (3 min read)

Modern web apps establish a series of transactions between the client and the server. Since the HTTP protocol is stateless, the way to follow a user across requests is to create a session per authenticated user. For more information about the architecture of a web app, OWASP has a fantastic article here.

In this lab we’re going to explore the different security levels available in the DVWA target and determine how secure and random the session cookies are at each one.

Fire up the DVWA and Kali Linux machines. Open your favorite browser and Burp Suite. Set the browser to use Burp:

Low

Before beginning, turn off ‘Intercept’ in Burp so requests pass through the proxy without being held:

Open DVWA’s page and set the security level to low. Navigate to ‘Weak Session IDs’:

Every time the ‘Generate’ button is clicked, the cookie ‘dvwaSession’ receives a new value. Let’s analyse how these values are created and how secure they are. Click the button and head to Burp. Click the button again and look at Burp:

dvwaSession’s first value was ‘1’, then ‘2’. The next one will be ‘3’. There is no randomness; the values are trivially predictable. This opens a Man-In-The-Middle attack vector.

Let’s use Burp Suite’s Sequencer, the tool it provides for evaluating the quality of randomness in tokens. Right click the request and choose ‘Send to sequencer’:

Click ‘Start live capture’ and, when it finishes, click ‘Analyse now’.

The results are bad, as expected. There’s no randomness in the value. Let’s try the medium security level.

Medium

Clear the sequencer and set the security level to medium. Go back and click ‘Generate’ a couple of times.

dvwaSession’s value seems more secure. But is it really? Let’s use Burp’s Sequencer to find out. Proceed as before to obtain an analysis.

Again, the results are bad and there is no randomness. dvwaSession’s value may look secure, but it’s really just the current date and time as a Unix timestamp in seconds.

High

Set the security level to high and click the ‘Generate’ button a couple of times. Analyse the samples with Burp:

Burp rates the value’s randomness quality as excellent. But is it? Take the value and test it against common hash algorithms, such as MD5.

Open a terminal window and type the command:

$ findmyhash MD5 -h copy_hash_value

So it’s not so impregnable after all. Quite the opposite!

Let’s analyse the Impossible level.

Impossible

Proceed as before and wait for the results.

The results are excellent as expected.
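The four behaviours observed above (a bare counter at low, a Unix timestamp at medium, an MD5 of a small counter at high, and nothing recognisable at impossible) condensed into a check a tester can run over captured dvwaSession values instead of eyeballing them. This is an added example, not code from the article or from DVWA; the sample sequences are constructed here, and the upper bound on the MD5 preimage search is an assumption.

```python
import hashlib
import re
import time

# Constructed sample cookie sequences modelled on each DVWA level (not captured values).
SAMPLES = {
    "low": ["1", "2", "3", "4"],
    "medium": ["1567000000", "1567000003", "1567000007"],
    "high": [hashlib.md5(str(i).encode()).hexdigest() for i in range(1, 5)],
    # Placeholder for the impossible level: SHA-1 over constructed unpredictable input.
    "impossible": [hashlib.sha1(f"constructed-random-{i}".encode()).hexdigest() for i in range(4)],
}

def is_counter(values):
    """True if every value is an integer exactly one larger than the previous one."""
    try:
        nums = [int(v) for v in values]
    except ValueError:
        return False
    return len(nums) > 1 and all(b - a == 1 for a, b in zip(nums, nums[1:]))

def is_unix_timestamp(values, now=None):
    """True if the values are integers within a day of the wall clock and non-decreasing."""
    now = time.time() if now is None else now
    try:
        nums = [int(v) for v in values]
    except ValueError:
        return False
    within_day = all(abs(n - now) < 86400 for n in nums)
    return within_day and all(b >= a for a, b in zip(nums, nums[1:]))

def md5_preimage_small_int(value, limit=100000):
    """Return the small non-negative integer whose MD5 hex digest equals value, else None.
    The search bound `limit` is an assumption, not a DVWA constant."""
    if not re.fullmatch(r"[0-9a-f]{32}", value):
        return None
    for i in range(limit):
        if hashlib.md5(str(i).encode()).hexdigest() == value:
            return i
    return None

def classify(values, now=None):
    """Label a sequence of session IDs by the weakest pattern it matches."""
    if is_counter(values):
        return "counter"
    if is_unix_timestamp(values, now):
        return "unix_timestamp"
    if all(md5_preimage_small_int(v) is not None for v in values):
        return "md5_of_counter"
    return "no_obvious_pattern"

if __name__ == "__main__":
    for level, vals in SAMPLES.items():
        print(f"{level}: {classify(vals, now=1567000000)}")
```

A Sequencer-style entropy score alone would have passed the high level; the point of the third check is that a statistically random-looking token can still be a deterministic function of predictable input.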
