How to Perform Session Hijacking? (Practical Guide)

Using Zed Attack Proxy (ZAP) to Perform Session Hijacking

In this practical, you will understand how to obstruct the traffic between a web browser and a web server. 

  1. Open Google Chrome
  2. Navigate to Customize and control Google Chrome and click on Settings.
  3. When the Chrome://settings window comes, click on Advanced.
  4. Click on Open proxy settings from the System section.
  5. When the Internet Properties window comes, click on Connections and then click on LAN settings.
  6. Next, check the Use a proxy server for your LAN.
  7. Enter the IP address of the attacker machine in Address. In the Port field, enter 8080. Click on OK. Here, the attack machine is Windows Server 2016 and its IP address is 10.10.10.16.

When you enter these details, it will show an Internet Properties window, click on Apply, and then on OK. It will configure the proxy settings for the victim machine. Close Chrome.

  1. Open Windows Server 2016.
  2. Double-click on OWASP ZAP 2.7.0.
  3. When the Do you want to persist the ZAP Session? prompt comes, choose No, I do not want to persist this session at this moment of time. Click on Start

In case you see an Always check for updates on start pop-up, click on Cancel.

  1. It will open the OWASP ZAP window. Click on the ‘+’ icon and add the Break tab. 

The Break tab will help you to make changes to the requests when it’s caught by ZAP. It also helps in modifying the header, hidden fields, disabled fields, and more.

  1. When the Break tab is available in the OWASP ZAP, work on configuring the ZAP to make it work as a proxy. For configuration of ZAP as a proxy, go to Tools and click on Options.
  2. When the Options window comes, choose Local Proxies. Write the IP address of Windows Server 2016 in the Address field. Keep the Port to default and click on OK.
  3. Click on Set break on all requests and responses from the ZAP toolbar.
  4. Open Windows 10. Open Chrome again where you had configured the proxy settings. Visit moviescope.com.
  5. Return to Windows Server 2016. It will initiate capturing the requests of the target machine in a ZAP proxy. Click on Submit and step to next request or response, until the capturing of the GET request of the website you are browsing is done. 

In case you see any OWASP ZAP pop-up, click on OK

  1. Replace moviescope.com with goodshopping.com in the GET requests that you captured in the Break tab. Once this is done, click on Submit and step to next request to response to send the traffic to the target machine. 

Do this process until the target machine shows goodshopping.com site.

  1. Now, check that Windows 10 browser has visited moviescope.com site but it shows the goodshopping.com web page. 
  2. Once the practice is done, close the applications and windows.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *