Using Burp to Attack Session Management

The session management mechanism is a fundamental security component in the majority of web applications. HTTP itself is a stateless protocol, and session management enables the application to uniquely identify a given user across a number of different requests and to handle the data that it accumulates about the state of that user's interaction with the application.

Because of the key role played by session management mechanisms, they are a prime target for malicious attacks against the application. If an attacker can break an application's session management, they can effectively bypass its authentication controls and masquerade as other application users without knowing their credentials. If an attacker compromises an administrative user in this way, the attacker can own the entire application.

Use the links below to access various tutorial pages for testing session management vulnerabilities: