Modifying PHP Session Variables

In my previous post regarding PHP session compromise, I demonstrated how a poorly configured session ID can be brute-forced by an attacker. In this post we shall look at how poor coding practices can also lead to session compromise, without the attacker having to discover a protected session ID. This attack will be demonstrated against level 20 of the Natas hacking game.