This is the session you are looking for
Now that we've seen all of the ways in which web app developers attempt to make our job tough, let's take a look at how we can test how well they have done. We'll see that there are several places we can attack the chain of trust, test for the resiliency of the session management mechanisms, and learn to overcome them.
Munching on some cookies?
Most attackers and pen testers will find that sloppy management of session information is often the easiest path to compromising the application. "Cookies" is a pretty broad term for that session information, and intercepting and mangling it can be a windfall. Burp Suite is well suited to this task through its Proxy Intercept and Repeater capabilities. For this test, we'll begin by logging into our Mutillidae (OWASP Broken Web App VM) application's A2 - Broken Authentication and Session Management | Privilege Escalation | Login page through Firefox (as shown in the following screenshot...
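As an added example (not from the book, and not Mutillidae's or Burp's own code), the following Python script applies the checks a tester makes on intercepted session cookies, namely cookie attributes, session ID rotation at login, and token entropy, to constructed Set-Cookie headers. The cookie name PHPSESSID, the sample header values and the 64-bit entropy threshold are assumptions.

```python
"""Audit session cookies captured before and after login (added example)."""
import math
from collections import Counter


def parse_set_cookie(header: str):
    """Split one Set-Cookie header value into (name, value, {attr: value|True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val if val else True  # bare flags become True
    return name.strip(), value, attrs


def shannon_bits(token: str) -> float:
    """Rough total entropy estimate: per-character Shannon entropy times length."""
    n = len(token)
    counts = Counter(token)
    per_char = -sum(c / n * math.log2(c / n) for c in counts.values())
    return per_char * n


def audit_session(pre_login: str, post_login: str, min_bits: int = 64):
    """Return a list of weaknesses a tester would look for in a session cookie."""
    _, pre_val, _ = parse_set_cookie(pre_login)
    _, post_val, attrs = parse_set_cookie(post_login)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may travel over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable from script")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append("weak or missing SameSite: cross-site request exposure")
    if pre_val == post_val:
        findings.append("session ID not rotated at login: fixation risk")
    if shannon_bits(post_val) < min_bits:
        findings.append("low-entropy session ID: guessable token")
    return findings


# Constructed sample headers (not real captures): a sloppy app and a hardened one.
WEAK_PRE = "PHPSESSID=user123; Path=/"
WEAK_POST = "PHPSESSID=user123; Path=/"
STRONG_PRE = "PHPSESSID=3f9a1c7e5b2d8046a9e1c3b7d5f20e84; Path=/; Secure; HttpOnly; SameSite=Strict"
STRONG_POST = "PHPSESSID=a7c2e914f06d5b38c1e47a20d9f3b685; Path=/; Secure; HttpOnly; SameSite=Strict"

if __name__ == "__main__":
    for label, pre, post in (("weak", WEAK_PRE, WEAK_POST), ("strong", STRONG_PRE, STRONG_POST)):
        print(label, audit_session(pre, post) or ["no findings"])
```

In practice the two header strings come from the Set-Cookie responses seen in Burp's Proxy history before and after the login request.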