7.4 Session
What to look for
- Token Lifetime
- Session Fixation
- Token in URL
Example 1 Hex-decode SESSIONID to ASCII
echo -n 757365723A6874623B726F6C653A75736572 | xxd -r -p; echo
Example 2 rememberme token
Usually lasts for seven days. A long lifetime leaves time for brute force.
Example 3 weak encryption
File signature
https://en.wikipedia.org/wiki/List_of_file_signatures
Decode from base64, convert to hex, and compare the first 4 bytes against the file signature list.
Cyberchef
https://gchq.github.io/CyberChef/
Use the Magic operation.
Decodify
https://github.com/s0md3v/Decodify
Automate cookie tampering
https://academy.hackthebox.com/storage/modules/80/scripts/automate_cookie_tampering_py.txt
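The base64-to-hex signature check from Example 3, written out as an added Python example for auditing what a session cookie exposes (not code from this page or from the linked script). The names `decode_token`, `classify` and `inspect` are hypothetical, the signature table is a small subset of the linked list, and the second token is a constructed sample.

```python
import base64, binascii, gzip, string
from urllib.parse import unquote

# Leading bytes taken from the file-signature list linked above (small subset).
SIGNATURES = {
    bytes.fromhex("1f8b"): "gzip",
    bytes.fromhex("425a68"): "bzip2",
    bytes.fromhex("504b0304"): "zip",
    bytes.fromhex("89504e47"): "png",
}

def decode_token(token):
    """Return (encoding, raw_bytes); hex is tried before base64."""
    token = unquote(token.strip())  # cookie values are often URL-encoded
    try:
        return "hex", bytes.fromhex(token)
    except ValueError:
        pass
    try:
        padded = token + "=" * (-len(token) % 4)  # restore stripped padding
        return "base64", base64.b64decode(padded, altchars=b"-_", validate=True)
    except (binascii.Error, ValueError):
        return "unknown", token.encode()

def classify(raw):
    """Name the content from its magic bytes, or flag readable text."""
    for magic, name in SIGNATURES.items():
        if raw.startswith(magic):
            return name
    if raw and all(chr(b) in string.printable for b in raw):
        return "plaintext"
    return "opaque"

def inspect(token):
    encoding, raw = decode_token(token)
    kind = classify(raw)
    if kind == "gzip":
        inner = gzip.decompress(raw).decode(errors="replace")
    else:
        inner = raw.decode(errors="replace") if kind == "plaintext" else None
    return {"encoding": encoding, "first4": raw[:4].hex(), "kind": kind, "contents": inner}

PAGE_TOKEN = "757365723A6874623B726F6C653A75736572"  # value from Example 1
# Constructed sample: the same fields gzip-compressed, then base64-encoded.
CONSTRUCTED = base64.b64encode(gzip.compress(b"user:htb;role:user", mtime=0)).decode()

if __name__ == "__main__":
    for t in (PAGE_TOKEN, CONSTRUCTED):
        print(inspect(t))
```

A result of `plaintext` or a recognised signature means the token is only encoded or compressed, so its fields are readable by the client and need server-side integrity protection.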
Example 4 Weak Session token
Two users receive the same token.
john --incremental=LowerNum --min-length=6 --max-length=6 --stdout | wfuzz -z stdin -b HTBSESS=FUZZ --ss "Welcome" -u https://test.test.test/profile.php