A basic introduction to cookie poisoning
One of the major mistakes web masters make is assuming that all the data they set stays the same. Values such as cookies and hidden form fields look harmless to them because the server set them, yet the client can change them before sending them back.
To start with I am going to show how the web master sets his data for his vulnerable CMS.
He begins with a form :-
[username] Username
[********] Password
[Button] Submit button
Once the form is submitted, the backend PHP which receives the $_POST is as follows.
<?php
// Uses the old mysql_* extension, as the original page does (removed in PHP 7).
if ((isset($_POST['user'])) && (isset($_POST['pass']))) {
    $user = $_POST['user'];
    $pass = $_POST['pass'];
    // <Database connection>
    // mysql_real_escape_string stops SQL Injection here
    $query = mysql_query("SELECT * FROM `usertbl` WHERE `user` = '".mysql_real_escape_string($user)."' AND
        `pass` = '".mysql_real_escape_string($pass)."'");
    if ($query) {
        $num_rows = mysql_num_rows($query);
        if ($num_rows >= 1) {
            echo "Username accepted";
            // The cookie carries the raw username and password joined by a colon
            setcookie("UID", ($user . ":" . $pass), time()+7200);
        } else {
            echo "Username Incorrect";
        }
    } else {
        echo "MySQL Error";
    }
} else {
    echo "<FORM Details>";
}
?>
Right, so now we have checked the database for the username and password and set the cookie.
Presuming our attacker's username and password are correct, the cookie will be something like the following:
UID = "tom:password123".
Later on our attacker visits a protected page and his cookie is checked with this code.
<?php
if (isset($_COOKIE['UID'])) {
    $cookie = $_COOKIE['UID'];
    $cookies = explode(":", $cookie);
    // <Database connection>
    // $cookies[0] is the first part of $cookie ie User, $cookies[1] is the password part
    // Notice here the webmaster forgot to prevent SQL Injection: the cookie contents
    // go straight into the query with no mysql_real_escape_string
    $query = mysql_query("SELECT * FROM `usertbl` WHERE `user` = '".$cookies[0]."' AND
        `pass` = '".(isset($cookies[1]) ? $cookies[1] : '')."'");
    if ($query) {
        $num_rows = mysql_num_rows($query);
        if ($num_rows >= 1) {
            viewPage();   // show the protected page
        }
    }
}
?>
Now, if the cookie stays the same the SQL query is safe. However, if you change the cookie, you can exploit the cookie check as simply as a basic SQL injection.
Right, now we have seen how basic cookie poisoning works with SQL injection. The same trick can also be used with all the other major web vulnerabilities.
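The following is an added example, not code from the original post, that rebuilds the cookie check above in Python against an in-memory SQLite table so the defect and its fix can be run side by side. The table, the user "tom" and the key SECRET_KEY are all constructed for this example. The vulnerable path mirrors the page's design (cookie = "user:pass", concatenated into SQL); the hardened path issues a cookie that carries only the username, an expiry and an HMAC tag, verifies the tag before touching the database, and uses a parameterised query. Storing the password in the cookie at all is a second defect of the original design; the hardened cookie does not contain it.

```python
"""Cookie poisoning demo: the page's cookie check rebuilt in Python (constructed example)."""
import hashlib
import hmac
import sqlite3
import time

# Constructed server-side secret for this example; load from config and rotate in production.
SECRET_KEY = b"constructed-example-key-do-not-reuse"


def make_db():
    """In-memory stand-in for the page's `usertbl` with one constructed user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usertbl (user TEXT PRIMARY KEY, pass TEXT)")
    # Plaintext password mirrors the page's schema; real systems store a salted hash.
    conn.execute("INSERT INTO usertbl VALUES (?, ?)", ("tom", "password123"))
    conn.commit()
    return conn


# ---- the page's design: cookie = "user:pass", pasted straight into SQL ----
def issue_cookie_vulnerable(user, password):
    return f"{user}:{password}"


def check_cookie_vulnerable(conn, cookie):
    user, _, password = cookie.partition(":")
    # Attacker-controlled text is concatenated into the query exactly as on the page.
    sql = f"SELECT user FROM usertbl WHERE user = '{user}' AND pass = '{password}'"
    return conn.execute(sql).fetchone() is not None


def vulnerable_check_errors(conn, cookie):
    """True if the cookie text was parsed as SQL (a database error): the signal a
    defender sees in application logs when cookie contents reach the query parser."""
    try:
        check_cookie_vulnerable(conn, cookie)
        return False
    except sqlite3.DatabaseError:
        return True


# ---- hardened design: signed cookie without the password, parameterised lookup ----
def _sign(payload):
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def login(conn, user, password):
    """Verify credentials with a parameterised query; return a signed cookie or None."""
    row = conn.execute(
        "SELECT user FROM usertbl WHERE user = ? AND pass = ?", (user, password)
    ).fetchone()
    if row is None:
        return None
    expires = int(time.time()) + 7200  # same 2-hour lifetime the page uses
    payload = f"{user}:{expires}"
    return f"{payload}:{_sign(payload)}"


def check_cookie_hardened(conn, cookie, now=None):
    """Return the username if the cookie is authentic and unexpired, else None."""
    parts = cookie.rsplit(":", 2)  # rsplit so a username containing ':' still parses
    if len(parts) != 3:
        return None
    user, expires, tag = parts
    # Constant-time compare; a tampered user or expiry never reaches the database.
    if not hmac.compare_digest(_sign(f"{user}:{expires}"), tag):
        return None
    current = now if now is not None else int(time.time())
    if not expires.isdigit() or int(expires) < current:
        return None
    row = conn.execute("SELECT user FROM usertbl WHERE user = ?", (user,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, genuine cookie:", check_cookie_vulnerable(db, issue_cookie_vulnerable("tom", "password123")))
    print("vulnerable, quote in cookie raises DB error:", vulnerable_check_errors(db, "tom':pw"))
    signed = login(db, "tom", "password123")
    print("hardened, genuine cookie:", check_cookie_hardened(db, signed))
    print("hardened, edited cookie:", check_cookie_hardened(db, "admin" + signed[len("tom"):]))
```

The database error in the vulnerable path is worth logging and alerting on: a quote character arriving in a session cookie and producing a SQL syntax error is a reliable sign that a client is editing cookie values. In the hardened path the signature check fails closed, so edited cookies are rejected before any query is built and show up as authentication failures rather than database errors.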