Wednesday, April 23, 2014
Cookie injection

This article explains what cookie injection is, with a simple proof of concept.

Note: there are a few pictures; look at them for a better understanding.

Most of us think that the HTTPS protocol is secure. That is not true when the target server uses cookies for authentication. In the implementations in browsers and in programming languages (PHP), flaws of principle can be found that can lead to information disclosure.

Theory: We have a client station accessing the web or LAN through a proxy or a network segment that we control. The client station connects to "our" server via SSL and receives a unique session ID; the server then binds the user's credentials (user name and password) to that ID and authorizes the user. Up to this point you don't see any flaw. The only small problem appears when the server does not set the "secure" flag on its cookies and you don't log out before browsing to another page in the same domain. In that case an attacker can capture the cookies and hijack the session.

Now we understand that the way to the cookies can lead through an unsecured connection. But what if the admin protects the cookies with the "secure" flag, i.e. the cookies are not sent over an unsecured connection? Nothing is lost. Most programming languages and frameworks do not guard the distribution of cookies, i.e. they do not bind a cookie to a specific user or IP. In this case we can hijack the session with a little trick:

First, we connect to the secured server and let it issue us a generated session ID cookie.

a.: the randomly generated cookie with the session ID

Now we count on the client accessing the LAN/web through our segment or proxy. We give the client our previously obtained cookie when he logs in to the unsecured part of the site, or we serve it to him via a picture inserted into another page; in the extreme case we can forward a random client request to the unsecured part of the site. For this purpose we can use a filtering proxy server such as Privoxy.

b.: the session ID that we know

Now the client has stored the cookie with the session ID generated by us. Because most scripts only check whether you have ANY session, and generate one if you don't, the web server will accept it. The server will not know that somebody else is connecting with the same session ID; it will simply bind new credentials to the cookie (we can't get them, because they are stored on the server and bound only to the session ID) and mark the session as ACCEPTED. At this point you have successfully logged in to the server over the secured connection, and the attacker knows your session ID, with which he can perform operations under your name. The attacker now only needs to open a browser and go to the page, and he will be logged in. If he is passing both communication streams through the proxy, it will look as if a user with the same IP and session ID logged in.

SID: session ID

Practical attack realization:
1. Get a filtering proxy server: Privoxy [Linux], Proxomitron [win32]
2. Generate a SID
3. In the proxy server, insert our SID into the headers of the unsecured connection
4. Forward the victim to the unsecured connection: 301 redirect, hidden picture etc.
5. If we see activity on SSL port 443, we just go to the page and will be automatically logged in by the system.
6. Enjoy :)

This tutorial is kind of hard to understand, and requires knowledge of the basics of the internet, cookies and proxies, plus packets.
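The weakness the article relies on is that the server accepts whatever session ID the client presents and then binds the victim's login to it, and the standard fix is to issue a fresh ID on login. The following Python simulation is an added example, not code from the article or from any real framework; SessionStore, its strict and regenerate_on_login flags, set_cookie_header and fixation_succeeds are constructed names, and the cookie attributes shown are the ones a server would send.

```python
import secrets

class SessionStore:
    """Constructed in-memory session store. strict=False reproduces the
    behaviour the article relies on (any SID the client presents is
    accepted and created on the fly); regenerate_on_login is the fix."""
    def __init__(self, strict=True, regenerate_on_login=True):
        self.strict = strict
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}  # sid -> {"user": name or None}

    def new_sid(self):
        sid = secrets.token_hex(16)  # 128-bit, server-issued
        self.sessions[sid] = {"user": None}
        return sid

    def resolve(self, cookie_sid):
        """Known SIDs are reused; unknown ones are adopted in lax mode
        (the article's case) and discarded in strict mode."""
        if cookie_sid in self.sessions:
            return cookie_sid
        if not self.strict and cookie_sid is not None:
            self.sessions[cookie_sid] = {"user": None}
            return cookie_sid
        return self.new_sid()

    def login(self, cookie_sid, user):
        """Bind credentials to a session and return the SID to set."""
        sid = self.resolve(cookie_sid)
        if self.regenerate_on_login:
            del self.sessions[sid]  # a planted SID never carries the login
            sid = self.new_sid()
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, cookie_sid):
        entry = self.sessions.get(cookie_sid)
        return entry["user"] if entry else None

def set_cookie_header(sid):
    # Secure keeps the cookie off plain HTTP (the article's first mitigation);
    # HttpOnly keeps it away from page scripts.
    return f"Set-Cookie: SID={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"

def fixation_succeeds(store, planted_sid):
    """Victim arrives carrying planted_sid and logs in: does whoever
    planted that SID now see the victim's identity?"""
    store.login(planted_sid, "victim")
    return store.whoami(planted_sid) == "victim"
```

Strict mode alone only stops made-up IDs; because the article's attacker first obtains a genuine server-issued ID, only regenerating the ID on login closes the hole.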

All rights reserved (c) Nostur


wolfmankurd on October 23 2005 - 19:07:38
xdanx on October 23 2005 - 21:51:29
It's simpler to use the cookie editor from Firefox?!? B)