  1. #1

    Cookie Poisoning how to.

    Test cookie poisoning


    Web site cookie poisoning came up twice in the last week while testing, so I guess now is a great time to talk about how to test for the vulnerability of cookie poisoning. I'm not going to get into the details of how a cookie works but rather how to poison them. If you want details of how they work from a testing point of view, read this respectable paper.

    Web sites use cookies (a lot of them). Cookies can be permanent (on disk) or temporary (in memory), and cookies contain variables; variables that the site cares about, and that can be messed with or "poisoned" to get results that the Web site didn't intend to give you. Use the following test page as an example. The test pages are simple: if you have the right cookie content then you will receive a 50% discount; if the content isn't right then you will not receive the 50% discount. The first page sets the cookie with the content "SpecialOffer=No", indicating that you are not eligible by default. The cookie-setting code on this page is simple and looks like this:


    <SCRIPT>
    document.cookie = "SpecialOffer=No";
    </SCRIPT>
    Now, if you click the link "Click here to see if you are eligible for 50% discount" you'll see that you are not eligible for the discount. The check on the 2nd page is pretty simple too and looks like this:

    <SCRIPT>
    var pos = document.cookie.indexOf( "SpecialOffer=Yes" );
    if( pos == -1 ) {
    document.write("I'm sorry you are NOT eligible for the 50% discount");
    }
    else {
    document.write("You are eligible for the 50% discount");
    }
    </SCRIPT>

    In the above script I look for the value "SpecialOffer=Yes" in the cookie content and then react accordingly. If I don't see "SpecialOffer=Yes" then you aren't eligible for the discount. Now, on to the fun stuff! How do you make yourself eligible for the discount? To do this we need to change the default cookie content value from "SpecialOffer=No" to "SpecialOffer=Yes". How does one change cookie values? There are quite a few ways, but I'll share with you my 3 favorites:

    1. Add N Edit Cookies FireFox extension
    2. Paros Proxy
    3. Paste the following JavaScript in the URL bar to view the cookies:
    javascript:alert(document.cookie.split(';').join(' \n'))

    and the following to modify it:

    javascript:alert(window.c=function a(n,v,nv) {c=document.cookie;c=c.substring(c.indexOf(n)+n.length,c.length);c=c.substring(1,((c.indexOf(";")>-1) ? c.indexOf(";") : c.length));nc=unescape(c).replace(v,nv);document.cookie=n+"="+escape(nc);return unescape(document.cookie);});alert(c(prompt("cookie name:",""),prompt("replace this value:",""),prompt("with:","")));

    How to poison cookies with Add N Edit Cookies

    1. Navigate to http://www.qainsight.net/examples/cookietest.htm in FireFox
    2. Click the cookie icon in your FireFox toolbar
    3. Find the cookie for www.QAInsight.net and double click it or highlight it and press the edit button
    4. Change the content form field from "No" to "Yes" (case sensitive)
    5. Go back to the browser and click the link "Click here to see if you are eligible for 50% discount"
    6. KaaaaPOW.... You now have the 50% discount! You're a freakin' evil, bad to the bone tester!

    How to poison cookies with Paros Proxy
    Typically I wouldn't use Paros in this situation because the cookie is being set on the client side (you won't see this too much in the real world). The following example isn't what I consider cookie poisoning but more JavaScript manipulation. The following assumes you have cleared your cache:

    1. Turn on Paros and set your IE connection options to use the address 127.0.0.1 with a port of 8080
    2. In Paros click the "Trap" tab and check the "Trap Request" and "Trap Response" checkboxes
    3. Navigate to http://www.qainsight.net/examples/cookietest.htm in IE
    4. Go back to Paros (Trap tab) and press the "continue" button until you see the following text in the bottom pane:
    <SCRIPT>
    document.cookie = "SpecialOffer=No";
    </SCRIPT>
    5. Change the "No" to "Yes" in the above line
    6. Click the "Continue" button.
    7. Go back to IE and click the link "Click here to see if you are eligible for 50% discount"
    8. Whoot! You now have the 50% discount! You're one sexy cool tester with a severity 1 defect that needs to be submitted.

    There are situations where you will want to change the cookie value in the header (the top pane in the Trap tab) on the response or the request; this is when you would use Paros over Add N Edit Cookies: situations where you need to manipulate the cookie before the response is rendered or before the request is sent, because server-side or client-side code manipulates the cookie.

    How to poison cookies with JavaScript

    1. Navigate to http://www.qainsight.net/examples/cookietest.htm in IE
    2. To view the set cookie, type the following in the URL bar:
    javascript:alert(document.cookie.split(';').join(' \n'))
    3. You will see "SpecialOffer=No". Click Ok
    4. Copy and paste the following JavaScript in the browser URL bar:
    javascript:alert(window.c=function a(n,v,nv) {c=document.cookie;c=c.substring(c.indexOf(n)+n.length,c.length);c=c.substring(1,((c.indexOf(";")>-1) ? c.indexOf(";") : c.length));nc=unescape(c).replace(v,nv);document.cookie=n+"="+escape(nc);return unescape(document.cookie);});alert(c(prompt("cookie name:",""),prompt("replace this value:",""),prompt("with:","")));
    5. Hit the enter key
    6. Click the Ok button at the JavaScript Alert
    7. Type the cookie name of SpecialOffer in the Alert box and click the Ok button
    8. At the "replace this value" script prompt type No and press the Ok button
    9. At the "with:" script prompt type Yes (case sensitive) and press the Ok button
    10. The next alert will show you the replaced cookie. You should see: SpecialOffer=Yes
    11. Click the Ok button
    12. In IE click the link "Click here to see if you are eligible for 50% discount"
    13. DingDingDingDing.... You're a winner! You now have the 50% discount! You're quite the bad-ass tester aren't you? You're like the wicked witch in Snow White but instead of poisoning apples you poison cookies.

    And that's how I conduct cookie poisoning when testing. Not too awful tough eh? Oh...if I ever get confused about the state of cookies before and after poisoning I use HTTPWatch to get a better idea of what is going on. I can usually get the gist of it by looking through the cookie and header tabs.

    When do you test for the cookie poisoning vulnerability, you ask? Whenever there is a cookie being used! Is it a defect if you can manipulate the cookie? Not necessarily. They typically are defects when a cookie is being placed that impacts or restricts the site's behavior and you can exploit that feature. If you manipulate a cookie and it doesn't gain you anything or exploit a feature, then it's not of much value, thus not a defect. But...it's important that you know what the cookie you are poisoning does; without knowing what the cookie does you may be poisoning something and not seeing that exploit. To prevent guesswork, it's easiest if you work with your developer to understand what he/she is doing with cookies on the site so you can go straight for the kill.

    Happy poisoning!


    from Test cookie poisoning | testingReflections.com
    I live in cmd, so don't bother me asking for dir.

  2. #2
    s3my0n

    Re: Cookie Poisoning how to.

    Nice tutorial. I use the Tamper Data Firefox extension, which is pretty useful and faster than, say, Paros Proxy, which you have to wait for to load and set the right proxy settings for in Firefox.

    I sure will now check cookie sessions to see if there's anything I can change to my advantage ^^

    +rep for sharing
    In view of such harmony in the cosmos which I, with my limited human mind, am able to recognise, there are yet people who say there is no God. But what makes me really angry is that they quote me for support of such views.
    Albert Einstein
