WebApp Sec mailing list archives
Re: Unable to impersonate another user although having its cookie
From: Irene Abezgauz <irene.abezgauz () gmail com>
Date: Wed, 1 Jul 2009 17:30:03 +0300
Juan,

A few questions to direct this:

1. Are there any parameters in the request itself, other than the cookie, that could be client/session identifiers (either in the body of a POST or as part of the URL in a GET)?
2. Are you trying to execute a similar request? Is there a chance you are failing not due to the cookie but due to the lack of other parameters (such as an anti-CSRF token)?
3. Is it HTTP or HTTPS traffic? I've encountered applications that make the connection between the SSL session and the application session.

Each of the above can be a direction of why it's not working for you. Answering one or more of those can help direct to the problem.

Irene

On Wed, Jul 1, 2009 at 1:14 PM, Juan Kinunt <kinunt () gmail com> wrote:
Hi,

I'm auditing a web application programmed in CakePHP and I'm having a problem. I'm almost sure the authentication mechanism is carried by a cookie, but I'm unable to impersonate another user using its cookie.

The probe I do is opening two sessions with two different users (one in Internet Explorer and one in Firefox). Then I copy the cookie belonging to one user and substitute it in a request done by the other user (using WebScarab). The app throws an error and disconnects the validated and legal user.

I think that some info is stored on the server side about the client who owns each cookie. Is this possible? Is it the normal operation of sessions in CakePHP?

Any info or pointer would be very useful. Thanks.
Current thread:
- Unable to impersonate another user although having its cookie Juan Kinunt (Jul 01)
- Re: Unable to impersonate another user although having its cookie pUm (Jul 01)
- Re: Unable to impersonate another user although having its cookie Brad Causey (Jul 01)
- Re: Unable to impersonate another user although having its cookie jay . tomas (Jul 01)
- Re: Unable to impersonate another user although having its cookie Christopher Firth (Jul 01)
- Message not available
- Re: Unable to impersonate another user although having its cookie jay . tomas (Jul 01)
- Re: Unable to impersonate another user although having its cookie Marc Ouwerkerk (Jul 01)
- Re: Unable to impersonate another user although having its cookie S I (Jul 01)
- Re: Unable to impersonate another user although having its cookie Heine Deelstra (Jul 01)
- Re: [SOLVED] Unable to impersonate another user although having its cookie Juan Kinunt (Jul 06)
- Re: Unable to impersonate another user although having its cookie pUm (Jul 01)
- Re: Unable to impersonate another user although having its cookie Michael Yelland (Jul 01)
- Re: Unable to impersonate another user although having its cookie Guillermo Caminer (Jul 06)
- Re: Unable to impersonate another user although having its cookie José Manuel Molina Pascual (Jul 06)
- <Possible follow-ups>
- RE: Unable to impersonate another user although having its cookie Martin O'Neal (Jul 01)
- Re: Unable to impersonate another user although having its cookie arvind doraiswamy (Jul 27)