Penetration Testing mailing list archives

Re: [PEN-TEST] altering non-persistent cookies in memory


From: Dzzie Z <dzzie () YAHOO COM>
Date: Wed, 17 Jan 2001 03:36:32 -0500

Many companies are using non-persistent cookies to authenticate
user sessions. Have any of you had any experience or ideas for accessing
and altering non-persistent cookies in a browser's memory? Options I have
considered are using JavaScript to overwrite the cookie during the session,

        I have played around with using cross-site scripting vulnerabilities on
myself to access "extra curricular" data from servers that block direct
request of the files ...writing script to their window to alter your
current cookie; this should be just as effective...

editing the cookie in memory with Soft Ice or something similar during the
session.

Never thought of changing it in memory, good idea : )


Or
simply telnetting to port 80 of the webserver and submitting a fake cookie
directly?

        As for using a custom program to submit fake cookies, I think you would
have to accept the session cookie, alter it, then spit it back...but would
there be a trick in trying to maintain the session as a browser would? Do
non-persistent session cookies have to always send a keep-alive?

        In all cases the trick would be to identify what you could change in the
cookie that was being taken for granted by the backend application and
keep it at a valid value.

        As another side thought, can anyone think of a way a developer might
organize a SQL statement that draws data from a cookie such that it could be
exploited by the cookie containing SQL statements?

        If a developer was to pull the info from the cookie by merely looping through a
collection and directly passing the name and value into a SQL statement, I
could imagine quite bad things happening...on long long query string
submissions though this might just happen...

        Outside of cookies, if you were to play around doing a css attack on
yourself and dynamically change the names of the contents of the
form....developers would expect these things to be set in stone...if they
didn't take the time and type to explicitly request them by name and just
looped through a collection then passed the names and values into SQL
statements....

        Think I will play with this more on some of my applications and see if I
am missing something..but at least at 3:30 in the morning they seem like
quite viable techniques...anyone see where they might fail/work?
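The two risks the post raises, a session cookie that is edited on the client (in memory or by script) and a backend that loops over every cookie name/value pair and splices it into SQL, both come down to the server trusting cookie contents it never verified. The example below is added here and is not code from the post or from any list member; it assumes a SQLite table `sessions(sid, username)`, a cookie named `sid`, and a server-side key held in the `SERVER_KEY` constant (all constructed for the example). It shows the looped-concatenation lookup the post describes, kept deliberately broken, beside a hardened version that reads only the expected cookie, checks an HMAC over it so a client-side edit is rejected, and binds the value as a query parameter.

```python
import hashlib
import hmac
import sqlite3

# Assumption: a real deployment loads this key from configuration, not source.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory session table standing in for the backend's store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (sid TEXT PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO sessions VALUES (?, ?)",
        [("sid-1111", "alice"), ("sid-2222", "bob")],
    )
    return conn


def parse_cookie_header(header: str) -> dict:
    """Minimal 'name=value; name=value' splitter, written for this example."""
    jar = {}
    for part in header.split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            jar[name.strip()] = value
    return jar


def issue_session_cookie(sid: str) -> str:
    """Value handed to the browser: '<sid>.<hmac>'. The MAC lets the server
    detect a cookie that was altered on the client, by script or in memory."""
    mac = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{mac}"


def verify_session_cookie(value: str):
    """Return the sid if the MAC over it matches, otherwise None."""
    sid, sep, mac = value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes so a non-ASCII MAC cannot raise.
    return sid if hmac.compare_digest(mac.encode(), expected.encode()) else None


def lookup_user_vulnerable(conn: sqlite3.Connection, cookie_header: str):
    """The pattern the post warns about: every cookie name/value pair is looped
    over and pasted into SQL text. Deliberately left broken for comparison."""
    jar = parse_cookie_header(cookie_header)
    clauses = [f"{name} = '{value}'" for name, value in jar.items()]
    sql = "SELECT username FROM sessions WHERE " + " AND ".join(clauses)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_user_safe(conn: sqlite3.Connection, cookie_header: str):
    """Hardened form: read only the expected cookie by name, reject it unless
    its MAC checks out, and bind the value so it can never become SQL."""
    jar = parse_cookie_header(cookie_header)
    if "sid" not in jar:
        return None
    sid = verify_session_cookie(jar["sid"])
    if sid is None:
        return None
    row = conn.execute("SELECT username FROM sessions WHERE sid = ?", (sid,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = build_demo_db()
    good = issue_session_cookie("sid-1111")
    # Constructed tampered copy: the sid part edited, the old MAC left in place.
    tampered = "sid-2222." + good.split(".", 1)[1]
    print("legitimate cookie  ->", lookup_user_safe(conn, "sid=" + good))
    print("edited sid, old MAC ->", lookup_user_safe(conn, "sid=" + tampered))
    print("SQL in cookie, safe ->", lookup_user_safe(conn, "sid=x' OR '1'='1"))
    print("SQL in cookie, vuln ->", lookup_user_vulnerable(conn, "sid=x' OR '1'='1"))
```

The safe path never consults the cookie name as a column and never lets a cookie value reach the SQL parser, so the "looping through a collection" shortcut the post describes is ruled out structurally rather than by escaping. The MAC does not stop someone from replaying a cookie they legitimately hold, only from changing its contents; the session id itself still has to be unguessable and looked up server-side.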

