Penetration Testing mailing list archives

Re: common cookie db?


From: Javier Fernandez-Sanguino <jfernandez () germinus com>
Date: Fri, 20 Jan 2006 13:03:34 +0100

Ramon Pinuaga Cascales wrote:
Hi offset,

I've compiled a document called "cookie_fingerprinting".
I put here the cookies I usually found while working.

Interesting. Here's a patch adding some more cookies and also some additional references.

Javier
--- cookie_fingerprinting.orig.txt      2006-01-20 10:54:20.515625000 +0100
+++ cookie_fingerprinting.txt   2006-01-20 13:01:18.046875000 +0100
@@ -27,8 +27,18 @@
 Microsoft IIS (www.microsoft.com)
 -------------
 
+Format:
+Set-Cookie: ASPSESSIONIDXXXXXXXX=XXXXXXXXXXXXXXXXXXXXXXXX; path=/
+where 'X' is a upper case letter
+
+Sample:
 Set-Cookie: ASPSESSIONIDGQQGQYDC=KDGFBFGBLPNCMIIELPAINNJH; path=/
 
+Microsoft ASP.Net (www.microsoft.com)
+-----------------
+
+Set-Cookie: ASP.NET_SessionId=0hqed4qelkxvjj153tplacm0; path=/
+
 
 IBM Net.Commerce (www.ibm.com)
 ----------------
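Review bot: the new IIS Format line reads "where 'X' is a upper case letter"; make that "an upper case letter", and since the placeholders show two fixed widths (eight letters after ASPSESSIONID, twenty-four in the value, matching the sample), say so explicitly so a reader knows the lengths are part of the signature. The ASP.NET entry added in the same hunk has a sample but no Format line, unlike the IIS entry it sits next to; give it one in the same style, e.g. "Set-Cookie: ASP.NET_SessionId=xxxxxxxxxxxxxxxxxxxxxxxx; path=/" with a note that the sample value is lower case letters and digits, so the two Microsoft entries can be matched the same way.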
@@ -86,9 +96,15 @@
 
 IBM Tivoli Policy Director WebSeal (www.ibm.com)
 ----------------------------------
+Format:
+Set-Cookie: PD-S-SESSION-ID=2_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; Path=/; Secure
+where 'x' is {[A-Z],[a-z],[0-9],+,-}
 
+Example:
 Set-Cookie: PD-S-SESSION-ID=2_L7kl8vzZ9b8LMEwpm0PgqqQRIh2ZZakRamBlgvMXqIIAABDZ; Path=/; Secure
 
+When accessing a stateful sesion:
+Set-Cookie: PD_STATEFUL_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx=/LOCATION; Path=/
 
 WEBTRENDS ()
 ---------
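Review bot: "stateful sesion" in the added PD_STATEFUL line is a typo for "session", and that line carries neither a "Format:" nor an "Example:" label like the two lines above it, although its cookie name is a placeholder pattern (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) and "/LOCATION" reads as one as well; label it "Format:" and say what the x's and LOCATION stand for. The charset given for PD-S-SESSION-ID, "{[A-Z],[a-z],[0-9],+,-}", is not backed by the example, whose value contains only letters and digits; if "+" and "-" come from other captures, fine, otherwise mark them as unverified.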
@@ -96,8 +112,8 @@
 Set-Cookie: WEBTRENDS_ID=223.53.123.13-1091519275.658578; expires=Fri, 31-Dec-2010 00:00:00 GMT; path=/
 
 
-IBM WebSphere ()
--------------
+IBM WebSphere Application Server ()
+---------------------------------
 
 Set-Cookie: sesessionid=ZJ0DMWIAAA51VQFI50BD0VA;Path=/
 
@@ -120,3 +136,25 @@
 
 Set-Cookie: _sn=u3YBSdYfaf0oa5H1hz7Tc0ccApc0T1Iz60QWgeSiMEA_; Version=1; Path=/
 
+BlueCoat Proxy (www.bluecoat.com)
+--------------------------
+
+Set-Cookie: BCSI-CSC2B35314=1; Path=/
+
+Coldfusion (www.macromedia.com
+----------
+
+CFID, CFTOKEN, and CFGLOBALS
+
+More info at
+http://www.macromedia.com/cfusion/knowledgebase/index.cfm?id=tn_17919
+http://www.macromedia.com/cfusion/knowledgebase/index.cfm?id=tn_17915
+
+Urchin Tracking Module
+----------------------
+
+__utmz 
+__utma
+
+More info at:
+http://www.google.com/support/urchin45/bin/answer.py?answer=28307&topic=7425
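Review bot: "Coldfusion (www.macromedia.com" is missing its closing parenthesis. The new ColdFusion entry also lists CFID, CFTOKEN and CFGLOBALS by name only, with no "Set-Cookie:" sample line like every other entry in the file, and the BlueCoat entry gives a sample without saying what the suffix after "BCSI-CS" is; one sample line per cookie in the same form as the rest would let the document be matched mechanically. The Urchin entry lists client-side tracking cookies (__utma, __utmz) rather than a server session cookie; a one-line remark that these identify the analytics package and not the web server would keep the list's purpose clear.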

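As an added example (not part of this thread or of the cookie_fingerprinting document), here is the list above turned into a small Python matcher: it pulls every Set-Cookie header out of a raw HTTP response head, matches the name=value part against patterns derived from the Format: lines and samples quoted in the thread, and flags matched cookies that were set without the Secure attribute. The regexes are my reading of those entries; where the thread gives only a sample, the value charset is an assumption. The sample response head is constructed: its cookie values are the ones quoted in the thread plus one unrelated cookie.

```python
import re
from typing import Dict, List, Tuple

# Signatures derived from the cookie list in the thread. The product names are
# the ones used there; each regex is this example's reading of the entry's
# Format: line or sample. Where the thread gives only a sample, the value
# charset is an assumption (ASP.NET_SessionId, BCSI-CS..., PD_STATEFUL_...).
COOKIE_SIGNATURES: List[Tuple[str, re.Pattern]] = [
    ("Microsoft IIS (classic ASP)",
     re.compile(r"^ASPSESSIONID[A-Z]{8}=[A-Z]{24}$")),
    ("Microsoft ASP.NET",
     re.compile(r"^ASP\.NET_SessionId=[a-z0-9]+$")),
    ("IBM Tivoli Policy Director WebSEAL",
     re.compile(r"^PD-S-SESSION-ID=2_[A-Za-z0-9+\-]+$")),
    ("IBM Tivoli Policy Director WebSEAL (stateful)",
     re.compile(r"^PD_STATEFUL_[0-9A-Za-z]{8}(?:-[0-9A-Za-z]{4}){3}-[0-9A-Za-z]{12}=")),
    ("IBM WebSphere Application Server",
     re.compile(r"^sesessionid=", re.IGNORECASE)),
    ("WebTrends", re.compile(r"^WEBTRENDS_ID=")),
    ("BlueCoat proxy", re.compile(r"^BCSI-CS[0-9A-Za-z]+=")),
    ("ColdFusion", re.compile(r"^(?:CFID|CFTOKEN|CFGLOBALS)=")),
    ("Urchin tracking module", re.compile(r"^__utm[a-z]=")),
]

# Constructed response head: the cookie values are the samples quoted in the
# thread, plus one unrelated cookie ("visited") that no signature should match.
SAMPLE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: ASPSESSIONIDGQQGQYDC=KDGFBFGBLPNCMIIELPAINNJH; path=/\r\n"
    "Set-Cookie: ASP.NET_SessionId=0hqed4qelkxvjj153tplacm0; path=/\r\n"
    "Set-Cookie: PD-S-SESSION-ID=2_L7kl8vzZ9b8LMEwpm0PgqqQRIh2ZZakRamBlgvMXqIIAABDZ; Path=/; Secure\r\n"
    "Set-Cookie: BCSI-CSC2B35314=1; Path=/\r\n"
    "Set-Cookie: __utma=1.2.3.4; Path=/\r\n"
    "Set-Cookie: visited=1; Path=/\r\n"
    "Content-Type: text/html\r\n"
)


def parse_set_cookie(raw_head: str) -> List[Tuple[str, List[str]]]:
    """Return (name=value, [attributes]) for every Set-Cookie header in a raw head."""
    cookies = []
    for line in raw_head.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookies.append((parts[0], [p for p in parts[1:] if p]))
    return cookies


def fingerprint(raw_head: str) -> Dict[str, List[str]]:
    """Map each product whose signature matched to the cookie names that matched it."""
    hits: Dict[str, List[str]] = {}
    for pair, _attrs in parse_set_cookie(raw_head):
        for product, pattern in COOKIE_SIGNATURES:
            if pattern.match(pair):
                hits.setdefault(product, []).append(pair.split("=", 1)[0])
    return hits


def cookies_without_secure(raw_head: str) -> List[str]:
    """Names of fingerprinted cookies that were set without the Secure attribute."""
    missing = []
    for pair, attrs in parse_set_cookie(raw_head):
        if not any(p.match(pair) for _, p in COOKIE_SIGNATURES):
            continue
        if not any(a.lower() == "secure" for a in attrs):
            missing.append(pair.split("=", 1)[0])
    return missing


if __name__ == "__main__":
    for product, names in fingerprint(SAMPLE_HEAD).items():
        print(f"{product}: {', '.join(names)}")
    print("no Secure flag:", ", ".join(cookies_without_secure(SAMPLE_HEAD)))
```

A cookie name is only a hint about the stack in front of you (a reverse proxy or an application may rename it), so treat a hit as a lead to confirm against other headers and behaviour rather than as proof.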