Results 1 to 6 of 6

Thread: Session Cookies

  1. #1
    Junior Member
    Join Date
    Aug 2004

    Session Cookies

    I was wondering about modifying a session cookie. Now, since the cookie isn't stored on disk, opening it through temp. internet storage or even a standard editing program is out of the question. The only thing I heard would be useful is HTTP Header Editing, yet I am clueless on how to do this. Firefox used to have an extension called Live HTTP Header, but sadly it no longer exists. Any suggestions on how to modify the cookie?

  2. #2
    T̙͓̞̣̯ͦͭͅͅȂͧͭͧ̏̈͏̖̖Z̿ ͆̎̄
    Join Date
    Dec 2004
    Hi Neverness ,

    Do these help? ...

    4GuysFromRolla.com - The Lowdown on Cookies

    Web Application Articles

  3. #3
    Junior Member
    Join Date
    Aug 2004
    The links were informative, however I still don't understand how to edit during the session. My objective is to obtain a session cookie (done), and then modify the content from guest to admin (the encryption scheme has already been figured out), and then reload the page which in turn will trick the server and allow admin access. I think a side note is in order at the point. This is strictly legit, it is part of the ngsec quiz, and I really want to learn how to do this. Thank you for the help w/ the links, however I am just not understanding how exactly to assess the cookie since it is not stored in the temp folder on disk.


  4. #4
    Ninja Code Monkey
    Join Date
    Nov 2001
    Washington State
    You could build or get a simple proxy that captures the headers and allows editing before being fully received by the browser or sent to the server. It is fairly trivial to do an application such as this with visual basic. You might try google...I'm sure others have built apps like this.
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  5. #5
    Senior Member
    Join Date
    Jan 2003
    Hey Hey,

    A piece of software you might want to look for that is along the lines of what Juridian said is Achilles Proxy.

    The homepage for it seems to no longer be available, however you can find it on packetstorm still http://www2.packetstormsecurity.org/...Bsearch%5D.y=0

    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  6. #6
    Junior Member
    Join Date
    Aug 2004
    Thank you for all the help you guys provided. I was able to complete this section, and more importantly learned exactly what I need to do in the future. I really appreciate the help.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts