April 8th, 2005, 01:46 AM
I was wondering about modifying a session cookie. Now, since the cookie isn't stored on disk, opening it through temp. internet storage or even a standard editing program is out of the question. The only thing I heard would be useful is HTTP Header Editing, yet I am clueless on how to do this. Firefox used to have an extension called Live HTTP Header, but sadly it no longer exists. Any suggestions on how to modify the cookie?
April 8th, 2005, 01:57 AM
April 8th, 2005, 02:21 AM
The links were informative, however I still don't understand how to edit during the session. My objective is to obtain a session cookie (done), and then modify the content from guest to admin (the encryption scheme has already been figured out), and then reload the page which in turn will trick the server and allow admin access. I think a side note is in order at this point. This is strictly legit, it is part of the ngsec quiz, and I really want to learn how to do this. Thank you for the help w/ the links, however I am just not understanding how exactly to access the cookie since it is not stored in the temp folder on disk.
April 8th, 2005, 02:27 AM
You could build or get a simple proxy that captures the headers and allows editing before being fully received by the browser or sent to the server. It is fairly trivial to do an application such as this with Visual Basic. You might try Google... I'm sure others have built apps like this.
April 8th, 2005, 02:47 AM
A piece of software you might want to look for that is along the lines of what Juridian said is Achilles Proxy.
The homepage for it seems to no longer be available; however, you can still find it on packetstorm: http://www2.packetstormsecurity.org/...Bsearch%5D.y=0
April 8th, 2005, 04:17 AM
Thank you for all the help you guys provided. I was able to complete this section, and more importantly learned exactly what I need to do in the future. I really appreciate the help.
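
The server-side counterpart to this thread, as an added example that is not part of the original posts: a session cookie carrying an HMAC-SHA256 tag, so a role changed in transit from guest to admin fails verification even when the cookie's encoding is fully understood. The key, field names and cookie layout are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key (assumption); a real deployment loads a random
# secret from server-side configuration and never sends it to the client.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def issue_cookie(session: dict, key: bytes = SERVER_KEY) -> str:
    """Serialize the session and append an HMAC-SHA256 tag over the payload."""
    payload = json.dumps(session, sort_keys=True).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the session dict if the tag matches, otherwise None."""
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:
        return None  # malformed cookie: wrong shape or invalid base64
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None  # payload changed after the server issued it
    return json.loads(payload)


def tampered_copy(cookie: str) -> str:
    """Simulate the edit discussed in the thread: new role, old tag."""
    payload_b64, tag_b64 = cookie.split(".")
    session = json.loads(base64.urlsafe_b64decode(payload_b64))
    session["role"] = "admin"
    payload = json.dumps(session, sort_keys=True).encode("utf-8")
    return _b64(payload) + "." + tag_b64


if __name__ == "__main__":
    original = issue_cookie({"user": "visitor", "role": "guest"})  # constructed sample
    print(verify_cookie(original))
    print(verify_cookie(tampered_copy(original)))
```

Keeping the role in a server-side session store keyed by a random session ID removes the client-held role value altogether; the tag only guarantees that what comes back is what the server sent.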