-
Cookie Stealing
I’m testing out how cookie stealing works by copying my own cookies from IE (I use Mozilla, but IE is easy to test this with). Specifically, I’m taking the cookie that phpBB uses to store my password in, copying it to another machine, renaming it to match the Windows account I’m logged in under and seeing if it lets me authenticate to my own site. So far it does not, and I guess that’s a good thing, but my question is why does the above method not work?
-
You need to export and import the cookies. Then it *should* work.
-
Oops, I think I made another mistake. I chose the wrong cookie; the one I have may not have the login information in it. Thanks for the pointer, Phish.
-
Dag Nab It.....think you're stealing a chocolate chip and get an oatmeal cookie instead.
(sorry, just couldn't resist that......heh heh heh)
-
Who took the cookies from the cookie jar?
Moxnix took the cookies from the cookie jar.
Moxnix: Who me?
AO: Yes you.
Moxnix: Couldn't be.
AO: Then who?
.......................
Uh... time for bed. My brain is officially fried...
12hrs in a classroom will do it.
8hrs in an "upgrading admin skills from 2k server to 2k3 server" workshop and then another 4hrs doing boolean algebra. ouch...
-
If you two keep up the bad jokes I think I’m going to be sick and lose my cookies. :)
-
Hey now! Watch where you're tossing those cookies...
-
Back to the subject: I did some playing around. What if all you have is a cookie file and can not get to the computer to do the export (as an attacker may not be able to do)? Is there a way if all they have is the cookie file?
-
I'm not all that good with web security yet. (I'm still learning)
I believe that there are a couple of vulnerabilities in different web browsers that allowed an attacker to steal cookies. Google has come up with a couple of them.
Or, I know that an attacker can sniff your cookies and then play them back to the server.
Sorry, that's out of my scope. I've got a lot to learn about web security. I don't run webservers... so it's always been a low priority for me. :(
-
That's XSS (cross site scripting) bro! Go check it out...
AO was vulnerable to that a month or 3 ago... Like every CMS and forum software has been vulnerable to it at least once.
-
Soda_Popinsky - That was probably the 3rd issue of that nature I've run into on AO, and I'm quite happy to say I haven't run into any more since then ;)
Anyways, Irongeek, the goal of stealing the cookie is to get the unique session id. With someone's session id, you essentially are them. A quick look into web authentication in its simpler form reveals:
- User types in username/password into a form -> submits
- Website returns SessionID so the password isn't exchanged more than it needs to be
- SessionID is used to authenticate user since HTTP is session-less
Thus, once you have the SessionID (which is usually a random string of some sort stored in the cookie) you should be able to pose as someone. But, when the user logs out of the messageboard, the messageboard no longer associates that sessionid with that user. When you say you are getting the cookie that stores the Username/Password, that is just the "remember this user" cookie thing. It has little to do with sessionIDs.
For your experiment to work, you need to log in, and then "steal" your sessionID. Get the other computer to use that sessionID, and it *should* work as you intended.
So, for those wanting to protect yourselves against getting your sessionID stolen, remember to log out. There are a few websites out there that use static session IDs that are the same, so that you don't actually have to wait until someone logs in to hijack it, but as far as I've seen most major webmail and messageboards use dynamic sessionIDs that expire and change after a certain amount of time.
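The session lifecycle described in the post above, as an added example that is not part of the original thread or phpBB's own code: a minimal server-side session table showing why a copied session ID authenticates only until logout or expiry. The class, the timeout value and the sample user are assumptions made for illustration.

```python
import secrets
import time

SESSION_TTL = 900  # seconds; assumed timeout for this sketch, not a phpBB value

class SessionStore:
    """Toy server-side session table (hypothetical names, constructed data)."""

    def __init__(self, users, now=time.time):
        self._users = users      # username -> password
        self._sessions = {}      # session ID -> (username, expiry time)
        self._now = now          # injectable clock so expiry can be exercised

    def login(self, username, password):
        # The password is checked once; afterwards only the session ID travels.
        expected = self._users.get(username)
        if expected is None or not secrets.compare_digest(
                expected.encode(), password.encode()):
            return None
        sid = secrets.token_urlsafe(32)  # unpredictable and new on every login
        self._sessions[sid] = (username, self._now() + SESSION_TTL)
        return sid

    def whoami(self, sid):
        # The server cannot tell which machine sent the cookie: any holder
        # of a live session ID is treated as that user.
        username, expires = self._sessions.get(sid, (None, 0))
        if username is None or self._now() >= expires:
            self._sessions.pop(sid, None)  # unknown or expired: reject
            return None
        return username

    def logout(self, sid):
        # Drops the server-side association, so a copy of the cookie held
        # on another machine stops authenticating.
        self._sessions.pop(sid, None)

def demo():
    clock = [1000.0]
    store = SessionStore({"alice": "s3cret"}, now=lambda: clock[0])
    sid = store.login("alice", "s3cret")
    before = store.whoami(sid)        # same ID presented from a second machine
    store.logout(sid)
    after_logout = store.whoami(sid)  # the copied ID is now worthless
    sid2 = store.login("alice", "s3cret")
    clock[0] += SESSION_TTL + 1       # let the new session time out
    after_expiry = store.whoami(sid2)
    return before, after_logout, sid != sid2, after_expiry
```

Calling `demo()` returns the identity seen before logout, after logout, whether the second login got a fresh ID, and the identity seen after the timeout.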