Cookie injection
Cookie injection
ghost | 8079 Reads | note:there are few pictures, see them to better understanding.
Intro:
Most of us thinks, that the HTTPS protocol is secure, its not true, when target server is using cookies to authentication. Io\n whole implementations in browsers, and in programming languages (PHP) can be found principle flaws, what can lead to informations disclosure.
Theory:We have client station, accesiong web or LAN through proxy or site segment, what are we pwning. Client station will connect to "our" server via SSL and then receives the unique session ID, server will then binds with the ID credentials of the user (usr name and passwd), and then authorizes the user. Until here, u dont see any flaws. The only little problem can be found, when server is not using cookies with flag "secure", and u dont logout and browse to another page in same domen. In this case, attacker can catch the cookies and hijack the connection.
Now we understood, that way to cookies can lead throught unsecured connection. But what to do, if admin is defending cookies with flag "secure"? ie. that means, that cookies are not accessible on unsecured connection. Nothing is lost here. Most of programming languages and frameworks is not guarding distribution of cookies, ie.dont binds cookie to specified user or IP. In this caee, we can hijack session with a little trick:
First, we connect to secured server and let him receive the generated session ID cookie
http://img431.imageshack.us/img431/1444/14la.gif
a.:randomly generated cookie with session ID
now the client must count with that client is accessiong LAN/web through our segment or proxy. We give the client our previously generated cookie, if he login to unsecured part of web, or we will give him it like picture inserted into another page, in extreme case we can random client request forward to unsecured part of web,. To this purpose we can use filtering proxy servers, like Privoxy.
http://img436.imageshack.us/img436/1167/28fq.gif
b.:Session Id what we know.
Now, the client stored cookie with session ID generated by us. Because most of the scripts controls, if u have ANY session, if not, it will generate, so web server will accept it. Server will not know, that somebody else is connecting with same session ID, it will just bind to the cookie new credentials (we cant get it, because its stored in server, and its binded to only session Id) and marks your session as ACCEPTED. In this case, u succesfully logged in to server via secured connection, and attacker know zour session ID, whit what he can do operations under his name. Now the attacker needs to jsut open browser and go to the page, he will be logged in. If hes transmitting both communication streams through proxy, it will look that user with same IP and session Id logged in.
http://img436.imageshack.us/img436/2556/33uk.gif
SID:session ID
Practical attack realization: 1.Get filtering proxy server privoxy [linux] proxomitron [win32] 2.generate SID 3.In proxy server we insert our SID to headers in unsecured connection 4.Forward victim to unsecured connection: 301 redirect, hidden picture etc. 5.If we see activity on SSL port 443 , we only go to page and well be automatically logged in by system. 6.Enjoy :)
This tutorial is kinda hard to understand, and requires knowledge of basics of internet, cookies and proxys, plus packets.
All rights reserved (c) Nostur
