
Stealing and using my own cookie on HBH


ghost

After I logged in to HBH, I got my cookies from javascript:alert(document.cookie)

I deleted all my cookies using FireCookie, and refreshed the page. As expected, I was logged out.

Then I typed javascript: void(document.cookie="info from step 1") and refreshed the page. Nothing happened. Why isn't it that simple?
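One detail the question doesn't account for: `alert(document.cookie)` returns every cookie joined with "; ", but a single `document.cookie = "..."` assignment stores only one cookie; everything after the first ";" is parsed as attributes (Path, Expires and so on), not as further cookies. The Python below is an added illustration, not code from this thread, modelling that setter behaviour with the cookie-string parsing rules of RFC 6265 section 5.2; the cookie names match the ones seen later in the thread, the values are constructed.

```python
"""Model of what one document.cookie assignment actually stores (added example)."""


def parse_set_cookie_string(cookie_string):
    """Split a cookie-setting string the way a browser's document.cookie setter does.

    Returns (name, value, attributes): the first name=value pair is the cookie,
    every later ';'-separated token is an attribute (lower-cased name).
    """
    parts = cookie_string.split(";")
    if "=" not in parts[0]:
        raise ValueError("cookie string must start with name=value")
    name, value = parts[0].split("=", 1)
    attributes = {}
    for attr in parts[1:]:
        attr = attr.strip()
        if not attr:
            continue
        if "=" in attr:
            key, val = attr.split("=", 1)
            attributes[key.strip().lower()] = val.strip()
        else:
            attributes[attr.lower()] = ""
    return name.strip(), value.strip(), attributes


def parse_cookie_header(header):
    """Parse a Cookie request header ("a=1; b=2") into a dict of all cookies."""
    jar = {}
    for pair in header.split(";"):
        pair = pair.strip()
        if "=" in pair:
            key, val = pair.split("=", 1)
            jar[key.strip()] = val.strip()
    return jar


def cookies_set_by_single_assignment(document_cookie_string):
    """Simulate one `document.cookie = "..."` write: exactly one cookie is stored."""
    name, value, _attributes = parse_set_cookie_string(document_cookie_string)
    return {name: value}


def restore_cookies_one_by_one(cookie_header):
    """The way that does work: one assignment per cookie from the captured string."""
    jar = {}
    for name, value in parse_cookie_header(cookie_header).items():
        jar.update(cookies_set_by_single_assignment(f"{name}={value}"))
    return jar


# Constructed sample with the same shape as the thread's cookies; values are made up.
CAPTURED_COOKIE_HEADER = (
    "PHPSESSID=constructedsessionid0001; fusion_user=42.constructedhash; "
    "fusion_lastvisit=1278146261; fusion_visited=TRUE"
)

if __name__ == "__main__":
    print("single assignment stores:", cookies_set_by_single_assignment(CAPTURED_COOKIE_HEADER))
    print("treated as attributes:", parse_set_cookie_string(CAPTURED_COOKIE_HEADER)[2])
    print("one assignment per cookie:", restore_cookies_one_by_one(CAPTURED_COOKIE_HEADER))
```

Pasting the whole alert string back stores PHPSESSID only, with fusion_user, fusion_lastvisit and fusion_visited silently consumed as attributes; a site that identifies the login from a second cookie would then see a session without a login cookie, which is consistent with the 'guest cookie' observations reported later in this thread.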


ghost

I'm not sure, but I guess you're missing a session. Just my 2 cents for what it's worth.


ghost

PHPSESSID is there in the cookie. I don't understand what's going on.


spyware (Banned)

Maybe you took too long and the session expired. Maybe HBH destroys sessions when IPs connect without (valid) cookies.


ghost

I did it immediately. Why don't you try it yourself? It just takes a minute.


spyware (Banned)

gregorian wrote: I did it immediately. Why don't you try it yourself? It just takes a minute.

Okay let me just!-

Oh wait, no.


ghost

Remember, I never clicked log out. I merely deleted the cookies and created them again.


ghost

HBH got hacked with some hashes put in cookies a fair few years ago. After that a post was made saying that extra protection was added. (This happened YEARS ago so details are sketchy!)

One extra layer is that if your IP changes you need to log back in. This obviously doesn't apply in your case but there are likely more. Perhaps your browser isn't using the cookie? Tried using something like wget and loading a cookie like that?

The timed challenges require you to use cookies so actually ignore what I said earlier no clue why it's not working for you.


ghost

wolfmankurd wrote: The timed challenges require you to use cookies so actually ignore what I said earlier no clue why it's not working for you.

Well, for the timed challenges, I would allow my program to log in and then receive the cookies, so that wouldn't be a problem. I was reading about stealing cookies using XSS, but if I can't use the cookie, what's the point?

I want to know if there is something wrong with what I did. No matter what the security measure, not being able to use my own cookie makes me feel like I can do nothing.


ghost

I remember doing exactly the same thing 1 or 2 years ago; it worked then. The "log in if IP changes" security was there at the time. LOL, I knew little about cookies then; I seem to have sent a bug report and a forum post about that :angry:.

ADDED: I think that HBH not merely checks the cookies but also the cookie attributes, like expiry time, path, domain etc. I don't think merely copying the cookie would allow these to be copied as well. That way, it can detect if the given cookie is set by the site or thrown together by the user.


ghost

I was also thinking the same thing. The IP thing is also not completely secure because XSS tunneling might take place.


ghost

Just used Tamper Data; saw the headers sent to HBH.

Aim: Find out why a simple cookie copy doesn't allow one to log back in.

Software: Tamper Data addon in Firefox, Paint (print screen). (I have really bad memory)

Observations:

1.) When I clear my cookies and refresh, I was not logged off (as could be seen in the online users data in HBH). This means that upon sending a header from an IP without having the necessary cookie, I am not automatically logged out.

2.) As expected, upon deleting the cookies and refreshing, HBH asked for a password.

3.) The only element that changes when I delete all my cookies and refresh is, obviously, the "Cookie" element. (So I copied the cookie from the header.)

4.) Now I put on Start Tamper and refreshed, this time adding the cookie element. Wonder of wonders!! I was back in.

5.) Next, I deleted the cookies again, refreshed, and put on Tamper.

6.) I noticed 5 things:

a.) The first time, there is NO "Cookie" element.
b.) The second time, there IS a "Cookie" element, but with the data changed (my 'guest cookie').
c.) Now, I again saw that I had NOT been logged out, refreshed with Tamper on and changed the cookie data to the 'user cookie' value.
d.) YAY! I was back again, but on reloading without Tamper, I was again out.
e.) In both the cookies, the PHP session ID value is THE SAME.

Conclusion:

1.) When you delete your cookies and refresh, you are (somehow) detected by HBH as a guest and assigned a 'guest cookie'.
2.) When you copy back your cookie and refresh, due to some reason, HBH still detects you as a guest and you are, sadly, NOT BACK IN. Unless you manually modify the HTTP request (header).
3.) I am a total idiot and need to learn more about cookie systems, but maybe someone else may give an explanation.

Note: The cookie CHANGES.

My 'User Cookie':

My 'Guest Cookie': PHPSESSID=p7nkd5dpnaotllt5avnm7n52g5; __utma=240219034.1799399259.1278146261.1278146261.1278146261.1; __utmb=240219034.4.10.1278146261; __utmc=240219034; __utmz=240219034.1278146261.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fusion_visited=TRUE

As can be seen, the PHPSESSID remains the same, though most of the remaining part changes and fusion_user and fusion_lastvisit are deleted.

ADDED:

Sorry, I know that the format looks like a lame report and no actual reasons/conclusions have been offered. Can someone please contribute reasons/conclusions? :)
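The observations above (same PHPSESSID, fusion_user gone from the guest cookie, login restored only when the full Cookie header is replayed) fit a site that keeps a server-side session under PHPSESSID but decides "logged in or guest" from a separate login cookie it can verify, and that binds it to the client IP as suggested earlier in the thread. The Python below is an added model of such a design written for this thread; it is not HBH's code, nothing here is claimed to be how the real fusion_user cookie is built, and the secret, user, password and addresses are constructed. The site signs the login cookie with an HMAC over (user, IP), which is how a server can tell a cookie it issued from one "thrown together by the user".

```python
"""Hypothetical session model: server-side session plus a signed, IP-bound login cookie."""
import hashlib
import hmac
import secrets

SERVER_SECRET = b"constructed-demo-secret-not-a-real-key"  # constructed per-deployment secret
USERS = {"gregorian": "constructed-password"}  # constructed credential store


def sign_user_cookie(user_id, client_ip):
    """Issue a login cookie value: user id plus an HMAC over (user id, client IP)."""
    tag = hmac.new(SERVER_SECRET, f"{user_id}|{client_ip}".encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{tag}"


def verify_user_cookie(value, client_ip):
    """Return the user id if this server issued the cookie for this IP, else None.

    A hand-assembled cookie, or a genuine one replayed from another IP, fails the
    HMAC check although it is a perfectly well-formed cookie.
    """
    if not value or "." not in value:
        return None
    user_id, tag = value.rsplit(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{user_id}|{client_ip}".encode(), hashlib.sha256).hexdigest()
    return user_id if hmac.compare_digest(tag, expected) else None


class DemoSite:
    """Minimal site: every request answers (who you are, cookies to set)."""

    def __init__(self):
        self.sessions = {}  # PHPSESSID -> {"user": str or None}

    def _session(self, cookies):
        """Reuse the session named by PHPSESSID, or start a fresh guest session."""
        sid = cookies.get("PHPSESSID")
        if sid not in self.sessions:
            sid = secrets.token_hex(13)
            self.sessions[sid] = {"user": None}
        return sid

    def login(self, username, password, client_ip):
        """Return the cookies the browser must store; a wrong password returns {}."""
        if USERS.get(username) != password:
            return {}
        sid = self._session({})
        self.sessions[sid]["user"] = username
        return {"PHPSESSID": sid, "fusion_user": sign_user_cookie(username, client_ip)}

    def request(self, cookies, client_ip):
        sid = self._session(cookies)
        user = verify_user_cookie(cookies.get("fusion_user"), client_ip)
        if user is None:
            # No valid login cookie: the session survives (same PHPSESSID) but is
            # now a guest session, matching the 'guest cookie' observations.
            self.sessions[sid]["user"] = None
        else:
            self.sessions[sid]["user"] = user
        return ("guest" if user is None else user), {"PHPSESSID": sid}


def walkthrough():
    """Replay the thread's steps against the model; return the outcome of each."""
    site = DemoSite()
    ip = "198.51.100.7"  # constructed client address
    jar = site.login("gregorian", "constructed-password", ip)
    sid_only = {"PHPSESSID": jar["PHPSESSID"]}
    forged = {"PHPSESSID": jar["PHPSESSID"], "fusion_user": "gregorian.0000"}
    outcomes = {
        "full cookie, same ip": site.request(dict(jar), ip)[0],
        "only PHPSESSID (what one document.cookie write restores)": site.request(sid_only, ip)[0],
        "full cookie replayed afterwards": site.request(dict(jar), ip)[0],
        "full cookie, different ip": site.request(dict(jar), "203.0.113.9")[0],
        "hand-made fusion_user": site.request(forged, ip)[0],
        "distinct sessions seen by the server": len(site.sessions),
    }
    return outcomes


if __name__ == "__main__":
    for step, result in walkthrough().items():
        print(f"{step}: {result}")
```

In this model only the complete, unmodified cookie set from the same IP logs you back in, which is exactly the behaviour the Tamper Data experiment shows; copying a subset of the cookies, copying them to another machine, or editing the login cookie all land you in the guest state while the PHPSESSID stays the same.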


ghost

Given the guest cookie, that makes sense if you assume that HBH allows you access if your cookie and IP match the cookie and IP on the server. Every time we access HBH with a different cookie from the same IP, it updates the server cookie.


ghost

@gregorian: Well, if we assume that the online users script is correct, that would mean that HBH allows multiple cookies from the same IP. Hey, maybe if someone can automate this and set it up across many computers, one can use a DDOS attack. Worth thinking about. We can no longer hide behind the assumption that since a cookie is so small, it would take too many cookies to crash the server; remember, computers are getting faster every day.

Note: just checked to see if any SCRIPT modifies the copied cookie. Used NoScript and turned off JavaScript in options; the cookie is still getting modified.

ADDED: We still don't know how our copied cookie is getting modified.


ghost

Regarding multiple cookies from the same IP, instead of doing all this, to verify it, I used a simpler strategy. Login from IE and FF. One of them will get signed out. That shows you can't have multiple sessions from the same IP. Simple, isn't it?


ghost

Actually, I never said log in. You can only log in once to your account, even if you change the IP. What I meant was, since each guest is assigned a different cookie (as is evident from the no. of guests script), why not make LOADS of guest cookies? Though I am sure HBH has a way of countering this, it might be a vulnerability in some other sites.


spyware (Banned)

onejerlo wrote: Actually, I never said log in. You can only log in once to your account.

Really? Back in the day I exploited the user account system to complete challenges (and score points) twice.


ghost

That's interesting spyware. How did you do it? If I log into IE, I'm signed out of FF. I suppose you took advantage of a flaw back then. But even if that's the case, I don't understand how you did it.

I visualised the completion of a challenge as a switch that can be turned on once. Using race conditions is impractical. Could you elaborate?


clone4 (Perl-6 Wisdom Seeker)

gregorian wrote: That's interesting spyware. How did you do it? If I log into IE, I'm signed out of FF. I suppose you took advantage of a flaw back then. But even if that's the case, I don't understand how you did it.

I visualised the completion of a challenge as a switch that can be turned on once. Using race conditions is impractical. Could you elaborate?

Well no, you shouldn't be logged out, I can login from IE, chrome and FF simultaneously. And the exploit was to submit the right answer twice, each from different session, at the same time, if I remember correctly.

and onejerlo: I didn't read the whole of the 'analysis' post, but the main problem with the assumptions you make is that, when you appear in members online, you are logged in. This area is updated only every so often, like a cron job, so you may be listed there although you've already logged out.

just my 2 cents


spyware (Banned)

clone4 wrote: And the exploit was to submit the right answer twice, each from different session, at the same time

Right on the ball.
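The double-scoring exploit confirmed above is a plain check-then-act race: two sessions each read "not yet solved", and both then record the solve and award points. The Python below is an added example written for this thread, not HBH's code; it models challenge completion as an in-memory record keyed by (user, challenge), uses a thread per "session" and a Barrier to force the two submissions to collide deterministically, and shows the check-and-award serialized under a lock so the second submission always sees the first. The challenge id, answer and point value are constructed.

```python
"""Double award through two simultaneous submissions, and the atomic check-and-award that prevents it."""
import threading

POINTS = 10
ANSWERS = {"challenge-1": "constructed-correct-answer"}  # constructed answer key


class NaiveScoreboard:
    """Checks 'already solved?' and then awards, as two separate steps."""

    def __init__(self):
        self.points = {}
        self.solved = set()

    def submit(self, user, challenge, answer, pause=lambda: None):
        if ANSWERS.get(challenge) != answer:
            return False
        if (user, challenge) in self.solved:  # check ...
            return False
        pause()  # ... window in which a second session passes the same check ...
        self.solved.add((user, challenge))  # ... act
        self.points[user] = self.points.get(user, 0) + POINTS
        return True


class AtomicScoreboard(NaiveScoreboard):
    """Serializes check-and-award, so only one of two colliding submissions scores."""

    def __init__(self):
        super().__init__()
        self._lock = threading.Lock()

    def submit(self, user, challenge, answer, pause=lambda: None):
        pause()  # both requests may arrive at the same instant ...
        with self._lock:  # ... but check and award run as one indivisible step
            return super().submit(user, challenge, answer)


def run_two_sessions(board, user="gregorian", challenge="challenge-1"):
    """Submit the right answer from two sessions at once.

    Returns (points the user ended up with, number of submissions accepted).
    The Barrier releases both threads together, standing in for two requests
    from different sessions hitting the server simultaneously.
    """
    arrive_together = threading.Barrier(2)
    accepted = []

    def session():
        accepted.append(board.submit(user, challenge, ANSWERS[challenge], pause=arrive_together.wait))

    threads = [threading.Thread(target=session) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return board.points.get(user, 0), sum(accepted)


if __name__ == "__main__":
    print("naive  :", run_two_sessions(NaiveScoreboard()))   # points awarded twice
    print("atomic :", run_two_sessions(AtomicScoreboard()))  # points awarded once
```

In a database-backed site the same guarantee comes from a unique key on (user_id, challenge_id) with the points update in the same transaction as the insert of the solve record, so the second colliding insert fails instead of being awarded.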


ghost

Why are you able to log in from multiple browsers, while I can't?


goluhaque (Member)

That Chrome, FF thing still works. You can still log in from different browsers without being logged out.


ghost

Works for me too, Opera-Firefox.