views:

267

answers:

4

I have been reading up on session fixation/hijacking recently, and understand the theory.

What I don't understand is how this would be exploited in practice. Would you have to tamper with your browser to make use of the stolen cookies? Append it to the URL and pass it to the web application?

Or would you write some sort of custom script to make use of this, and if so what would it do?

I'm not trying to ask for help with this or examples, but I am trying to learn more and understand. Any help is appreciated.

+3  A: 

If you use Firefox there is a plugin called TamperData that lets you change the values of everything that is sent to a server. So if I could read your session cookie, I could basically just go to that site with my Firefox and use TamperData to send it your session cookie value instead of my own, thus hijacking your session.

/Klaus

klausbyskov
Hi Klaus, I have used TD before, and noticed you had to alter every single request. Acting that slowly seems like it could cause problems, which is why I wondered if there were a more automated way to do so.
Joshxtothe4
The "automated" way would be to edit whatever session cookies there are, and if the page uses GET or POST session information, just substitute that once, and the entire session will be the hijacked one from then on. Just a heads up, every plugin I've ever used for this sort of thing (Tamperdata, LiveHTTPHeaders, various cookie editors) reeks of bugs and annoyances.
Longpoke
+6  A: 

Forging a cookie is trivial. As mentioned by Klaus, you can do it right out of your browser.

Here's a practical example of how this could be exploited:

  • You login to your banking site
  • Banking site puts a session ID into a cookie, say 123456
  • Your browser sends the session ID to the server on every request. The server looks at its session store and recognizes you as the user who logged in a little while ago
  • I somehow gain access to your cookies, or I sniff one of your HTTP requests (impossible with SSL), and find out your session id: 123456
  • I forge a cookie for your banking site, containing the session ID
  • Banking site recognizes ME as you, still logged in
  • I transfer all your funds to my secret account in Switzerland and buy a ridiculously large boat

Of course, in practice there will be more security on high profile sites (for instance, one could check that a session ID never transfers to another client IP address), but this is the gist of how session hijacking works.

Alexander Malfait
"Impossible with SSL" with a sufficiently long (actually secret) key. You could also probably do something with the plain-text-injection-during-renegotiation flaw.
Tom Hawtin - tackline
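The answer above ends with the server-side countermeasures that stop the walk-through from working: rotating the session ID at login (so a planted ID from the "fixation" case dies), refusing an ID that shows up from a different client than the one it was issued to, and marking the cookie so it cannot be read by page script or sent over plain HTTP. The following is an added example written for this thread, not code posted by any of the answerers. It assumes a generic web application; `Request`, the fingerprint fields and the IP addresses and user agents in `demo()` are constructed stand-ins for whatever your framework supplies.

```python
"""Server-side session store that resists fixation and cookie replay.

Added example, not from the original thread. Request is a simplified
stand-in for a framework request object (assumption).
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

SESSION_COOKIE = "sid"
IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before the ID is dropped


@dataclass
class Session:
    user: Optional[str]   # None until the client has authenticated
    client_fp: str        # fingerprint of the client the ID was issued to
    last_seen: float


@dataclass
class Request:
    cookies: Dict[str, str]
    remote_addr: str
    user_agent: str


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, Session] = {}
        self._clock = clock

    @staticmethod
    def fingerprint(req: Request) -> str:
        # The "never transfers to another client IP" check from the answer,
        # tightened with the User-Agent string.
        return f"{req.remote_addr}|{req.user_agent}"

    @staticmethod
    def _new_id() -> str:
        return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG

    def start(self, req: Request) -> str:
        """Anonymous (pre-login) session."""
        sid = self._new_id()
        self._sessions[sid] = Session(None, self.fingerprint(req), self._clock())
        return sid

    def login(self, req: Request, user: str) -> str:
        """Authenticate and ROTATE the ID: whatever ID the client presented
        before login (possibly planted by someone else) is destroyed."""
        old = req.cookies.get(SESSION_COOKIE)
        if old is not None:
            self._sessions.pop(old, None)
        sid = self._new_id()
        self._sessions[sid] = Session(user, self.fingerprint(req), self._clock())
        return sid

    def resolve(self, req: Request) -> Optional[str]:
        """User for this request, or None. A valid ID arriving from a different
        client is treated as replayed: the session is destroyed outright, so the
        legitimate user is logged out too rather than sharing the session."""
        sid = req.cookies.get(SESSION_COOKIE)
        sess = self._sessions.get(sid) if sid else None
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        presented = self.fingerprint(req).encode()
        if not hmac.compare_digest(sess.client_fp.encode(), presented):
            del self._sessions[sid]
            return None
        sess.last_seen = now
        return sess.user

    def active(self, sid: str) -> bool:
        return sid in self._sessions


def set_cookie_header(sid: str) -> str:
    """HttpOnly keeps page script away from the value, Secure keeps it off
    plain HTTP where it could be sniffed."""
    return f"{SESSION_COOKIE}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def demo() -> dict:
    """Runs the thread's scenario against the store (constructed values)."""
    store = SessionStore()
    victim = Request({}, "203.0.113.10", "Mozilla/5.0 (victim)")
    other = Request({}, "198.51.100.7", "curl/8.0")
    # 1. An ID issued to another client ends up in the victim's cookie jar.
    planted = store.start(other)
    victim.cookies[SESSION_COOKIE] = planted
    # 2. Victim logs in; the ID is rotated and the planted one is gone.
    sid = store.login(victim, "alice")
    victim.cookies[SESSION_COOKIE] = sid
    # 3. The post-login cookie value is replayed from the other client.
    replay = Request({SESSION_COOKIE: sid}, other.remote_addr, other.user_agent)
    return {
        "planted_still_valid": store.active(planted),
        "rotated": sid != planted,
        "victim_user": store.resolve(victim),
        "replay_user": store.resolve(replay),
        "victim_after_replay": store.resolve(victim),
        "cookie": set_cookie_header(sid),
    }
```

Binding to the client IP is the check the answer mentions, and it does make a copied cookie useless from elsewhere, but it also logs out users whose address changes mid-session (mobile networks, corporate proxies), which is why many sites settle for ID rotation, short idle timeouts and the cookie flags alone.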
+1  A: 

The internet isn't a magical black box that can only be utilized by browsers in the way the site wants you to.

You can edit your cookies or POST data or GET session variables, or write a simple script to do it. In the end all you're doing is sending HTTP requests and substituting your session data with whatever you want.

Longpoke
+1  A: 

Would you have to tamper with your browser to make use of the stolen cookies?

You could, but it would probably be easier just to type javascript:document.cookie='stolencookie=somevalue' in the address bar whilst viewing a page from the target site.

bobince