I'm attempting to do some soon-to-be-routine testing for cookie value injection for some of my web apps (ASP.NET, if that ends up mattering). I'm trying to insert some JavaScript and SQL-specific code for this, but I'm having some problems.

I have Firefox, IE 7 and 8, and Chrome. Firefox's Add N Edit Cookies extension won't allow me to change the value to anything with a semicolon in it. Nirsoft's IECookiesView won't show the specific cookie I'm after at all (ASP.NET's session ID cookie).

Are there any other utilities for editing cookies so that I can test this out? My Google-fu seems to be failing me with this one.

+1  A: 

Type this into your address bar on the website of the cookie you want to edit. Keep in mind document.cookie is different depending on the domain you are currently viewing. UNION ALL SELECT lname FROM Employee ORDER BY au_lname

Edit: Bobince is right about the semicolon, so here is SQL injection without a semicolon.

javascript:document.cookie="SESSID=' union select password from users where id=1 -- ";

Tamperdata, an add-on for Firefox, has pre-built SQL injection and XSS strings that you can use for testing outgoing requests. Another option is Acunetix, which can test HTTP server variables as well as cookie parameters for XSS/SQL injection and many more vulnerabilities. The Acunetix XSS tester is free. w3af and wapiti are free and open source, but they do not test cookie variables.

Rook
+1  A: 

Perhaps you can try modifying the outgoing HTTP requests, like with the Modify Headers extension?

Also, you can look at the problem purely from an HTTP analysis point of view, and use some HTTP testing tools directly instead of using a browser. I am a Java developer, so JMeter and Solex come to mind.

I suspect that modifying cookies directly will be a problem, since the extensions tend to be HTTP compliant, like you found out with Add N Edit Cookies. You can try to modify the cookies file directly and hope that Firefox accepts it, but it sounds a bit flaky.

Yoni
+1  A: 

; can't exist in a cookie value. It's impossible to set it in a Set-Cookie header or document.cookie assignment as it would be a separator and there is no standard escaping scheme to put out-of-band characters into a cookie.

You'd need a custom client or add-on to send Cookie: request headers including semicolons; a standard browser wouldn't do it.

bobince
You are right sir, I have rewritten my injected query.
Rook
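
Added example, not part of any answer above: a sketch of how a server-side parser splits a Cookie request header, showing why a semicolon inside a value never arrives as part of that value. The function names and sample header strings are constructed for illustration; the character class follows the cookie-octet rule in RFC 6265.

```javascript
// Added example: how a Cookie request header is split on the receiving side.
// All header strings used with these functions are constructed samples.

// cookie-octet (RFC 6265 section 4.1.1): printable US-ASCII except
// whitespace, double quote, comma, semicolon and backslash.
const COOKIE_OCTETS = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;

function isValidCookieValue(value) {
  // A value may be wrapped in exactly one pair of double quotes.
  const inner = /^".*"$/.test(value) ? value.slice(1, -1) : value;
  return COOKIE_OCTETS.test(inner);
}

function parseCookieHeader(header) {
  const pairs = [];
  // ";" is the pair separator, so it can never be part of a value.
  for (const part of header.split(";")) {
    const trimmed = part.trim();
    if (trimmed === "") continue;
    const eq = trimmed.indexOf("=");
    // A segment with no "=" is reported with an empty name so the
    // caller can see the stray fragment instead of silently losing it.
    const name = eq === -1 ? "" : trimmed.slice(0, eq).trim();
    const value = eq === -1 ? trimmed : trimmed.slice(eq + 1).trim();
    pairs.push({ name, value, valid: isValidCookieValue(value) });
  }
  return pairs;
}

// What the application sees when a client sends a value containing ";":
// SESSID is cut at the semicolon and "def" becomes a separate fragment.
function demo() {
  return parseCookieHeader("SESSID=abc;def; theme=dark");
}

// Percent-encoding is an application convention, not part of the cookie
// format: the value survives transport only if the server decodes it.
function encodeForCookie(raw) {
  return encodeURIComponent(raw);
}
```

A server can use the same character check to reject a session cookie whose value falls outside the expected alphabet before it reaches any query or page output.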