re: C is for Cookie...

From: gman . (gman1120at_private)
Date: Tue Oct 02 2001 - 09:06:21 PDT


    Peter,
    
    Attached is a modification I made to Mozilla that allows you to edit cookies 
    that your browser picks up, including session cookies.  I have compiled and 
    tested this under Windows and Linux using the Mozilla 0.9.2 (it may work 
    with newer versions, but this is untested) source code tree.  It's a pain to 
    compile under Win32, so I suggest using it in Linux.  To use, just apply the 
    patch to the source code with:
    
    patch -p0 < (source to diff)/mozilla-cookie-edit.diff
    
    Use the following procedure to edit cookies:
    
    Click edit->preferences.  Open the privacy and security twistie, and click on 
    cookies.  Click view stored cookies to open the cookie manager.  From there, 
    you can view any cookie (as you could always), and change the value by 
    editing the value in the box and clicking "set cookie".
    
    I've used this in web application security assessments, and have successfully 
    hijacked other users' sessions this way.  Of course you have to guess the 
    session id (if that's all that's used), but considering the predictability of 
    the session IDs generated by an unpatched WebSphere application server, this 
    could drive a good point home.
    
    There is only one caveat: when you modify a cookie, the value is not stored in 
    the array used for the cookie manager (this is used for display only).  If 
    you click another cookie, then come back to the one you have edited, it 
    appears as though the change never occurred (even though the value of the 
    cookie in memory).  It will be modified if you close the cookie manager and 
    open it back up.  This was intentional, since I use this as a way to revert 
    the cookie to its original value, in case I click on the wrong one, or made 
    a mistake ;)
    
    Regards,
    
    Steve
    
    >Does anyone know of a piece of software that can be used for viewing and
    >manipulating the data inside of a cookie?
    
    >Peter Holland
    >Available Mortgage Funding
    >Dallas, Texas
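
Added example, not part of the original message or of the Mozilla patch: a server-side check that makes the kind of client-side cookie edit described above fail, by issuing session IDs from a CSPRNG and binding each one to an HMAC tag. All names (`SERVER_KEY`, `SESSIONS`, `issue_cookie`, `resolve_cookie`) are hypothetical, and the in-memory dict stands in for a real session store.

```python
import hashlib
import hmac
import secrets

# Constructed for this example: a key that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)
SESSIONS = {}  # session ID -> user name (stand-in for a real session store)


def _mac(session_id: str) -> str:
    """HMAC-SHA256 tag over the session ID, hex encoded."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user: str) -> str:
    """Create a session and return the cookie value sent to the browser."""
    # 256 bits from the OS CSPRNG, so a neighbouring ID cannot be guessed.
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = user
    return f"{session_id}.{_mac(session_id)}"


def resolve_cookie(cookie: str):
    """Return the user for a cookie, or None if it was edited or is unknown."""
    # token_urlsafe never emits ".", so the last "." separates ID and tag.
    session_id, sep, tag = cookie.rpartition(".")
    if not sep or not session_id:
        return None  # malformed: no tag present
    # Constant-time comparison; bytes on both sides so odd input cannot raise.
    if not hmac.compare_digest(tag.encode(), _mac(session_id).encode()):
        return None  # value was changed after the server issued it
    return SESSIONS.get(session_id)


if __name__ == "__main__":
    alice = issue_cookie("alice")
    bob = issue_cookie("bob")
    # Bob's browser swaps in Alice's session ID but can only reuse his own tag.
    forged = alice.rpartition(".")[0] + "." + bob.rpartition(".")[2]
    print(resolve_cookie(bob), resolve_cookie(forged))
```

The tag stops a client from substituting another session ID, but it does nothing against a cookie that is stolen whole, so transport security and session expiry still apply.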
    



    This archive was generated by hypermail 2b30 : Tue Oct 02 2001 - 09:17:23 PDT