There is actually a relatively simple way to figure out what exactly
is causing the session stealing to fail.
Get a local proxy, such as WebScarab.
(http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project) and
run it on the machine where the browsers are installed.
Configure _both_ broswers to use the local proxy. (127.0.0.1:8080 for
example) (http://dawes.za.net/rogan/webscarab/quickstart.php)
Use one browser to log in, and obvserve the first post-login request.
Use the second browser to try and put any differing values from the
first, into requests from the second. Viewing a diff of the two
requests will identify where the discrepancies are.
Hope this helps!
-Brad Causey
CISSP, MCSE, C|EH, CIFI, CGSP
http://www.owasp.org
--
Never underestimate the time, expense, and effort an opponent will
expend to break a code. (Robert Morris)
--
On Wed, Jul 1, 2009 at 9:00 AM, pUm <hijacka (at) googlemail (dot) com [email concealed]> wrote:
>
> just a gues,
> but try to fake the user agent. something in the http header must be
> part of the cookie auth. so try them all and then reduce. My guess is
> that it is the user-agent
>
> 2009/7/1 Juan Kinunt <kinunt (at) gmail (dot) com [email concealed]>:
> > Hi,
> >
> > I'm auditing a web application programmed in CakePHP and I'm having a problem.
> > I'm almost sure the authentication mechanism is carried by a cookie
> > but I'm unable to impersonate another user using its cookie.
> > The probe I do is opening two sessions with two different users (one
> > in internet explorer and one in firefox). Then I copy the cookie
> > belonging to one user and substitute it in a request done by the other
> > user (using WebScarab). The app throws and error and disconnects the
> > validated and legal user.
> > I think that some info is stored in server side about the client who
> > owns each cookie.
> >
> > Is this possible? Is it the normal operation in sessions in CakePHP?
> >
> > Any info or pointer would be very useful.
> >
> > Thanks.
> >
> >
> >
>
>
There is actually a relatively simple way to figure out what exactly
is causing the session stealing to fail.
Get a local proxy, such as WebScarab.
(http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project) and
run it on the machine where the browsers are installed.
Configure _both_ broswers to use the local proxy. (127.0.0.1:8080 for
example) (http://dawes.za.net/rogan/webscarab/quickstart.php)
Use one browser to log in, and obvserve the first post-login request.
Use the second browser to try and put any differing values from the
first, into requests from the second. Viewing a diff of the two
requests will identify where the discrepancies are.
Hope this helps!
-Brad Causey
CISSP, MCSE, C|EH, CIFI, CGSP
http://www.owasp.org
--
Never underestimate the time, expense, and effort an opponent will
expend to break a code. (Robert Morris)
--
On Wed, Jul 1, 2009 at 9:00 AM, pUm <hijacka (at) googlemail (dot) com [email concealed]> wrote:
>
> just a gues,
> but try to fake the user agent. something in the http header must be
> part of the cookie auth. so try them all and then reduce. My guess is
> that it is the user-agent
>
> 2009/7/1 Juan Kinunt <kinunt (at) gmail (dot) com [email concealed]>:
> > Hi,
> >
> > I'm auditing a web application programmed in CakePHP and I'm having a problem.
> > I'm almost sure the authentication mechanism is carried by a cookie
> > but I'm unable to impersonate another user using its cookie.
> > The probe I do is opening two sessions with two different users (one
> > in internet explorer and one in firefox). Then I copy the cookie
> > belonging to one user and substitute it in a request done by the other
> > user (using WebScarab). The app throws and error and disconnects the
> > validated and legal user.
> > I think that some info is stored in server side about the client who
> > owns each cookie.
> >
> > Is this possible? Is it the normal operation in sessions in CakePHP?
> >
> > Any info or pointer would be very useful.
> >
> > Thanks.
> >
> >
> >
>
>
[ reply ]