As pUm said:
My guess is that it is the user-agent
it may be the user agent. Instead of tryin g them all, I sugget you to
install the Firefox User-Agent Switcher addon
"https://addons.mozilla.org/en-US/firefox/addon/59
And select the IE one. Or simply change copy/paste the IE user agent
to your WebScarab intercepted request
emitted with Firefox (and vice-versa).
You may generalize this technique to a greater number of HTTP hea ders
in order to completely
masquerade the browser you are trying to impersonate.
cheers,
SI
On Wed, Jul 1, 2009 at 11:00 PM, pUm <hijacka (at) googlemail (dot) com [email concealed]> wrote:
>
> just a gues,
> but try to fake the user agent. something in the http header must be
> part of the cookie auth. so try them all and then reduce. My guess is
> that it is the user-agent
>
> 2009/7/1 Juan Kinunt <kinunt (at) gmail (dot) com [email concealed]>:
> > Hi,
> >
> > I'm auditing a web application programmed in CakePHP and I'm having a problem.
> > I'm almost sure the authentication mechanism is carried by a cookie
> > but I'm unable to impersonate another user using its cookie.
> > The probe I do is opening two sessions with two different users (one
> > in internet explorer and one in firefox). Then I copy the cookie
> > belonging to one user and substitute it in a request done by the other
> > user (using WebScarab). The app throws and error and disconnects the
> > validated and legal user.
> > I think that some info is stored in server side about the client who
> > owns each cookie.
> >
> > Is this possible? Is it the normal operation in sessions in CakePHP?
> >
> > Any info or pointer would be very useful.
> >
> > Thanks.
> >
> >
> >
>
>
My guess is that it is the user-agent
it may be the user agent. Instead of tryin g them all, I sugget you to
install the Firefox User-Agent Switcher addon
"https://addons.mozilla.org/en-US/firefox/addon/59
And select the IE one. Or simply change copy/paste the IE user agent
to your WebScarab intercepted request
emitted with Firefox (and vice-versa).
You may generalize this technique to a greater number of HTTP hea ders
in order to completely
masquerade the browser you are trying to impersonate.
cheers,
SI
On Wed, Jul 1, 2009 at 11:00 PM, pUm <hijacka (at) googlemail (dot) com [email concealed]> wrote:
>
> just a gues,
> but try to fake the user agent. something in the http header must be
> part of the cookie auth. so try them all and then reduce. My guess is
> that it is the user-agent
>
> 2009/7/1 Juan Kinunt <kinunt (at) gmail (dot) com [email concealed]>:
> > Hi,
> >
> > I'm auditing a web application programmed in CakePHP and I'm having a problem.
> > I'm almost sure the authentication mechanism is carried by a cookie
> > but I'm unable to impersonate another user using its cookie.
> > The probe I do is opening two sessions with two different users (one
> > in internet explorer and one in firefox). Then I copy the cookie
> > belonging to one user and substitute it in a request done by the other
> > user (using WebScarab). The app throws and error and disconnects the
> > validated and legal user.
> > I think that some info is stored in server side about the client who
> > owns each cookie.
> >
> > Is this possible? Is it the normal operation in sessions in CakePHP?
> >
> > Any info or pointer would be very useful.
> >
> > Thanks.
> >
> >
> >
>
>
[ reply ]