Web Application Security
Unable to impersonate another user although having its cookie Jul 01 2009 10:14AM
Juan Kinunt (kinunt gmail com) (4 replies)
Re: Unable to impersonate another user although having its cookie Jul 03 2009 08:47PM
Guillermo Caminer (flaco webappsec gmail com) (1 replies)
Re: Unable to impersonate another user although having its cookie Jul 06 2009 06:22PM
José Manuel Molina Pascual (raistlinmolina gmail com)
RE: Unable to impersonate another user although having its cookie Jul 01 2009 04:26PM
Hellman, Matthew (Hellman Matthew principal com) (1 replies)
Re: Unable to impersonate another user although having its cookie Jul 02 2009 02:11PM
Guillermo Caminer (flaco webappsec gmail com)
Re: Unable to impersonate another user although having its cookie Jul 01 2009 02:30PM
Irene Abezgauz (irene abezgauz gmail com) (1 replies)
Re: Unable to impersonate another user although having its cookie Jul 01 2009 02:42PM
Michael Yelland (myelland brotherhoodbank com)
Re: Unable to impersonate another user although having its cookie Jul 01 2009 02:00PM
pUm (hijacka googlemail com) (4 replies)
Re: Unable to impersonate another user although having its cookie Jul 01 2009 03:02PM
jay tomas infosecguru com (1 replies)
Re: Unable to impersonate another user although having its cookie Jul 01 2009 03:29PM
Christopher Firth (lists 100mb com au)
Jay,

From re-reading Juan's message, it sounds like he's actually logging
in to the application once in a browser and then making the request
that the first browser would normally do in the second browser, with
the cookie from the first browser. In -theory- this shouldn't lock out
that session, as there is only the one login (which doesn't actually
happen with this specific application due to the user agent).

Chris

On 01/07/2009, at 11:02 PM, jay.tomas (at) infosecguru (dot) com [email concealed] wrote:

> If I understand the issue correctly you login successfully and get a
> cookie. You then try and login a second time with another browser
> trying to impersonate the first authenticated user. However, the
> first session then gets logged out. To me this would be expected if
> the app is designed correctly. I would think you would only want 1
> valid login at a time, and if another one is used it would
> invalidate the other.
>
> -Jay
>
>
> Quoting pUm <hijacka (at) googlemail (dot) com [email concealed]>:
>
>> Just a guess,
>> but try to fake the user agent. Something in the HTTP header must be
>> part of the cookie auth, so try them all and then reduce. My guess is
>> that it is the User-Agent.
>>
>> 2009/7/1 Juan Kinunt <kinunt (at) gmail (dot) com [email concealed]>:
>>> Hi,
>>>
>>> I'm auditing a web application programmed in CakePHP and I'm
>>> having a problem.
>>> I'm almost sure the authentication mechanism is carried by a cookie
>>> but I'm unable to impersonate another user using its cookie.
>>> The test I do is opening two sessions with two different users (one
>>> in Internet Explorer and one in Firefox). Then I copy the cookie
>>> belonging to one user and substitute it in a request done by the
>>> other
>>> user (using WebScarab). The app throws an error and disconnects the
>>> validated and legal user.
>>> I think that some info is stored in server side about the client who
>>> owns each cookie.
>>>
>>> Is this possible? Is it the normal operation in sessions in CakePHP?
>>>
>>> Any info or pointer would be very useful.
>>>
>>> Thanks.
>>>
>>>
>>>

[ reply ]
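The thread's working hypothesis is that the server ties each session to something in the request headers, most likely the User-Agent, and tears the session down when a request arrives with the same cookie but a different value. The model below is an added example, not code from the original thread and not CakePHP's own session code; the store, the salt, the header sets and the user name "alice" are all constructed for illustration. It shows the three things a tester would want to confirm: the replay from the other browser fails and also disconnects the legitimate user (Juan's symptom), the same replay with the victim's headers copied over succeeds (pUm's guess), and the "try them all and then reduce" approach needs a fresh login per trial because every mismatch destroys the session.

```python
"""Model of a session store that binds a session to a hash of the client's
User-Agent, plus the replay and header-reduction tests discussed in the
thread. Constructed example; not CakePHP's implementation."""
import hashlib
import secrets

SALT = "constructed-server-salt"  # assumed per-install secret used to key the hash


class SessionStore:
    """In-memory session store. Each session records a keyed hash of the
    User-Agent seen at login. A later request with the same session id but a
    different User-Agent is treated as a different client: the session is
    destroyed, which the legitimate user experiences as being logged out."""

    def __init__(self):
        self._sessions = {}   # session id -> {"user": ..., "ua_hash": ...}
        self.destroyed = []   # audit trail of session ids torn down on mismatch

    @staticmethod
    def _ua_hash(headers):
        ua = headers.get("User-Agent", "")
        return hashlib.sha256((SALT + ua).encode()).hexdigest()

    def login(self, user, headers):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": user, "ua_hash": self._ua_hash(headers)}
        return sid

    def request(self, sid, headers):
        """Return the user bound to this request, or None if it is rejected."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if sess["ua_hash"] != self._ua_hash(headers):
            del self._sessions[sid]          # mismatch: kill the session
            self.destroyed.append(sid)
            return None
        return sess["user"]


# Constructed header sets standing in for the two browsers in the thread.
IE_HEADERS = {
    "User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)",
    "Accept-Language": "es-ES",
    "Accept": "text/html",
}
FF_HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9.0.11) Firefox/3.0.11",
    "Accept-Language": "en-US",
    "Accept": "text/html",
}


def replay_from_other_browser():
    """Juan's test: log in from IE, then send the same cookie from Firefox.
    Returns (who the hijacker was served as, whether the victim is still
    logged in afterwards, whether the session was destroyed)."""
    store = SessionStore()
    sid = store.login("alice", IE_HEADERS)
    hijacked_as = store.request(sid, FF_HEADERS)
    victim_still_logged_in = store.request(sid, IE_HEADERS) is not None
    return hijacked_as, victim_still_logged_in, sid in store.destroyed


def replay_with_copied_headers():
    """Same replay, but with the victim's headers copied along with the
    cookie: the binding is satisfied and the hijack goes through."""
    store = SessionStore()
    sid = store.login("alice", IE_HEADERS)
    return store.request(sid, dict(IE_HEADERS))


def find_bound_headers(store, user, headers):
    """pUm's 'try them all and then reduce': alter one header at a time and
    record which alterations the server rejects. Each trial logs in afresh,
    because a rejected trial destroys the session it was testing."""
    bound = []
    for name in headers:
        sid = store.login(user, headers)
        altered = dict(headers)
        altered[name] = headers[name] + "-changed"
        if store.request(sid, altered) is None:
            bound.append(name)
    return bound


if __name__ == "__main__":
    print(replay_from_other_browser())   # hijack fails and victim is disconnected
    print(replay_with_copied_headers())  # hijack succeeds once the UA matches
    print(find_bound_headers(SessionStore(), "alice", IE_HEADERS))
```

Two caveats follow from the model. First, the check only costs an attacker one extra header: whoever can read the victim's cookie (sniffing, XSS, a shared proxy) can normally read the User-Agent from the same request, so this binding is a speed bump rather than a control. Second, when auditing, do the reduction step with a separate throwaway account, since every failed trial logs the account out and a real user's session would suffer the same fate.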
Re: Unable to impersonate another user although having its cookie Jul 01 2009 02:50PM
Marc Ouwerkerk (olderchurch gmail com)
Re: Unable to impersonate another user although having its cookie Jul 01 2009 02:39PM
S I (skander iversen gmail com) (1 replies)
Re: Unable to impersonate another user although having its cookie Jul 01 2009 04:20PM
Heine Deelstra (hdeelstra gmail com) (1 replies)
Re: [SOLVED] Unable to impersonate another user although having its cookie Jul 02 2009 02:53PM
Juan Kinunt (kinunt gmail com)
Re: Unable to impersonate another user although having its cookie Jul 01 2009 02:20PM
Brad Causey (bradcausey gmail com)
Copyright 2010, SecurityFocus