Cookie Pal

Cookie Pal is one of the best programs for monitoring the cookies that are added to or changed on a system. Cookies are fields of data, stored in one or more files, that the browser uses to maintain state and retrieve information. Typically hidden from the user, cookies aren't inherently dangerous. However, their use can be abused to trick a Web server into giving more information than it should. In other words, we can alter how the server identifies us by altering the cookie values sent with our GET requests.

Two types of cookies are used by servers and browsers: session and persistent cookies. Session cookies reside only in memory and are temporary fields of data held until the client's browser is closed. Persistent cookies reside on disk and are read by the browser when requested. For Internet Explorer, persistent cookies are stored in the C:\Documents and Settings\Administrator\Cookies directory. Each Web site has its own files with cookies in them. For example, the following cookie file holds three cookies: an identification number (RMID), a first name (welcome), and a username/password (userinfo):

RMID
4404be123ccb8c80
winespectator.com/
1056
3567004032
30124358
4178596544
29486711
*
welcome
Stuart
winespectator.com/
1056
1240627200
30394925
4269326544
29486711
*
userinfo
CTR(64-1):c61+d86pcZN6o35ciKmTo5qXWIOkqZ1ZkmisfmqEY8PTrNaylsLexuTM0W7I4OWdWYVorH5qhWHD17bUto/C5taTm5WOwunn3JzEsuqzaoZ0s+G2mH1bdKKRk5edm8PV7Ougv7XgsnbClrSit9pyU4aXkZ6MlV7G697kjL+w4aG5yZDC5m6jhUh/ooaentifxuns3Zu5p61+dodjh6Ruo45If6KGnp/Yn8bp7N2bvqTps7jBkrPevuWySH+i
winespectator.com/
1056
1240627200
30394925
4273736544
29486711
*
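As an added example (not from the book and not part of the Cookie Pal program), the following Python script parses a cookie file of the kind listed above. It relies on a fact the text does not spell out: in Internet Explorer's per-site cookie files each record is nine lines, namely name, value, host and path, a flags integer, the low and high 32-bit halves of the expiry time, the low and high halves of the creation time, and a `*` terminator, with both times being Windows FILETIMEs (100-nanosecond ticks since 1601-01-01 UTC). The sample embedded in the script is constructed from the first two records above; the long userinfo record is left out.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the first two records of the cookie file shown above.
SAMPLE_COOKIE_FILE = """RMID
4404be123ccb8c80
winespectator.com/
1056
3567004032
30124358
4178596544
29486711
*
welcome
Stuart
winespectator.com/
1056
1240627200
30394925
4269326544
29486711
*
"""

# Windows FILETIME epoch: ticks of 100 ns since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Field layout of one record (assumed from the IE cookie-file format; the page
# shows the fields but does not name them).
FIELDS = ("name", "value", "host_path", "flags",
          "expires_lo", "expires_hi", "created_lo", "created_hi")


def filetime_to_datetime(low, high):
    """Join the two 32-bit halves of a FILETIME and convert to a UTC datetime."""
    ticks = (int(high) << 32) | int(low)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_ie_cookie_file(text):
    """Parse an IE cookie file into a list of dicts; raise ValueError on a malformed record."""
    cookies = []
    record = []
    for line in text.splitlines():
        if line != "*":
            record.append(line)
            continue
        if len(record) != len(FIELDS):
            raise ValueError(f"record ending at '*' has {len(record)} fields, expected {len(FIELDS)}")
        raw = dict(zip(FIELDS, record))
        cookies.append({
            "name": raw["name"],
            "value": raw["value"],
            "host_path": raw["host_path"],
            "flags": int(raw["flags"]),
            "expires": filetime_to_datetime(raw["expires_lo"], raw["expires_hi"]),
            "created": filetime_to_datetime(raw["created_lo"], raw["created_hi"]),
        })
        record = []
    if record:
        raise ValueError("file ends with a partial record (no '*' terminator)")
    return cookies


def live_cookies(cookies, when_iso):
    """Names of cookies whose expiry is still in the future on the given ISO date (UTC)."""
    when = datetime.fromisoformat(when_iso).replace(tzinfo=timezone.utc)
    return [c["name"] for c in cookies if c["expires"] > when]


if __name__ == "__main__":
    for c in parse_ie_cookie_file(SAMPLE_COOKIE_FILE):
        print(f'{c["name"]:10} {c["host_path"]:20} created {c["created"]:%Y-%m-%d} '
              f'expires {c["expires"]:%Y-%m-%d}')
```

Decoding the timestamps is what makes such a listing useful when reviewing a machine: the RMID record above was created on 28 April 2002 and does not expire until the end of 2010, so a site identifier sits on disk for years unless the user clears it, which is exactly the window a tool like Cookie Pal is meant to help you manage.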

Cookie Pal allows control of both session cookies and persistent cookies before they are committed to memory or disk, respectively. The program does so by intercepting the cookie in the Web server's response and displaying it in an Alert dialog box, as illustrated in Figure 15-13.

Figure 15-13. Cookie Pal Alert

The alert displays the server the cookie is coming from, the name of the cookie, its value, and the expiration date. It also provides the option to accept or reject the cookie. Once the cookie has been accepted, it can be viewed and cleared through the main user interface, as shown in Figure 15-14.

Figure 15-14. Cookie Pal display

Cookie Pal displays the session cookies when we click on the Session tab and the persistent cookies when we click on the Cookies tab. All the fields are displayed in the interface, and the option to Delete (persistent) or Clear (session) them is provided. You will be surprised at how many cookies you encounter in your Internet travels and will want to clean them out from time to time.

Cookies typically hold information such as stored usernames and passwords, preferences, a mailing address, and online identification. These "harmless" little cookies can contain a lot of information of value to an attacker. But they reside only in your computer's memory or hard drive, so a remote attacker wouldn't be able to access them, much less take advantage of them for an attack. Although cookies are generally harmless, you still must be wary of them.

Cookies can be either pulled off the network (as when your neighbor is on the same shared network) or reverse engineered. If an attacker can capture a cookie (à la Cookie Pal) and reverse engineer it, she can effectively impersonate another user. For online Web sites such as banks and trading sites, this prospect is enormously dangerous, as attackers (foreign and domestic) can take ownership of stock trades and bank transfers, for example. Once any identification information within a cookie, such as a username/password, has been broken, the cookie can be used to impersonate another user.

To describe the relationship of cookies to security and privacy, let's take a simple example. In the following ASP code, we first insert a cookie in the user's browser to store the number of times she has visited our Web site. Then we display that number of times to the user.

<%
' Persist the counter for a year. The incoming value is used as-is: no check that it
' is numeric or reasonably sized, which is the weakness exercised later in this section.
response.cookies("NumberofVisits").Expires = Date + 365
num = request.cookies("NumberofVisits")
If num = "" Then
  ' No cookie yet: this is the first visit.
  response.cookies("NumberofVisits") = 1
Else
  ' VBScript attempts numeric addition here; a non-numeric cookie value raises a type mismatch.
  response.cookies("NumberofVisits") = num + 1
End If
%>

<html>
<body>

<%
If num = "" Then
%>

<font face=verdana size=20>Our Cookie Example</font><br><br>
<font face=verdana size=6>This is the</font><font face=verdana size=6 color=red> <b>first time</b></font>
<font face=verdana size=6>you have graced us with your presence.</font>

<%
Else
%>

<font face=verdana size=20><b>Welcome back!</b></font><br><br>
<font face=verdana size=6>You have visited this Web page:</font><br>
<font face=verdana size=6 color=red><b>

<%
' Echo the (unvalidated) cookie value back to the user.
response.write(num)
If num = 1 Then
  response.write " time before!"
Else
  response.write " times before!"
End If
End If
%>

</b></font>
</body>
</html>

The first time we use our browser to go to the Web site, we get the initial cookie shown in Figure 15-15.

Figure 15-15. Initial cookie

Cookie Pal intercepts it and prompts us to accept or reject it. We choose to accept it, and it now becomes a session cookie, as illustrated in Figure 15-16, and a persistent cookie, as illustrated in Figure 15-17.

Figure 15-16. Session cookie

Figure 15-17. Persistent cookie

The browser displays the results of our cookie setting and ASP script, as shown in Figure 15-18.

Figure 15-18. Cookie example results

The browser reveals that we didn't find an existing cookie in our Web site with the same name (NumberofVisits). So we add the cookie to the client's browser. The next time we click on the Web site (or just hit the Refresh button in the browser), the existing cookie will appear in the browser's cache and indicate a second message, as illustrated in Figure 15-19.

Figure 15-19. Second cookie

Note that the Value of the cookie to be set is now 2 instead of 1. The reason is that we found an existing cookie from 192.168.0.9 in the browser's cache and incremented that value by 1. Figure 15-20 shows the display that appears in our browser.

Figure 15-20. Browser display

If we really wanted to fool with the Web server's ASP script (and those prying eyes) we could modify the cookie, using Achilles to send a huge number of visits to the script. To do so we simply set up our Achilles proxy, make sure that our browser is set to use the Achilles proxy for its connections, and then point our browser to 192.168.0.9. The Achilles tool screen will look something like that shown in Figure 15-21.

Figure 15-21. Achilles tool screen

We then modify the value of the cookie NumberofVisits to something big, such as 99,999,999, right in the Achilles edit window, as shown in Figure 15-22, and hit Send.

Figure 15-22. Modified Achilles tool screen

The ASP script processes the large value and sends it back to the browser, as illustrated in Figure 15-23.

Figure 15-23. ASP script response

Hence with cookie manipulation we can get the server to process values that aren't expected and therefore aren't handled properly. As you can imagine, the potential for such abuse is tremendous. We can send an even bigger cookie value in an attempt to overflow the num buffer, as shown in Figure 15-24.

Figure 15-24. Buffer overflow caused by cookie

This action by itself wasn't all that dangerous because the error was caught by VBScript and handled with the error message shown. However, an attacker can try to get around this roadblock by sending various strings of null bytes and characters, looking for a way to break the application or, even worse, the Web server. If input sanitization isn't used in code development, you will suffer the consequences. In this case, we should have a routine in the ASP script to confirm that the field is numeric only and can be only so big.
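The page's script is ASP, but the check it calls for is easier to show in a form that can be run directly. The Python below is an added example, not the book's code: `unsafe_next_visits` mirrors the ASP logic (no validation, so a value such as 99,999,999 raises an error, the counterpart of the VBScript type mismatch in Figure 15-24), and `safe_next_visits` applies the fix the text describes, accepting only a plain decimal string of at most seven digits (an assumed limit) and treating anything else as a first visit. The function names, the digit limit and the message text are my own choices.

```python
import re

# Assumed policy, not from the page: a visit counter is a plain decimal string of at
# most MAX_DIGITS digits, so the value can never be large enough to overflow anything.
MAX_DIGITS = 7
COUNTER_RE = re.compile(r"[0-9]{1,%d}" % MAX_DIGITS)

FIRST_VISIT_TEXT = "Our Cookie Example: this is the first time you have graced us with your presence."


def unsafe_next_visits(raw):
    """Mirror of the page's ASP logic: trust the cookie and add 1.

    A tampered value such as '99,999,999' makes int() raise ValueError, the Python
    counterpart of the VBScript type mismatch; an oversized all-digit value passes.
    """
    if raw == "":
        return 1
    return int(raw) + 1


def validate_visits(raw):
    """Return the counter as an int if it is a short, all-digit string; otherwise None."""
    if raw is None or not COUNTER_RE.fullmatch(raw):
        return None
    return int(raw)


def safe_next_visits(raw):
    """Validated counter: anything that is not a small non-negative integer resets to 1."""
    n = validate_visits(raw)
    return 1 if n is None else n + 1


def render(raw):
    """Text the page's script displays, driven by the validated count."""
    n = validate_visits(raw)
    if n is None:
        return FIRST_VISIT_TEXT
    unit = "time" if n == 1 else "times"
    return f"Welcome back! You have visited this Web page: {n} {unit} before!"


def handle_request(request_cookies):
    """Simulate one request: return the Set-Cookie value for NumberofVisits and the page text."""
    raw = request_cookies.get("NumberofVisits", "")
    return str(safe_next_visits(raw)), render(raw)


def unsafe_rejects(raw):
    """True if the unvalidated logic blows up on this input (used for the demo below)."""
    try:
        unsafe_next_visits(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: normal values, the tampered value from the text, an oversized
    # value, and a value carrying cookie-attribute syntax.
    for raw in ("", "1", "2", "99,999,999", "99999999", "7;path=/"):
        print(f"{raw!r:14} unsafe_error={unsafe_rejects(raw)!s:5} "
              f"-> {handle_request({'NumberofVisits': raw})}")
```

The point of `validate_visits` is that it decides on the shape of the string before any arithmetic happens: the length bound means no value the client can send ever becomes a large number, and the digit-only match rejects separators, signs, whitespace and attribute syntax outright. Resetting to 1 rather than echoing the bad value back also keeps the unvalidated input out of the HTML response.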

Web Hacking: Attacks and Defense
ISBN: 0201761769
Year: 2005
Pages: 156