msn.com cookie stealing and timeout issues...
Posted by: istari
Date: July 02, 2007 05:11PM

let's say one manages to steal a cookie with credentials in it, such as msn.com's cookie containing the mspauth and mspprof keys for a given user. it is then possible to fake that cookie and hijack the user's account, but after a while (in msn.com, it's 24 hrs) this will stop working...

my question is: who is the one responsible for the timeout? some value in the stolen cookie itself, or the webserver? is there a way to bypass the timeout, either by modifying the stolen cookie or by putting the stolen credentials in a new cookie?

in any case, thanks for your help and information!

istari

ps: i am also interested in the more general, theoretical case: what's the most usual way to handle cookie timeouts? what's the most secure way to do this in a webapp?

Re: msn.com cookie stealing and timeout issues...
Posted by: WhiteAcid
Date: July 02, 2007 07:17PM

If you simply extend the lifespan of the cookie does that help? If not, then MSN are most likely explicitly killing the session ID at the server after 24 hours.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: msn.com cookie stealing and timeout issues...
Date: July 03, 2007 09:43AM

Can you not make a script to access MSN sending the stolen cookie in the request to keep the cookie session active so the session expiration is extended? Provided MSN does it that way or just forces a cookie session active or not to be killed after 24hrs.

Re: msn.com cookie stealing and timeout issues...
Posted by: istari
Date: July 06, 2007 05:32PM

@WhiteAcid

what do you mean by "extend the lifespan of the cookie"? is there a way to do so other than forcing the browser to send it in all transactions with a given site? my approach is usually to use a local proxy (such as proxomitron) to fake the http headers and send the stolen cookie to the site...

@CrYpTiC_MauleR

i hadn't thought of that: it sure sounds like a rather clever way to get past some of the timeouts that one may find out there, although in the case of msn.com re-using a session will not reset its timeout, so using the stolen cookie to log in every hour or so won't work in this case...

anyway, just in case someone wants to take a peek at what i'm dealing with here, i'll post an excerpt of msn.com's cookie which i think may be important in this case:

PIM=**SOME_RUBBISH**%2ctimestamp%2c1181780525%2c**MORE_RUBBISH**;
...
RPSMaybe=1181781264;

now the two numbers that appear there are definitely time directions as returned by C's ctime() function:

1181780525 = Wed Jun 13 21:22:05 2007

1181781264 = Wed Jun 13 21:34:24 2007

given the difference between them, i'd say they are the time of log-in and maybe the last-used time (12 minutes is enough for checking your mail, isn't it?)

anyway, modifying these values didn't change anything whatsoever, so i'm still lost and in need of help...



Edited 2 time(s). Last edit at 07/06/2007 05:35PM by istari.
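Added example, not code from the thread or from msn.com: a minimal server-side session store in Python showing the pattern istari asks about in the theoretical part of the question and that the thread observes in msn.com's behaviour. Expiry is decided only from timestamps the server keeps (an absolute lifetime that use does not reset, plus a sliding idle window), and the cookie is HMAC-signed so that editing a timestamp in it, like the ones in PIM or RPSMaybe, is rejected before it is even looked at. The key, field names and timeout values are constructed for the demo.

```python
import hmac, hashlib, secrets

ABSOLUTE_LIFETIME = 24 * 3600  # hard cap on session age, never extended by use
IDLE_TIMEOUT = 30 * 60         # sliding window, refreshed on each valid request
SERVER_KEY = b"constructed-demo-key-not-for-production"  # assumption: real key is random and secret

_sessions = {}  # server-side store: session_id -> {"user", "created", "last_seen"}

def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_cookie(user: str, now: float) -> str:
    """Create a server-side session record and return the cookie value for it."""
    sid = secrets.token_hex(16)
    _sessions[sid] = {"user": user, "created": now, "last_seen": now}
    # The timestamp in the cookie is informational only; the server's copy is authoritative.
    payload = f"sid={sid};ts={int(now)}"
    return f"{payload};sig={_sign(payload)}"

def validate_cookie(cookie: str, now: float) -> tuple:
    """Return (accepted, reason_or_user). Expiry uses server-side timestamps only."""
    try:
        payload, sig = cookie.rsplit(";sig=", 1)
    except ValueError:
        return False, "malformed"
    if not hmac.compare_digest(_sign(payload), sig):
        return False, "bad_signature"          # any edit to sid or ts is rejected here
    fields = dict(kv.split("=", 1) for kv in payload.split(";"))
    sid = fields.get("sid")
    rec = _sessions.get(sid)
    if rec is None:
        return False, "unknown_session"        # logged out or revoked server-side
    if now - rec["created"] > ABSOLUTE_LIFETIME:
        _sessions.pop(sid)
        return False, "expired_absolute"       # keeping the session busy does not help
    if now - rec["last_seen"] > IDLE_TIMEOUT:
        _sessions.pop(sid)
        return False, "expired_idle"
    rec["last_seen"] = now                     # only the idle window slides
    return True, rec["user"]

def logout(cookie: str) -> None:
    """Revoke the server-side record so any copy of the cookie stops working at once."""
    payload = cookie.rsplit(";sig=", 1)[0]
    sid = dict(kv.split("=", 1) for kv in payload.split(";")).get("sid")
    _sessions.pop(sid, None)
```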
