Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Using cookies
Posted by: doody
Date: March 07, 2010 03:08AM

How do I go about using cookies to log in on another computer? On computer A I have logged in onto a secure site (using SSO) and I retrieved the contents of document.cookie. Can I go to computer B, visit the same site, and set the cookie with the same values in order to "log in" to that same site on computer B?

Re: Using cookies
Posted by: Matt Presson
Date: March 07, 2010 10:35AM

Yes. If you are using Firefox you can download Add-N-Edit Cookies, the Web Developer Toolbar or many other plugins that allow you to easily edit your cookies and do what you are looking for.

If you are using IE, you can go into your Temporary Internet Files, locate the cookie file and you can modify it there.

Re: Using cookies
Posted by: p0deje
Date: March 07, 2010 12:18PM

or just use Opera
Tools -> Advanced -> Cookies

---------
http://p0deje.blogspot.com

Re: Using cookies
Posted by: Matt Presson
Date: March 07, 2010 05:39PM

For all intents and purposes, the browser used is irrelevant. As long as you have the correct cookie values, you can become that user.


-Matt

Re: Using cookies
Posted by: doody
Date: March 07, 2010 09:03PM

Is it always the case that I can take over a session with just the cookies?

Re: Using cookies
Posted by: PaPPy
Date: March 08, 2010 06:58AM

No, some sites log the IP address and compare the session to the IP, so if your IP is different they ask you to re-login.

http://www.xssed.com/archive/author=PaPPy/

Re: Using cookies
Posted by: doody
Date: March 08, 2010 08:04AM

How can I implement this in JSP? Is it easy?

Re: Using cookies
Posted by: thrill
Date: March 08, 2010 11:28AM

It's easier to implement in PASCAL.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Using cookies
Posted by: Matt Presson
Date: March 08, 2010 01:11PM

To get the client's IP, call request.getRemoteAddr(). Beware that this may be the IP of a proxy, concentrator or other network-level device that the client is going through to access the internet. For an example, think AOL.

Re: Using cookies
Posted by: doody
Date: March 08, 2010 09:39PM

Thanks thrill but I don't know any PASCAL. Also, it's a requirement to use JSP for my project.

Hey Matt, sorry I don't live in the US so I don't know anything about AOL. But over here internet access goes through a proxy as well. Is it always the case that the proxy IP from a client will always be the same? Will there be a case where a client is routed through different proxies when accessing my website during the same session? Or is this something that depends on my ISP?

I suppose the best way of keeping track of this IP is by saving it as a session variable? Even if it's picked up, an attacker wouldn't be able to change their IP. Storing the IP in the database would take up unnecessary space and there is also an issue of removing the entries once the session is over.

Re: Using cookies
Posted by: SW
Date: March 09, 2010 07:39PM

If they're using Tor... hehe.
