Tuesday, October 30, 2012

Cookie Poisioning

Web sites use cookies (a lot of them), cookies can be permanent (on disk) or temporary (in memory), and cookies contain variables; variables that the site cares about, and can be messed with or "poisoned" to get results that the Web site didn't intend to give you. Lets take an example of a website wherein the user gets discount, if you have the right cookie content then you will receive a 50% discount; if the content isn't right then you will not receive the 50% discount. The first page sets the cookie with the content of "SpecialOffer=No" indicating that you are not eligible by default. The cookie setting code on this page is simple and looks like this:
Now, if you click the link "Click here to see if you are eligible for 50% discount" you'll see that you are not eligible for the discount. The check on the 2nd page is pretty simple too and looks like this:
In the above script I look for the value of "SpecialOffer=Yes" in the cookie content and then react accordingly. If I don't see "SpecialOffer=Yes" then you aren't eligible for the discount. Now, on to the fun stuff! How do you make yourself eligible for the discount? To do this we need to change the default cookie content value from "SpecialOffer=No" to "SpecialOffer=Yes". How does one change cookie values? There are quite a few ways but I'll share with you my 3 favorites:
1. Add N Edit Cookies FireFox extension
2. Paros Proxy
3. Paste the following JavaScript in the URL bar to view the cookies:
and the following to modify it:

javascript:alert(window.c=function a(n,v,nv) {c=document.cookie;c=c.substring(c.indexOf(n) +n.length,c.length);c=c.substring(1,((c.indexOf(";")>-1) ? c.indexOf(";") : c.length));nc=unescape(c).replace (v,nv);document.cookie=n+"="+escape(nc);return unescape (document.cookie);});alert(c(prompt("cookie name:",""), prompt("replace this value:",""),prompt("with::","")));
How to poison cookies with Add N Edit Cookies
1. Navigate to http://www.qainsight.net/examples/cookietest.htm in FireFox
2. Click the cookie icon in your FireFox toolbar
3. Find the cookie for www.QAInsight.net and double click it or highlight it and press the edit button
4. Change the content form field from "No" to "Yes" (case sensitive)
5. Go back to the browser and click the link "Click here to see if you are eligible for 50% discount"
6. KaaaaPOW.... You now have the 50% discount! You're a freakin' evil, bad to the bone tester!
How to poison cookies with Paros ProxyTypically I wouldn't use Paros in this situation because the cookie is being set on the client side (you won't see this too much in the real world). The following example isn't what I consider cookie poisoning but more JavaScript manipulation. The following assumes you have cleared your cache:
1. Turn on Paros and set you IE connection options to use the address of with a port of 8080
2. In Paros click the "Trap" tab and check the "Trap Request" and "Trap Response" checkboxes
3. Navigate to http://www.qainsight.net/examples/cookietest.htm in IE
4. Go back to Paros (Trap tab) and press the "continue" button until you see the following text in the bottom pane:
5. Change the "No" to "Yes" in the above line
6. Click the "Continue" button.
7. Go back to IE and click the link "Click here to see if you are eligible for 50% discount"
8. Whoot! You now have the 50% discount! You're one sexy cool tester with a severity 1 defect that needs to be submitted.

There are situations where you will want to change the cookie value in the header (the top pane in the trap tab) on the response or the request, this is when you would use Paros over Add n Edit Cookies. Situations where you would need to manipulate the cookie before the response is rendered or before the request is sent due to the server or client side code manipulating the cookie.
How to poison cookies with JavaScript
1. Navigate to http://www.qainsight.net/examples/cookietest.htm in IE
2. To view the set cookie, type the following in the URL bar:
3. You will see "SpecialOffer=No". Click Ok
4. Copy and paste the following JavaScript in the browser URL bar:
javascript:alert(window.c=function a(n,v,nv) {c=document.cookie;c=c.substring(c.indexOf(n) +n.length,c.length);c= c.substring(1,((c.indexOf(";")>-1) ? c.indexOf(";") : c.length)); nc=unescape(c).replace(v,nv); document.cookie= n+"="+escape(nc);return unescape(document.cookie);}); alert(c(prompt("cookie name:",""), prompt("replace this value:",""), prompt("with::","")));
5. Hit the enter key
6. Click the Ok button at the JavaScript Alert
7. Type the cookie name of SpecialOffer in the Alert box and click the Ok button
8. At the "replace this value" script prompt type No and press the Ok button
9. At the "with:" script prompt type Yes (case sensitive) and press the Ok button
10. The next alert will show you the replaced cookie. You should see: SpecialOffer=Yes
11. Click the Ok button
12. In IE click the link "Click here to see if you are eligible for 50% discount"
13. DingDingDingDing.... You're a winner! You now have the 50% discount! You're quite the bad-ass tester aren't you? You're like the wicked witch in Snow White but instead of poisoning apples you poison cookies.
And that's how I conduct cookie poisoning when testing. Not too awful tough eh? Oh...if I ever get confused about the state of cookies before and after poisoning I use HTTPWatch to get a better idea of what is going on. I can usually get the gist of it by looking through the cookie and header tabs.
When do you test for the cookie poisoning vulnerability you ask? Whenever there is a cookie being used! Is it a defect if you can manipulate the cookie? Not necessarily. They typically are defects when a cookie is being placed that impacts or restricts the site's behavior and you can exploit that feature. If you manipulate a cookie and it doesn't gain you anything or exploit a feature then it's not of much value, thus not a defect. But...it's important that you know what the cookie you are poisoning does, without knowing what the cookie does you may be poisoning something and may not be seeing that exploit. To prevent guess-work it's easiest if you work with your developer to understand what he/she is doing with cookies on the site so you can go straight for the kill.
Happy poisoning!

No comments: