pierre Posted February 23, 2017 (edited)

Hello,

Recently, Yahoo members were advised about "forged cookies". The hacker just forged the cookie in his browser to usurp the victim's session. It works because the cookie value isn't renewed and randomized each time another session is established (I may be wrong here, feel free to correct). But originally, how does the hacker get this famous cookie?

Thanks

Edited February 23, 2017 by pierre
digip Posted February 25, 2017 (edited)

Session hijacking and reusing cookies is nothing new, but wondering if what you mention is something different, as I haven't read what you are talking about.

Capturing data on the line/same subnet from other machines using something like a MITM with a packet sniffer going, will allow you to copy out and inject locally the user's cookies. This session data, if not properly checked on the sites they visit to validate or challenge the cookie data, will allow you to log in as them, essentially bypassing logins, and giving you access to whatever the user has access to. Getting the cookie data is the hard part. Reusing it in most instances is trivial.

You want to see your cookies for the forums, type in your address bar the following:

javascript:document.cookie

This should write in the page your current cookie(s). To inject a cookie or change values, write the following (as an example):

javascript:document.cookie="foo=1;"

Then go back to the forums, and enter the first one I showed you up top. You should now see all of the old cookies and a new one called foo with a value of 1.

Also, just FYI, these cookies need to be loaded per site you visit as well. They won't be of any use for blank open tabs, or the wrong sites, as they inject into the currently open site/tab you are viewing. Not all cookies can be read like this, but I'm just giving an example of how you can take a cookie from a packet capture, inject it and then see if it's loaded. Session-only cookies work a bit differently, but general cookies can be injected this way.

Token authentication I believe is in a separate protected storage, and not sure how you view them for sites directly other than in developer/console mode of a browser to view all session data (although it may be transmitted on the wire, which is where the sniffing of traffic comes into play). Token based I believe is also more server side.
Edited February 25, 2017 by digip
pierre Posted February 28, 2017 (Author)

Thank you, understood well :)