
[YAHOO] Forged cookie functioning


pierre


Hello,

Recently, Yahoo members were notified about "forged cookies".

The hacker just forged the cookie in his browser to usurp the victim's session.

It works because the cookie value isn't renewed and randomized each time another session is established (I may be wrong here, feel free to correct me).

But originally, how does the hacker get this famous cookie?

Thanks

Edited by pierre

Session hijacking and reusing cookies is nothing new, but I'm wondering if what you mention is something different, as I haven't read what you are talking about.

Capturing data on the line/same subnet from other machines, using something like a MITM with a packet sniffer going, will allow you to copy out and inject locally the user's cookies. This session data, if not properly checked on the sites they visit to validate or challenge the cookie data, will allow you to log in as them, essentially bypassing logins and giving you access to whatever the user has access to. Getting the cookie data is the hard part. Reusing it in most instances is trivial.

If you want to see your cookies for the forums, type the following into your address bar:

javascript:document.cookie

This should write your current cookie(s) into the page.

To inject a cookie or change values, write the following (as an example):

javascript:document.cookie="foo=1;"

Then go back to the forums and enter the first one I showed you up top. You should now see all of the old cookies and a new one called foo with a value of 1.

Also, just FYI, these cookies need to be loaded per site you visit as well. They won't be of any use for blank open tabs or the wrong sites, as they inject into the currently open site/tab you are viewing.

Not all cookies can be read like this, but I'm just giving an example of how you can take a cookie from a packet capture, inject it, and then see if it's loaded. Session-only cookies work a bit differently, but general cookies can be injected this way.

Token authentication, I believe, is in a separate protected storage, and I'm not sure how you view them for sites directly other than in developer/console mode of a browser to view all session data (although it may be transmitted on the wire, which is where the sniffing of traffic comes into play). Token-based is, I believe, also more server side.


Edited by digip
