Re: Unable to impersonate another user although having its cookie

[jay.tomas () infosecguru com]

I agree that best practices are not followed which is exactly why  
there are plenty of nightmares to laugh at. My point was to look at  
the least common denominator and say maybe this is working as  
designed. cakephp is open source so it may be easier to just look at  
the source and see whats' going on with it's auth process.

I guess what would be important to clarify is the request done by the  
second client flowing through cleanly or is it having to  
re-authenticate with the cookie? Thus now the apps detects it has two  
authenticated sessions with the same id?

If the server is disconnecting based on code on its side to invalidate  
the session if it sees a duplicate instance of an id, this may or may  
not show up in a request reply aka intercept proxy.

Jay

Quoting Kevin Stadmeyer <leviticus () gmail com>:

> what is expected and what is done are two different things, I rarely see
> apps which allow only one valid logon but it is refreshing when I do.
>
> I believe the issue however is that he is already logged, copying the
> cookies to another browser session/computer. In which case I agree with the
> above posters, something has to change for it to be detected, check the
> requests and view the diff.
>
> On Wed, Jul 1, 2009 at 11:02 AM, <jay.tomas () infosecguru com> wrote:
>
> > If I understand the issue correctly you login successfully and get a
> > cookie. You then try and login a second time with another browser trying to
> > impersonate the first authenticated user. However, the first session then
> > gets logged out. To me this would be expected if the app is designed
> > correctly. I would think you would only want 1 valid login at a time, and if
> > another one is used it would invalidate the other.
> >
> > -Jay
> >
> >
> >
> > Quoting pUm <hijacka () googlemail com>:
> >
> >  just a gues,
> > > but try to fake the user agent. something in the http header must be
> > > part of the cookie auth. so try them all and then reduce. My guess is
> > > that it is the user-agent
> > >
> > > 2009/7/1 Juan Kinunt <kinunt () gmail com>:
> > >
> > > > Hi,
> > > >
> > > > I'm auditing a web application programmed in CakePHP and I'm having  a
> > > > problem.
> > > > I'm almost sure the authentication mechanism is carried by a cookie
> > > > but I'm unable to impersonate another user using its cookie.
> > > > The probe I do is opening two sessions with two different users (one
> > > > in internet explorer and one in firefox). Then I copy the cookie
> > > > belonging to one user and substitute it in a request done by the other
> > > > user (using WebScarab). The app throws and error and disconnects the
> > > > validated and legal user.
> > > > I think that some info is stored in server side about the client who
> > > > owns each cookie.
> > > >
> > > > Is this possible? Is it the normal operation in sessions in CakePHP?
> > > >
> > > > Any info or pointer would be very useful.
> > > >
> > > > Thanks.
> >
> >
> > ----------------------------------------------------------------
> > This message was sent using IMP, the Internet Messaging Program.



----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.