WebApp Sec mailing list archives

Re: Unable to impersonate another user although having its cookie

From: Brad Causey <bradcausey () gmail com>
Date: Wed, 1 Jul 2009 09:20:27 -0500

Juan,

There is actually a relatively simple way to figure out what exactly
is causing the session stealing to fail.

Get a local proxy, such as WebScarab.
(http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project) and
run it on the machine where the browsers are installed.
Configure _both_ broswers to use the local proxy. (127.0.0.1:8080 for
example)  (http://dawes.za.net/rogan/webscarab/quickstart.php)

Use one browser to log in, and obvserve the first post-login request.
Use the second browser to try and put any differing values from the
first, into requests from the second. Viewing a diff of the two
requests will identify where the discrepancies are.

Hope this helps!

-Brad Causey
CISSP, MCSE, C|EH, CIFI, CGSP

http://www.owasp.org
--
Never underestimate the time, expense, and effort an opponent will
expend to break a code. (Robert Morris)
--


On Wed, Jul 1, 2009 at 9:00 AM, pUm <hijacka () googlemail com> wrote:


just a gues,
but try to fake the user agent. something in the http header must be
part of the cookie auth. so try them all and then reduce. My guess is
that it is the user-agent

2009/7/1 Juan Kinunt <kinunt () gmail com>:

Hi,

I'm auditing a web application programmed in CakePHP and I'm having a problem.
I'm almost sure the authentication mechanism is carried by a cookie
but I'm unable to impersonate another user using its cookie.
The probe I do is opening two sessions with two different users (one
in internet explorer and one in firefox). Then I copy the cookie
belonging to one user and substitute it in a request done by the other
user (using WebScarab). The app throws and error and disconnects the
validated and legal user.
I think that some info is stored in server side about the client who
owns each cookie.

Is this possible? Is it the normal operation in sessions in CakePHP?

Any info or pointer would be very useful.

Thanks.

Current thread:

Unable to impersonate another user although having its cookie Juan Kinunt (Jul 01)
- Re: Unable to impersonate another user although having its cookie pUm (Jul 01)
  - Re: Unable to impersonate another user although having its cookie Brad Causey (Jul 01)
  - Re: Unable to impersonate another user although having its cookie jay . tomas (Jul 01)
    - Re: Unable to impersonate another user although having its cookie Christopher Firth (Jul 01)
    - Message not available
    - Re: Unable to impersonate another user although having its cookie jay . tomas (Jul 01)
  - Re: Unable to impersonate another user although having its cookie Marc Ouwerkerk (Jul 01)
  - Re: Unable to impersonate another user although having its cookie S I (Jul 01)
    - Re: Unable to impersonate another user although having its cookie Heine Deelstra (Jul 01)
    - Re: [SOLVED] Unable to impersonate another user although having its cookie Juan Kinunt (Jul 06)
- Re: Unable to impersonate another user although having its cookie Irene Abezgauz (Jul 01)
  - Re: Unable to impersonate another user although having its cookie Michael Yelland (Jul 01)
- RE: Unable to impersonate another user although having its cookie Hellman, Matthew (Jul 01)

(Thread continues...)