Re: Unable to impersonate another user although having its cookie

[Michael Yelland <myelland () brotherhoodbank com>]

Go dload sidejacking, it contains hampster and ferret

On Jul 1, 2009, at 9:36 AM, "Irene Abezgauz"  
<irene.abezgauz () gmail com> wrote:

> Juan,
>
> A few questions to direct this -
>
> 1. are there any parameters in the request itself that are not the
> cookie and can be suspected as client/session identifiers?  (either in
> the body of a POST or as part of the URL in a GET)?
> 2. are you trying to execute a similar request? is there a chance you
> are failing not due to the cookie but due to lack of other parameters
> (such as an anti-csrf token)?
> 3. is it http or https traffic? I've encountered applications that
> make the connection between the ssl session and the application
> session.
>
> each of the above can be a direction of why it's not working for you.
> answering one or more of those can help direct to the problem.
>
> Irene
>
> On Wed, Jul 1, 2009 at 1:14 PM, Juan Kinunt <kinunt () gmail com> wrote:
> > Hi,
> >
> > I'm auditing a web application programmed in CakePHP and I'm having  
> > a problem.
> > I'm almost sure the authentication mechanism is carried by a cookie
> > but I'm unable to impersonate another user using its cookie.
> > The probe I do is opening two sessions with two different users (one
> > in internet explorer and one in firefox). Then I copy the cookie
> > belonging to one user and substitute it in a request done by the  
> > other
> > user (using WebScarab). The app throws and error and disconnects the
> > validated and legal user.
> > I think that some info is stored in server side about the client who
> > owns each cookie.
> >
> > Is this possible? Is it the normal operation in sessions in CakePHP?
> >
> > Any info or pointer would be very useful.
> >
> > Thanks.
This message is intended only for the persons or entities to which it is addressed. The information transmitted herein 
may contain proprietary or
confidential material. Review, reproduction, retransmission, distribution, disclosure or other use, and any consequent 
action taken by persons or
entities other than intended recipients, are prohibited and may be unlawful. If you are not the intended recipient, 
please delete this information from
your system and contact the sender. The information contained herein is subject to change without notice. Although 
reasonable precautions have been
taken to ensure that no viruses are present, the sender makes no warranty or guaranty with respect thereto, and is not 
responsible for any loss or
damage arising from the receipt or use of this e-mail or attachments hereto.  This message is intended only for the 
persons or entities to which it is
addressed. The information transmitted herein may contain proprietary or confidential material. Review, reproduction, 
retransmission, distribution,
disclosure or other use, and any consequent action taken by persons or entities other than intended recipients, are 
prohibited and may be unlawful.
If you are not the intended recipient, please delete this information from your system and contact the sender. The 
information contained herein is
subject to change without notice. Although reasonable precautions have been taken to ensure that no viruses are 
present, the sender makes no warranty
or guaranty with respect thereto, and is not responsible for any loss or damage arising from the receipt or use of this 
e-mail or attachments hereto.