
Decoding Cookies


Seen


Full Member

Posts: 137

Joined: Mon Aug 30, 2010 1:05 am

Post Sun Jul 14, 2013 2:24 pm

Decoding Cookies

I'm testing this site that uses a cookie to control access to resources for various users. There are 2 problems so far:

1. The cookie value does not change: when a user logs in, their cookie is the same each time, so it can be replayed.
2. Logging out does not invalidate the cookie on the server. It makes it so the user no longer sends the cookie, but manually adding the cookie to the request allows access.

These two issues combined are pretty serious, but before I inform my client, I was wondering how difficult it would be to determine the encoding algorithm used for the cookie. Due to the nature of the site, all userids are public, therefore if you could figure out the algorithm you could log in as any user.

But I don't know anything about encoding algorithms. Can anyone here decode these cookies, or point me in the right direction (or let me know if it's hopeless trying) on how to try to determine the cookie generation algorithm?

Here are two cookies and their corresponding userids:

sean1: s%3A547534.QTGk277bpV36lKyGPcTg59M1pxnE8beBpekPL0d%2BXpI
sean2: s%3A556231.vzgC4enspO4yMKWJpXbPxnGXModkUmRDNC03Iu%2BvMcY

Any help would be greatly appreciated. Thanks.

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Mon Jul 15, 2013 12:48 am

Re: Decoding Cookies

The session ID should be a random/unique value that identifies the session in the session database on the web server. There *shouldn't* be any information encoded into the session ID itself. You can use burp to perform a statistical analysis of session IDs, but if they're using something that's part of a standard framework instead of rolling their own implementation, it's probably pretty well vetted already.
The day you stop learning is the day you start becoming obsolete.
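The two cookies in the opening post URL-decode to `s:<number>.<43 base64 characters>`. The Python below is an added example (not code from any poster or from the site under test): it splits the cookies on that assumed layout, checks that the opaque part is 32 bytes (the size of a SHA-256 MAC), shows why a deterministic MAC-only cookie replays, and contrasts it with the server-side random session store dynamik describes. The `s:` layout, the HMAC-SHA256 guess and the demo key are my assumptions, not facts the thread establishes.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import unquote

# The two cookies quoted in the opening post, keyed by user id.
COOKIES = {
    "sean1": "s%3A547534.QTGk277bpV36lKyGPcTg59M1pxnE8beBpekPL0d%2BXpI",
    "sean2": "s%3A556231.vzgC4enspO4yMKWJpXbPxnGXModkUmRDNC03Iu%2BvMcY",
}

def split_cookie(raw):
    """URL-decode and split on the assumed 's:<payload>.<base64 signature>' layout."""
    decoded = unquote(raw)
    if not decoded.startswith("s:") or "." not in decoded:
        raise ValueError("cookie does not match the assumed layout")
    payload, sig_b64 = decoded[2:].rsplit(".", 1)
    sig = base64.b64decode(sig_b64 + "=" * (-len(sig_b64) % 4))  # restore padding
    return payload, sig

def analyse(raw):
    """Clear-text payload plus whether the tag is 32 bytes, the size of a SHA-256 MAC."""
    payload, sig = split_cookie(raw)
    return {"payload": payload, "sig_len": len(sig), "sha256_sized": len(sig) == 32}

def sign(payload, key):
    """Assumed scheme: HMAC-SHA256 over the payload. Deterministic, so the same user
    always gets the same cookie: that is the replay problem from the opening post."""
    return hmac.new(key, payload.encode(), hashlib.sha256).digest()

def verify(payload, sig, key):
    return hmac.compare_digest(sign(payload, key), sig)

class SessionStore:
    """What dynamik describes: the cookie is a random token naming a server-side
    record and encodes nothing; logout deletes the record, so replay fails."""
    def __init__(self):
        self._sessions = {}

    def login(self, user):
        token = secrets.token_urlsafe(32)  # fresh 256-bit token on every login
        self._sessions[token] = user
        return token

    def user_for(self, token):
        return self._sessions.get(token)

    def logout(self, token):
        self._sessions.pop(token, None)
```

A 32-byte tag is consistent with HMAC-SHA256 but does not prove it; without the server's key the tag cannot be forged, so the replay and missing server-side invalidation remain the substantive findings.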

slinky


Newbie

Posts: 3

Joined: Tue Jul 17, 2007 10:28 am

Post Mon Jul 15, 2013 10:14 am

Re: Decoding Cookies

The Portswigger site has a good walk-through on how to use Burp's Sequencer to test the randomness of the session ID:

http://www.portswigger.net/burp/help/se ... arted.html

And here's a good article on interpreting the results from Burp Sequencer:
http://blog.portswigger.net/2008/05/bur ... r-101.html

You could try using Burp's decoder to see if you can find human-readable patterns and see if it's tied to anything like IP address, timestamp, etc.

Seen


Full Member

Posts: 137

Joined: Mon Aug 30, 2010 1:05 am

Post Tue Jul 16, 2013 1:09 pm

Re: Decoding Cookies

I wasn't able to find how to decode that cookie yet, but the site is using Ruby on Rails and I was able to decode another session cookie using this:

https://chrome.google.com/webstore/detail/cookitor/fhkfggemmbpliiikmibomomcagnlbpdp?hl=en

Now if only I could modify the values and reencode them :)
