
w3af - cookies


Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Tue Apr 28, 2009 10:52 pm

w3af - cookies

I can't seem to figure out how to get w3af to import a session cookie for a particular URL I am trying to scan.  It's asking for a Mozilla compatible cookiejar filename.  I am not sure exactly what that is.  FF3 uses SQLite for its cookie database.  I tried that but it didn't work.  Does anyone know what it wants?
~~~~~~~~~~~~~~
Ketchup

jimbob

Post Wed Apr 29, 2009 5:41 am

Re: w3af - cookies

I think you've kinda answered your own question. I believe it is looking for the cookie file used by Firefox >= 2.x. This I believe was a plaintext, whitespace-delimited file. I guess someone could write a script to dump the SQLite database in Firefox >= 3 into the old format... there's a weekend project for someone.

Jimbob

jimbob

Post Wed Apr 29, 2009 7:16 am

Re: w3af - cookies

OK, I couldn't resist the challenge, my C skills need some sharpening and I've never used sqlite. Here's a short program to extract the cookie information from the sqlite3 database used by Firefox 3 into the old format.

I've tested this on Cygwin but there is no reason why it should not compile on another platform so long as the sqlite3 libraries and headers are installed. I compiled it with the following command:

gcc -Wall -g -o cookiejar cookiejar.c  -lsqlite3

Regards,
Jimbob

  Code:
#include <stdlib.h>
#include <stdio.h>
#include <sqlite3.h>

/*
  These are the columns in the moz_cookies table
  id = used internally by Firefox?
  name = some_name
  value = some_value
  host = .ethicalhacker.net
  path = /
  expiry = 1304073154
  lastAccessed = 1241001154890625
  isSecure = 0
  isHttpOnly = 0

  The Firefox 2.x cookie file format is...
  Domain       Domain scope?  Path  Secure  Expires     Name      Value
  .example.com TRUE           /     FALSE   1143149359  login_id  123456
*/

static int callback(void *NotUsed, int argc, char **argv, char **azColName){
  const char *col[6];
  int i;

  // Any column can come back NULL; substitute "NULL" rather than dereferencing it
  for( i=0; i<6; i++ ){
    col[i] = (i<argc && argv[i]) ? argv[i] : "NULL";
  }

  printf("%s\t%s\t%s\t%s\t%s\t%s\t%s\n",
    col[0],                             // host or domain name
    col[0][0] == '.' ? "TRUE" : "FALSE", // Domain accessible if host starts with a '.'
    col[1],                             // path
    col[2][0] == '1' ? "TRUE" : "FALSE", // SSL only?
    col[3],                             // Expiry
    col[4],                             // Cookie name
    col[5]                              // Cookie value ("NULL" if unset)
  );

  return 0;
}

int main(int argc, char **argv){
  sqlite3 *db;
  char *zErrMsg = 0;
  char *sql = "select host,path,isSecure,expiry,name,value from moz_cookies";
  int rc;

  if( argc!=2 ){
    fprintf(stderr, "Usage: %s DATABASE\n", argv[0]);
    exit(1);
  }

  // Open the database read-only; plain sqlite3_open() would silently create an
  // empty database if the path were mistyped
  rc = sqlite3_open_v2(argv[1], &db, SQLITE_OPEN_READONLY, NULL);
  if( rc!=SQLITE_OK ){
    fprintf(stderr, "Can't open database: %s\n", sqlite3_errmsg(db));
    sqlite3_close(db);
    exit(1);
  }

  rc = sqlite3_exec(db, sql, callback, 0, &zErrMsg);
  if( rc!=SQLITE_OK ){
    fprintf(stderr, "SQL error: %s\n", zErrMsg);
    sqlite3_free(zErrMsg);
  }

  // Close the database
  sqlite3_close(db);
  return 0;
}

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Wed Apr 29, 2009 11:04 am

Re: w3af - cookies

Wow, thanks jimbob!    I thought I had a project to do this weekend :)  Thank you very much again!  I am pretty comfortable with C/C++, so I can tweak if necessary.  Have I said thanks? :)
~~~~~~~~~~~~~~
Ketchup

jimbob

Post Wed Apr 29, 2009 3:56 pm

Re: w3af - cookies

No problem at all. I fixed it up to compile with Visual C++, which is a first for me. I generally don't do any windows programming outside cygwin/vi/gcc so I've also gained from this exercise.

References
http://www.sqlite.org/quickstart.html
http://kb.mozillazine.org/Cookies

Jimbob
Last edited by jimbob on Wed Apr 29, 2009 3:58 pm, edited 1 time in total.

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Wed Apr 29, 2009 4:55 pm

Re: w3af - cookies

I tested it and it worked like a charm.  The only thing I had to add was a comment line at the top of the cookies file:

#Netscape Cookie File

VC++ is actually pretty nifty in terms of debugging and IDE options.  I also like the MFC classes, especially the later editions when they took security a bit more seriously.  They really have come a long way from strcmp(tinystr, hugestr) days. 

I've started using SQLite in the last 6 months or so.  It's a pretty cool portable database system.  The only compatible alternative I know is MS Access, and that's a mess.  SQLite is not terribly fast on inserts, but it really does the trick when you need something portable.

Thanks again!
~~~~~~~~~~~~~~
Ketchup
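An added example (my own code, not jimbob's program and not anything shipped with w3af or Mozilla) that does the same moz_cookies-to-cookies.txt conversion in Python, writes the header line Ketchup found necessary, and then loads the result back with Python's http.cookiejar.MozillaCookieJar to prove the file is accepted. The moz_cookies columns are the ones jimbob listed; the rows are constructed for this example, not taken from a real profile. It assumes the consumer is a MozillaCookieJar-style loader (w3af is a Python tool, so that is the assumption here), which requires a first line of the form "# Netscape HTTP Cookie File" or "# HTTP Cookie File" and insists that the TRUE/FALSE domain flag agree with a leading dot on the host:

```python
import os
import sqlite3
import sys
import tempfile
from http.cookiejar import LoadError, MozillaCookieJar

# First line MozillaCookieJar-style loaders look for; without it load() fails.
NETSCAPE_MAGIC = "# Netscape HTTP Cookie File"

# Constructed rows using the Firefox 3 moz_cookies columns from the thread
# (id, name, value, host, path, expiry, lastAccessed, isSecure, isHttpOnly).
# Expiry is 2100-01-01 so the sample is still valid when loaded back.
SAMPLE_ROWS = [
    (1, "login_id", "123456", ".example.com", "/", 4102444800, 1241001154890625, 0, 0),
    (2, "sid", "abc", "secure.example.com", "/app", 4102444800, 1241001154890625, 1, 1),
    (3, "empty", None, ".example.org", "/", 4102444800, 1241001154890625, 0, 0),
]


def build_sample_db():
    """In-memory stand-in for cookies.sqlite with the moz_cookies table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, name TEXT, value TEXT,"
        " host TEXT, path TEXT, expiry INTEGER, lastAccessed INTEGER,"
        " isSecure INTEGER, isHttpOnly INTEGER)"
    )
    conn.executemany("INSERT INTO moz_cookies VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def open_cookies_db(path):
    """Open a real cookies.sqlite read-only, so a mistyped path cannot create an empty DB."""
    return sqlite3.connect("file:%s?mode=ro" % path, uri=True)


def netscape_line(host, path, is_secure, expiry, name, value):
    """One cookies.txt record: domain, domain-flag, path, secure, expiry, name, value."""
    # The flag must agree with the leading dot; MozillaCookieJar asserts on it.
    domain_flag = "TRUE" if host.startswith(".") else "FALSE"
    secure_flag = "TRUE" if is_secure else "FALSE"
    return "\t".join([host, domain_flag, path, secure_flag, str(expiry), name, value or ""])


def moz_cookies_to_netscape(conn):
    """Render every row of moz_cookies as cookies.txt text, header included."""
    rows = conn.execute(
        "SELECT host, path, isSecure, expiry, name, value FROM moz_cookies ORDER BY id"
    )
    lines = [NETSCAPE_MAGIC, ""]
    for host, path, is_secure, expiry, name, value in rows:
        lines.append(netscape_line(host, path, is_secure, expiry, name, value))
    return "\n".join(lines) + "\n"


def load_with_mozillacookiejar(text):
    """Write the text to a temp file and load it the way a Python consumer would."""
    fd, tmp = tempfile.mkstemp(suffix=".txt")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
        jar = MozillaCookieJar(tmp)
        jar.load()  # raises LoadError when the magic header line is absent
        return sorted((c.domain, c.name, c.value, c.secure) for c in jar)
    finally:
        os.unlink(tmp)


def loads_cleanly(text):
    """True if MozillaCookieJar accepts the file, False if it rejects the header."""
    try:
        load_with_mozillacookiejar(text)
        return True
    except LoadError:
        return False


if __name__ == "__main__":
    # With a path argument convert a real cookies.sqlite; otherwise use the sample.
    src = open_cookies_db(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    sys.stdout.write(moz_cookies_to_netscape(src))
```

Run it with the path to a cookies.sqlite to get cookies.txt on stdout, or with no argument to convert the constructed sample. The read-only URI open is there because sqlite3 otherwise creates a fresh, empty database for a mistyped path and the converter would happily emit an empty jar. A NULL cookie value becomes an empty last field rather than the literal "NULL", since the loader treats the value column as opaque text.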

jimbob

Post Fri May 01, 2009 2:43 am

Re: w3af - cookies

I shall have to spend some more time learning VC++, it's a useful skill. I'll add the leading comment to my source and publish it somewhere. I know there are other tools out there that read the cookie SQLite database but I'm a command line kind of guy and I like output I can pipe.

I imagine Berkeley DB to be the closest to SQLite in terms of embedded database but I like SQLite on the basis that I already know SQL. I can see this too being useful :-)

Jimbob

ethicalhack3r

Full Member

Posts: 139

Joined: Fri Nov 28, 2008 11:29 am

Post Tue Jan 12, 2010 3:36 pm

Re: w3af - cookies

Sorry to bring up an old topic and thanks for the great script!

For some reason the cookies of a couple of sites I'm testing are not stored in the same place as other cookies. The only difference that I can see from the sites I'm testing and others is that the sites I'm testing are HTTPS. I tried logging into other HTTPS sites and they do seem to be saved into the same sqlite database.

I thought it may have been a problem with the script, however after opening the sqlite database and inspecting the data, the cookies were not there.

The location of my cookies.sqlite file:
/home/user/.mozilla/firefox/apj29vu2.default/cookies.sqlite

Does Firefox save HTTPS cookies in a different location? Is there something else going on here?

Thanks in advance.  ;D

P.S. Firefox 3.0.15 / BackTrack4 Final

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Thu Jan 14, 2010 5:33 pm

Re: w3af - cookies

I am not sure why you are not seeing the cookies.  I am not an expert on cookies, but could they be expiring (session cookies)? 

I also use wget to write the cookiejar file sometimes.  Perhaps it will help you here:

  Code:
wget --save-cookies cookiefile --post-data "login info goes here" -O URL > /dev/null
~~~~~~~~~~~~~~
Ketchup
