OSEC

 
From: gman . (gman1120hotmail.com)
Date: Tue Oct 02 2001 - 12:30:20 CDT


    Peter,

    The following link points to a modification I made to Mozilla that allows
    you to edit cookies that your browser picks up, including session cookies.
    This is important because editing cookies stored in files is useless about
    90% of the time.

    http://www1.securityfocus.com/data/tools/mozilla-cookie-edit.diff

    I have compiled and tested this under Windows and Linux using the Mozilla
    0.9.2 (it may work with newer versions, but this is untested) source code
    tree. It's a pain to compile under Win32, so I suggest using it in Linux.
    To use, just apply the patch to the source code with:

    patch -p0 < (source to diff)/mozilla-cookie-edit.diff

    Use the following procedure to edit cookies:

    Click edit->preferences. Open the privacy and security twistie, and click on
    cookies. Click view stored cookies to open the cookie manager. From there,
    you can view any cookie (as you could always), and change the value by
    editing the value in the box and clicking "set cookie". I've used this in
    web application security assessments, and have successfully hijacked other
    users' sessions this way. Of course you have to guess the session id (if
    that's all that's used), but considering the predictability of the session
    IDs generated by an unpatched WebSphere application server, this could drive
    a good point home.

    There is only one caveat. When you modify a cookie, the value is not stored
    in the array used for the cookie manager (this is used for display only).
    If you click another cookie, then come back to the one you have edited, it
    appears as though the change never occurred (even though the value of the
    cookie in memory has changed). You will be able to see the modified value
    if you close the cookie manager and open it back up. This was intentional,
    since I use this as a way to revert
    the cookie to its original value, in case I had clicked on the wrong one, or
    made some other mistake ;)

    Regards,

    Steve

    >Does anyone know of a piece of software that can be used for viewing and
    >manipulating the data inside of a cookie?

    >Peter Holland
    >Available Mortgage Funding
    >Dallas, Texas
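
The session-ID predictability mentioned in the message is something a defender can check for on their own application by sampling the IDs it issues. The following is an added example, not part of the original post or the Mozilla patch; the function names, the 64-bit threshold and the sample IDs are assumptions constructed for illustration.

```python
import secrets
from collections import Counter
from math import log2

def new_session_id() -> str:
    """Server-side issuance: 128 bits from the OS CSPRNG, hex-encoded."""
    return secrets.token_hex(16)

def position_entropy_bits(ids):
    """Sum of per-character-position Shannon entropy over the sample.

    Positions that never change contribute 0 bits. This is an upper bound
    on the sample's real entropy, so a low score is conclusive while a
    high score is not proof of strength.
    """
    if len({len(s) for s in ids}) != 1:
        raise ValueError("IDs must have equal length")
    total = 0.0
    for column in zip(*ids):
        n = len(column)
        total += -sum(c / n * log2(c / n) for c in Counter(column).values())
    return total

def looks_sequential(ids):
    """True if the IDs parse as hex integers separated by one constant step."""
    try:
        values = [int(s, 16) for s in ids]
    except ValueError:
        return False
    deltas = {b - a for a, b in zip(values, values[1:])}
    return len(deltas) == 1

def audit(ids, min_bits=64.0):
    """Return findings for a sample of issued IDs; an empty list means none."""
    findings = []
    if looks_sequential(ids):
        findings.append("sequential")
    if position_entropy_bits(ids) < min_bits:  # threshold is an assumption
        findings.append("low-entropy")
    return findings

# Constructed sample: fixed prefix plus a counter (not from any real server).
WEAK_SAMPLE = [f"0000a3f1{n:08x}" for n in range(0x1000, 0x1040)]
# Sample drawn from the CSPRNG-backed issuer above.
STRONG_SAMPLE = [new_session_id() for _ in range(64)]

if __name__ == "__main__":
    print("weak:  ", audit(WEAK_SAMPLE), round(position_entropy_bits(WEAK_SAMPLE), 1))
    print("strong:", audit(STRONG_SAMPLE), round(position_entropy_bits(STRONG_SAMPLE), 1))
```

Because the client can set any cookie value it likes, unguessable IDs are the control that matters here; the audit only flags the obvious failure modes in a sample.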
