Friday, April 6, 2018
Spoofing an Authentication Cookie
- Layout for this exercise:
1 - Authentication cookies
- Authentication cookies are the most common method used by web servers to know whether a user is logged in and, if so, which account they are logged in with.
https://en.wikipedia.org/wiki/HTTP_cookie
- Without such a mechanism, the site would not know whether to send a page containing sensitive information, or require the user to authenticate themselves by logging in.
- The security of an authentication cookie generally depends on the security of the issuing website and the user's web browser, and on whether the cookie data is encrypted.
- Security vulnerabilities may allow a cookie's data to be read by a hacker, used to gain access to user data, or used to gain access (with the user's credentials) to the website to which the cookie belongs.
- In this exercise OWASP WebGoat v5.4 will be used to demonstrate the spoofing of an authentication cookie:
2 - Session Management Flaws
- Going to Session Management Flaws -> Spoof an Authentication Cookie:
- The scenario consists of a login web form that works correctly for two username/password pairs: signing in with webgoat/webgoat or aspect/aspect authenticates successfully:
- However, the challenge is to achieve an authentication bypass for the user alice, whose login is initially rejected:
3 - Tampering with the authentication process
- In order to capture the authentication cookies issued for webgoat/webgoat and aspect/aspect, let's use the Tamper Data add-on for Firefox:
- Starting the tamper:
- Now, let's sign in with webgoat/webgoat:
- Tampering:
- Copying the cookie:
- Storing the authentication cookie for further study:
- Same thing for aspect/aspect:
- As a result of the tampering, now we have two authentication cookies, one for webgoat/webgoat and the other one for aspect/aspect:
- Comparing the two cookies, it is clear that both start with 65432 and end with two different strings: ubphcfx and udfqtb
4 - Decoding/encoding the cookies
- Going to:
yehg.net/encoding
- Entering the string ubphcfx and reversing:
- Decoding with Char-- (shifting down one character):
- The result is the expected webgoat:
- Same process with the authentication cookie udfqtb obtained for aspect/aspect:
- Now the same method can be applied in reverse to alice in order to obtain the corresponding string and build a new authentication cookie:
- Reversing and encoding with Char++ (shifting up one character):
- The result is:
- The encoding process is very simple: the username is reversed and then every character is shifted up by one:
webgoat -> taogbew -> ubphcfx
aspect -> tcepsa -> udfqtb
alice -> ecila -> fdjmb
- To build alice's cookie the string fdjmb is appended to 65432, following the format of the two captured cookies (65432fdjmb):
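The scheme above, reproduced as an added example (not WebGoat's own code): a forger needs no secret, since the cookie is a pure function of the username, and the same script contrasts it with an HMAC-signed cookie that cannot be forged without the server key. The prefix 65432 comes from the captured cookies; the server key is a constructed placeholder.

```python
import hashlib
import hmac

PREFIX = "65432"  # constant prefix observed in the captured WebGoat cookies


def weak_encode(username: str) -> str:
    """WebGoat-style cookie: reverse the username, shift each char up by one (Char++)."""
    shifted = "".join(chr(ord(c) + 1) for c in reversed(username))
    return PREFIX + shifted


def weak_decode(cookie: str) -> str:
    """Invert the scheme: strip the prefix, shift each char down by one (Char--), reverse."""
    if not cookie.startswith(PREFIX):
        raise ValueError("unexpected cookie format")
    body = cookie[len(PREFIX):]
    return "".join(chr(ord(c) - 1) for c in reversed(body))


# Hardened variant (assumption, not part of WebGoat): the server keeps a secret key
# and authenticates the cookie body with an HMAC, so a client cannot mint a cookie
# for another user without that key.
SERVER_KEY = b"constructed-placeholder-key-change-me"


def signed_encode(username: str, key: bytes = SERVER_KEY) -> str:
    tag = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}.{tag}"


def signed_verify(cookie: str, key: bytes = SERVER_KEY):
    """Return the username if the tag is valid, otherwise None."""
    username, _, tag = cookie.rpartition(".")
    expected = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    # constant-time comparison avoids leaking how many tag bytes matched
    return username if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    for user in ("webgoat", "aspect", "alice"):
        print(user, "->", weak_encode(user))  # alice -> 65432fdjmb
    forged = "alice." + "0" * 64
    print("forged signed cookie accepted:", signed_verify(forged) is not None)
```

Detection-wise, a cookie whose decoded body is a known username but which was never issued by the server for that session is the tell: issuing server-side session identifiers or signing cookies removes the forgery path entirely.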
5 - Launching the cookie spoofing attack
- Now, let's tamper again with a webgoat/webgoat login:
- At this moment, let's copy alice's crafted cookie and paste it into the cookie field:
- Clicking OK:
- Finally the attack is successful and the spoofed user alice becomes authenticated: