Last Updated on Sunday, 29 November 2009 10:23 Written by DarkKnightH20 Saturday, 15 August 2009 12:41
What is cookie theft?
Why would someone want to steal cookies?
Besides being tasty (oh, what a good joke), cookie theft is most commonly associated with the stealing of login credentials, which is particularly easy if the user has automatic login ("remember me") enabled for the website in question. In theory (and commonly in practice), if you have another user's login cookie, you can log in to their account (sounds simple enough). Cookies that carry something important (e.g. a password) are usually encoded or encrypted in some way; an attacker who obtains such a cookie may be able to decode it and recover the actual password, and even without decoding it, simply replaying the cookie is enough to log in. Thankfully, most cookies do NOT contain passwords. Instead, "session IDs" are used: a random, server-generated string of letters and numbers, often stored alongside the username. This is more secure, but still subject to attack: sessions can be hijacked if the attacker replaces his or her own cookie with the newly obtained one. An easy countermeasure is to restrict the session to the IP address from which it was originally created. Unfortunately, this is not very friendly towards users with dynamic IP addresses (or behind changing proxies), so it is only a partial solution.
How is it done?
One day, you decide to visit a forum that you commonly go to. It turns out the owner decided to enable HTML so that people could make cool signatures using HTML instead of the built-in forum code. You see a post with the title "Hey Everybody, Look Here!" and you decide "Hmm... Ok... I'll play ball", so you click it. When you do, you simply see a normal post with text saying "Boo!". Naturally, you're a little annoyed, so you exit the post and go to bed angry. When you wake up, you find that someone deleted your private messages, changed your signature and avatar to something vulgar, and made a million posts under your name. And, on top of all of that, the admins are mad at you and want to ban you because they think you're the one who did it. Oh no!
This scenario is not as uncommon as you might think. Remember what I said about document.cookie? Well, it can be used to steal cookies almost invisibly. An attacker can use a hidden iframe to feed the cookie to the stealer script (very stealthy), can redirect the page in question to the stealer (not as stealthy, since the victim sees the navigation), can use a popup window (a bad method, especially since so many people use popup blockers nowadays), and, unfortunately, can even use a Flash file (very stealthy), which is even more dangerous, as many community scripts (e.g. forums) allow Flash files to be posted. Every one of these vectors depends on script being able to read the cookie in the first place; a cookie the server sets with the HttpOnly flag is not exposed through document.cookie at all.
Proof of Concept
The above PoC is a simple redirection-based script. It feeds the cookie to the capture URL in a primitive, yet effective way. I will not post an example capture script, as I in no way want to promote the theft of cookies, but it is very basic code that many web scripters could write in less than a minute.
Note 2: Firefox has add-ons available that allow users to modify their cookies for a particular website on the fly. This, undoubtedly, is of great assistance to those who perform cookie theft, since the stolen value can simply be pasted over their own.
Note 3: Forums with HTML enabled are incredibly prone to cookie theft. Either enable adequate filtering (an allowlist of harmless tags and attributes, not a blocklist of known-bad ones) or disable HTML altogether to help increase safety.
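The filtering that Note 3 calls for, and the injection vectors listed earlier (hidden iframe, redirect, Flash embed, event-handler attributes), as an added Node.js example that is not part of the original post. It is an allowlist sanitizer for user-supplied HTML such as forum signatures: tags and attributes not on the list are removed, `script`/`style`/`iframe`/`object` bodies are removed with their contents, and `href`/`src` values must be relative or `http(s)`. The tag list, the function names and the sample payloads (with `evil.example` as the attacker host) are this example's own assumptions.

```javascript
// Added example (not from the original post): allowlist HTML filtering for
// forum signatures. Anything not explicitly allowed is dropped; text outside
// tags has < and > escaped so it can never become markup. The tag/attribute
// lists and all names below are this example's assumptions.
const ALLOWED_TAGS = new Set(['b', 'i', 'u', 'em', 'strong', 'p', 'br', 'a', 'img']);
const ALLOWED_ATTRS = { a: ['href', 'title'], img: ['src', 'alt', 'width', 'height'] };
const URL_ATTRS = new Set(['href', 'src']);
// Elements whose contents must vanish too, not just the tag itself.
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object']);

const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
const ATTR_RE = /([a-zA-Z][\w:.-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function escapeText(s) {
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Allow relative URLs and http(s) only. The scheme is checked on a copy with
// control characters and whitespace removed, because browsers ignore those
// ("java\tscript:" still runs). Returns null for anything else.
function safeUrl(raw) {
  const probe = raw.replace(/[\u0000-\u0020\u007f]/g, '');
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(probe);
  if (m && !['http', 'https'].includes(m[1].toLowerCase())) return null;
  return raw.trim();
}

// Re-serialise an allowed opening tag keeping only allowed attributes.
// Event handlers (onerror, onload, ...) and style are never on the list.
function rebuildTag(name, rawAttrs) {
  const allowed = ALLOWED_ATTRS[name] || [];
  let out = '<' + name;
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const attr = m[1].toLowerCase();
    if (!allowed.includes(attr)) continue;
    let value = m[2] ?? m[3] ?? m[4] ?? '';
    if (URL_ATTRS.has(attr)) {
      value = safeUrl(value);
      if (value === null) continue; // javascript:, data:, vbscript: ...
    }
    out += ` ${attr}="${escapeAttr(value)}"`;
  }
  return out + '>';
}

function sanitizeHtml(input) {
  let out = '';
  let pos = 0;
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(input)) !== null) {
    out += escapeText(input.slice(pos, m.index));
    pos = TAG_RE.lastIndex;
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    if (!closing && DROP_WITH_CONTENT.has(name)) {
      // Skip to the matching close tag; if there is none, drop the rest.
      const end = new RegExp(`</${name}\\s*>`, 'i').exec(input.slice(pos));
      if (!end) { pos = input.length; break; }
      pos += end.index + end[0].length;
      TAG_RE.lastIndex = pos;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue; // unknown tag: drop it, keep its text
    out += closing ? `</${name}>` : rebuildTag(name, m[3]);
  }
  out += escapeText(input.slice(pos));
  return out;
}

module.exports = { sanitizeHtml, safeUrl, rebuildTag, escapeText, escapeAttr };
```

Because the output is rebuilt from scratch rather than patched, a malformed tag fails closed: a `>` inside an attribute value simply truncates the tag and the remainder is emitted as escaped text. The same escaping is what a log viewer (Note 4) needs before it renders an attacker-controlled log line.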
Note 4: Cookie theft is often used in conjunction with other vulnerabilities. As stated, it often works hand-in-hand with HTML injection. However, it can also pop up where you least expect it. An example situation: a CPanel vulnerability could let an attacker insert a cookie-stealing script into the CPanel logs, which, when an administrator views them, would execute and steal the CPanel cookie (Note: I used CPanel as an example for no particular reason other than that it is commonly used).