Having Fun With Cookies

by Simon Templer

In 22:3 A5an0 talked about a great technique for changing form values using the address bar, which is excellent when you don't have a tool such as WebSleuth.

Changing form values via JavaScript is a technique I often use when testing web applications.  But another common pitfall for a lot of web developers is storing information in cookies.  Most don't realize that cookies are easy to view and just as easy to edit.

So what can you find in cookies?

Well, besides the publicized use of tracking people on the web, the real chocolate chips are the mistakes: using cookies to store access levels, consecutive user IDs, and price information.  So how do you find the chocolate chips?

Depending on your preferred method, you can look at cookies in a number of ways:

JavaScript:  By simply pasting the following into the address bar, you will receive a message box with the contents of the cookie:

javascript:alert(document.cookie);

VB6:  If you add a reference to the Internet Explorer library (SHDOCVW.DLL) and retrieve the document object property, you can use its "cookie" property.

MsgBox IEInstance.Document.cookie

Mozilla Firefox Extensions:  Firefox has a few extensions you can download for free that will allow you to both view and edit cookies.  (Example: AnEC Cookie Editor)

To demonstrate the misuse of the cookie we will use a real e-commerce site that sells various tools and equipment.  (All potentially damaging information has been omitted to protect the company.)

An examination of the cookie during checkout yielded the following:

Shopperid=8002&Username=simon@templer.com&Navcustomerno=&Shoppertype=regular&Navcontactid=&Contacttype=customer&SalespersonCode=&ISACustomerNo=&salespersontype=&AllowOnAccount=false

Noting the various fields, we can begin the process of manipulating the cookie values and seeing how the web application responds.

Again, depending on your preferred method, you can edit the cookies via the following methods:

JavaScript:  Pasting this code into the address bar sets the Shopperid cookie value to 8000 and then displays the new value in a message box.

javascript:document.cookie='Shopperid=8000;path=/';alert(document.cookie);

VB6:  Similar to the JavaScript method, setting the cookie property of the document object will change the value of the cookie.

IEInstance.Document.cookie = "Shopperid=8000;path=/"

Mozilla Firefox Extensions:  If you're using the Add N Edit Cookie Editor (addneditcookies-0.2.1.0.xpi) for Firefox, then you can simply search for the cookie you wish to edit and edit its content value.

Regardless of the method, changing the value of Shopperid resulted in a very disturbing outcome.

The checkout information was automatically populated with other customers' information.

By simply changing the value of Shopperid, I was able to enumerate information for several different people.

But the fun continued on.  Changing the AllowOnAccount value to true unlocked an option to check out on account instead of using a credit card.

I'm sure this could certainly be misused.  And of course the finale was being able to log in and impersonate anyone by simply copying the cookie values and changing the email address to a known valid address.

So let's recap what we've learned.

Developers often make the mistake of storing security-related information in cookies.  By changing the values in the cookies we are sometimes able to exploit logic flaws to retrieve information, escalate our privileges, or bypass security mechanisms.

Many homegrown and commercial web applications suffer from these flaws, so have fun trying to find them!
