Monday, April 02, 2007

Fun with cookies

(Another geeky post)

Recently at work the topic of HTTP cookies came up. (For some background info on HTTP cookie, see this). Most websites that provide a logon form (username & password) use cookies to allow you to save your logon information ("Remember my information on this computer"). Sites also use cookies to store user information if you don't tell the computer to remember your information - these cookies stay around as long as your web browser is open.

Why is this bad? One reason is that it's sometimes possible for people to steal your logon information using what's calls Cross-Site Scripting (XSS). I won't go into that here, but will share some simple mechanisms you can use to inspect cookies, and mess with them. (Nothing here is really new or revolutionary, but was new to me, so I thought I'd share it...)

It turns out your web browser is capable of showing you the cookies for any page you're viewing: just paste

javascript:{alert(document.cookie);}
in the address bar. You should see a window pop up with cookie information, such as this (from Google) :


Some websites requiring a logon will have your username and password right there in the cookie (making it easy for someone to use them if stolen). One example of such a site is www.cellartracker.com. If you have an account there, log on and then use the above javascript to see your info - nifty, eh?

Now let's pretend we're an attacker that has stolen cookies from someone. How would you use them to log into a website? Again, Javascript makes this really easy. Let's take www.cellartracker.com as an example again (I'm not bashing on them, their site is great!)

Log out (if you were logged in), and look at your cookie using the above Javascript. It should only contain one entry, e.g.:

ASPSESSIONIDCCDSQTRS=DNCMEHMBIFCJIPMIOBJOMJIF
Now let's "inject" the logon information we stole (you can use your real CellarTracker information if you have an account). Type in the following in the address bar, replacing and with your info:

javascript:{document.cookie="Password=your password; User=your username";}
The webpage will change to display the cookie values you just set. No problem, just re-enter www.cellartracker.com in the address bar. You should now see the page for logged-in users...

Tweaking cookies using Javascript is an interesting way to do targeted deletion of cookies you don't want hanging around (instead of erasing all cookies). This website covers Javascript and cookies in more depth, and has some examples of deleting cookies.

Note that there's a way to prevent all of the above: HTTP-Only cookies. This tells the web browser to not expose the cookies to the web page in any way (so no script access). They are still sent to the web site when you make requests, but malicious script code running in your browser can't see them or modify them...

2 comments:

Peter May - The Pinotage Club said...

Mark - I don't understand. If you have stolen a cookie with the username/password why not just logon using them instead putting this in the address bar?

javascript:{document.cookie="Password=your password; User=your username";}

Mark said...

Peter - you're right. Normally, if you had stolen someone's username/password, you would just logon using them.

I was showing how to set cookie values using the address bar, mainly to show how easy this is to do. For things that are not normally entered by the user (such as a Session ID), this would be the way to do it...